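---
# CI workflow: TypeScript lint/test/build, Python lint/test across a version
# matrix, a gitleaks secret scan over the full git history, and an
# informational benchmark that runs only after the TypeScript job succeeds.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: every active job only needs to read the
# repository. No step uploads SARIF, so `security-events: write` is not
# granted workflow-wide (it would otherwise apply to every job, including the
# ones running third-party actions and npm lifecycle scripts); the disabled
# CodeQL job below carries its own job-level grant for when it is re-enabled.
permissions:
  contents: read

# NOTE(review): action references use floating major tags (@v4, @v5). Pinning
# each to a full commit SHA (with the tag in a trailing comment) makes the
# workflow resilient to a compromised or force-moved tag — confirm against the
# project's policy before changing.
jobs:
  ts:
    name: TypeScript (lint + test + build)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
      # `npm ci` installs exactly what package-lock.json records.
      - run: npm ci
      - run: npm run lint
      - run: npm test
      - run: npm run build

  py:
    name: Python (lint + test)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so '3.11' etc. stay strings instead of being read as floats.
        python-version: ['3.11', '3.12', '3.13']
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: python -m pip install --upgrade pip
      # Editable install with the project's "dev" extra (ruff, pytest, ...).
      - run: pip install -e ".[dev]"
      - run: ruff check src tests
      - run: pytest

  gitleaks:
    name: Secret scan
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so gitleaks scans every commit, not just HEAD.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # NOTE(review): the release tarball is fetched over HTTPS but its digest
      # is never verified. Record the expected sha256 of this exact release
      # asset and check it with `sha256sum -c` before extracting, so a
      # tampered or swapped asset cannot execute in CI with repository access.
      - name: Install gitleaks CLI
        run: |
          GL_VERSION=8.24.3
          curl -sSL -o /tmp/gitleaks.tar.gz \
            "https://github.com/zricethezav/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz"
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
      # --redact keeps matched secret values out of the job log;
      # --exit-code 1 fails the job when any finding is reported.
      - name: Scan full repository
        run: gitleaks detect --source . --redact --verbose --exit-code 1

  # CodeQL: disabled on a private repo without the GitHub Advanced Security
  # add-on. Re-enable when the repo becomes public or GHAS is purchased.
  # codeql:
  #   name: CodeQL
  #   runs-on: ubuntu-latest
  #   permissions: { security-events: write }
  #   steps:
  #     - uses: actions/checkout@v4
  #     - uses: github/codeql-action/init@v3
  #       with: { languages: javascript, python }
  #     - uses: github/codeql-action/analyze@v3

  bench:
    name: Benchmark (informational)
    runs-on: ubuntu-latest
    # Only worth running once the TypeScript build is known to be green.
    needs: ts
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
      - run: npm ci
      - run: npm run bench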