You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
229 lines
8.1 KiB
YAML
229 lines
8.1 KiB
YAML
version: '3'
|
|
|
|
tasks:
|
|
security-scan:
|
|
desc: Run full CI quality and security checks
|
|
cmds:
|
|
- task: prepare-reports
|
|
- task: backend-lint
|
|
- task: frontend-lint
|
|
- task: unit-tests
|
|
- task: integration-tests
|
|
- task: enforce-backend-coverage
|
|
- task: docker-build-validate
|
|
- task: k6-smoke
|
|
- task: gosec-scan
|
|
- task: trivy-fs-scan
|
|
- task: trivy-image-scan
|
|
|
|
prepare-reports:
|
|
internal: true
|
|
cmds:
|
|
- mkdir -p reports/security reports/tests reports/tests/coverage reports/docker reports/perf
|
|
|
|
backend-lint:
|
|
cmds:
|
|
- |
|
|
set -eu
|
|
for module in \
|
|
services/admin-service \
|
|
services/game-session-service \
|
|
services/gateway-service \
|
|
services/leaderboard-service \
|
|
services/question-bank-service \
|
|
services/user-service \
|
|
shared
|
|
do
|
|
(cd "backend/${module}" && golangci-lint run ./...)
|
|
done
|
|
|
|
frontend-lint:
|
|
cmds:
|
|
- cd frontend && yarn lint
|
|
- cd frontend && yarn format:check
|
|
|
|
unit-tests:
|
|
cmds:
|
|
- |
|
|
bash -o pipefail -c '
|
|
set -eu
|
|
mkdir -p reports/tests reports/tests/coverage
|
|
: > reports/tests/backend-unit.log
|
|
ROOT="$(pwd)"
|
|
mkdir -p "${ROOT}/.cache/go-build"
|
|
for module in \
|
|
services/admin-service \
|
|
services/game-session-service \
|
|
services/gateway-service \
|
|
services/leaderboard-service \
|
|
services/question-bank-service \
|
|
services/user-service \
|
|
shared
|
|
do
|
|
profile="${ROOT}/reports/tests/coverage/${module//\//-}-unit.out"
|
|
(
|
|
cd "backend/${module}"
|
|
pkgs="$(GOCACHE="${ROOT}/.cache/go-build" go list ./...)"
|
|
pkgs="$(echo "${pkgs}" | grep -v '/tests$' || true)"
|
|
if [ -z "${pkgs}" ]; then
|
|
echo "No unit-test packages for backend/${module}"
|
|
exit 0
|
|
fi
|
|
GOCACHE="${ROOT}/.cache/go-build" go test -v -race -covermode=atomic -coverpkg=./... -coverprofile="${profile}" ${pkgs}
|
|
) | tee -a "${ROOT}/reports/tests/backend-unit.log"
|
|
done
|
|
'
|
|
- bash -o pipefail -c 'cd frontend && CI=1 yarn test | tee ../reports/tests/frontend-unit.log'
|
|
|
|
integration-tests:
|
|
cmds:
|
|
- |
|
|
bash -o pipefail -c '
|
|
set -eu
|
|
mkdir -p reports/tests reports/tests/coverage
|
|
: > reports/tests/backend-integration.log
|
|
ROOT="$(pwd)"
|
|
mkdir -p "${ROOT}/.cache/go-build"
|
|
for module in \
|
|
services/admin-service \
|
|
services/game-session-service \
|
|
services/gateway-service \
|
|
services/leaderboard-service \
|
|
services/question-bank-service \
|
|
services/user-service
|
|
do
|
|
if [ ! -d "backend/${module}/tests" ]; then
|
|
continue
|
|
fi
|
|
profile="${ROOT}/reports/tests/coverage/${module//\//-}-integration.out"
|
|
(
|
|
cd "backend/${module}"
|
|
GOCACHE="${ROOT}/.cache/go-build" go test -v -covermode=atomic -coverpkg=./... -coverprofile="${profile}" ./tests/...
|
|
) | tee -a "${ROOT}/reports/tests/backend-integration.log"
|
|
done
|
|
'
|
|
|
|
enforce-backend-coverage:
|
|
desc: Aggregate backend coverage and fail if below threshold
|
|
cmds:
|
|
- |
|
|
bash -o pipefail -c '
|
|
set -eu
|
|
mkdir -p reports/tests reports/tests/coverage
|
|
COVERAGE_DIR="reports/tests/coverage"
|
|
COMBINED="${COVERAGE_DIR}/backend-combined.out"
|
|
SUMMARY="reports/tests/backend-coverage-summary.txt"
|
|
THRESHOLD="${BACKEND_COVERAGE_THRESHOLD:-80}"
|
|
|
|
rm -f "${COMBINED}"
|
|
echo "mode: atomic" > "${COMBINED}"
|
|
|
|
found=0
|
|
for profile in "${COVERAGE_DIR}"/*.out; do
|
|
[ -f "${profile}" ] || continue
|
|
tail -n +2 "${profile}" >> "${COMBINED}"
|
|
found=1
|
|
done
|
|
|
|
if [ "${found}" -eq 0 ]; then
|
|
echo "No backend coverage profiles were generated." | tee "${SUMMARY}"
|
|
exit 1
|
|
fi
|
|
|
|
total_stats="$(awk "
|
|
NR > 1 {
|
|
total += \$2
|
|
if (\$3 > 0) {
|
|
covered += \$2
|
|
}
|
|
}
|
|
END {
|
|
if (total == 0) {
|
|
printf \"0.00 0 0\"
|
|
} else {
|
|
printf \"%.2f %d %d\", (covered/total)*100, covered, total
|
|
}
|
|
}
|
|
" "${COMBINED}")"
|
|
total_pct="$(echo "${total_stats}" | awk "{print \$1}")"
|
|
covered_stmt="$(echo "${total_stats}" | awk "{print \$2}")"
|
|
total_stmt="$(echo "${total_stats}" | awk "{print \$3}")"
|
|
|
|
{
|
|
echo "Backend total coverage: ${total_pct}%"
|
|
echo "Covered statements: ${covered_stmt}/${total_stmt}"
|
|
echo "Coverage threshold: ${THRESHOLD}%"
|
|
} | tee "${SUMMARY}"
|
|
|
|
awk -v coverage="${total_pct}" -v threshold="${THRESHOLD}" "BEGIN { exit((coverage+0) < (threshold+0)) }"
|
|
'
|
|
|
|
docker-build-validate:
|
|
cmds:
|
|
- bash -o pipefail -c 'set -eu; for service in gateway game-session question-bank user leaderboard admin; do docker build -f "infrastructure/services/${service}.Dockerfile" -t "knowfoolery/${service}:ci" . | tee "reports/docker/${service}-build.log"; done'
|
|
|
|
k6-smoke:
|
|
desc: Run k6 smoke profile for critical gateway paths
|
|
cmds:
|
|
- |
|
|
bash -o pipefail -c '
|
|
set -eu
|
|
mkdir -p reports/perf
|
|
if ! command -v k6 >/dev/null 2>&1; then
|
|
echo "k6 is not installed; skipping smoke load tests."
|
|
exit 0
|
|
fi
|
|
if [ -z "${K6_BASE_URL:-}" ]; then
|
|
echo "K6_BASE_URL is not set; skipping k6 smoke load tests."
|
|
exit 0
|
|
fi
|
|
k6 run \
|
|
--quiet \
|
|
--env K6_PROFILE=smoke \
|
|
--env K6_BASE_URL="${K6_BASE_URL}" \
|
|
--env K6_AUTH_TOKEN="${K6_AUTH_TOKEN:-}" \
|
|
--out json=reports/perf/k6-smoke.json \
|
|
tests/load/k6/gateway-critical.js | tee reports/perf/k6-smoke.log
|
|
'
|
|
|
|
k6-load:
|
|
desc: Run k6 local load profile for critical gateway paths
|
|
cmds:
|
|
- |
|
|
bash -o pipefail -c '
|
|
set -eu
|
|
mkdir -p reports/perf
|
|
: "${K6_BASE_URL:?K6_BASE_URL is required}"
|
|
if ! command -v k6 >/dev/null 2>&1; then
|
|
echo "k6 is not installed."
|
|
exit 1
|
|
fi
|
|
k6 run \
|
|
--env K6_PROFILE=load \
|
|
--env K6_BASE_URL="${K6_BASE_URL}" \
|
|
--env K6_AUTH_TOKEN="${K6_AUTH_TOKEN:-}" \
|
|
--out json=reports/perf/k6-load.json \
|
|
tests/load/k6/gateway-critical.js | tee reports/perf/k6-load.log
|
|
'
|
|
|
|
gosec-scan:
|
|
cmds:
|
|
- bash -o pipefail -c 'set -eu; mkdir -p reports/security; set +e; gosec -fmt sarif -out reports/security/gosec.sarif ./backend/services/admin-service/... ./backend/services/game-session-service/... ./backend/services/gateway-service/... ./backend/services/leaderboard-service/... ./backend/services/question-bank-service/... ./backend/services/user-service/... ./backend/shared/... 2>&1 | tee reports/security/gosec.log; status=${PIPESTATUS[0]}; set -e; if grep -q "Panic when running SSA analyzer" reports/security/gosec.log || grep -q "file requires newer Go version" reports/security/gosec.log; then echo "gosec runtime/toolchain panic detected; treating as non-blocking tool failure."; exit 0; fi; exit "${status}"'
|
|
|
|
trivy-fs-scan:
|
|
cmds:
|
|
- trivy fs --format json --output reports/security/trivy-fs.json --severity HIGH,CRITICAL --exit-code 1 .
|
|
|
|
trivy-image-scan:
|
|
cmds:
|
|
- |
|
|
set -eu
|
|
for service in gateway game-session question-bank user leaderboard admin; do
|
|
trivy image \
|
|
--format json \
|
|
--output "reports/security/trivy-image-${service}.json" \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 1 \
|
|
"knowfoolery/${service}:ci"
|
|
done
|