agentic-dev/.github/workflows/ci.yml

# CI workflow — runs on every push to main and every pull request.
#
# TURBO_TOKEN / TURBO_TEAM: set these in your repository secrets/variables
# to enable Turborepo remote caching. Without them the workflow still works,
# just without the remote-cache speedup.
#
# PAYLOAD_SECRET: the value used here is a throwaway test secret. Do NOT
# reuse it in production. Set a real secret for your deployed environments.

name: CI

on:
  push:
    branches: [main]
  pull_request:

env:
  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
  TURBO_TEAM: ${{ vars.TURBO_TEAM }}
  CI: true

jobs:
  validate:
    name: typecheck + lint + boundaries + test + build
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
          POSTGRES_DB: cms_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so coverage:diff can resolve `origin/<base-ref>...HEAD`
          # against the PR's base branch (ADR-020 L1).
          fetch-depth: 0
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Audit package signatures
        run: pnpm audit signatures --audit-level=high
      - name: Socket supply-chain scan
        if: github.event_name == 'pull_request'
        run: |
          if git diff --name-only origin/${{ github.base_ref }}...HEAD \
              | grep -qE '(^|/)package\.json$|(^|/)pnpm-lock\.yaml$'; then
            npx --yes socket-cli@latest scan .
          else
            echo "No package.json or pnpm-lock.yaml changes — skipping Socket scan."
          fi
      - run: pnpm typecheck
      - run: pnpm lint
      - run: pnpm conformance
      - name: Fallow whole-codebase analysis
        run: pnpm fallow --format annotations
      - run: pnpm turbo boundaries
      - name: Test with coverage
        env:
          DATABASE_URL: postgres://postgres:postgres@localhost:5432/cms_test
          PAYLOAD_SECRET: test-secret-do-not-use-in-prod
        run: pnpm test -- --coverage
      # L2 — merge per-package lcovs to coverage/lcov.info + emit
      # coverage/summary.json (ADR-020). Runs even on test failure so the
      # artifact still captures what was produced.
      - name: Coverage — aggregate (L2)
        if: always()
        run: pnpm coverage:aggregate
      # L1 — cover-the-diff gate. Only meaningful on PRs (push-to-main has
      # no base ref to diff against). Compares against the PR's base branch.
      - name: Coverage — diff (L1)
        if: github.event_name == 'pull_request'
        run: pnpm coverage:diff -- --base origin/${{ github.base_ref }}
      - run: pnpm build
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: coverage
          path: |
            coverage/lcov.info
            coverage/summary.json
            **/coverage/lcov.info
          retention-days: 7

  e2e:
    name: Playwright e2e
    needs: validate
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_USER: postgres
          POSTGRES_DB: cms_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm exec playwright install --with-deps chromium
      - name: Run e2e
        env:
          DATABASE_URL: postgres://postgres:postgres@localhost:5432/cms_test
          PAYLOAD_SECRET: test-secret-do-not-use-in-prod
        run: pnpm test:e2e

  storybook:
    name: Storybook smoke tests + visual regression
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm exec playwright install --with-deps chromium
      - name: Build Storybook
        run: pnpm --filter @repo/storybook build:storybook
      - run: pnpm test:stories
      - name: Install Playwright browsers
        run: pnpm exec playwright install chromium --with-deps
      - name: Visual regression
        run: pnpm test:visual