-
Notifications
You must be signed in to change notification settings - Fork 53
246 lines (215 loc) · 9.71 KB
/
Copy pathtest.yml
File metadata and controls
246 lines (215 loc) · 9.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
name: Run unit and integration tests
on:
pull_request:
concurrency:
group: test-${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
changes:
runs-on: ubuntu-latest
permissions:
pull-requests: read
outputs:
code: ${{ steps.filter.outputs.code }}
workflow: ${{ steps.filter.outputs.workflow }}
packages: ${{ steps.filter.outputs.packages }}
steps:
- name: Detect relevant changes
id: filter
uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
with:
predicate-quantifier: every
filters: |
# Wider excludes than code-quality.yml, which keeps .github/scripts
# and .vscode/.claude in scope because Biome lints them.
code:
- "!**/*.md"
- "!docs/**"
- "!.github/**"
- "!.vscode/**"
- "!.claude/**"
- "!.husky/**"
- "!LICENSE"
- "!.gitignore"
- "!.env.example"
workflow:
- ".github/workflows/test.yml"
packages:
- "packages/**"
unit-test:
needs: changes
# Fail closed: if change detection itself failed, run instead of skipping.
if: ${{ !cancelled() && (needs.changes.result != 'success' || needs.changes.outputs.code == 'true' || needs.changes.outputs.workflow == 'true') }}
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup pnpm
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
cache: "pnpm"
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Rebuild native modules for Node
run: node scripts/rebuild-better-sqlite3-node.mjs
- name: Build dependencies
run: pnpm --filter @posthog/electron-trpc build
- name: Run tests
run: pnpm test
- name: Upload test results to Trunk
# Run even when tests fail so flaky/failed results are still reported,
# but never let an upload problem fail the job.
if: ${{ !cancelled() }}
continue-on-error: true
uses: trunk-io/analytics-uploader@385f1ccdf345b4532dc4b6c665dd432b702b8e28 # v2.1.2
with:
# Scope to each package root. A bare **/junit.xml glob descends into
# node_modules, where pnpm symlinks workspace packages, and uploads
# every report many times over.
junit-paths: "apps/*/junit.xml,packages/*/junit.xml"
org-slug: posthog-inc
token: ${{ secrets.TRUNK_API_TOKEN }}
integration-test:
needs: changes
# Fail closed: if change detection itself failed, run instead of skipping.
if: ${{ !cancelled() && (needs.changes.result != 'success' || needs.changes.outputs.code == 'true' || needs.changes.outputs.workflow == 'true') }}
runs-on: macos-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup pnpm
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
cache: "pnpm"
- name: Cache Playwright browsers
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: playwright-cache
with:
path: ~/Library/Caches/ms-playwright
key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
restore-keys: |
playwright-${{ runner.os }}-
- name: Cache Electron binary
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/Library/Caches/electron
key: electron-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
restore-keys: |
electron-${{ runner.os }}-
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Rebuild better-sqlite3 for Electron
run: node scripts/rebuild-better-sqlite3-electron.mjs
- name: Build packages
run: |
pnpm --filter @posthog/electron-trpc build &
pnpm --filter @posthog/platform build &
pnpm --filter @posthog/shared build
pnpm --filter @posthog/git build
pnpm --filter @posthog/enricher build
pnpm --filter agent build &
wait
- name: Package Electron app
run: pnpm --filter code run package
env:
NODE_OPTIONS: "--max-old-space-size=6144"
- name: Install Playwright
if: steps.playwright-cache.outputs.cache-hit != 'true'
run: pnpm --filter code exec playwright install --with-deps chromium
- name: Run E2E smoke tests
run: pnpm --filter code run test:e2e
env:
CI: true
- name: Upload test results to Trunk
# Run even when E2E tests fail so flaky/failed results are still
# reported, but never let an upload problem fail the job.
if: ${{ !cancelled() }}
continue-on-error: true
uses: trunk-io/analytics-uploader@385f1ccdf345b4532dc4b6c665dd432b702b8e28 # v2.1.2
with:
junit-paths: "apps/code/tests/e2e/junit.xml"
org-slug: posthog-inc
token: ${{ secrets.TRUNK_API_TOKEN }}
- name: Upload Playwright report
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: failure()
with:
name: playwright-report
path: apps/code/playwright-report/
retention-days: 7
e2e:
# Live-model e2e for the @posthog/agent adapters (claude + codex). Runs only
# after the unit + integration jobs pass — a red tree never reaches the
# gateway — and only when a packages/ file changed. Each arm still self-skips
# unless the POSTHOG_CODE_E2E_GATEWAY_PERSONAL_API_KEY secret is present (fork PRs never
# see it) and POSTHOG_CODE_E2E_GATEWAY_URL points at a runner-reachable gateway.
# Drives cheap models (claude-haiku-4-5 / gpt-5-mini), so a run is a handful of
# short turns.
needs: [changes, unit-test, integration-test]
# Always run on any packages/ change (or a change to this workflow), once
# unit-test + integration-test have passed. There is intentionally NO gate on
# the gateway config being present: if the POSTHOG_CODE_E2E_* secret/vars are
# missing, the fail-loud guard (packages/agent/e2e/guard.e2e.test.ts) REDS the
# run rather than skipping to green. Only fork PRs are skipped, since they never
# receive the gateway secret and would red spuriously.
if: ${{ (needs.changes.outputs.packages == 'true' || needs.changes.outputs.workflow == 'true') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup pnpm
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
- name: Setup Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22
cache: "pnpm"
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Build agent dependencies
run: |
pnpm --filter @posthog/shared run build
pnpm --filter @posthog/git run build
pnpm --filter @posthog/enricher run build
- name: Download native codex binary
# Non-fatal at the STEP so a failure surfaces as the fail-loud binary guard
# (guard.e2e.test.ts) with a clear message rather than an opaque download
# error. A missing binary then REDS the run (the guard fails when a token is
# set) instead of letting the codex arm silently skip to green.
run: node apps/code/scripts/download-binaries.mjs || echo "codex binary download failed; the binary guard test will red the run"
- name: Run live e2e (both adapters)
run: pnpm --filter agent run test:e2e
# The suite reads these POSTHOG_CODE_E2E_* names directly
# (packages/agent/e2e/config.ts). The personal API key is an org secret; the
# URL and model/environment overrides are org vars.
env:
POSTHOG_CODE_E2E_GATEWAY_PERSONAL_API_KEY: ${{ secrets.POSTHOG_CODE_E2E_GATEWAY_PERSONAL_API_KEY }}
# Accept the URL from either an org var or an org secret — it has ended
# up in both places, and vars.* can't see secrets.
POSTHOG_CODE_E2E_GATEWAY_URL: ${{ vars.POSTHOG_CODE_E2E_GATEWAY_URL || secrets.POSTHOG_CODE_E2E_GATEWAY_URL }}
POSTHOG_CODE_E2E_CLAUDE_MODEL: ${{ vars.POSTHOG_CODE_E2E_CLAUDE_MODEL }}
POSTHOG_CODE_E2E_CODEX_MODEL: ${{ vars.POSTHOG_CODE_E2E_CODEX_MODEL }}
# Optional: set vars.POSTHOG_CODE_E2E_ENVIRONMENT=cloud to exercise the
# cloud code path (sandbox/permission-profile gating). Unset = local. The
# OS-sandbox enforcement test is macOS-gated, so it doesn't red this linux
# runner.
POSTHOG_CODE_E2E_ENVIRONMENT: ${{ vars.POSTHOG_CODE_E2E_ENVIRONMENT }}