forked from strands-agents/harness-sdk
-
Notifications
You must be signed in to change notification settings - Fork 0
105 lines (97 loc) · 3.25 KB
/
Copy pathci.yml
File metadata and controls
105 lines (97 loc) · 3.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
name: CI
on:
pull_request:
branches: [main]
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
detect-changes:
name: Detect Changes
runs-on: ubuntu-latest
permissions:
pull-requests: read
contents: read
outputs:
python: ${{ steps.filter.outputs.python }}
typescript: ${{ steps.filter.outputs.typescript }}
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@v7
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
id: filter
with:
# `**/!(*.md)` excludes docs-only changes from the SDK test matrices; keep it an
# extglob, not a `!**/*.md` negation (paths-filter OR-s patterns, so a bare negation fires on everything).
filters: |
python:
- 'strands-py/**/!(*.md)'
- '.github/workflows/python-*'
- '.github/workflows/ci.yml'
typescript:
- 'strands-ts/**/!(*.md)'
- 'strandly/**'
- 'package.json'
- 'package-lock.json'
- '.github/workflows/typescript-*'
- '.github/workflows/ci.yml'
docs:
- 'site/**'
- '.github/workflows/docs-*'
- '.github/workflows/ci.yml'
dependency-review:
name: Dependency Review
# Repo-level security gate covering every ecosystem in the monorepo
# (npm + Python) via GitHub's dependency graph. Diffs the PR against its
# base and fails only on vulnerabilities the PR introduces (adds or bumps
# to a vulnerable version); pre-existing advisories do not block.
# PR-only: it needs a base ref to diff, so it is skipped on dispatch.
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v7
with:
persist-credentials: false
- uses: actions/dependency-review-action@v5
with:
fail-on-severity: high
python:
name: Python
needs: detect-changes
if: needs.detect-changes.outputs.python == 'true'
uses: ./.github/workflows/python-test-lint.yml
permissions:
contents: read
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
typescript:
name: TypeScript
needs: detect-changes
if: needs.detect-changes.outputs.typescript == 'true'
uses: ./.github/workflows/typescript-pr-and-push.yml
permissions:
contents: read
docs:
name: Docs
needs: detect-changes
if: needs.detect-changes.outputs.docs == 'true'
uses: ./.github/workflows/docs-ci.yml
permissions:
contents: read
ci-gate:
name: CI Gate
if: always()
needs: [detect-changes, dependency-review, python, typescript, docs]
runs-on: ubuntu-latest
permissions: {}
steps:
- uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
with:
allowed-skips: dependency-review, python, typescript, docs
jobs: ${{ toJSON(needs) }}