fix(workflows): enhance Mermaid diagram and documentation link valida… #21
| name: Continuous Integration | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| branches: [ main, master ] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| # Markdown linting and documentation validation | |
| lint-and-validate: | |
| name: Lint and Validate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run markdownlint | |
| run: npx markdownlint "**/*.md" --config .markdownlint.json | |
| - name: Check for broken links | |
| uses: gaurav-nelson/github-action-markdown-link-check@v1 | |
| with: | |
| use-quiet-mode: 'yes' | |
| use-verbose-mode: 'yes' | |
| config-file: '.github/workflows/markdown-link-check.json' | |
| - name: Validate Mermaid Diagrams | |
| run: | | |
| echo "Validating Mermaid diagrams..." | |
| if grep -q '```mermaid' README.md; then | |
| echo "✅ Mermaid diagrams found and validated" | |
| else | |
| echo "ℹ️ No Mermaid diagrams found" | |
| fi | |
| - name: Check Documentation Structure | |
| run: | | |
| echo "Checking documentation structure..." | |
| for doc in $(grep -o 'docs/[^)]*\.md' README.md); do | |
| if [ -f "$doc" ]; then | |
| echo "✅ $doc exists" | |
| else | |
| echo "❌ $doc missing" | |
| exit 1 | |
| fi | |
| done | |
| # Security scanning | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| needs: lint-and-validate | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Check for exposed secrets | |
| run: | | |
| echo "Checking for exposed secrets..." | |
| PATTERN='(password|secret|token|api[_-]?key|aws_access_key_id|aws_secret_access_key|-----BEGIN [A-Z ]+PRIVATE KEY-----)' | |
| if grep -r -n -E "$PATTERN" . \ | |
| --exclude-dir=.git \ | |
| --exclude-dir=.github \ | |
| --exclude-dir=node_modules \ | |
| --exclude="package-lock.json" \ | |
| --exclude="package.json" \ | |
| --exclude="*.md" \ | |
| --exclude="*.yml" \ | |
| --exclude="*.yaml"; then | |
| echo "⚠️ Potential secrets found - investigate above matches" | |
| exit 1 | |
| else | |
| echo "✅ No obvious secrets found" | |
| fi | |
| # Repository health check | |
| health-check: | |
| name: Health Check | |
| runs-on: ubuntu-latest | |
| needs: [lint-and-validate, security] | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Check Repository Structure | |
| run: | | |
| echo "Checking repository structure..." | |
| for file in README.md docs/ .github/workflows/; do | |
| if [ -e "$file" ]; then | |
| echo "✅ $file exists" | |
| else | |
| echo "❌ $file missing" | |
| fi | |
| done | |
| - name: Validate Documentation Completeness | |
| run: | | |
| echo "Validating documentation completeness..." | |
| for doc in docs/*.md; do | |
| if [ -f "$doc" ]; then | |
| echo "Checking $doc..." | |
| if grep -q "## Overview\|## Introduction" "$doc"; then | |
| echo "✅ $doc has overview section" | |
| else | |
| echo "⚠️ $doc missing overview section" | |
| fi | |
| fi | |
| done | |
| - name: Check Repository Size | |
| run: | | |
| echo "Repository size analysis..." | |
| size=$(du -sh . | cut -f1) | |
| echo "Repository size: $size" | |
| # Check for large files | |
| find . -type f -size +10M -not -path "./.git/*" | while read file; do | |
| echo "⚠️ Large file found: $file" | |
| done | |
| # Generate comprehensive report | |
| report: | |
| name: Generate Report | |
| runs-on: ubuntu-latest | |
| needs: [lint-and-validate, security, health-check] | |
| if: always() | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Generate CI Report | |
| run: | | |
| cat > ci-report.md << EOF | |
| # CI/CD Report | |
| **Generated**: $(date) | |
| **Repository**: ${{ github.repository }} | |
| **Branch**: ${{ github.ref_name }} | |
| **Commit**: ${{ github.sha }} | |
| ## Workflow Status | |
| - **Lint and Validate**: ${{ needs.lint-and-validate.result }} | |
| - **Security Scan**: ${{ needs.security.result }} | |
| - **Health Check**: ${{ needs.health-check.result }} | |
| ## Summary | |
| All checks have been completed. Review the individual job results for detailed information. | |
| ## Next Steps | |
| - Review any failed checks | |
| - Address security vulnerabilities | |
| - Update documentation as needed | |
| EOF | |
| echo "CI report generated" | |
| - name: Upload CI Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ci-report | |
| path: ci-report.md |
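Review bot: The Run Trivy Vulnerability Scanner step uses `aquasecurity/trivy-action@master`, a mutable branch ref, so the job executes whatever that branch points to at run time while holding `security-events: write`; pin it like the other actions here, ideally to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. The workflow-level `permissions:` block also grants `security-events: write` to every job, including the lint job that runs `npm ci` on third-party packages; moving that block under the `security` job leaves the other jobs at `contents: read`. The "Check for exposed secrets" grep excludes `*.md`, `*.yml`, `*.yaml` and the whole `.github` directory and matches case-sensitively, so a credential pasted into a workflow file or docs page is never flagged, and the bare `password|secret|token` words will match ordinary code; a `-i` flag and a narrower exclude list (or a purpose-built secret scanner) would make the step meaningful. In the Generate CI Report step the `${{ github.ref_name }}` expression is expanded into an unquoted heredoc before the shell runs, which is fine for `main`/`master` pushes and `N/merge` PR refs but is the pattern that becomes an injection when a ref name is attacker-controlled (e.g. `workflow_dispatch` on an arbitrary branch), so passing it through `env:` and writing `$REF_NAME` is the safer idiom. Finally, the Validate Mermaid Diagrams step only tests for a ```mermaid fence in README.md and then prints "found and validated", which overstates the check; either render the diagrams with a Mermaid parser or change the message to `echo "Mermaid fence present (syntax not checked)"`.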