
qa: add tests, CI, lint cleanup, security scanning, and PR template#11

Open
paragon-review[bot] wants to merge 1 commit into main from qa/hardening-plan

Conversation

Contributor

@paragon-review paragon-review Bot commented Apr 1, 2026

Summary

This PR establishes comprehensive QA infrastructure for the portfolio project.
paragon-assisted

What Changed

1. Lint Cleanup

Removed 9 stale eslint-disable-next-line no-console directives from Home.tsx, Intouch.tsx, Palkia.tsx, and PillThought.tsx. bun run lint now reports 0 issues.

2. Automated Tests (Vitest)

  • Installed: vitest, @vitest/coverage-v8, @testing-library/react, @testing-library/jest-dom, jsdom
  • Configured Vitest in vite.config.ts with jsdom environment and v8 coverage
  • Added src/test-setup.ts for jest-dom matchers
  • App.test.tsx: 4 routing tests for all defined routes (/, /intouchcx, /pillthought, /palkia)
  • Home.test.tsx: 7 component tests — page heading, GitHub/LinkedIn social links, image rendering, and navigation callbacks for portfolio cards
  • All 11 tests pass

3. New npm Scripts

test           vitest run
test:watch     vitest (interactive)
test:coverage  vitest run --coverage
typecheck      tsc --noEmit

4. Dependency Update

Pinned vite to 6.4.1 to resolve:

  • GHSA-vg6x-rcgg (Vite server.fs.deny bypass)
  • GHSA-mg9h-v3g6-23kh (Vite server.fs.deny bypass via import query)
Audit findings reduced from 30 to 13. Remaining 13 are all transitive dev-only dependencies with no direct remediation path:

| Package | Severity | Advisory |
|---------|----------|----------|
| flatted <3.4.0 | High | GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh (via eslint) |
| rollup >=4.0.0 <4.59.0 | High | GHSA-mw96-cpmx-2vgc (via vite, dev-only) |
| picomatch <2.3.2 | High | GHSA-c2c7-rcm5-vvqj (via vite/vitest/tailwindcss, dev-only) |
| minimatch | High | GHSA-3ppc-4f35-3m26 (via eslint, dev-only) |
| glob | High | GHSA-7r86-cg39-jmmj (via eslint, dev-only) |
| esbuild <=0.24.2 | Moderate | GHSA-67mh-4wv8-2f99 (via vite, dev-only) |
| yaml <2.8.3 | Moderate | GHSA-48c2-rrv3-qjmp (via vite/tailwindcss, dev-only) |
| ajv <6.14.0 | Moderate | GHSA-v72f-d9hq-688g (via eslint, dev-only) |
| @babel/helpers <7.26.10 | Moderate | GHSA-968p-4wvh-cqc8 (via @vitejs/plugin-react, dev-only) |

All remaining issues are in the dev toolchain (not shipped in production bundles).

5. PR Template

Added .github/PULL_REQUEST_TEMPLATE.md with a QA checklist (lint, typecheck, test, build, audit).

6. CI Workflows (manual step required)

The GitHub App used by Paragon lacks the workflows permission, so workflow files could not be pushed directly. Copy these files manually to add CI:
.github/workflows/ci.yml — runs on push/PR to main:

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

defaults:
  run:
    working-directory: my-portfolio

jobs:
  quality:
    name: Lint, Typecheck, Test, Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Lint
        run: bun run lint

      - name: Typecheck
        run: bun run typecheck

      - name: Test
        run: bun run test

      - name: Build
        run: bun run build

.github/workflows/security.yml — runs on push/PR/weekly schedule:

name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run at 08:00 UTC every Monday
    - cron: '0 8 * * 1'

defaults:
  run:
    working-directory: my-portfolio

jobs:
  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Audit dependencies
        # Allow the step to report findings but not block on moderate/low
        # High/critical findings will surface in the output for triage
        run: bun audit || true

  sast:
    name: SAST (Semgrep)
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep (medium and above)
        run: >
          semgrep
          --config auto
          --severity ERROR
          --severity WARNING
          my-portfolio/src/
        working-directory: .

Semgrep SAST

semgrep --config auto my-portfolio/src/ --severity ERROR --severity WARNING
Result: 0 findings (clean baseline)

Verification

bun run lint      -- 0 warnings, 0 errors
bun run typecheck -- 0 errors
bun run test      -- 11/11 tests passed (2 test files)
bun run build     -- built in ~3s
semgrep           -- 0 findings
bun audit         -- 13 remaining (all transitive dev-only, documented above)

- Remove 9 stale eslint-disable-next-line comments from Home, Intouch,
  Palkia, PillThought; bun run lint now reports 0 issues
- Install Vitest, @testing-library/react, jsdom and configure via
  vite.config.ts (globals, jsdom environment, v8 coverage)
- Add src/test-setup.ts for jest-dom matchers
- Add App.test.tsx: 4 routing tests covering all defined routes
- Add Home.test.tsx: 7 component tests covering heading, social links,
  image rendering, and navigation callbacks
- Add test/typecheck/coverage scripts to package.json
- Pin vite to 6.4.1 to resolve GHSA-vg6x-rcgg and related CVEs;
  reduce audit findings from 30 to 13 (all remaining are transitive,
  see PR body for details)
- Add .github/PULL_REQUEST_TEMPLATE.md with QA checklist

Verification:
  bun run lint     -- 0 issues
  bun run typecheck -- 0 errors
  bun run test     -- 11/11 passed (2 test files)
  bun run build    -- success
  semgrep --config auto -- 0 findings

paragon-assisted
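The security workflow above runs the audit with `|| true`, so the job never fails and the dev-only/production triage in the PR body is done by hand. The following is an added example, not code from this PR or the portfolio project, of how that triage can be encoded as a CI gate in the project's own language: a high or critical advisory that reaches a production dependency fails the build, dev-only findings are reported as warnings, and accepted findings live in an allowlist with an expiry date so they are revisited. The report shape (vulnerabilities keyed by package name with `via`, `effects` and `isDirect`, as in npm-style audit JSON) is an assumption; check it against the actual JSON output of the audit tool you run. The sample report is constructed: the rollup and esbuild rows mirror the PR's table, while `placeholder-ui-kit`, `placeholder-markdown` and the `PLACEHOLDER-1` advisory URL are hypothetical names standing in for a production dependency chain.

```typescript
// Added example, not part of the PR: policy gate over a dependency-audit report.
// Report shape is ASSUMED to follow npm-style audit JSON; verify against your tool.

type Severity = "info" | "low" | "moderate" | "high" | "critical";

interface Advisory {
  name: string;      // vulnerable package
  severity: Severity;
  url: string;       // advisory URL; its last path segment is used as the id
}

interface Vulnerability {
  name: string;
  severity: Severity;
  isDirect: boolean;            // listed in package.json
  via: (string | Advisory)[];   // advisories, or packages that make this one vulnerable
  effects: string[];            // packages that depend on this one
}

interface AuditReport { vulnerabilities: Record<string, Vulnerability>; }

interface AllowlistEntry { id: string; reason: string; expires: string; } // expires: ISO date

interface Decision { fail: boolean; failures: string[]; warnings: string[]; allowlisted: string[]; }

const BLOCKING = new Set<Severity>(["high", "critical"]);

function advisoryId(url: string): string {
  const parts = url.split("/").filter((p) => p.length > 0);
  return parts[parts.length - 1] ?? url;
}

// Follow `effects` upward to the direct dependencies that pull this package in.
// Dev-only means every such root is a devDependency. A package with no route to
// a direct dependency, or one missing from the report, is treated as production
// (fail closed). The shared `seen` set memoises nodes already shown not to reach
// production; any node that did would have returned true already.
function reachesProduction(report: AuditReport, name: string,
                           devDeps: ReadonlySet<string>, seen: Set<string> = new Set()): boolean {
  if (seen.has(name)) return false;
  seen.add(name);
  const v = report.vulnerabilities[name];
  if (!v) return true;
  if (v.isDirect) return !devDeps.has(name);
  if (v.effects.length === 0) return true;
  return v.effects.some((parent) => reachesProduction(report, parent, devDeps, seen));
}

function evaluateAudit(report: AuditReport, devDeps: ReadonlySet<string>,
                       allowlist: AllowlistEntry[], today: Date): Decision {
  const d: Decision = { fail: false, failures: [], warnings: [], allowlisted: [] };
  const byId = new Map<string, AllowlistEntry>();
  for (const e of allowlist) byId.set(e.id, e);

  for (const v of Object.values(report.vulnerabilities)) {
    for (const entry of v.via) {
      if (typeof entry === "string") continue; // inherited: the advisory sits on the dependency
      const id = advisoryId(entry.url);
      const prod = reachesProduction(report, v.name, devDeps);
      const label = `${id} (${entry.severity}, ${v.name}, ${prod ? "production" : "dev-only"})`;
      const allow = byId.get(id);
      if (allow) {
        if (new Date(allow.expires).getTime() >= today.getTime()) {
          d.allowlisted.push(`${label}: ${allow.reason}`);
        } else {
          d.failures.push(`${label}: allowlist entry expired ${allow.expires}`); // forces re-triage
        }
        continue;
      }
      if (BLOCKING.has(entry.severity) && prod) d.failures.push(label);
      else d.warnings.push(label);
    }
  }
  d.fail = d.failures.length > 0;
  return d;
}

// Constructed sample report (see lead-in): rollup/esbuild mirror the PR's table;
// the "placeholder-*" packages and advisory are hypothetical.
const sampleReport: AuditReport = { vulnerabilities: {
  rollup: { name: "rollup", severity: "high", isDirect: false, effects: ["vite"],
    via: [{ name: "rollup", severity: "high", url: "https://github.com/advisories/GHSA-mw96-cpmx-2vgc" }] },
  esbuild: { name: "esbuild", severity: "moderate", isDirect: false, effects: ["vite"],
    via: [{ name: "esbuild", severity: "moderate", url: "https://github.com/advisories/GHSA-67mh-4wv8-2f99" }] },
  vite: { name: "vite", severity: "high", isDirect: true, effects: [], via: ["rollup", "esbuild"] },
  "placeholder-markdown": { name: "placeholder-markdown", severity: "critical", isDirect: false,
    effects: ["placeholder-ui-kit"],
    via: [{ name: "placeholder-markdown", severity: "critical", url: "https://example.invalid/advisories/PLACEHOLDER-1" }] },
  "placeholder-ui-kit": { name: "placeholder-ui-kit", severity: "critical", isDirect: true,
    effects: [], via: ["placeholder-markdown"] },
} };
const sampleDevDeps: ReadonlySet<string> = new Set(["vite", "vitest", "eslint", "tailwindcss", "@vitejs/plugin-react"]);
const sampleAllowlist: AllowlistEntry[] = [
  { id: "GHSA-mw96-cpmx-2vgc", reason: "dev-only; rollup runs at build time only", expires: "2026-07-01" },
];

// Returns fail=true: the critical placeholder advisory reaches a production dependency,
// esbuild is a dev-only warning, and the rollup advisory is allowlisted until 2026-07-01.
function runSample(): Decision {
  return evaluateAudit(sampleReport, sampleDevDeps, sampleAllowlist, new Date("2026-04-01"));
}
```

In a workflow this would replace `bun audit || true`: feed the audit tool's JSON output and the `devDependencies` keys from package.json to `evaluateAudit`, print `failures` and `warnings`, and exit non-zero when `fail` is set. Keeping the allowlist in the repository (with reason and expiry) gives the "documented above" table in the PR body a machine-checked home, and the fail-closed handling of packages with no route to a direct dependency avoids silently classifying an orphaned finding as dev-only.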

vercel Bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---------|------------|---------|---------------|
| portfolio | Ready | Preview, Comment | Apr 1, 2026 5:56pm |
| portfolio-dhgs | Ready | Preview, Comment | Apr 1, 2026 5:56pm |
