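---
# LocalGreenChain CI Pipeline
# Agent 4: Production Deployment
#
# Runs on every push and pull request:
# - Linting and type checking
# - Unit and integration tests
# - Build verification
#
# Job graph (see `needs:` on each job):
#   lint + test -> build -> docker (main branch only)
#   lint        -> security
name: CI

# `on` is read as a boolean key by generic YAML 1.1 parsers; GitHub's loader
# handles it, so only the linter needs quieting here.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, comments,
# or publishes, so a read-only token is sufficient. A job that later needs more
# should declare its own job-level `permissions:` rather than widening this.
permissions:
  contents: read

# One in-flight run per ref; a newer push cancels the superseded run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  NODE_ENV: test

jobs:
  # ==========================================================================
  # Lint and Type Check
  # ==========================================================================
  lint:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # `latest` is a moving target: the frozen lockfile pins packages, not
      # the runtime. Pin a specific Bun release here for reproducible runs.
      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      # --frozen-lockfile fails if the lockfile and package.json disagree, so
      # CI never silently resolves versions a developer did not commit.
      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run ESLint
        run: bun run lint

      - name: Run TypeScript type check
        run: bunx tsc --noEmit

  # ==========================================================================
  # Unit Tests
  # ==========================================================================
  test:
    name: Unit Tests
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run tests with coverage
        run: bun run test:coverage

      # `if: always()` uploads whatever coverage exists even when tests fail;
      # `fail_ci_if_error: false` keeps a Codecov outage from failing the job.
      - name: Upload coverage reports
        uses: codecov/codecov-action@v3
        if: always()
        with:
          files: ./coverage/lcov.info
          fail_ci_if_error: false
          verbose: true

  # ==========================================================================
  # Build
  # ==========================================================================
  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: [lint, test]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Build application
        run: bun run build
        env:
          # Quoted on purpose: env values are strings, and an unquoted 1 is
          # parsed as a YAML integer.
          NEXT_TELEMETRY_DISABLED: "1"

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .next/
          retention-days: 7

  # ==========================================================================
  # Docker Build (only on main branch)
  # ==========================================================================
  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: [build]
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Build only: `push: false` means no registry credentials are needed in
      # this workflow. The image is tagged with the commit SHA for traceability.
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: localgreenchain:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # ==========================================================================
  # Security Scan
  # ==========================================================================
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs: [lint]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      # Advisory only. `continue-on-error` keeps the job green, but unlike the
      # former `|| true` the step itself is marked failed when the audit finds
      # something, so findings stay visible in the run summary instead of
      # being swallowed twice.
      - name: Run security audit
        run: bun pm audit
        continue-on-error: true

      # Advisory only, same pattern as the audit above: `exit-code: '1'` makes
      # the step report CRITICAL/HIGH findings instead of always succeeding,
      # and `continue-on-error` keeps it from blocking merges until the team
      # chooses to enforce it.
      # TODO: pin this action to a release tag or commit SHA. `@master` is a
      # mutable ref, so the code that runs in this job can change without any
      # change to this repository.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'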