VSCode-Perplexity-MCP/.github/workflows/ci.yml at main · Automations-Project/VSCode-Perplexity-MCP · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: CI

on:
  push:
    branches: ["**"]
  pull_request:

env:
  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
  # NODE_OPTIONS=--max-old-space-size is scoped to the build/typecheck steps
  # (which need a larger heap for the tsup DTS + tsc compile across 4 packages)
  # rather than set globally — the multi-worker vitest test step doesn't need a
  # 4GB-per-worker heap and runs with Node's default.
  # Opt into Node 24 for GitHub-shipped JS actions (checkout, setup-node, …)
  # ahead of the June 2nd 2026 default. Silences the deprecation warning and
  # ensures we're on the runtime GitHub is migrating to.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  build-and-test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
        node-version: [22, 24]
        exclude:
          # windows-latest + Node 24 reliably crashes vitest's `forks`-pool
          # workers ("Worker exited unexpectedly" — an OS-level reap with no
          # JS error, concentrated on the express/socket-heavy daemon tests).
          # It's not a code/memory issue: ubuntu×{22,24}, windows×22, and local
          # runs all pass clean; scoping NODE_OPTIONS and capping forks did not
          # help. Drop this single cell until the upstream vitest/Node-24/Windows
          # forks incompatibility is resolved — ubuntu still exercises Node 24
          # and windows still exercises Node 22, so both dimensions stay covered.
          - os: windows-latest
            node-version: 24
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - run: npm ci
      # Workaround for npm/cli#4828: optional native bindings sometimes don't
      # install when `npm ci` runs from a lockfile generated on a different
      # platform. Force-install the @tailwindcss/oxide native binding for the
      # current runner so vite/postcss can find it.
      - name: Install platform-specific tailwind oxide binding (npm/cli#4828)
        run: |
          if [ "$RUNNER_OS" = "Linux" ]; then
            npm install --no-save --workspaces=false @tailwindcss/oxide-linux-x64-gnu
          elif [ "$RUNNER_OS" = "Windows" ]; then
            npm install --no-save --workspaces=false @tailwindcss/oxide-win32-x64-msvc
          elif [ "$RUNNER_OS" = "macOS" ]; then
            npm install --no-save --workspaces=false @tailwindcss/oxide-darwin-arm64 @tailwindcss/oxide-darwin-x64
          fi
      # tsup's --dts worker + tsc across 4 packages can exceed Node's default
      # heap on the mcp-server build (70+ entry points + DTS emission). Lift the
      # cap to 4GB for these single-process steps ONLY — never the multi-worker
      # test step (see env note above).
      - run: npm run build
        env:
          NODE_OPTIONS: "--max-old-space-size=4096"
      - run: npm run typecheck
        env:
          NODE_OPTIONS: "--max-old-space-size=4096"
      - name: Test with coverage
        run: |
          mkdir -p .test-artifacts
          set -o pipefail
          npm run test:coverage 2>&1 | tee .test-artifacts/vitest.log
      - name: Assert no secret shapes in test artifacts
        run: node scripts/assert-no-secret-leak.mjs .test-artifacts

      - name: Verify MCP tarball is clean
        if: matrix.node-version == 22
        run: |
          cd packages/mcp-server
          npm pack --dry-run 2>&1 | tee /tmp/pack.txt
          if grep -qE "dev-tools/|\.chrome-profile|captures/" /tmp/pack.txt; then
            echo "ERROR: Private files would leak into npm tarball!"
            exit 1
          fi

      - name: Verify VSIX is clean
        if: matrix.node-version == 22
        run: |
          cd packages/extension
          npm run prepare:package-deps || true
          npx @vscode/vsce ls --no-dependencies 2>&1 | tee /tmp/vsix.txt
          # Match true source .ts files (foo.ts) in OUR package directories
          # but NOT (a) type declarations (foo.d.ts) bundled with their .js
          # by npm packages, (b) any .ts under a node_modules/ path —
          # vendored deps like patchright-core legitimately ship their own
          # .ts source files alongside the compiled .js. The check is
          # strictly about preventing OUR src/ from leaking, not vendored
          # third-party content.
          if grep -E "\.ts$" /tmp/vsix.txt | grep -vE "\.d\.ts$" | grep -vE "node_modules/" | head -1 | grep -q .; then
            echo "ERROR: Source .ts files would leak into VSIX!"
            grep -E "\.ts$" /tmp/vsix.txt | grep -vE "\.d\.ts$" | grep -vE "node_modules/" | head -10
            exit 1
          fi
          # dev-tools is under our own packages; never legitimate.
          if grep -qE "dev-tools" /tmp/vsix.txt; then
            echo "ERROR: dev-tools path would leak into VSIX!"
            grep -E "dev-tools" /tmp/vsix.txt | head -10
            exit 1
          fi