ci.yml
# GitHub Actions CI Workflow
#
# Status: ACTIVE
# Purpose: Run the comprehensive QA suite on pushes to, and pull requests targeting, main and develop
#
# This workflow uses the unified `task qa:all` command.
# Mirrors Husky pre-push hook exactly (same commands, same checks).
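name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for the automatic GITHUB_TOKEN: the steps below only check
# out the repository and run validation, so read access to contents suffices.
permissions:
  contents: read

jobs:
  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  # Comprehensive QA Suite (mirrors pre-push hook)
  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  # Command: cd .cursor && task qa:all
  # Includes: rules, smoke, lint, typecheck, unit, e2e
  # (this file's implementation notes state that qa:fix is intentionally
  # excluded from qa:all; the job name below still lists "fix" and is left
  # unchanged because branch-protection checks may match on it)
  qa-all:
    name: QA Suite (fix + rules + smoke + lint + typecheck + unit + e2e)
    runs-on: ubuntu-latest
    # NOTE(review): at job level this secret is present in the environment of
    # every step, including the remote installer scripts and the dependency
    # installs. Only the "Authenticate with Encore Cloud" step reads it in this
    # file; if nothing invoked by `task qa:all` needs the variable, move this
    # `env` block onto that step. Confirm before changing.
    env:
      ENCORE_AUTH_KEY: ${{ secrets.ENCORE_AUTH_KEY }}
    steps:
      # NOTE(review): version tags on actions are mutable. Consider pinning
      # each `uses:` to a full commit SHA (e.g. actions/checkout@<full-commit-sha>).
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): the installer is downloaded and executed unpinned and
      # unverified. -f stops an HTTP error page from being executed as a
      # script; --proto/--tlsv1.2 refuse a non-HTTPS or legacy-TLS request.
      # Prefer a pinned release with checksum verification where possible.
      - name: Install go-task
        run: |
          sh -c "$(curl -fsSL --proto '=https' --tlsv1.2 https://taskfile.dev/install.sh)" -- -d -b /usr/local/bin
          task --version

      # NOTE(review): `latest` makes runs non-reproducible; consider pinning
      # an explicit bun version.
      - name: Setup bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # pipefail makes a failed download fail the step instead of letting
      # bash run on empty or partial input. The installer itself is unpinned
      # (see the note on the go-task step).
      - name: Install Encore CLI
        run: |
          set -eo pipefail
          curl -fsSL --proto '=https' --tlsv1.2 https://encore.dev/install.sh | bash
          echo "$HOME/.encore/bin" >> "$GITHUB_PATH"

      # Secrets are not passed to workflows triggered by pull requests from
      # forks, so this step exits 1 on such PRs. The key is passed as a
      # command-line argument; GitHub masks the secret's value in step logs.
      - name: Authenticate with Encore Cloud
        run: |
          if [ -z "$ENCORE_AUTH_KEY" ]; then
            echo "⚠️ WARNING: ENCORE_AUTH_KEY not set in GitHub Secrets"
            echo " Encore builds requiring secrets will fail"
            echo " To fix:"
            echo " 1. Go to https://app.encore.cloud/screengraph-ovzi"
            echo " 2. Navigate to: App Settings → Auth Keys"
            echo " 3. Create new auth key"
            echo " 4. Add as GitHub Secret named 'ENCORE_AUTH_KEY'"
            exit 1
          else
            echo "🔐 Authenticating with Encore Cloud..."
            encore auth login --auth-key "$ENCORE_AUTH_KEY"
            echo "✅ Encore authentication successful"
          fi

      # NOTE(review): package install scripts run here with the job-level
      # environment (including ENCORE_AUTH_KEY) visible to them.
      - name: Install Backend Dependencies
        run: cd backend && bun install

      - name: Install Frontend Dependencies
        run: cd frontend && bun install

      - name: Install Playwright Browser Binaries
        run: cd frontend && bunx playwright install --with-deps chromium

      # The server is started in the background; the step then polls the
      # health endpoint for up to 60 seconds and fails if it never answers.
      - name: Start Backend
        run: |
          cd backend
          encore run &
          echo "Waiting for backend to be ready..."
          timeout 60 bash -c 'until curl -sf http://localhost:4000/health > /dev/null; do sleep 2; done'

      # Same pattern as the backend: background dev server, 60-second poll.
      - name: Start Frontend
        run: |
          cd frontend
          bun run dev &
          echo "Waiting for frontend to be ready..."
          timeout 60 bash -c 'until curl -sf http://localhost:5173 > /dev/null; do sleep 2; done'

      - name: Run Complete QA Suite
        run: cd .cursor && task qa:all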
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Implementation Notes:
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# SIMPLICITY: Single job runs `task qa:all` - same as pre-push hook
# MIRRORS LOCAL: Exact same command developers run locally
# DRY: No duplication - all logic in .cursor/commands/qa/Taskfile.yml
#
# What `task qa:all` runs (VALIDATION ONLY - no code modification):
# 1. qa:rules - Validate founder rules (no console.log, no any, American spelling)
# 2. qa:smoke - Health checks (backend + frontend)
# 3. qa:lint - Linting (backend + frontend)
# 4. qa:typecheck - TypeScript validation (frontend)
# 5. qa:unit - Unit tests (backend only - encore test)
# 6. qa:e2e - E2E tests (frontend Playwright)
#
# Note: Auto-fix (qa:fix) is intentionally excluded from qa:all
# - Git hooks should validate, not modify uncommitted code
# - CI should validate, not modify code (anti-pattern)
# - Manual workflow: `task qa:all:fix` (fix → validate) before committing
#
# Dependencies:
# - go-task - Taskfile runner
# - bun - Package manager
# - Node.js - Automation scripts
# - Encore CLI - Backend runtime
#
# Environment:
# - Uses standard ports from .env (4000 backend, 5173 frontend)
# - In-memory database for tests
# - ENCORE_AUTH_KEY: GitHub Secret (app-specific auth key) for Encore Cloud authentication
#
# GitHub Secrets Setup:
# 1. Go to: https://app.encore.cloud/screengraph-ovzi → App Settings → Auth Keys
# 2. Create new auth key (NOT `encore auth token` - that's different!)
# 3. Go to: GitHub repo → Settings → Secrets and variables → Actions
# 4. Create new secret: ENCORE_AUTH_KEY
# 5. Paste the auth key from step 2
#
# Testing before activation:
# 1. Create feature branch
# 2. Rename to ci.yml
# 3. Push to trigger workflow
# 4. Verify qa:all passes
# 5. Merge to main
# Validation checklist when modifying:
# 1. Create feature branch
# 2. Push to trigger workflow
# 3. Confirm qa:all passes in GitHub Actions
# 4. Merge to main after review