From 0c3fc19cdf4ab04ecc48f2810d75098e6975d4eb Mon Sep 17 00:00:00 2001 From: gandarfh Date: Sat, 20 Jun 2026 18:42:03 -0300 Subject: [PATCH] Add CI and quality workflows --- .github/dependabot.yml | 6 ++++++ .github/workflows/quality.yml | 38 ++++++++++++++++++++++++++++++++++ .github/workflows/security.yml | 21 +++++++++++++++++++ scripts/check-file-size.sh | 18 ++++++++++++++++ 4 files changed, 83 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/quality.yml create mode 100644 .github/workflows/security.yml create mode 100755 scripts/check-file-size.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c75e875 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml new file mode 100644 index 0000000..6922a6e --- /dev/null +++ b/.github/workflows/quality.yml @@ -0,0 +1,38 @@ +name: Quality + +on: + pull_request: + push: + branches: [main] + +permissions: + contents: read + +jobs: + duplication: + name: Duplication (jscpd) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: "20" + - run: > + npx --yes jscpd . + --threshold 3 + --reporters consoleFull + --ignore "**/target/**,**/_build/**,**/node_modules/**,**/dist/**,**/*.lock,src/parser.c,src/grammar.json,src/node-types.json" + + file-size: + name: File size + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: bash scripts/check-file-size.sh + + typos: + name: Typos + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: crate-ci/typos@master diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..9a5aba8 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,21 @@ +name: Security + +on: + pull_request: + push: + branches: [main] + +permissions: + contents: read + +jobs: + secrets: + name: Secret scan (TruffleHog) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: trufflesecurity/trufflehog@main + with: + extra_args: --only-verified diff --git a/scripts/check-file-size.sh b/scripts/check-file-size.sh new file mode 100755 index 0000000..942c929 --- /dev/null +++ b/scripts/check-file-size.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash +# Fails when a tracked source file exceeds the size ceiling. +# Guideline: target ~300 lines per file; hard ceiling 800 before splitting. +set -euo pipefail +LIMIT="${FILE_SIZE_LIMIT:-800}" +fail=0 +while IFS= read -r f; do + [ -f "$f" ] || continue + lines=$(wc -l < "$f") + if [ "$lines" -gt "$LIMIT" ]; then + echo "::error file=$f::$f has $lines lines (limit $LIMIT)" + fail=1 + fi +done < <(git ls-files \ + '*.ml' '*.mli' '*.rs' '*.ts' '*.js' '*.go' '*.py' '*.java' \ + | grep -vE '(^|/)(target|_build|node_modules|dist)/' || true) +[ "$fail" -eq 0 ] && echo "All source files within the $LIMIT-line ceiling." +exit "$fail"