Copy and naming pass: providers, add flows, API keys, policies #3609
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| format: | |
| name: Format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| - run: bun install --frozen-lockfile | |
| - run: bun run format:check | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| - run: bun install --frozen-lockfile | |
| - run: bun run lint | |
| typecheck: | |
| name: Typecheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| - run: bun install --frozen-lockfile | |
| - run: bun run typecheck | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| # apps/cloud's test script invokes `node` directly; undici 8.x (pulled | |
| # in by @cloudflare/vitest-pool-workers) calls webidl.markAsUncloneable | |
| # which only exists in Node 22.10+. Pin a known-good runtime. | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - run: bun install --frozen-lockfile | |
| - run: bun run test | |
| e2e: | |
| name: E2E (${{ matrix.target }}${{ matrix['shard-name'] && format(' {0}', matrix['shard-name']) || '' }}) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # Cloud is SHARDED: each shard boots its own fresh dev stack. The | |
| # cloud dev server degrades after a few minutes of sustained suite | |
| # load on 2-core runners (the SSE/OTel memory growth being | |
| # instrumented on main) — requests start failing partway through and | |
| # everything after dies with connection errors. Short shards on | |
| # fresh boots stay under that threshold; re-merge into fewer jobs | |
| # once the degradation is fixed. | |
| - { target: cloud, shard: 1/8, shard-name: 1of8 } | |
| - { target: cloud, shard: 2/8, shard-name: 2of8 } | |
| - { target: cloud, shard: 3/8, shard-name: 3of8 } | |
| - { target: cloud, shard: 4/8, shard-name: 4of8 } | |
| - { target: cloud, shard: 5/8, shard-name: 5of8 } | |
| - { target: cloud, shard: 6/8, shard-name: 6of8 } | |
| - { target: cloud, shard: 7/8, shard-name: 7of8 } | |
| - { target: cloud, shard: 8/8, shard-name: 8of8 } | |
| - target: selfhost | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| # The dev stacks spawn Node sidecars (vite/workerd tooling); pin the | |
| # same known-good runtime the unit-test job uses. | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - run: bun install --frozen-lockfile | |
| # Install from e2e so bunx resolves ITS pinned playwright (the version | |
| # the tests run against) rather than floating to the latest. | |
| - name: Install Playwright Chromium | |
| run: bunx playwright install --with-deps chromium chromium-headless-shell | |
| working-directory: e2e | |
| # The globalsetup boots the target's own dev server (ports are claimed | |
| # per checkout, so this is hermetic) and tears it down after the run. | |
| # --retry=2: browser scenarios time out sporadically on 2-core runners | |
| # (single-test waitFor timeouts, not systemic failures); a retry on the | |
| # same booted stack clears them. | |
| - name: Run ${{ matrix.target }} scenarios | |
| run: bunx vitest run --project ${{ matrix.target }} --retry=2 ${{ matrix.shard && format('--shard={0}', matrix.shard) || '' }} | |
| working-directory: e2e | |
| # Failed runs keep their trace.zip / session.mp4 / step screenshots in | |
| # runs/<target>/<slug>/ — surface them instead of a bare red X. | |
| - name: Upload run artifacts | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: e2e-runs-${{ matrix.target }}${{ matrix['shard-name'] && format('-{0}', matrix['shard-name']) || '' }} | |
| path: e2e/runs/ | |
| retention-days: 7 | |
| e2e-local: | |
| name: E2E (stdio MCP) | |
| # Skipped on pull_request: the local scenario boots a real `executor web` | |
| # plus a browser and is currently flaky on PRs. Still runs on push to main. | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| # The local scenarios boot a real `executor web` (which spawns a Node | |
| # sidecar) and some drive a browser, so pin Node 22 and install Chromium. | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - run: bun install --frozen-lockfile | |
| # `chromium` and the new `chromium-headless-shell` ship as separate | |
| # downloads; the browser-driven scenarios launch the headless shell. | |
| # Install from e2e so bunx resolves ITS pinned playwright (the version the | |
| # tests run against) rather than floating to the latest, which would fetch | |
| # a browser build the test runtime does not look for. | |
| - name: Install Playwright Chromium | |
| run: bunx playwright install --with-deps chromium chromium-headless-shell | |
| working-directory: e2e | |
| # The `local` project is excluded from the default `test` chain (each | |
| # scenario boots its own `executor web`). Run just the stdio MCP scenario | |
| # here: it is the auto-connect / env-as-secret regression guard, and | |
| # running it alone avoids the boot-resource accumulation and the | |
| # pre-existing browser flakiness of the rest of the local suite. Expanding | |
| # to the full `local` project (bun run test:local) is a follow-up once | |
| # those are stabilized. | |
| - name: Run the stdio MCP scenario | |
| run: bunx vitest run --project local local/stdio-mcp.test.ts | |
| working-directory: e2e | |
| desktop-smoke: | |
| name: Desktop smoke build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.11 | |
| - run: bun install --frozen-lockfile | |
| - name: Build web app | |
| run: bun run --filter @executor-js/local build | |
| - name: Build bundled executor | |
| env: | |
| BUN_TARGET: bun-linux-x64 | |
| run: bun ./scripts/build-sidecar.ts | |
| working-directory: apps/desktop | |
| - name: Build Electron main/preload/renderer | |
| run: bunx --bun electron-vite build | |
| working-directory: apps/desktop | |
| selfhost-docker-smoke: | |
| name: Self-host Docker image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build self-host image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: apps/host-selfhost/Dockerfile | |
| push: false | |
| tags: executor-selfhost:ci |