linux_patch_manager/.github/workflows/ci.yml

name: CI

on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
    branches: [master]

env:
  CARGO_TERM_COLOR: always

permissions:
  contents: write

jobs:
  rust-format:
    name: Rust Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - uses: Swatinem/rust-cache@v2
      - run: cargo fmt --check --all

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev
      - run: cargo clippy --all-targets --all-features

  rust-test:
    name: Rust Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev
      - run: cargo test --workspace --all-features --lib --bins --tests

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit && cargo audit

  gitleaks:
    name: Secret scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  frontend-lint:
    name: Frontend Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install & Lint
        run: cd frontend && npm ci && npx eslint src/ --ext .ts,.tsx --max-warnings 0 && npx tsc --noEmit

  build-and-release:
    name: Build & Release
    needs: [rust-format, clippy, rust-test, security-audit, frontend-lint]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Free disk space
        run: |
          sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc
          df -h
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev dpkg-dev
      - name: Build Rust release
        run: cargo build --release
      - name: Strip binaries
        run: strip target/release/pm-web target/release/pm-worker
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Build frontend
        run: cd frontend && npm ci && npm run build
      - name: Build .deb package
        run: chmod +x scripts/build-package.sh && scripts/build-package.sh
      - name: Generate release notes
        if: startsWith(github.ref, 'refs/tags/v')
        id: release_notes
        run: |
          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
          if [ -n "$PREV_TAG" ]; then
            NOTES=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
          else
            NOTES=$(git log --pretty=format:"- %s (%h)" --no-merges)
          fi
          echo "notes<<EOF" >> $GITHUB_OUTPUT
          echo "$NOTES" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT
      - name: Upload to GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@v2
        with:
          body: ${{ steps.release_notes.outputs.notes }}
          files: linux-patch-manager_*.deb