refactor: enhance CI/CD pipeline with improved change detection, caching, and security audits

Maxime-Cllt · Maxime-Cllt · commit d0133c504d48 · 2025-09-23T11:41:25.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ jobs:
       backend: ${{ steps.changes.outputs.backend }}
       frontend: ${{ steps.changes.outputs.frontend }}
       tauri: ${{ steps.changes.outputs.tauri }}
+      skip_ci: ${{ steps.changes.outputs.skip_ci }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -53,72 +54,181 @@ jobs:
               - 'src-tauri/tauri.conf.json'
               - 'src-tauri/capabilities/**'
               - 'src-tauri/icons/**'
-
-  # Backend Rust tests and checks
-  rust-backend:
-    name: Rust Backend
+            skip_ci:
+              - '**.md'
+              - '.gitignore'
+              - 'LICENSE'
+              - 'docs/**'
+
+  # Combined Full Stack Test and Build
+  full-stack-test-build:
+    name: Full Stack Test & Build
     runs-on: ${{ matrix.os }}
     needs: changes
-    if: needs.changes.outputs.backend == 'true' || needs.changes.outputs.tauri == 'true'
+    if: needs.changes.outputs.skip_ci == 'false' && (needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' || needs.changes.outputs.tauri == 'true')
 
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        os: [ macos-latest, windows-latest ]
 
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
 
+      # Setup all required tools
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
       - name: Install Rust Toolchain
         uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
           toolchain: stable
           components: rustfmt, clippy
           cache: true
 
-      - name: Install System Dependencies (Ubuntu)
-        if: matrix.os == 'ubuntu-latest'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y \
-            libwebkit2gtk-4.0-dev \
-            libwebkit2gtk-4.1-dev \
-            libappindicator3-dev \
-            librsvg2-dev \
-            patchelf \
-            libssl-dev \
-            pkg-config
-
-      - name: Install System Dependencies (macOS)
-        if: matrix.os == 'macos-latest'
+      # Enhanced caching strategy
+      - name: Get pnpm store directory
+        shell: bash
         run: |
-          # Most dependencies are already available on macOS runners
-          echo "macOS dependencies already installed"
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
-      - name: Cache Rust Dependencies
-        uses: Swatinem/rust-cache@v2
+      - name: Cache All Dependencies
+        uses: actions/cache@v4
         with:
-          workspaces: src-tauri
-          cache-on-failure: true
-          shared-key: ${{ matrix.os }}-rust-cache
+          path: |
+            ${{ env.STORE_PATH }}
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            src-tauri/target/
+            node_modules
+            dist/
+          key: ${{ runner.os }}-fullstack-${{ hashFiles('**/Cargo.lock', '**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-fullstack-
+            ${{ runner.os }}-
+
+      # Install all dependencies
+      - name: Install Frontend Dependencies
+        run: pnpm install --frozen-lockfile
+
+      # Backend tests and checks (if backend changed)
+      - name: Check Rust Formatting
+        if: needs.changes.outputs.backend == 'true'
+        run: |
+          cd src-tauri
+          cargo fmt --all -- --check
 
-      - name: Run Rust Tests
+      - name: Run Clippy
+        if: needs.changes.outputs.backend == 'true'
         run: |
           cd src-tauri
-          cargo test --verbose --all-features
+          cargo clippy --all-targets --all-features -- -D warnings
 
-      - name: Check Rust Build
+      - name: Run Rust Unit Tests
+        if: needs.changes.outputs.backend == 'true'
         run: |
           cd src-tauri
-          cargo check --release
+          cargo test --verbose --all-features --lib
+
+      # Frontend tests and checks (if frontend changed)
+      - name: Type Check Frontend
+        if: needs.changes.outputs.frontend == 'true'
+        run: pnpm run type-check
+        continue-on-error: false
+
+      - name: Lint Frontend
+        if: needs.changes.outputs.frontend == 'true'
+        run: pnpm run lint
+        continue-on-error: false
+
+      - name: Run Frontend Unit Tests
+        if: needs.changes.outputs.frontend == 'true'
+        run: pnpm test
+        env:
+          NODE_ENV: test
+
+      # Build frontend first (required for Tauri)
+      - name: Build Frontend
+        run: pnpm run build
+
+      # Start backend for integration tests (if needed)
+      - name: Start Backend for Integration Tests
+        if: needs.changes.outputs.frontend == 'true' && needs.changes.outputs.backend == 'true'
+        run: |
+          cd src-tauri
+          cargo build --release
+          # Start backend in background for frontend integration tests
+          cargo run --release &
+          echo $! > backend.pid
+          sleep 5  # Give backend time to start
+        continue-on-error: true
+
+      # Run frontend integration tests that depend on backend
+      - name: Run Frontend Integration Tests
+        if: needs.changes.outputs.frontend == 'true' && needs.changes.outputs.backend == 'true'
+        run: pnpm run test:integration
+        env:
+          NODE_ENV: test
+          BACKEND_URL: http://localhost:8080
+        continue-on-error: true
+
+      # Stop backend
+      - name: Stop Backend
+        if: needs.changes.outputs.frontend == 'true' && needs.changes.outputs.backend == 'true'
+        run: |
+          if [ -f backend.pid ]; then
+            kill $(cat backend.pid) || true
+            rm backend.pid
+          fi
+        continue-on-error: true
+
+      # Build Tauri application (includes both frontend and backend)
+      - name: Build Tauri Application
+        run: pnpm tauri build --verbose
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Run Tauri integration tests
+      - name: Run Tauri Integration Tests
+        run: |
+          cd src-tauri
+          cargo test --verbose --all-features --test integration
+        continue-on-error: true
+
+      # Upload build artifacts
+      - name: Upload Tauri Bundles
+        uses: actions/upload-artifact@v4
+        with:
+          name: tauri-bundles-${{ matrix.os }}
+          path: |
+            src-tauri/target/release/bundle/
+          retention-days: 7
+
+      - name: Upload Frontend Build
+        if: matrix.os == 'macos-latest'  # Only upload once
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-dist
+          path: dist/
+          retention-days: 3
 
-  # Frontend tests and checks
-  frontend:
-    name: Frontend
+  # Quick validation job for PRs (runs on Ubuntu for speed)
+  quick-validation:
+    name: Quick Validation
     runs-on: ubuntu-latest
     needs: changes
-    if: needs.changes.outputs.frontend == 'true' || needs.changes.outputs.tauri == 'true'
+    if: github.event_name == 'pull_request' && needs.changes.outputs.skip_ci == 'false'
 
     steps:
       - name: Checkout Repository
@@ -135,48 +245,36 @@ jobs:
           node-version: '20'
           cache: 'pnpm'
 
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Cache pnpm dependencies
-        uses: actions/cache@v4
+      - name: Install Rust Toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          toolchain: stable
+          components: rustfmt, clippy
 
       - name: Install Dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Run Frontend Tests
-        run: pnpm test
-        env:
-          NODE_ENV: test
-
-      - name: Build Frontend
-        run: pnpm run build
-
-      - name: Upload Build Artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: frontend-dist
-          path: dist/
-          retention-days: 1
+      # Quick checks only
+      - name: Quick Rust Check
+        if: needs.changes.outputs.backend == 'true'
+        run: |
+          cd src-tauri
+          cargo check --all-targets
+          cargo fmt --all -- --check
 
-  # Integration tests with Tauri
-  tauri-test-build:
-    name: Tauri Build Development
-    runs-on: ${{ matrix.os }}
-    needs: [ changes, frontend ]
-    if: needs.changes.outputs.tauri == 'true' || (needs.changes.outputs.backend == 'true' && needs.changes.outputs.frontend == 'true')
+      - name: Quick Frontend Check
+        if: needs.changes.outputs.frontend == 'true'
+        run: |
+          pnpm run type-check
+          pnpm run build
 
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
+  # Security audit (optional, runs separately to not block main flow)
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true'
+    continue-on-error: true  # Don't fail CI on audit issues
 
     steps:
       - name: Checkout Repository
@@ -195,41 +293,40 @@ jobs:
 
       - name: Install Rust Toolchain
         uses: actions-rust-lang/setup-rust-toolchain@v1
-        with:
-          toolchain: stable
-          cache: true
 
-      - name: Install System Dependencies (Ubuntu)
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Frontend Security Audit
+        if: needs.changes.outputs.frontend == 'true'
         run: |
-          sudo apt-get update
-          sudo apt-get install -y \
-            libwebkit2gtk-4.0-dev \
-            libwebkit2gtk-4.1-dev \
-            libappindicator3-dev \
-            librsvg2-dev \
-            patchelf \
-            libssl-dev \
-            pkg-config
-
-      - name: Cache Dependencies
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            src-tauri/target/
-            node_modules
-          key: ${{ runner.os }}-tauri-${{ hashFiles('**/Cargo.lock', '**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-tauri-
+          pnpm install --frozen-lockfile
+          pnpm audit
+        continue-on-error: true
 
-      - name: Install Dependencies
-        run: pnpm install --frozen-lockfile
+      - name: Rust Security Audit
+        if: needs.changes.outputs.backend == 'true'
+        run: |
+          cd src-tauri
+          cargo audit
+        continue-on-error: true
 
-      - name: Build Tauri Application
-        run: pnpm tauri build --verbose
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # Final status check
+  ci-success:
+    name: CI Success
+    runs-on: ubuntu-latest
+    needs: [full-stack-test-build, quick-validation]
+    if: always() && needs.changes.outputs.skip_ci == 'false'
+
+    steps:
+      - name: Check CI Status
+        run: |
+          if [[ "${{ needs.full-stack-test-build.result }}" == "failure" ]]; then
+            echo "Full stack build failed"
+            exit 1
+          elif [[ "${{ needs.quick-validation.result }}" == "failure" ]]; then
+            echo "Quick validation failed"
+            exit 1
+          else
+            echo "CI OK"
+          fi
