Quality And CI

The project reports package quality in three places:

  • GitHub step summaries for quick CI scanning.
  • Sticky pull request comments for coverage, test performance, and cognitive complexity.
  • Uploaded artifacts for raw coverage, test, and complexity data.

Coverage

Coverage uses c8 over the package source:

npm run test:cov

The gate currently requires 100% statements, branches, functions, and lines. The PR coverage comment compares the pull request against cached base-branch coverage when base data is available.

CI runs package coverage on Node.js 20 and Node.js 22. The Node.js 22 quality job owns PR coverage, performance, and cognitive complexity comments so those reports stay single-source and easy to read.

Performance

Tests use node:test. npm run test:cov runs a small reporting wrapper that writes test-results.json with suite and individual test durations parsed from the test runner output.

The PR performance comment shows:

  • passed, failed, and skipped counts
  • suite count
  • total test step duration
  • test execution duration
  • slowest suites
  • slowest individual tests

When base data exists, each duration includes a diff against the base branch.

Cognitive Complexity

Cognitive complexity uses SonarJS through ESLint:

npm run complexity:check
npm run complexity:report

complexity:check enforces the default threshold of 15 per source function. complexity:report writes complexity/cognitive-complexity-summary.json with totals, per-file aggregates, and the most complex functions.

The PR comment treats complexity as a review signal. The hard gate remains the ESLint threshold.

Driver Integration

Package tests exercise real Drizzle clients for libSQL, better-sqlite3, PostgreSQL, and MySQL. GitHub Actions provides PostgreSQL and MySQL service containers for the coverage job. Local runs skip those networked drivers unless NEST_DRIZZLE_NATIVE_POSTGRES_URL and NEST_DRIZZLE_NATIVE_MYSQL_URL are set.

Release And Security

Release validation checks README/docs links, sample version sync, workspace resolution, the package tarball, and a temporary consumer app that installs the packed tarball:

npm run release:check

For the publish checklist, version sync rules, and post-publish verification, see Release Guide.

After publishing, verify the registry package with:

npm run release:check:published -- <version>

That command installs the published package in a clean consumer and in a temporary sample workspace so the checks cannot accidentally pass through a local workspace link.

Supply-chain auditing checks high-severity production risk:

npm run security:audit

Run the complete local gate with:

npm run ci

Samples

Samples are release blockers. GitHub Actions runs them in the dedicated Sample validation job, and the local gate includes the same matrix:

npm run ci:sample

release:check also verifies every sample/*/package.json depends on the current packages/drizzle version and that npm workspace resolution agrees with the lockfile.
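
The version-sync and workspace-resolution check described above, sketched as an added example; it is not the project's own release:check script. The package name example-drizzle-pkg, the function checkSampleSync, and all manifest and lockfile data are constructed, and the lockfile shape assumed is npm's lockfileVersion 3 packages map, where a workspace package appears as a link: true entry.

```javascript
// Added illustration: the package name and all manifest/lockfile data are constructed.
const PKG_DIR = 'packages/drizzle'; // workspace path named on this page

function checkSampleSync(pkg, samples, lock) {
  const problems = [];
  const entries = lock.packages || {};
  // 1. Every sample manifest must depend on the current package version.
  //    Assumption: a leading ^ or ~ is allowed, the base version must match.
  for (const [dir, manifest] of Object.entries(samples)) {
    const range = (manifest.dependencies || {})[pkg.name];
    if (range === undefined) {
      problems.push(`${dir}: no dependency on ${pkg.name}`);
    } else if (range.replace(/^[\^~]/, '') !== pkg.version) {
      problems.push(`${dir}: depends on ${range}, current is ${pkg.version}`);
    }
  }
  // 2. The lockfile must record the workspace itself at that version.
  const ws = entries[PKG_DIR];
  if (!ws || ws.version !== pkg.version) {
    problems.push(`lockfile: ${PKG_DIR} is ${ws ? ws.version : 'absent'}`);
  }
  // 3. Every resolution of the package must be a workspace link. A nested
  //    non-link entry means a sample pulled a registry tarball instead.
  const suffix = `node_modules/${pkg.name}`;
  const hits = Object.keys(entries).filter((k) => k === suffix || k.endsWith(`/${suffix}`));
  if (!hits.includes(suffix)) problems.push(`lockfile: no root entry for ${pkg.name}`);
  for (const key of hits) {
    const e = entries[key];
    if (e.link !== true || e.resolved !== PKG_DIR) {
      problems.push(`lockfile: ${key} is not a link to ${PKG_DIR}`);
    }
  }
  return problems;
}

// Constructed sample: one sample in sync, one left on an old major version.
const pkg = { name: 'example-drizzle-pkg', version: '2.1.0' };
const samples = {
  'sample/basic': { dependencies: { [pkg.name]: '^2.1.0' } },
  'sample/stale': { dependencies: { [pkg.name]: '^1.4.0' } },
};
const lock = { lockfileVersion: 3, packages: {
  'packages/drizzle': { name: pkg.name, version: '2.1.0' },
  'node_modules/example-drizzle-pkg': { resolved: 'packages/drizzle', link: true },
  'sample/stale/node_modules/example-drizzle-pkg': { version: '1.4.2' },
} };
for (const p of checkSampleSync(pkg, samples, lock)) console.log(p);
```

The stale sample is reported twice: once from its manifest, and once from the lockfile, where its nested node_modules entry shows it resolved a registry copy instead of the workspace link.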