chore(deps): bump the typescript-toolchain group across 1 directory with 3 updates #668
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| permissions: | |
| contents: read | |
| env: | |
| TURBO_TELEMETRY_DISABLED: 1 | |
| # The gate jobs (lint, types, test-node, test-web) run in parallel; the final | |
| # `ci` job aggregates them under the job name `lint / types / test`, which is | |
| # the required status check in the "main protection" ruleset. Renaming that | |
| # job (or letting it skip) breaks branch protection — see | |
| # docs/plans/2026-06-12-branch-protection.md. | |
| jobs: | |
| lint: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| # Needed so commitlint can walk the PR's commit range (and so | |
| # origin/main exists for the changeset gate). | |
| # Quoted because `&& 0 || 1` short-circuits past the falsy 0 and always returns 1. | |
| fetch-depth: ${{ github.event_name == 'pull_request' && '0' || '1' }} | |
| - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile | |
| - name: Lint commit messages (PR only) | |
| if: github.event_name == 'pull_request' | |
| run: pnpm exec commitlint --from "${BASE_SHA}" --to "${HEAD_SHA}" --verbose | |
| env: | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| - run: pnpm lint | |
| - name: Require changeset for publishable-package changes (PR only) | |
| # Skip for Dependabot: it can't author changesets, and mechanical | |
| # dependency bumps don't need a release entry. Human PRs still must add | |
| # one (an empty changeset for test-only/infra/internal: `pnpm exec | |
| # changeset --empty`). Keyed off the PR author, not github.actor, so it | |
| # still skips when a maintainer updates/rebases the bot's branch. | |
| if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]' | |
| # Exits non-zero if a publishable package changed since main without | |
| # an accompanying changeset. The baseBranch is "main" per | |
| # .changeset/config.json — keep these in sync. | |
| run: pnpm exec changeset status --since=origin/main | |
| types: | |
| name: types | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile | |
| # Cache benefits check-types only (lint/test don't run through turbo); | |
| # revisit if root scripts move under turbo. | |
| - name: Restore Turbo cache | |
| uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 | |
| with: | |
| path: .turbo/cache | |
| key: turbo-${{ runner.os }}-${{ github.sha }} | |
| restore-keys: | | |
| turbo-${{ runner.os }}- | |
| - run: pnpm check-types | |
| test-node: | |
| name: test (node) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile | |
| # Plain (uninstrumented) run — coverage is collected by the scheduled | |
| # coverage.yml workflow, not the PR gate. No OPENMAPX_SKIP_SLOW_CRYPTO: | |
| # that flag only compensates for v8 coverage instrumentation, so the | |
| # gate exercises the real crypto path. | |
| - run: pnpm test --project node | |
| test-web: | |
| name: test (web) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile | |
| - run: pnpm test --project web | |
| # Aggregate gate. Keeps the required-status-check context stable at | |
| # `lint / types / test` while the real work runs in parallel above. | |
| # `if: always()` so it reports (red) even when a dependency fails instead of | |
| # being skipped — a skipped required check would block the PR forever. | |
| ci: | |
| name: lint / types / test | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| needs: [lint, types, test-node, test-web] | |
| if: always() | |
| steps: | |
| - name: Fail if any gate job did not succeed | |
| if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') | |
| run: | | |
| echo "One or more gate jobs failed:" | |
| echo '${{ toJSON(needs.*.result) }}' | |
| exit 1 | |
| - name: All gate jobs succeeded | |
| run: echo "lint, types, test-node, test-web all green" |