chore(deps): actions: bump the all-actions group with 2 updates #541
| name: build | |
| on: | |
| pull_request: {} | |
| workflow_dispatch: | |
| inputs: | |
| deploy: | |
| description: "Deploy after build (- = no deploy)" | |
| type: choice | |
| default: "-" | |
| options: | |
| - "-" | |
| - agentcore | |
| permissions: | |
| actions: none | |
| attestations: none | |
| checks: none | |
| contents: none | |
| deployments: none | |
| discussions: none | |
| id-token: none | |
| issues: none | |
| models: none | |
| packages: none | |
| pages: none | |
| pull-requests: none | |
| repository-projects: none | |
| security-events: none | |
| statuses: none | |
| jobs: | |
| build: | |
| permissions: | |
| actions: write # upload-artifact when self-mutation is detected | |
| contents: read | |
| # Runner priority: vars.DEFAULT_RUNNER_LABEL > PR label 'self-hosted' > PR label 'ubuntu-latest-4-cores' > 'ubuntu-latest' | |
| runs-on: >- | |
| ${{ | |
| vars.DEFAULT_RUNNER_LABEL | |
| || (github.event_name == 'pull_request' | |
| && contains(github.event.pull_request.labels.*.name, 'self-hosted') | |
| && 'self-hosted') | |
| || (github.event_name == 'pull_request' | |
| && contains(github.event.pull_request.labels.*.name, 'ubuntu-latest-4-cores') | |
| && 'ubuntu-latest-4-cores') | |
| || 'ubuntu-latest' | |
| }} | |
| strategy: | |
| matrix: | |
| compute_type: [agentcore] | |
| outputs: | |
| self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }} | |
| env: | |
| CI: "true" | |
| MISE_EXPERIMENTAL: "1" | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Keep secret and dependency scanning enabled in CI; only disable the | |
| # remaining tools that are intentionally skipped here. | |
| MISE_DISABLE_TOOLS: "aqua:aquasecurity/trivy,grype,semgrep" | |
| steps: | |
| - name: Free Disk Space | |
| shell: bash | |
| run: | | |
| sudo rm -rf \ | |
| /usr/local/lib/android \ | |
| /usr/share/dotnet \ | |
| /opt/hostedtoolcache || true | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 # shallow clone | |
| persist-credentials: false | |
| - name: Resolve github:* tag values | |
| id: tags | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| GH_SHA: ${{ github.sha }} | |
| GH_REF_NAME: ${{ github.ref_name }} | |
| GH_REF_TYPE: ${{ github.ref_type }} | |
| GH_HEAD_REF: ${{ github.head_ref }} | |
| GH_BASE_REF: ${{ github.base_ref }} | |
| MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }} | |
| MG_BASE_REF: ${{ github.event.merge_group.base_ref }} | |
| MG_HEAD_REF: ${{ github.event.merge_group.head_ref }} | |
| PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| case "$EVENT_NAME" in | |
| merge_group) | |
| echo "sha=${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT" | |
| echo "ref-type=branch" >> "$GITHUB_OUTPUT" | |
| echo "head-ref=${MG_HEAD_REF}" >> "$GITHUB_OUTPUT" | |
| echo "base-ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT" | |
| PR_NUM=$(echo "$MG_HEAD_REF" | grep -oP 'pr-\K[0-9]+' || echo "") | |
| echo "pr-number=${PR_NUM}" >> "$GITHUB_OUTPUT" | |
| ;; | |
| pull_request|pull_request_target) | |
| echo "sha=${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT" | |
| echo "ref-type=branch" >> "$GITHUB_OUTPUT" | |
| echo "head-ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT" | |
| echo "base-ref=${GH_BASE_REF}" >> "$GITHUB_OUTPUT" | |
| echo "pr-number=${PR_NUMBER}" >> "$GITHUB_OUTPUT" | |
| ;; | |
| push) | |
| echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT" | |
| echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT" | |
| echo "head-ref=" >> "$GITHUB_OUTPUT" | |
| echo "base-ref=" >> "$GITHUB_OUTPUT" | |
| echo "pr-number=" >> "$GITHUB_OUTPUT" | |
| ;; | |
| *) | |
| echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT" | |
| echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT" | |
| echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT" | |
| echo "head-ref=" >> "$GITHUB_OUTPUT" | |
| echo "base-ref=" >> "$GITHUB_OUTPUT" | |
| echo "pr-number=" >> "$GITHUB_OUTPUT" | |
| ;; | |
| esac | |
| - name: Resolve stack name | |
| id: naming | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| COMPUTE_TYPE: ${{ matrix.compute_type }} | |
| GH_SHA: ${{ github.sha }} | |
| GH_REF_NAME: ${{ github.ref_name }} | |
| PR_NUMBER: ${{ steps.tags.outputs.pr-number }} | |
| run: | | |
| sanitize() { | |
| local result | |
| result=$(echo "$1" | tr '[:upper:]' '[:lower:]' | tr '/_.' '-' | sed 's/[^a-z0-9-]//g; s/--*/-/g' | cut -c1-60 | sed 's/^-*//; s/-$//') | |
| # CloudFormation requires stack names to start with a letter | |
| if [[ -z "$result" || ! "$result" =~ ^[a-z] ]]; then | |
| result="s-${result}" | |
| fi | |
| echo "$result" | |
| } | |
| case "$EVENT_NAME" in | |
| push) | |
| REF=$(sanitize "$GH_REF_NAME") | |
| STACK_NAME="${REF}-${COMPUTE_TYPE}" | |
| ;; | |
| pull_request|pull_request_target) | |
| if [[ ! "$PR_NUMBER" =~ ^[0-9]+$ ]]; then | |
| echo "::error::Invalid PR number: '$PR_NUMBER'" | |
| exit 1 | |
| fi | |
| STACK_NAME="pr${PR_NUMBER}-${COMPUTE_TYPE}" | |
| ;; | |
| merge_group) | |
| if [[ -n "$PR_NUMBER" && "$PR_NUMBER" =~ ^[0-9]+$ ]]; then | |
| STACK_NAME="mg${PR_NUMBER}-${COMPUTE_TYPE}" | |
| else | |
| STACK_NAME="${COMPUTE_TYPE}-${GH_SHA:0:7}" | |
| fi | |
| ;; | |
| workflow_dispatch) | |
| REF=$(sanitize "$GH_REF_NAME") | |
| STACK_NAME="${REF}-${COMPUTE_TYPE}" | |
| ;; | |
| *) | |
| STACK_NAME="${COMPUTE_TYPE}-${GH_SHA:0:7}" | |
| ;; | |
| esac | |
| echo "stack_name=$STACK_NAME" >> "$GITHUB_OUTPUT" | |
| echo "Stack name: $STACK_NAME" | |
| - name: Generate CDK context | |
| env: | |
| COMPUTE_TYPE: ${{ matrix.compute_type }} | |
| STACK_NAME: ${{ steps.naming.outputs.stack_name }} | |
| TAG_SHA: ${{ steps.tags.outputs.sha }} | |
| TAG_REF: ${{ steps.tags.outputs.ref }} | |
| TAG_REF_TYPE: ${{ steps.tags.outputs.ref-type }} | |
| TAG_ACTOR: ${{ github.actor }} | |
| TAG_HEAD_REF: ${{ steps.tags.outputs.head-ref }} | |
| TAG_BASE_REF: ${{ steps.tags.outputs.base-ref }} | |
| TAG_PR_NUMBER: ${{ steps.tags.outputs.pr-number }} | |
| TAG_RUN_ID: ${{ github.run_id }} | |
| TAG_RUN_ATTEMPT: ${{ github.run_attempt }} | |
| TAG_EVENT: ${{ github.event_name }} | |
| TAG_WORKFLOW: ${{ github.workflow }} | |
| TAG_REPOSITORY: ${{ github.repository }} | |
| run: | | |
| jq -n \ | |
| --arg compute_type "$COMPUTE_TYPE" \ | |
| --arg stackName "$STACK_NAME" \ | |
| --arg sha "$TAG_SHA" \ | |
| --arg ref "$TAG_REF" \ | |
| --arg ref_type "$TAG_REF_TYPE" \ | |
| --arg actor "$TAG_ACTOR" \ | |
| --arg head_ref "$TAG_HEAD_REF" \ | |
| --arg base_ref "$TAG_BASE_REF" \ | |
| --arg pr_number "$TAG_PR_NUMBER" \ | |
| --arg run_id "$TAG_RUN_ID" \ | |
| --arg run_attempt "$TAG_RUN_ATTEMPT" \ | |
| --arg event "$TAG_EVENT" \ | |
| --arg workflow "$TAG_WORKFLOW" \ | |
| --arg repository "$TAG_REPOSITORY" \ | |
| '{ | |
| "compute_type": $compute_type, | |
| "stackName": $stackName, | |
| "github:sha": $sha, | |
| "github:ref": $ref, | |
| "github:ref-type": $ref_type, | |
| "github:actor": $actor, | |
| "github:head-ref": $head_ref, | |
| "github:base-ref": $base_ref, | |
| "github:pr-number": $pr_number, | |
| "github:run-id": $run_id, | |
| "github:run-attempt": $run_attempt, | |
| "github:event": $event, | |
| "github:workflow": $workflow, | |
| "github:repository": $repository, | |
| "github:clean": "true" | |
| }' > cdk/cdk.context.json | |
| cat cdk/cdk.context.json | |
| - name: Install mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 | |
| with: | |
| cache: true | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: 22.x | |
| - name: Cache node_modules | |
| id: cache-node-modules | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: node_modules | |
| key: node-modules-${{ runner.os }}-${{ hashFiles('yarn.lock') }} | |
| - name: Cache agent venv | |
| id: cache-agent-venv | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: agent/.venv | |
| key: agent-venv-${{ runner.os }}-${{ hashFiles('agent/uv.lock') }} | |
| - name: Cache Jest transforms | |
| id: cache-jest | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: cdk/.jest-cache | |
| key: jest-${{ runner.os }}-${{ hashFiles('yarn.lock') }}-${{ github.sha }} | |
| restore-keys: | | |
| jest-${{ runner.os }}-${{ hashFiles('yarn.lock') }}- | |
| - name: Cache TypeScript build info | |
| id: cache-tsc | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: | | |
| cdk/tsconfig.tsbuildinfo | |
| cli/tsconfig.tsbuildinfo | |
| key: tsc-${{ runner.os }}-${{ hashFiles('cdk/src/**', 'cdk/tsconfig.json', 'cdk/tsconfig.dev.json', 'cli/src/**', 'cli/tsconfig.json') }} | |
| restore-keys: | | |
| tsc-${{ runner.os }}- | |
| - name: Install dependencies | |
| env: | |
| CACHE_NODE: ${{ steps.cache-node-modules.outputs.cache-hit }} | |
| CACHE_VENV: ${{ steps.cache-agent-venv.outputs.cache-hit }} | |
| CACHE_JEST: ${{ steps.cache-jest.outputs.cache-hit }} | |
| run: | | |
| echo "::group::Cache status" | |
| echo "node_modules: ${CACHE_NODE:-MISS}" | |
| echo "agent .venv: ${CACHE_VENV:-MISS}" | |
| echo "jest transforms: ${CACHE_JEST:-MISS}" | |
| echo "::endgroup::" | |
| SECONDS=0 | |
| mise run install | |
| echo "::notice::Install completed in ${SECONDS}s (node_modules=${CACHE_NODE:-miss}, venv=${CACHE_VENV:-miss}, jest=${CACHE_JEST:-miss})" | |
| - name: build | |
| env: | |
| TMPDIR: ${{ runner.temp }} | |
| run: | | |
| echo "::notice::Runner: $(nproc) cores, $(free -h | awk '/Mem:/{print $2}') RAM" | |
| SECONDS=0 | |
| mise run build | |
| echo "::notice::Build completed in ${SECONDS}s ($(nproc) cores, mise parallel DAG)" | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | |
| continue-on-error: true | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: cdk/coverage/lcov.info,cli/coverage/lcov.info,agent/coverage/lcov.info | |
| fail_ci_if_error: false | |
| - name: Upload CDK artifact (${{ matrix.compute_type }}) | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: cdk-${{ matrix.compute_type }}-out | |
| path: | | |
| cdk/cdk.out/ | |
| cdk/cdk.context.json | |
| - name: Write deploy intent | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| GH_REF_NAME: ${{ github.ref_name }} | |
| DISPATCH_DEPLOY: ${{ inputs.deploy }} | |
| COMPUTE_TYPE: ${{ matrix.compute_type }} | |
| # Keep in sync with matrix.compute_type above, inputs.deploy.options, | |
| # and deploy.yml ALLOWED_COMPUTE_TYPES | |
| ALLOWED_COMPUTE_TYPES: "agentcore" | |
| run: | | |
| # exit (not return) — no recovery path; invalid dispatch input must abort the step | |
| validate_compute_type() { | |
| local type="$1" | |
| for allowed in $ALLOWED_COMPUTE_TYPES; do | |
| [[ "$type" == "$allowed" ]] && return 0 | |
| done | |
| echo "::error::Invalid compute_type: '$type'. Allowed: $ALLOWED_COMPUTE_TYPES" | |
| exit 1 | |
| } | |
| case "$EVENT_NAME" in | |
| push) | |
| if [[ "$GH_REF_NAME" == "main" ]]; then | |
| INTENT="$COMPUTE_TYPE" | |
| else | |
| INTENT="-" | |
| fi | |
| ;; | |
| workflow_dispatch) | |
| if [[ "$DISPATCH_DEPLOY" != "-" ]]; then | |
| validate_compute_type "$DISPATCH_DEPLOY" | |
| fi | |
| INTENT="$DISPATCH_DEPLOY" | |
| ;; | |
| pull_request|pull_request_target) | |
| INTENT="labels" | |
| ;; | |
| *) | |
| INTENT="-" | |
| ;; | |
| esac | |
| jq -n --arg deploy "$INTENT" '{"deploy":$deploy}' > deploy-intent.json | |
| echo "Deploy intent: $INTENT" | |
| - name: Upload deploy intent | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: deploy-intent | |
| path: deploy-intent.json | |
| - name: Find mutations | |
| id: self_mutation | |
| run: |- | |
| git add . | |
| git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT | |
| shell: bash | |
| working-directory: ./ | |
| - name: Upload patch | |
| if: steps.self_mutation.outputs.self_mutation_happened | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: repo.patch | |
| path: repo.patch | |
| overwrite: true | |
| - name: Fail build on mutation | |
| if: steps.self_mutation.outputs.self_mutation_happened | |
| run: |- | |
| echo "::error::Files were changed during build (see build log). Please run the build locally and commit the changes." | |
| cat repo.patch | |
| exit 1 |
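Review bot: The job-level `env` block exports `GITHUB_TOKEN`, `GITHUB_API_TOKEN` and `AQUA_GITHUB_TOKEN` to every step, so `mise run install` and `mise run build`, which execute code from the checked-out pull request, receive a token that this job grants `actions: write`. That undoes part of what `persist-credentials: false` on the Checkout step is for. Consider moving the three variables into a step-level `env:` on only the steps that need them for tool downloads (presumably `Install mise`, possibly `Install dependencies`; confirm). Also check whether `actions: write` is needed at all: upload-artifact normally authenticates with the runner's own runtime token rather than `GITHUB_TOKEN`, so the line could probably be dropped. Separately, the `self-hosted` label branch of `runs-on` sends pull-request code to a self-hosted runner, which is only safe if those runners are ephemeral and labelling is restricted to maintainers; a comment next to the `# Runner priority` line stating that assumption would help.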