Skip to content
Main

refactor(ocap-kernel): type vat-endowments allowlist as literal union #4335

Sign in to view logs

refactor(ocap-kernel): type vat-endowments allowlist as literal union

refactor(ocap-kernel): type vat-endowments allowlist as literal union #4335

Workflow file for this run

.github/workflows/main.yml at b44f4b8
name: Main
on:
merge_group:
push:
branches: [main]
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }}
jobs:
check-skip-merge-queue:
name: Check if pull request can skip merge queue
runs-on: ubuntu-latest
outputs:
skip-merge-queue: ${{ steps.check-skip-merge-queue.outputs.up-to-date }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
if: github.event_name == 'merge_group'
- name: Check pull request merge queue status
id: check-skip-merge-queue
if: github.event_name == 'merge_group'
uses: MetaMask/github-tools/.github/actions/check-skip-merge-queue@v1
detect-changes:
name: Detect changes
runs-on: ubuntu-latest
outputs:
has-code: ${{ steps.changes.outputs.has-code }}
has-ci: ${{ steps.changes.outputs.has-ci }}
has-lint-targets: ${{ steps.changes.outputs.has-lint-targets }}
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Detect change categories
id: changes
run: |
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
# On pushes to main, always run everything
{
echo "has-code=true"
echo "has-ci=true"
echo "has-lint-targets=true"
} >> "$GITHUB_OUTPUT"
exit 0
fi
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
BASE="${{ github.event.pull_request.base.sha }}"
elif [[ "${{ github.event_name }}" == "merge_group" ]]; then
BASE="${{ github.event.merge_group.base_sha }}"
else
echo "::error::Unexpected event type: ${{ github.event_name }}"
exit 1
fi
FILES=$(git diff --name-only "$BASE" HEAD)
HAS_CODE=false
HAS_CI=false
HAS_LINT_TARGETS=false
while IFS= read -r file; do
[[ -z "$file" ]] && continue
case "$file" in
# CI workflow files (also lint-worthy for prettier on .yml)
.github/workflows/*)
HAS_CI=true
HAS_LINT_TARGETS=true
;;
# Custom actions are test infrastructure — treat as code
.github/actions/*)
HAS_CI=true
HAS_CODE=true
HAS_LINT_TARGETS=true
;;
# Documentation (lint-worthy for prettier, but not code)
*.md|*.txt|docs/*|LICENSE*)
HAS_LINT_TARGETS=true
;;
# Config/tooling (lint-worthy but not code)
.eslintrc*|.prettierrc*|.editorconfig|.gitignore|.gitattributes|.nvmrc|.yarnrc*)
HAS_LINT_TARGETS=true
;;
# Everything else is code (source, tests, package.json, tsconfig, lockfile, etc.)
*)
HAS_CODE=true
HAS_LINT_TARGETS=true
;;
esac
done <<< "$FILES"
{
echo "has-code=$HAS_CODE"
echo "has-ci=$HAS_CI"
echo "has-lint-targets=$HAS_LINT_TARGETS"
} >> "$GITHUB_OUTPUT"
{
echo "## Change detection results"
echo "- has-code: $HAS_CODE"
echo "- has-ci: $HAS_CI"
echo "- has-lint-targets: $HAS_LINT_TARGETS"
echo "### Changed files"
echo '```'
echo "$FILES"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
check-workflows:
name: Check workflows
runs-on: ubuntu-latest
needs: [check-skip-merge-queue, detect-changes]
if: |
(github.event_name != 'merge_group' || needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true')
&& (needs.detect-changes.outputs.has-ci == 'true' || needs.detect-changes.outputs.has-code == 'true')
steps:
- uses: actions/checkout@v6
- name: Download actionlint
id: download-actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.25
shell: bash
- name: Check workflow files
run: ${{ steps.download-actionlint.outputs.executable }} -color
shell: bash
analyse-code:
name: Code scanner
needs: [check-skip-merge-queue, check-workflows, detect-changes]
if: |
always()
&& needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true'
&& needs.detect-changes.outputs.has-code == 'true'
&& needs.check-workflows.result != 'failure'
uses: ./.github/workflows/security-code-scanner.yml
permissions:
actions: read
contents: read
security-events: write
secrets:
SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
lint-build-test:
name: Lint, build, and test
needs: [check-skip-merge-queue, check-workflows, detect-changes]
if: |
always()
&& needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true'
&& needs.detect-changes.outputs.has-code == 'true'
&& needs.check-workflows.result != 'failure'
uses: ./.github/workflows/lint-build-test.yml
lint-only:
name: Lint (no code changes)
runs-on: ubuntu-latest
needs: [detect-changes]
if: needs.detect-changes.outputs.has-code != 'true' && needs.detect-changes.outputs.has-lint-targets == 'true'
strategy:
matrix:
node-version: [24.x]
steps:
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v3
with:
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
- run: yarn lint
- name: Require clean working directory
shell: bash
run: |
if ! git diff --exit-code; then
echo "Working tree dirty at end of job"
exit 1
fi
coverage-report:
name: Coverage report
needs: lint-build-test
if: github.event_name == 'pull_request'
uses: ./.github/workflows/coverage-report.yml
permissions:
pull-requests: write
publish-coverage:
name: Publish coverage to GitHub Pages
needs: lint-build-test
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: ./.github/workflows/publish-gh-pages.yml
with:
publish_dir: ./coverage
destination_dir: coverage
artifact_name: coverage
permissions:
contents: write
secrets:
PUBLISH_DOCS_TOKEN: ${{ secrets.PUBLISH_DOCS_TOKEN }}
is-release:
name: Determine whether this is a release merge commit
needs: lint-build-test
if: github.event_name == 'push'
runs-on: ubuntu-latest
outputs:
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b
with:
commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
publish-release:
name: Publish release
needs: is-release
if: needs.is-release.outputs.IS_RELEASE == 'true'
permissions:
contents: write
uses: ./.github/workflows/publish-release.yml
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
all-jobs-complete:
name: All jobs complete
runs-on: ubuntu-latest
if: ${{ always() }}
needs:
- detect-changes
- check-skip-merge-queue
- check-workflows
- analyse-code
- lint-build-test
- lint-only
outputs:
passed: ${{ steps.set-output.outputs.passed }}
steps:
- name: Set passed output
id: set-output
env:
RESULTS: >-
detect-changes=${{ needs.detect-changes.result }}
check-skip-merge-queue=${{ needs.check-skip-merge-queue.result }}
check-workflows=${{ needs.check-workflows.result }}
analyse-code=${{ needs.analyse-code.result }}
lint-build-test=${{ needs.lint-build-test.result }}
lint-only=${{ needs.lint-only.result }}
run: |
echo "Job results: $RESULTS"
# Each job's own `if` condition controls whether it runs or is
# skipped. This gate only needs to verify that nothing *failed*
# or was *cancelled* — both "success" and "skipped" are acceptable.
for entry in $RESULTS; do
job="${entry%%=*}"
result="${entry#*=}"
if [[ "$result" == "failure" || "$result" == "cancelled" ]]; then
echo "::error::$job did not succeed (result: $result)"
exit 1
fi
done
echo "passed=true" >> "$GITHUB_OUTPUT"
all-jobs-pass:
name: All jobs pass
if: ${{ always() }}
runs-on: ubuntu-latest
needs:
- all-jobs-complete
steps:
- name: Check that all jobs have passed
run: |
if [[ "${{ needs.all-jobs-complete.outputs.passed }}" != "true" ]]; then
exit 1
fi