Add support for additional, validation jobs

Author: mbg

pr-checks/sync.ts

@@ -32,8 +32,6 @@ type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;
  * Represents PR check specifications.
  */
 interface Specification extends JobSpecification {
-  /** The display name for the check. */
-  name: string;
   /** Workflow-level input definitions forwarded to `workflow_dispatch`/`workflow_call`. */
   inputs?: Record<string, WorkflowInput>;
   /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
@@ -50,12 +48,17 @@ interface Specification extends JobSpecification {
   /** Service containers for the job. */
   services?: any;
 
+  /** Additional jobs to run after the main PR check job. */
+  validationJobs?: Record<string, JobSpecification>;
+
   /** If set, this check is part of a named collection that gets its own caller workflow. */
   collection?: string;
 }
 
 /** Represents job specifications. */
 interface JobSpecification {
+  /** The display name for the check. */
+  name: string;
   /** Custom permissions override for the job. */
   permissions?: Record<string, string>;
   /** Extra environment variables for the job. */
@@ -467,6 +470,77 @@ function generateJob(
   return { checkJob, workflowInputs };
 }
 
+/** Generates a validation job. */
+function generateValidationJob(
+  specDocument: yaml.Document,
+  jobSpecification: JobSpecification,
+  checkName: string,
+  name: string,
+) {
+  // Extract the sequence of steps from the YAML document to persist as much formatting as possible.
+  const specSteps = specDocument.getIn([
+    "validationJobs",
+    name,
+    "steps",
+  ]) as yaml.YAMLSeq;
+
+  const validationJob: Record<string, any> = {
+    name: jobSpecification.name,
+    if: "github.triggering_actor != 'dependabot[bot]'",
+    needs: [checkName],
+    permissions: {
+      contents: "read",
+      "security-events": "read",
+    },
+    "timeout-minutes": 5,
+    "runs-on": "ubuntu-slim",
+    steps: specSteps,
+  };
+
+  if (jobSpecification.permissions) {
+    validationJob.permissions = jobSpecification.permissions;
+  }
+
+  for (const key of ["env"] as const) {
+    if (jobSpecification[key] !== undefined) {
+      validationJob[key] = jobSpecification[key];
+    }
+  }
+
+  validationJob.env = validationJob.env ?? {};
+  if (!("CODEQL_ACTION_TEST_MODE" in validationJob.env)) {
+    validationJob.env.CODEQL_ACTION_TEST_MODE = true;
+  }
+
+  return validationJob;
+}
+
+/** Generates additional jobs that run after the main check job, based on the `validationJobs` property. */
+function generateValidationJobs(
+  specDocument: yaml.Document,
+  checkSpecification: Specification,
+  checkName: string,
+): Record<string, any> {
+  if (checkSpecification.validationJobs === undefined) {
+    return {};
+  }
+
+  const validationJobs: Record<string, any> = {};
+
+  for (const [jobName, validationJob] of Object.entries(
+    checkSpecification.validationJobs,
+  )) {
+    validationJobs[jobName] = generateValidationJob(
+      specDocument,
+      validationJob,
+      checkName,
+      jobName,
+    );
+  }
+
+  return validationJobs;
+}
+
 /**
  * Main entry point for the sync script.
  */
@@ -517,6 +591,12 @@ function main(): void {
       });
     }
 
+    const validationJobs = generateValidationJobs(
+      specDocument,
+      checkSpecification,
+      checkName,
+    );
+
     let extraGroupName = "";
     for (const inputName of Object.keys(workflowInputs)) {
       extraGroupName += "-${{inputs." + inputName + "}}";
@@ -561,6 +641,7 @@ function main(): void {
       },
       jobs: {
         [checkName]: checkJob,
+        ...validationJobs,
       },
     };