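---
# Continuous integration for ctxweight: install, build and typecheck, then run
# the tool against its own context files and publish the findings as SARIF.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: the default GITHUB_TOKEN is narrowed to exactly what the
# steps below need.
permissions:
  contents: read
  security-events: write  # required to upload the SARIF to the Security tab
  # NOTE(review): for a private repository upload-sarif additionally needs
  # `actions: read`; not added here because the repo's visibility is not
  # known from this file.

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # tags (@v4, @v3). Pinning each to a full commit SHA, with the tag kept
      # in a trailing comment, is the usual supply-chain hardening; the tags
      # are left as-is here because a SHA cannot be verified from this file.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"  # quoted so a future "20.10" is not read as 20.1
          cache: npm
      - run: npm ci
      - run: npm run build
      - run: npm run typecheck

      # Dogfooding: ctxweight audits its own context files and writes SARIF.
      # continue-on-error keeps THIS step from failing the job — generating the
      # report and deciding pass/fail are intentionally separate (the CI-safe
      # pattern ctxweight implements: emit the report first, gate after). The real
      # pass/fail decision lives in the gate step below.
      - name: Context audit (self) — generate SARIF
        continue-on-error: true
        run: node dist/cli.js . --sarif > ctxweight.sarif

      # Real gate: break the build only if a secret ever lands in a context file.
      # On the current clean repo this exits 0.
      - name: Context audit gate — fail on leaked secrets
        run: >-
          node dist/cli.js . --fail-on
          secrets/private-key,secrets/aws-key,secrets/openai-key,secrets/generic-token

      # if: always() so the SARIF is uploaded even when the gate step above fails
      # — findings always reach the Security tab, mirroring ctxweight's design.
      # The hashFiles() guard skips the upload when the file was never written
      # (checkout, npm ci, build or typecheck failed, so the audit step never
      # ran); without it upload-sarif would error on a missing file and hide the
      # real cause of the red build. An empty or partial file left behind by a
      # crash of the audit step is not caught by this guard.
      # NOTE(review): on pull_request runs from forks the token is read-only,
      # so the upload is expected to fail there — confirm against the repo's
      # contribution model.
      - name: Upload SARIF
        if: always() && hashFiles('ctxweight.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ctxweight.sarif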