-
Notifications
You must be signed in to change notification settings - Fork 168
152 lines (134 loc) · 5.66 KB
/
Copy pathpkg-pr-new.yml
File metadata and controls
152 lines (134 loc) · 5.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Publish (pkg.pr.new)
on:
pull_request:
permissions:
contents: read
concurrency:
group: pkg-pr-new-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
# Per-platform matrix: build the executor binary, tar it, upload to R2.
# The wrapper npm package is built later by the `publish` job which just
# needs to know which platforms made it this far.
build-preview-binary:
name: Build preview binary (${{ matrix.target }})
# Fork PRs don't receive repo secrets, so the R2 upload step can't
# authenticate. Skip the whole preview pipeline (publish `needs:` this
# job and cascades to skipped) rather than failing the check.
if: github.event.pull_request.head.repo.full_name == github.repository
strategy:
fail-fast: false
matrix:
include:
- runner: blacksmith-4vcpu-ubuntu-2404
target: executor-linux-x64
- runner: macos-14
target: executor-darwin-arm64
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.11
- name: Cache Bun package cache
uses: actions/cache@v4
with:
path: ~/.bun/install/cache
key: ${{ runner.os }}-bun-1.3.11-${{ hashFiles('bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-1.3.11-
# No prebuilt better-sqlite3 binary matches the Blacksmith Linux runner,
# so `bun install` builds it from source via node-gyp, whose undici needs
# Node 22.10+ (webidl.markAsUncloneable).
- uses: actions/setup-node@v4
if: runner.os == 'Linux'
with:
node-version: 22
- run: bun install --frozen-lockfile
- name: Build executor preview tarball
env:
EXECUTOR_PREVIEW_CDN_URL: ${{ vars.EXECUTOR_PREVIEW_CDN_URL }}
EXECUTOR_PREVIEW_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
run: bun run --filter=executor build:preview:tarball
- name: Upload preview binary to R2
# curl --aws-sigv4 handles large uploads directly against R2's S3
# endpoint. Simpler than aws-cli (endpoint validation quirks) or
# Bun.s3 (ConnectionRefused on ubuntu-latest for reasons unclear).
env:
AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
R2_ENDPOINT: https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com
SHA: ${{ github.event.pull_request.head.sha || github.sha }}
TARGET: ${{ matrix.target }}
run: |
tarball="apps/cli/dist/previews/${TARGET}.tar.gz"
echo "Uploading ${TARGET}.tar.gz → r2://executor-previews/$SHA/"
curl --fail-with-body --silent --show-error \
-X PUT "$R2_ENDPOINT/executor-previews/$SHA/${TARGET}.tar.gz" \
--upload-file "$tarball" \
--aws-sigv4 "aws:amz:auto:s3" \
--user "$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY"
publish:
name: Publish
needs: build-preview-binary
runs-on: blacksmith-4vcpu-ubuntu-2404
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.11
- name: Cache Bun package cache
uses: actions/cache@v4
with:
path: ~/.bun/install/cache
key: ${{ runner.os }}-bun-1.3.11-${{ hashFiles('bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-1.3.11-
# No prebuilt better-sqlite3 binary matches this runner, so `bun install`
# builds it from source via node-gyp, whose undici needs Node 22.10+
# (webidl.markAsUncloneable). Pin the same runtime the CI jobs use.
- uses: actions/setup-node@v4
with:
node-version: 22
- run: bun install --frozen-lockfile
- name: Build executor preview wrapper
env:
EXECUTOR_PREVIEW_CDN_URL: ${{ vars.EXECUTOR_PREVIEW_CDN_URL }}
EXECUTOR_PREVIEW_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
EXECUTOR_PREVIEW_TARGETS: executor-linux-x64,executor-darwin-arm64
run: bun run --filter=executor build:preview:wrapper
# Apply the same `publishConfig.exports` promotion and `workspace:*`
# resolution the real npm release does. Runs `build:packages`
# internally. Without this, pkg-pr-new ships unresolved
# `workspace:*` references and the dev-time `src/index.ts` exports.
- run: bun run release:publish:packages:prepare
# Explicit list (not `plugins/*`) — must match PUBLIC_PACKAGE_DIRS
# in scripts/publish-packages.ts. Globbing would pick up unprepared
# private packages that would publish with broken refs.
#
# No --compact: it requires every package already exist on npm to
# generate short URLs. New packages aren't published yet, and
# --compact aborts the whole run when it can't resolve them.
- run: >
npx pkg-pr-new publish --bun
'./apps/cli/dist/executor'
'./packages/core/storage-core'
'./packages/core/sdk'
'./packages/core/config'
'./packages/core/execution'
'./packages/core/cli'
'./packages/kernel/core'
'./packages/kernel/runtime-quickjs'
'./packages/plugins/file-secrets'
'./packages/plugins/graphql'
'./packages/plugins/keychain'
'./packages/plugins/mcp'
'./packages/plugins/onepassword'
'./packages/plugins/openapi'