
fix(security): harden context, dry-run, manifest, and glob handling #1253


Workflow file for this run

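name: CI

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege token scope: every step here only reads the repository
# (checkout, install, test, build), so restrict GITHUB_TOKEN to read-only
# instead of inheriting the repository's default (possibly write) scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - node-version: 22
            profile: full
          - node-version: 24
            profile: smoke
    name: ${{ matrix.profile }} (Node ${{ matrix.node-version }})
    steps:
      # NOTE(review): these actions are pinned to version tags; a full commit
      # SHA pin (with the tag kept as a trailing comment) would make each
      # reference immutable against tag moves — take the SHAs from upstream.
      - uses: actions/checkout@v6.0.2
      - uses: pnpm/action-setup@v6.0.8
      - uses: actions/setup-node@v6.4.0
        with:
          node-version: ${{ matrix.node-version }}
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      # Doc checks are Node-version-independent (markdown + tsx codegen), so run
      # them once in the full profile — not duplicated across the Node matrix.
      - run: pnpm check:docs
        if: matrix.profile == 'full'
      - run: pnpm typecheck
      - run: pnpm test:unit
      - run: pnpm build
      # Integration tests and the built-CLI plan checks only run in the full
      # profile; the smoke profile runs just the unconditional steps.
      - run: pnpm exec vitest run --config vitest.integration.config.ts
        if: matrix.profile == 'full'
      - run: node dist/cli.js plan lint --include-quality --strict --json
        if: matrix.profile == 'full'
      - run: node dist/cli.js plan analyze --strict --json
        if: matrix.profile == 'full'
      - name: Smoke validate and doctor on an initialized project
        if: matrix.profile == 'full'
        # Runs in a fresh temp dir outside the checkout so `init` exercises a
        # clean project rather than the repository itself.
        run: |
          tmp="$(mktemp -d)"
          cd "$tmp"
          node "$GITHUB_WORKSPACE/dist/cli.js" init --non-interactive --locale en-US --agent claude-code --json
          node "$GITHUB_WORKSPACE/dist/cli.js" validate --json
          node "$GITHUB_WORKSPACE/dist/cli.js" doctor --json
      - run: node dist/cli.js --version
      - run: node dist/cli.js --json --version

  # Single aggregate status for the matrix: always() keeps it from being
  # skipped, and it fails unless every leg of `build` succeeded.
  ci-status:
    name: CI status
    runs-on: ubuntu-latest
    needs: build
    if: ${{ always() }}
    steps:
      - name: Verify all matrix builds succeeded
        if: ${{ needs.build.result != 'success' }}
        # Pass the expression through env rather than interpolating it into
        # the script body, so the shell never executes template-expanded text.
        env:
          BUILD_RESULT: ${{ needs.build.result }}
        run: |
          echo "build matrix did not succeed: $BUILD_RESULT"
          exit 1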