Sync ci and publish workflows #100
name: CI

on:
  pull_request:
  # The merge queue must be required on the branches below: there is no push
  # trigger in this workflow, so the queue is what makes every commit landing
  # on them pass through it.
  merge_group:
    branches:
      - main
      - next
      - 'maintenance/v[0-9]+'

# Workflow-wide default token scope. A job that declares its own permissions
# block replaces this default for that job.
permissions:
  contents: read

# Runs are grouped by workflow name and commit SHA; a newer run in the same
# group cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.sha }}
  cancel-in-progress: true
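jobs:
  # Static analysis of the workflow files themselves.
  lint-workflows:
    name: Lint workflows
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow default, so this
    # job's token carries only the scopes listed here.
    # NOTE(review): contents is not listed; checkout then depends on the
    # repository being publicly readable - confirm for private use.
    permissions:
      actions: read # only required in private repos
      # security-events: write is intentionally not requested: with
      # advanced-security set to false below, findings are reported as
      # annotations rather than uploaded as SARIF.
    steps:
      - name: Check out repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the token out of the checked-out .git config.
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          persona: pedantic
          annotations: true
          advanced-security: false

  # Build plus integration tests; the only job whose token can write.
  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Integration tests push to the repo, which requires a token with write
    # access. Fork PRs only get a read-only GITHUB_TOKEN, so skip them here
    # and rely on merge_group to gate the merge.
    # merge_group runs always satisfy this condition, so a queued change is
    # built and tested with the write-scoped token whatever its origin:
    # approval to enter the merge queue is the trust decision.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: write # integration tests create and push temporary branches
    steps:
      - name: Check out repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2 # integration tests read the two most recent local commits
          persist-credentials: false
      - uses: ./.github/actions/ci-setup
        with:
          # Avoid cache poisoning from the only job with write access, just
          # in case.
          skip-cache: true
      - name: Build
        run: pnpm build
      - name: Integration tests
        run: pnpm test:integration
        # The token is exported to this step only; the Build step above does
        # not receive it in its environment.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  typecheck:
    name: Typecheck
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/ci-setup
      - name: Codegen
        run: pnpm codegen:github
      - name: Typecheck
        run: pnpm typecheck

  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/ci-setup
      - name: Codegen
        run: pnpm codegen:github
      - name: Lint
        run: pnpm lint
      - name: Format
        run: pnpm format

  # Single aggregate status for the jobs listed in needs.
  ci-ok:
    name: CI OK
    runs-on: ubuntu-latest
    # Run even when a needed job failed, so the failure is reported here
    # instead of this job being skipped.
    if: always()
    needs: [lint-workflows, test, typecheck, lint]
    # This job only evaluates the results of other jobs and never touches the
    # repository, so its token needs no scopes at all.
    permissions: {}
    steps:
      # Only 'failure' and 'cancelled' fail the gate; a skipped job (test on
      # fork pull requests) does not.
      - name: Exit with error if some jobs are not successful
        run: exit 1
        if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}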