# Consumer-side TVU Design System audit (GitHub Actions template)
#
# ⚠️ THIS IS A TEMPLATE — copy to your consumer product repo's
# `.github/workflows/audit.yml` and adjust paths/secrets as needed.
#
# What this does:
#   - Runs `audit:consumer-code` on every PR + push to main
#   - Detects R1 / R2 / R16 violations (inline SVG, hex literals, mixed CN+EN strings)
#   - Fails the PR if violations are found
#
# What this does NOT do:
#   - `audit:consumer-mockup` is NOT run in CI (it requires FIGMA_PERSONAL_ACCESS_TOKEN
#     + a target fileKey — invoke manually before PR, or via a separate workflow_dispatch)
#
# Prerequisites in the consumer repo:
#   1. `tvu-design-system` is a dependency (npm install / pnpm add)
#   2. `package.json` exposes `audit:consumer-code` script (copy from
#      tvu-design-system/package.json or alias to `node node_modules/@nancyzeng0210/tvu-design-system/scripts/audit-product-code.mjs`)
#   3. Source code lives under `src/` (adjust `--dir` in script invocation if different)

name: Consumer Code Audit

on:
  pull_request:
    branches: [main, master]
  push:
    branches: [main, master]

# Least privilege: the audit only reads the checked-out source.
# The optional PR-comment step below would also need `pull-requests: write`.
permissions:
  contents: read

jobs:
  audit-consumer-code:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # pnpm must be installed before setup-node, because `cache: 'pnpm'`
      # calls the pnpm binary to locate its store directory.
      - name: Install pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm' # or 'npm' / 'yarn' depending on your package manager

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Audit consumer code (R1 / R2 / R16)
        run: pnpm audit:consumer-code -- --json
        # The audit script exits with code 1 on violations → CI fails the PR

      # Optional: post audit summary as PR comment
      # - name: Post audit summary
      #   if: github.event_name == 'pull_request'
      #   uses: actions/github-script@v7
      #   with:
      #     script: |
      #       // Read audit output and post comment