codeql-action/.github/workflows/pr-checks.yml at 9b6438e93682cb5c2fab835f4e49084118ab1106 · github/codeql-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: PR Checks

on:
  push:
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  merge_group:
    types: [checks_requested]
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:
  unit-tests:
    name: Unit Tests
    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node-version: [20, 24]
    permissions:
      contents: read
      security-events: write # needed to upload ESLint results
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    concurrency:
      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
      group: pr-checks-unit-tests-${{ github.ref }}-${{ github.event_name }}-${{ matrix.os }}-node${{ matrix['node-version'] }}

    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

      - uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
          # that are not available in the default shell on Windows.
          npm config set script-shell bash
          npm ci

      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

      - name: Run unit tests
        if: always()
        run: npm test

      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v4
        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
        with:
          sarif_file: eslint.sarif
          category: eslint

  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
  # job.
  pr-checks:
    name: PR Checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-slim
    timeout-minutes: 10

    concurrency:
      cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
      group: pr-checks-pr-checks-${{ github.ref }}-${{ github.event_name }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Need full history so we have both the PR merge commit (HEAD) and the base SHA locally
          # for `git archive` to work against either.
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
        working-directory: pr-checks
        run: npx tsx --test

      - name: Check repo size
        # Forks and Dependabot PRs don't have permission to write comments, so skip the check in
        # those cases.
        if: >-
          github.event_name == 'pull_request' &&
          github.event.pull_request.head.repo.full_name == github.repository &&
          github.event.pull_request.user.login != 'dependabot[bot]'
        working-directory: pr-checks
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: npx tsx check-repo-size.ts

      - name: Verify all Actions use the same Node version
        id: head-version
        run: |
          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
            exit 1
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

      - name: 'Backport: Check out base ref'
        id: checkout-base
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v6
        with:
          ref: ${{ github.base_ref }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi