ci.yml
# Continuous-integration workflow, triggered by pull requests and by the
# merge queue.
name: CI

on:
  pull_request:
  # There is no `push` trigger here, so the merge queue is what makes every
  # commit landing on a target branch go through this workflow.
  merge_group:
    branches:
      - main
      - next
      # Merge-group rulesets do not accept wildcards, so each maintenance
      # branch also has to be added separately in the repository settings.
      - 'maintenance/v*'  # branch rulesets don't support v[0-9]+

# Workflow-level token scope. A job that declares its own `permissions`
# block replaces this one rather than extending it.
permissions:
  contents: read

# Runs are grouped by workflow name plus commit SHA, and a newer run in the
# same group cancels the one in progress.
# NOTE(review): on pull_request, github.sha presumably changes with every
# push to the PR, so superseded PR runs would not share a group and would
# not be cancelled - confirm that this is intended.
concurrency:
  group: ${{ github.workflow }}-${{ github.sha }}
  cancel-in-progress: true
jobs:
  # Static analysis of the workflow files themselves with zizmor.
  lint-workflows:
    name: Lint workflows
    runs-on: ubuntu-latest
    # NOTE(review): a job-level `permissions` block replaces the
    # workflow-level one, so `contents: read` is not granted to this job;
    # checkout then relies on the repository being public - confirm.
    # NOTE(review): zizmor runs below with `advanced-security: false`; if
    # that mode uploads nothing to code scanning, `security-events: write`
    # (and `actions: read`) can probably be dropped for least privilege -
    # confirm against the zizmor-action documentation.
    permissions:
      actions: read  # only required in private repos
      security-events: write  # allow writing security events
    steps:
      # Action pinned to a full commit SHA; the trailing comment records the
      # tag. The token is not left behind in the local git config.
      - name: Check out repo
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          persona: pedantic
          annotations: true
          advanced-security: false

  # Build, then run the unit test suite. Inherits the read-only
  # workflow-level token scope.
  test-unit:
    name: Test Unit
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Check out repo
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - uses: ./.github/actions/ci-setup

      - name: Build
        run: pnpm build

      - name: Unit tests
        run: pnpm test:unit

  # Build, then run the integration tests. This is the only job in the
  # workflow that requests a write-scoped token.
  test-integration:
    name: Test Integration
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # The integration tests push to the repo and therefore need a token with
    # write access. A PR from a fork only receives a read-only GITHUB_TOKEN,
    # so the job is skipped for those and the merge_group run gates the
    # merge instead.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: write  # integration tests create and push temporary branches
    steps:
      - name: Check out repo
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 2  # integration tests read the two most recent local commits
          persist-credentials: false

      - uses: ./.github/actions/ci-setup
        with:
          # Precaution against cache poisoning: this is the only job with
          # write access, so it skips the cache.
          skip-cache: true

      - name: Build
        run: pnpm build

      # The write-scoped token is exposed to this step only, through its
      # environment; the build step above does not receive it.
      - name: Integration tests
        run: pnpm test:integration
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Generate code, then type-check the project.
  typecheck:
    name: Typecheck
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - uses: ./.github/actions/ci-setup

      - name: Codegen
        run: pnpm codegen:github

      - name: Typecheck
        run: pnpm typecheck

  # Generate code, then run the linter and the formatter script.
  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - uses: ./.github/actions/ci-setup

      - name: Codegen
        run: pnpm codegen:github

      - name: Lint
        run: pnpm lint

      - name: Format
        run: pnpm format

  # Single aggregate status for the jobs listed under `needs`. It always
  # runs and fails only when one of them reports `failure` or `cancelled`.
  # A `skipped` result (test-integration on a fork PR) does not fail the
  # gate; per the comment on that job, the merge_group run covers that case.
  ci-ok:
    name: CI OK
    runs-on: ubuntu-latest
    if: always()
    needs:
      - lint-workflows
      - test-unit
      - test-integration
      - typecheck
      - lint
    steps:
      - name: Exit with error if some jobs are not successful
        run: exit 1
        if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}