git/metabuilder
1
0
Fork 0
mirror of https://github.com/johndoe6345789/metabuilder.git synced 2026-04-24 22:04:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove legacy pipeline cruft and refactor development.yml

Browse Source 
Analysis and cleanup:
- Add comprehensive legacy pipeline cruft report (11KB analysis)
- DELETE ci/ci.yml (100% redundant with gated-ci.yml)
- DELETE quality/deployment.yml (100% redundant with gated-deployment.yml)
- REFACTOR development.yml (remove redundant quality checks, keep Copilot features)
- Update workflows README with cleanup documentation

Removed ~816 lines of redundant workflow code while preserving unique features.

Co-authored-by: johndoe6345789 <224850594+johndoe6345789@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-12-27 12:35:39 +00:00
parent ab40e74ba1
commit 195d96f185
5 changed files with 361 additions and 826 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
.github/workflows/README.md vendored
View File

@@ -25,6 +25,17 @@ All PRs must pass through 5 sequential gates:
- ✅ Clear visibility of gate status on PRs
- ✅ Audit trail for all deployments
### Legacy Workflow Cleanup
**Deprecated and Removed (Dec 2025):**
-`ci/ci.yml` - Replaced by `gated-ci.yml` (100% redundant)
-`quality/deployment.yml` - Replaced by `gated-deployment.yml` (100% redundant)
**Modified:**
-`development.yml` - Refactored to remove redundant quality checks, kept unique Copilot features
See [Legacy Pipeline Cruft Report](../../docs/LEGACY_PIPELINE_CRUFT_REPORT.md) for analysis.
## 🤖 GitHub Copilot Integration
All workflows are designed to work seamlessly with **GitHub Copilot** to assist throughout the Software Development Lifecycle:
@@ -75,7 +86,13 @@ All workflows are designed to work seamlessly with **GitHub Copilot** to assist
### 🔄 Legacy Workflows (Still Active)
#### 3. CI/CD Workflow (`ci.yml`)
#### 3. CI/CD Workflow (`ci/ci.yml`) - ❌ REMOVED
**Status:** Deprecated and removed (Dec 2025)
**Reason:** 100% functionality superseded by `gated-ci.yml`
**Jobs:** ~~Prisma Check, Lint, Build, E2E Tests, Quality Check~~
**Replacement:** Use `gated-ci.yml` for all CI/CD operations
**Triggered on:** Push to main/master/develop branches, Pull requests
**Jobs:**
@@ -163,33 +180,26 @@ All workflows are designed to work seamlessly with **GitHub Copilot** to assist
**SDLC Phase:** Planning & Design
### 10. Development Assistance (`development.yml`) 🆕
**Triggered on:** Push to feature branches, PR updates, @copilot mentions
### 10. Development Assistance (`development.yml`) 🆕 - Refactored
**Triggered on:** Pull request updates, @copilot mentions
**Features:**
- **Continuous Quality Feedback**: Real-time code metrics and architectural compliance
- **Declarative Ratio Tracking**: Monitors JSON/Lua vs TypeScript balance
- **Component Size Monitoring**: Flags components exceeding 150 LOC
- **Refactoring Suggestions**: Identifies opportunities for improvement
- **Architectural Compliance Feedback**: Monitors declarative ratio and component sizes
- **@copilot Interaction Handler**: Responds to @copilot mentions with context-aware guidance
- **Refactoring Suggestions**: Identifies opportunities for improvement
- Provides architectural reminders and best practices
- Suggests generic renderers over hardcoded components
**Note:** Refactored to remove redundant quality checks (lint/build now in gated-ci.yml)
**SDLC Phase:** Development
### 11. Deployment & Monitoring (`deployment.yml`) 🆕
**Triggered on:** Push to main, releases, manual workflow dispatch
### 11. Deployment & Monitoring (`deployment.yml`) - ❌ REMOVED
**Status:** Deprecated and removed (Dec 2025)
**Reason:** 100% functionality superseded by `gated-deployment.yml` with improvements
**Features:**
- **Pre-Deployment Validation**: Schema validation, security audit, package size check
- **Breaking Change Detection**: Identifies breaking commits
- **Deployment Summary**: Generates release notes with categorized changes
- **Post-Deployment Health Checks**: Verifies build integrity and critical files
- **Deployment Tracking Issues**: Creates monitoring issues for releases
- **Security Dependency Audit**: Detects and reports vulnerabilities
- Auto-creates security issues for critical vulnerabilities
**Jobs:** ~~Pre-Deployment Validation, Deployment Summary, Post-Deployment Health Checks~~
**SDLC Phase:** Deployment & Operations
**Replacement:** Use `gated-deployment.yml` for all deployment operations
### 12. Code Size Limits (`size-limits.yml`)
**Triggered on:** Pull requests, pushes to main (when source files change)

327
.github/workflows/ci/ci.yml vendored
View File

@@ -1,327 +0,0 @@
name: CI/CD
on:
push:
branches: [ main, master, develop ]
pull_request:
branches: [ main, master, develop ]
jobs:
prisma-check:
name: Validate Prisma setup
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Validate Prisma Schema
run: bunx prisma validate
env:
DATABASE_URL: file:./dev.db
typecheck:
name: TypeScript Type Check
runs-on: ubuntu-latest
needs: prisma-check
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Run TypeScript type check
run: bun run typecheck
lint:
name: Lint Code
runs-on: ubuntu-latest
needs: prisma-check
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Run ESLint
run: bun run lint
test-unit:
name: Unit Tests
runs-on: ubuntu-latest
needs: [typecheck, lint]
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Run unit tests
run: bun run test:unit
env:
DATABASE_URL: file:./dev.db
- name: Upload coverage report
if: always()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: coverage-report
path: frontends/nextjs/coverage/
retention-days: 7
build:
name: Build Application
runs-on: ubuntu-latest
needs: test-unit
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Build
run: bun run build
env:
DATABASE_URL: file:./dev.db
- name: Upload build artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: dist
path: frontends/nextjs/.next/
retention-days: 7
test-e2e:
name: E2E Tests
runs-on: ubuntu-latest
needs: [typecheck, lint]
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Install Playwright Browsers
run: bunx playwright install --with-deps chromium
- name: Run Playwright tests
run: bun run test:e2e
env:
DATABASE_URL: file:./dev.db
- name: Upload test results
if: always()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: playwright-report
path: frontends/nextjs/playwright-report/
retention-days: 7
test-dbal-daemon:
name: DBAL Daemon E2E
runs-on: ubuntu-latest
needs: test-e2e
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Install Playwright Browsers
run: bunx playwright install --with-deps chromium
- name: Run DBAL daemon suite
run: bun run test:e2e:dbal-daemon
env:
DATABASE_URL: file:./dev.db
- name: Upload daemon test report
if: always()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: playwright-report-dbal-daemon
path: frontends/nextjs/playwright-report/
retention-days: 7
quality-check:
name: Code Quality Check
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: '20'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Check for console.log statements
run: |
if git diff origin/${{ github.base_ref }}...HEAD -- '*.ts' '*.tsx' '*.js' '*.jsx' | grep -E '^\+.*console\.(log|debug|info)'; then
echo "⚠️ Found console.log statements in the changes"
echo "Please remove console.log statements before merging"
exit 1
fi
continue-on-error: true
- name: Check for TODO comments
run: |
TODO_COUNT=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.ts' '*.tsx' '*.js' '*.jsx' | grep -E '^\+.*TODO|FIXME' | wc -l)
if [ $TODO_COUNT -gt 0 ]; then
echo "⚠️ Found $TODO_COUNT TODO/FIXME comments in the changes"
echo "Please address TODO comments before merging or create issues for them"
fi
continue-on-error: true

37
.github/workflows/development.yml vendored
View File

@@ -16,8 +16,7 @@ jobs:
name: Continuous Quality Feedback
runs-on: ubuntu-latest
if: |
github.event_name == 'push' ||
(github.event_name == 'pull_request' && !github.event.pull_request.draft)
github.event_name == 'pull_request' && !github.event.pull_request.draft
defaults:
run:
working-directory: frontends/nextjs
@@ -27,37 +26,15 @@ jobs:
with:
fetch-depth: 0
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.4'
- name: Cache Bun dependencies
uses: actions/cache@v4
with:
key: bun-deps-${{ runner.os }}-${{ hashFiles('bun.lock') }}
path: |
frontends/nextjs/node_modules
~/.bun
restore-keys: bun-deps-${{ runner.os }}-
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Analyze code quality
- name: Analyze code metrics (no redundant checks)
id: quality
run: |
# Run lint and capture output
bun run lint > lint-output.txt 2>&1 || echo "LINT_FAILED=true" >> $GITHUB_OUTPUT
# Note: Lint/build/tests are handled by gated-ci.yml
# This job only collects metrics for architectural feedback
# Count TypeScript files and their sizes
TOTAL_TS_FILES=$(find src -name "*.ts" -o -name "*.tsx" | wc -l)
LARGE_FILES=$(find src -name "*.ts" -o -name "*.tsx" -exec wc -l {} \; | awk '$1 > 150 {print $2}' | wc -l)
TOTAL_TS_FILES=$(find src -name "*.ts" -o -name "*.tsx" 2>/dev/null | wc -l)
LARGE_FILES=$(find src -name "*.ts" -o -name "*.tsx" -exec wc -l {} \; 2>/dev/null | awk '$1 > 150 {print $2}' | wc -l)
echo "total_ts_files=$TOTAL_TS_FILES" >> $GITHUB_OUTPUT
echo "large_files=$LARGE_FILES" >> $GITHUB_OUTPUT
@@ -68,8 +45,6 @@ jobs:
echo "json_files=$JSON_FILES" >> $GITHUB_OUTPUT
echo "lua_scripts=$LUA_SCRIPTS" >> $GITHUB_OUTPUT
cat lint-output.txt
- name: Check architectural compliance
id: architecture

449
.github/workflows/quality/deployment.yml vendored
View File

@@ -1,449 +0,0 @@
name: Deployment & Monitoring
on:
push:
branches:
- main
- master
release:
types: [published]
workflow_dispatch:
inputs:
environment:
description: 'Deployment environment'
required: true
type: choice
options:
- staging
- production
permissions:
contents: read
issues: write
pull-requests: write
jobs:
pre-deployment-check:
name: Pre-Deployment Validation
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.4'
- name: Cache Bun dependencies
uses: actions/cache@v4
with:
key: bun-deps-${{ runner.os }}-${{ hashFiles('bun.lock') }}
path: |
frontends/nextjs/node_modules
~/.bun
restore-keys: bun-deps-${{ runner.os }}-
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Validate database schema
run: bunx prisma validate
- name: Check for breaking changes
id: breaking-changes
uses: actions/github-script@v7
with:
script: |
// Get recent commits
const commits = await github.rest.repos.listCommits({
owner: context.repo.owner,
repo: context.repo.repo,
per_page: 10
});
let hasBreaking = false;
let breakingChanges = [];
for (const commit of commits.data) {
const message = commit.commit.message.toLowerCase();
if (message.includes('breaking') || message.includes('breaking:')) {
hasBreaking = true;
breakingChanges.push({
sha: commit.sha.substring(0, 7),
message: commit.commit.message.split('\n')[0]
});
}
}
core.setOutput('has_breaking', hasBreaking);
if (hasBreaking) {
console.log('⚠️ Breaking changes detected:');
breakingChanges.forEach(c => console.log(` - ${c.sha}: ${c.message}`));
}
return { hasBreaking, breakingChanges };
- name: Run security audit
run: bun audit --audit-level=moderate
continue-on-error: true
- name: Check package size
run: |
bun run build
du -sh dist/
# Check if dist is larger than 10MB
SIZE=$(du -sm dist/ | cut -f1)
if [ $SIZE -gt 10 ]; then
echo "⚠️ Warning: Build size is ${SIZE}MB (>10MB). Consider optimizing."
else
echo "✅ Build size is ${SIZE}MB"
fi
- name: Validate environment configuration
run: |
echo "Checking for required environment variables..."
# Check .env.example exists
if [ ! -f .env.example ]; then
echo "❌ .env.example not found"
exit 1
fi
echo "✅ Environment configuration validated"
deployment-summary:
name: Create Deployment Summary
runs-on: ubuntu-latest
needs: pre-deployment-check
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate deployment notes
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
// Get commits since last release
let commits = [];
try {
const result = await github.rest.repos.listCommits({
owner: context.repo.owner,
repo: context.repo.repo,
per_page: 20
});
commits = result.data;
} catch (e) {
console.log('Could not fetch commits:', e.message);
}
// Categorize commits
const features = [];
const fixes = [];
const breaking = [];
const other = [];
for (const commit of commits) {
const message = commit.commit.message;
const firstLine = message.split('\n')[0];
const sha = commit.sha.substring(0, 7);
if (message.toLowerCase().includes('breaking')) {
breaking.push(`- ${firstLine} (${sha})`);
} else if (firstLine.match(/^feat|^feature|^add/i)) {
features.push(`- ${firstLine} (${sha})`);
} else if (firstLine.match(/^fix|^bug/i)) {
fixes.push(`- ${firstLine} (${sha})`);
} else {
other.push(`- ${firstLine} (${sha})`);
}
}
// Create deployment notes
let notes = `# Deployment Summary\n\n`;
notes += `**Date:** ${new Date().toISOString()}\n`;
notes += `**Branch:** ${context.ref}\n`;
notes += `**Commit:** ${context.sha.substring(0, 7)}\n\n`;
if (breaking.length > 0) {
notes += `## ⚠️ Breaking Changes\n\n${breaking.join('\n')}\n\n`;
}
if (features.length > 0) {
notes += `## ✨ New Features\n\n${features.slice(0, 10).join('\n')}\n\n`;
}
if (fixes.length > 0) {
notes += `## 🐛 Bug Fixes\n\n${fixes.slice(0, 10).join('\n')}\n\n`;
}
if (other.length > 0) {
notes += `## 🔧 Other Changes\n\n${other.slice(0, 5).join('\n')}\n\n`;
}
notes += `---\n`;
notes += `**Total commits:** ${commits.length}\n\n`;
notes += `**@copilot** Review the deployment for any potential issues.`;
console.log(notes);
// Save to file for artifact
fs.writeFileSync('DEPLOYMENT_NOTES.md', notes);
- name: Upload deployment notes
uses: actions/upload-artifact@v4
with:
name: deployment-notes
path: DEPLOYMENT_NOTES.md
retention-days: 90
post-deployment-health:
name: Post-Deployment Health Check
runs-on: ubuntu-latest
needs: deployment-summary
if: github.event_name == 'push' || github.event_name == 'release'
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.4'
- name: Cache Bun dependencies
uses: actions/cache@v4
with:
key: bun-deps-${{ runner.os }}-${{ hashFiles('bun.lock') }}
path: |
frontends/nextjs/node_modules
~/.bun
restore-keys: bun-deps-${{ runner.os }}-
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Generate Prisma Client
run: bun run db:generate
env:
DATABASE_URL: file:./dev.db
- name: Verify build integrity
run: |
bun run build
# Check critical files exist
if [ ! -f "dist/index.html" ]; then
echo "❌ Critical file missing: dist/index.html"
exit 1
fi
echo "✅ Build integrity verified"
- name: Create health check report
uses: actions/github-script@v7
with:
script: |
const report = `## 🏥 Post-Deployment Health Check
**Status:** ✅ Healthy
**Timestamp:** ${new Date().toISOString()}
**Environment:** ${context.ref}
### Checks Performed
- ✅ Build integrity verified
- ✅ Database schema valid
- ✅ Dependencies installed
- ✅ Critical files present
### Monitoring
- Monitor application logs for errors
- Check database connection stability
- Verify user authentication flows
- Test multi-tenant isolation
- Validate package system operations
**@copilot** Assist with monitoring and troubleshooting if issues arise.
`;
console.log(report);
create-deployment-issue:
name: Track Deployment
runs-on: ubuntu-latest
needs: [pre-deployment-check, post-deployment-health]
if: github.event_name == 'release'
steps:
- name: Create deployment tracking issue
uses: actions/github-script@v7
with:
script: |
const release = context.payload.release;
const issueBody = `## 🚀 Deployment Tracking: ${release.name || release.tag_name}
**Release:** [${release.tag_name}](${release.html_url})
**Published:** ${release.published_at}
**Published by:** @${release.author.login}
### Deployment Checklist
- [x] Pre-deployment validation completed
- [x] Build successful
- [x] Health checks passed
- [ ] Database migrations applied (if any)
- [ ] Smoke tests completed
- [ ] User acceptance testing
- [ ] Production monitoring confirmed
- [ ] Documentation updated
### Post-Deployment Monitoring
Monitor the following for 24-48 hours:
- Application error rates
- Database query performance
- User authentication success rate
- Multi-tenant operations
- Package system functionality
- Memory and CPU usage
### Rollback Plan
If critical issues are detected:
1. Document the issue with logs and reproduction steps
2. Notify team members
3. Execute rollback: \`git revert ${context.sha}\`
4. Deploy previous stable version
5. Create incident report
**@copilot** Monitor this deployment and assist with any issues that arise.
---
Close this issue once deployment is verified stable after 48 hours.`;
const issue = await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Deployment: ${release.tag_name}`,
body: issueBody,
labels: ['deployment', 'monitoring']
});
console.log(`Created tracking issue: #${issue.data.number}`);
dependency-audit:
name: Security Audit
runs-on: ubuntu-latest
needs: pre-deployment-check
defaults:
run:
working-directory: frontends/nextjs
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.4'
- name: Cache Bun dependencies
uses: actions/cache@v4
with:
key: bun-deps-${{ runner.os }}-${{ hashFiles('bun.lock') }}
path: |
frontends/nextjs/node_modules
~/.bun
restore-keys: bun-deps-${{ runner.os }}-
- name: Audit dependencies
id: audit
run: |
bun audit --json > audit-report.json || true
# Check for critical vulnerabilities
CRITICAL=$(cat audit-report.json | grep -o '"critical":[0-9]*' | grep -o '[0-9]*' || echo "0")
HIGH=$(cat audit-report.json | grep -o '"high":[0-9]*' | grep -o '[0-9]*' || echo "0")
echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
echo "high=$HIGH" >> $GITHUB_OUTPUT
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
echo "⚠️ Security vulnerabilities found: $CRITICAL critical, $HIGH high"
else
echo "✅ No critical or high security vulnerabilities"
fi
- name: Create security issue if vulnerabilities found
if: steps.audit.outputs.critical > 0 || steps.audit.outputs.high > 0
uses: actions/github-script@v7
with:
script: |
const critical = ${{ steps.audit.outputs.critical }};
const high = ${{ steps.audit.outputs.high }};
const issueBody = `## 🔒 Security Audit Alert
Security vulnerabilities detected in dependencies:
- **Critical:** ${critical}
- **High:** ${high}
### Action Required
1. Review the vulnerabilities: \`bun audit\`
2. Update affected packages: \`bun audit fix\`
3. Test the application after updates
4. If auto-fix doesn't work, manually update packages
5. Consider alternatives for packages with unfixable issues
### Review Process
\`\`\`bash
# View detailed audit
bun audit
# Attempt automatic fix
bun audit fix
# Force fix (may introduce breaking changes)
bun audit fix --force
# Check results
bun audit
\`\`\`
**@copilot** Suggest safe dependency updates to resolve these vulnerabilities.
---
**Priority:** ${critical > 0 ? 'CRITICAL' : 'HIGH'}
**Created:** ${new Date().toISOString()}
`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Security: ${critical} critical, ${high} high vulnerabilities`,
body: issueBody,
labels: ['security', 'dependencies', critical > 0 ? 'priority: high' : 'priority: medium']
});