refactor: extract shared hook lib + fix 13 design issues #274
| name: vibeguard-ci | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| validate-and-test: | |
| name: CI (${{ matrix.os }}) | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 20 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| steps: | |
| # Must run before checkout so Windows does not convert LF→CRLF in .sh files | |
| - name: Configure Git line endings (Windows) | |
| if: runner.os == 'Windows' | |
| run: git config --global core.autocrlf false | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure Git identity (for tests that create commits) | |
| run: | | |
| git config --global user.name "CI" | |
| git config --global user.email "ci@vibeguard.test" | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install bash 4+ (macOS) | |
| if: runner.os == 'macOS' | |
| shell: bash | |
| run: | | |
| brew install bash | |
| echo "Bash: $(bash --version | head -1)" | |
| - name: Install ast-grep | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: | | |
| if command -v ast-grep >/dev/null 2>&1; then | |
| echo "ast-grep already installed: $(ast-grep --version)" | |
| exit 0 | |
| fi | |
| if [[ "$(uname -s)" == "Darwin" ]]; then | |
| brew install ast-grep | |
| else | |
| # Linux: compile from source (Rust is pre-installed on GitHub Actions) | |
| cargo install ast-grep --locked | |
| fi | |
| echo "Installed: $(ast-grep --version)" | |
| # --- Shell-based validation --- | |
| # Skipped on Windows: these scripts check Unix file-permission bits ([ -x ]) | |
| # which have no meaning on NTFS and would produce false-positive passes. | |
| - name: Validate guard scripts | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/ci/validate-guards.sh | |
| - name: Validate hook scripts | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/ci/validate-hooks.sh | |
| - name: Validate rule files | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/ci/validate-rules.sh | |
| # --- Cross-platform contract validation (Python-embedded shell scripts) --- | |
| # Uses Git Bash on Windows; Python 3 is available from setup-python above. | |
| - name: Validate doc paths | |
| shell: bash | |
| run: bash scripts/ci/validate-doc-paths.sh | |
| - name: Validate doc command paths | |
| shell: bash | |
| run: bash scripts/ci/validate-doc-command-paths.sh | |
| - name: Validate doc freshness | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/verify/doc-freshness-check.sh --strict | |
| # Install pnpm and uv so that the hook rewrite tests (npm→pnpm, | |
| # pip→uv) exercise the tool-availability guard added in pre-bash-guard.sh. | |
| - name: Install pnpm and uv (hook rewrite tests) | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: | | |
| npm install -g pnpm | |
| curl -LsSf https://astral.sh/uv/install.sh | sh | |
| echo "$HOME/.local/bin" >> "$GITHUB_PATH" | |
| # --- Regression tests --- | |
| # Skipped on Windows: the test harness uses Unix path assumptions, | |
| # mktemp patterns, and hook scripts that rely on native bash behaviour. | |
| - name: Hook regression tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/test_hooks.sh | |
| - name: Rust guard regression tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/test_rust_guards.sh | |
| - name: Setup regression tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/test_setup.sh | |
| - name: Hook health regression tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/test_hook_health.sh | |
| - name: Guard unit tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/unit/run_all.sh | |
| - name: Hook precision tests | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/run_precision.sh --all --csv | |
| - name: Hook performance static analysis | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/ci/validate-hook-perf.sh | |
| - name: Hook latency benchmark | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash tests/bench_hook_latency.sh --sla=500 --runs=3 | |
| - name: Store benchmark results | |
| if: runner.os == 'Linux' | |
| uses: benchmark-action/github-action-benchmark@v1 | |
| with: | |
| name: Hook Latency (P95) | |
| tool: customSmallerIsBetter | |
| output-file-path: bench-output.json | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| auto-push: ${{ github.ref == 'refs/heads/main' }} | |
| alert-threshold: "150%" | |
| comment-on-alert: true | |
| fail-on-alert: false | |
| comment-always: ${{ github.event_name == 'pull_request' }} | |
| - name: VibeGuard Benchmark (fast) | |
| if: runner.os != 'Windows' | |
| shell: bash | |
| run: bash scripts/benchmark.sh --mode=fast |
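Review bot: The workflow-level `permissions` block grants `contents: write` and `pull-requests: write` to every step in all three matrix legs, although only the Linux-only "Store benchmark results" step appears to use them (`auto-push` on main, comments on pull requests). On pushes and same-repository pull requests, that write-capable token sits alongside code fetched at run time with no pin: `curl -LsSf https://astral.sh/uv/install.sh | sh` has no version or checksum, `cargo install ast-grep --locked` has no `--version`, and the actions are referenced by mutable tags such as `benchmark-action/github-action-benchmark@v1`. `actions/checkout` also leaves the token in the local git config by default, so the test and benchmark scripts can reach it. I would reduce the top level to `permissions: { contents: read }`, move benchmark publishing into its own job that declares the two write scopes, and add `persist-credentials: false` under the checkout step of the test job. Pinning the third-party action to a full commit SHA and the installers to fixed versions would narrow the exposure further.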