
OIDC server-side token refresh #27


Workflow file for this run

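# CI checks to run when PR is opened
#
# Security notes for maintainers:
# - The trigger is `pull_request` (not `pull_request_target`), so runs for
#   pull requests from forks get a read-only token and no repository secrets.
# - The workflow-level token is limited to `contents: read`; jobs that need
#   more must request it explicitly.
# - Actions below are referenced by tag. A tag can be moved by the action's
#   owner; pinning each `uses:` to a full commit SHA (keeping the tag as a
#   trailing comment) makes the reference immutable.
# - Every checkout sets `persist-credentials: false` so the job token is not
#   left configured for later git commands. The later steps in these jobs run
#   code taken from the pull request (install scripts, linters, tests, Docker
#   build), and none of them pushes or fetches again.
name: 🚦 PR Check

on:
  pull_request:
    branches: ['master', 'develop']

permissions:
  contents: read

# A newer push to the same ref cancels the run still in progress for that ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Computes which path groups the PR touches; the outputs gate the jobs below.
  changes:
    name: 🔎 Detect Changes
    runs-on: ubuntu-latest
    # NOTE(review): dorny/paths-filter reads the changed-file list through the
    # API on pull_request events; confirm whether this job also needs
    # `pull-requests: read` for the repository's visibility.
    outputs:
      lockfile: ${{ steps.filter.outputs.lockfile }}
      workflows: ${{ steps.filter.outputs.workflows }}
      locales: ${{ steps.filter.outputs.locales }}
      translations: ${{ steps.filter.outputs.translations }}
      src: ${{ steps.filter.outputs.src }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Filter Paths
        uses: dorny/paths-filter@v4
        id: filter
        with:
          filters: |
            lockfile:
              - 'yarn.lock'
            workflows:
              - '.github/workflows/**'
            locales:
              - 'src/assets/locales/**'
              - 'src/**/*.vue'
              - 'src/**/*.js'
              - 'tests/locales/**'
            translations:
              - 'src/assets/locales/**'
            src:
              - 'src/**'
              - 'package.json'
              - 'yarn.lock'
              - 'eslint.config.mjs'
              - 'tsconfig.json'

  lint:
    name: 🛡️ Lint
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.src == 'true'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: 'yarn'
      # --frozen-lockfile fails the install instead of rewriting yarn.lock,
      # so CI resolves exactly what the lockfile in the PR declares.
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Run ESLint
        run: yarn lint

  typecheck:
    name: 🦴 Typecheck
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.src == 'true'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: 'yarn'
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Run vue-tsc
        run: yarn typecheck

  # Runs on every PR; it is not gated on the path filter.
  test:
    name: 🧪 Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: 'yarn'
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Run Tests
        run: yarn test

  locales:
    name: 🌐 Locale Check
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.locales == 'true'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
      # NOTE(review): this job has no install step, so the validate-locales
      # script presumably needs no packages from node_modules; confirm.
      - name: Check Locales
        run: yarn validate-locales

  spellcheck:
    name: ✏️ Spellcheck
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.translations == 'true'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Spellcheck en.json
        uses: crate-ci/typos@v1
        with:
          files: src/assets/locales/en.json

  # Runs on every PR; it is not gated on the path filter.
  build:
    name: 🏗️ Build Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: 'yarn'
      - name: Install Dependencies
        run: yarn install --frozen-lockfile
      - name: Build Project
        run: yarn build
      # Fails the job when the build exits 0 but produced no usable output.
      - name: Verify Build Output
        run: |
          if [ ! -d "dist" ]; then
            echo "❌ Build failed: dist directory not created"
            exit 1
          fi
          if [ ! -f "dist/index.html" ]; then
            echo "❌ Build failed: index.html not found"
            exit 1
          fi
          echo "✅ Build successful"

  # continue-on-error makes this job advisory: a failing smoke test does not
  # fail the workflow run, so its result has to be read from the job itself.
  docker-smoke:
    name: 🐳 Docker Smoke Test
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Build & Test Docker Image
        run: sh tests/docker-smoke-test.sh
        timeout-minutes: 10

  # Only runs when yarn.lock changes, per the `lockfile` filter above.
  dependency-review:
    name: 🔒 Dependency Audit
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.lockfile == 'true'
    permissions:
      contents: read
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Review Dependencies
        uses: actions/dependency-review-action@v5
        with:
          fail-on-severity: moderate

  # Runs on every PR; it is not gated on the path filter.
  secret-scan:
    name: 🔑 Secret Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          # Full history so the commits between base and head are present
          # locally for the scan.
          fetch-depth: 0
          persist-credentials: false
      # --only-verified reports only credentials the scanner could confirm
      # as live; unverified matches in the diff are not reported by this job.
      - name: Scan PR Diff for Secrets
        uses: trufflesecurity/trufflehog@v3.95.3
        with:
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --only-verified

  # Only runs when files under .github/workflows/ change.
  workflow-audit:
    name: 🛠️ Workflow Audit
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.workflows == 'true'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Run Actionlint
        uses: raven-actions/actionlint@v2
        with:
          fail-on-error: true
      # advanced-security is off, so findings surface as run annotations
      # rather than being uploaded to code scanning.
      - name: Run Zizmor
        uses: zizmorcore/zizmor-action@v0.5.4
        with:
          inputs: .github/workflows/
          advanced-security: false
          annotations: true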