Add comprehensive CI/CD workflows for Forgejo Actions

- ci.yml: Complete CI pipeline with lint, type-check, tests, build, security, and i18n validation - code-quality.yml: Advanced code analysis including complexity, TODO tracking, and import analysis - dependency-review.yml: Automated dependency update review with security checks - pr-labeler.yml: Intelligent PR labeling based on files and content - release.yml: Automated release process with changelog generation - Documentation and best practices guide Features: - Multi-node testing (Node 18, 20) - Security scanning for hardcoded secrets - Bundle size impact analysis - Translation key validation - Complexity analysis and code quality metrics 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-07 19:50:57 -04:00 · 2025-07-07 19:50:57 -04:00 · b913475932
commit b913475932
parent 5151e87824
6 changed files with 750 additions and 0 deletions
--- a/.forgejo/workflows/dependency-review.yml
+++ b/.forgejo/workflows/dependency-review.yml
@ -0,0 +1,112 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'package-lock.json'
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          
+      - name: Check for major version changes
+        run: |
+          echo "Checking for major dependency updates..."
+          git fetch origin main
+          
+          # Get the package.json from main branch
+          git show origin/main:package.json > package-main.json
+          
+          # Compare dependencies
+          node -e "
+          const fs = require('fs');
+          const mainPkg = JSON.parse(fs.readFileSync('package-main.json', 'utf8'));
+          const currentPkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+          
+          function compareDeps(mainDeps = {}, currentDeps = {}, type) {
+            console.log(\`\\nChecking \${type}:\`);
+            let hasChanges = false;
+            
+            for (const [pkg, currentVer] of Object.entries(currentDeps)) {
+              const mainVer = mainDeps[pkg];
+              if (!mainVer) {
+                console.log(\`  ✅ Added: \${pkg}@\${currentVer}\`);
+                hasChanges = true;
+              } else if (mainVer !== currentVer) {
+                const mainMajor = mainVer.match(/\\d+/)?.[0];
+                const currentMajor = currentVer.match(/\\d+/)?.[0];
+                
+                if (mainMajor && currentMajor && mainMajor !== currentMajor) {
+                  console.log(\`  ⚠️  Major update: \${pkg} \${mainVer} → \${currentVer}\`);
+                } else {
+                  console.log(\`  📦 Updated: \${pkg} \${mainVer} → \${currentVer}\`);
+                }
+                hasChanges = true;
+              }
+            }
+            
+            for (const [pkg, mainVer] of Object.entries(mainDeps)) {
+              if (!currentDeps[pkg]) {
+                console.log(\`  ❌ Removed: \${pkg}@\${mainVer}\`);
+                hasChanges = true;
+              }
+            }
+            
+            if (!hasChanges) {
+              console.log(\`  No changes\`);
+            }
+          }
+          
+          compareDeps(mainPkg.dependencies, currentPkg.dependencies, 'dependencies');
+          compareDeps(mainPkg.devDependencies, currentPkg.devDependencies, 'devDependencies');
+          "
+          
+      - name: Check for security advisories
+        run: |
+          npm audit --json > audit.json || true
+          node -e "
+          const audit = JSON.parse(require('fs').readFileSync('audit.json', 'utf8'));
+          const vulns = audit.metadata?.vulnerabilities || {};
+          
+          console.log('\\nSecurity Audit Summary:');
+          console.log('  Critical:', vulns.critical || 0);
+          console.log('  High:', vulns.high || 0);
+          console.log('  Moderate:', vulns.moderate || 0);
+          console.log('  Low:', vulns.low || 0);
+          
+          if (vulns.critical > 0 || vulns.high > 0) {
+            console.error('\\n❌ Found critical or high severity vulnerabilities!');
+            process.exit(1);
+          }
+          "
+          
+      - name: Check bundle size impact
+        run: |
+          echo "Analyzing bundle size impact..."
+          
+          # Install dependencies from main
+          git show origin/main:package-lock.json > package-lock-main.json
+          npm ci --package-lock-only --package-lock=package-lock-main.json
+          npm run build:frontend || true
+          du -sh public/dist > size-main.txt
+          
+          # Install current dependencies
+          npm ci
+          npm run build:frontend
+          du -sh public/dist > size-current.txt
+          
+          echo "Bundle size comparison:"
+          echo "Main branch: $(cat size-main.txt)"
+          echo "This branch: $(cat size-current.txt)"