ci: run identical checks on PRs and main to keep them in lockstep

.circleci/config.yml

@@ -10,44 +10,10 @@ parameters:
 orbs:
   publish-docs: infinitered/publish-docs@0.4
 
-# Docker defaults
-defaults: &defaults
-  docker:
-    - image: cimg/node:18.16.1
-  working_directory: /mnt/ramdisk/repo
-
-# Jobs
-jobs:
-  test_and_build:
-    <<: *defaults
-    steps:
-      - checkout
-      # Restore Yarn cache (Yarn 3 uses .yarn/cache directory)
-      - restore_cache:
-          name: Restore Yarn Cache
-          keys:
-            - yarn-cache-{{ checksum "yarn.lock" }}
-      - run:
-          name: Use local Yarn version
-          command: echo "export PATH=$(pwd)/.yarn/releases:$PATH" >> $BASH_ENV
-      - run:
-          name: Install Dependencies
-          command: yarn install --immutable
-      # Save Yarn cache
-      - save_cache:
-          name: Save Yarn Cache
-          key: yarn-cache-{{ checksum "yarn.lock" }}
-          paths:
-            - .yarn/cache
-      - run:
-          name: Lint code
-          command: yarn lint
-      - run:
-          name: Build modules and packages
-          command: yarn ci:build
-      - run:
-          name: Run tests
-          command: yarn test
+# Lint/build/test now live in GitHub Actions (.github/workflows/ci.yml) so that
+# pull requests and `main` run the exact same checks. CircleCI is kept solely
+# for docs publishing, which relies on the Infinite Red publish-docs orb and
+# CircleCI-managed SSH access to the ir-docs repo.
 
 # Publishing docs details
 publish-details: &publish-details
@@ -67,7 +33,6 @@ workflows:
   version: 2
   build-and-test:
     jobs:
-      - test_and_build
       - publish-docs/build_docs:
           <<: *publish-details
           filters:

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+
+# Single source of truth for the checks that gate the repo.
+#
+# This workflow runs on every pull request AND is called by the release
+# workflow (via `workflow_call`) before anything is versioned or published.
+# Running the exact same `verify` job in both places keeps PR and `main`
+# checks in lockstep, so a PR can't go green and then break on merge.
+
+on:
+  pull_request:
+  workflow_call:
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    name: Lint, validate changesets, build, and test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          # Full history so `changeset status` can diff against the base branch.
+          fetch-depth: 0
+
+      - name: Setup Node.js 18.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+
+      - name: Install Dependencies
+        run: yarn install --immutable
+
+      - name: Lint code
+        run: yarn lint
+
+      # Catches changesets that reference packages that no longer exist (or were
+      # renamed) before they reach `main`, where `changeset version` would fail.
+      - name: Validate changesets
+        run: yarn changeset status
+
+      - name: Build modules and packages
+        run: yarn ci:build
+
+      - name: Run tests
+        run: yarn test

.github/workflows/release.yml

@@ -10,7 +10,14 @@
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 jobs:
+  # Run the same lint/changeset/build/test checks that gate every pull request
+  # (see ci.yml) before doing anything irreversible like versioning or
+  # publishing. This keeps `main` in lockstep with PRs.
+  verify:
+    name: "CI checks"
+    uses: ./.github/workflows/ci.yml
+
   version_or_release:
     # This job checks whether any changesets are present in './changesets'
     #
     #  - If changesets are present, it will run 'yarn version' which updates the
@@ -21,6 +28,7 @@
     #    etc.
     #
     name: "Changesets version or release"
+    needs: verify
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo