-
Notifications
You must be signed in to change notification settings - Fork 0
153 lines (124 loc) · 5.4 KB
/
Copy pathci.yml
File metadata and controls
153 lines (124 loc) · 5.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: CI
on:
pull_request:
push:
branches: [main]
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
contents: read
env:
TURBO_TELEMETRY_DISABLED: 1
# The gate jobs (lint, types, test-node, test-web) run in parallel; the final
# `ci` job aggregates them under the job name `lint / types / test`, which is
# the required status check in the "main protection" ruleset. Renaming that
# job (or letting it skip) breaks branch protection — see
# docs/plans/2026-06-12-branch-protection.md.
jobs:
lint:
name: lint
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
# Needed so commitlint can walk the PR's commit range (and so
# origin/main exists for the changeset gate).
# Quoted because `&& 0 || 1` short-circuits past the falsy 0 and always returns 1.
fetch-depth: ${{ github.event_name == 'pull_request' && '0' || '1' }}
- uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: .nvmrc
cache: pnpm
- run: pnpm install --frozen-lockfile
- name: Lint commit messages (PR only)
if: github.event_name == 'pull_request'
run: pnpm exec commitlint --from "${BASE_SHA}" --to "${HEAD_SHA}" --verbose
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
- run: pnpm lint
- name: Require changeset for publishable-package changes (PR only)
# Skip for Dependabot: it can't author changesets, and mechanical
# dependency bumps don't need a release entry. Human PRs still must add
# one (an empty changeset for test-only/infra/internal: `pnpm exec
# changeset --empty`). Keyed off the PR author, not github.actor, so it
# still skips when a maintainer updates/rebases the bot's branch.
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]'
# Exits non-zero if a publishable package changed since main without
# an accompanying changeset. The baseBranch is "main" per
# .changeset/config.json — keep these in sync.
run: pnpm exec changeset status --since=origin/main
types:
name: types
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: .nvmrc
cache: pnpm
- run: pnpm install --frozen-lockfile
# Cache benefits check-types only (lint/test don't run through turbo);
# revisit if root scripts move under turbo.
- name: Restore Turbo cache
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: .turbo/cache
key: turbo-${{ runner.os }}-${{ github.sha }}
restore-keys: |
turbo-${{ runner.os }}-
- run: pnpm check-types
test-node:
name: test (node)
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: .nvmrc
cache: pnpm
- run: pnpm install --frozen-lockfile
# Plain (uninstrumented) run — coverage is collected by the scheduled
# coverage.yml workflow, not the PR gate. No OPENMAPX_SKIP_SLOW_CRYPTO:
# that flag only compensates for v8 coverage instrumentation, so the
# gate exercises the real crypto path.
- run: pnpm test --project node
test-web:
name: test (web)
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: .nvmrc
cache: pnpm
- run: pnpm install --frozen-lockfile
- run: pnpm test --project web
# Aggregate gate. Keeps the required-status-check context stable at
# `lint / types / test` while the real work runs in parallel above.
# `if: always()` so it reports (red) even when a dependency fails instead of
# being skipped — a skipped required check would block the PR forever.
ci:
name: lint / types / test
runs-on: ubuntu-latest
timeout-minutes: 5
needs: [lint, types, test-node, test-web]
if: always()
steps:
- name: Fail if any gate job did not succeed
if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
run: |
echo "One or more gate jobs failed:"
echo '${{ toJSON(needs.*.result) }}'
exit 1
- name: All gate jobs succeeded
run: echo "lint, types, test-node, test-web all green"