diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml new file mode 100644 index 0000000..189b9a0 --- /dev/null +++ b/.github/workflows/pr.yaml @@ -0,0 +1,79 @@ +name: "๐Ÿฉบ PR Validation" + +on: + pull_request: + branches: ["master"] + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + pre-build-check: + name: ๐Ÿ” Pre-Build Security & Quality + runs-on: ubuntu-latest + steps: + - name: ๐Ÿ“ฅ Checkout repository + uses: actions/checkout@v4 + + - name: ๐Ÿณ Lint Dockerfile + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: Dockerfile + failure-threshold: error + + - name: ๐Ÿ›ก๏ธ Scan FS for Secrets and Configs + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + scanners: 'vuln,secret,config' + hide-progress: true + format: 'table' + exit-code: '1' + severity: 'CRITICAL,HIGH' + + - name: ๐Ÿ—๏ธ Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 24 + cache: 'npm' + + - name: ๐Ÿ“ฆ Install dependencies + run: npm ci --legacy-peer-deps + + - name: ๐Ÿงน Lint Check + run: npm run lint + + build-test: + name: โš™๏ธ Test Docker Build + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: ๐Ÿ“ฅ Checkout repository + uses: actions/checkout@v4 + + - name: ๐Ÿค– Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=sha,format=short,prefix= + + - name: โš™๏ธ Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: ๐Ÿš€ Build (Dry Run) + uses: docker/build-push-action@v6 + with: + context: . + push: false + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + build-args: | + NEXT_PUBLIC_BUILD_VERSION=${{ steps.meta.outputs.version }}