-
Notifications
You must be signed in to change notification settings - Fork 33
129 lines (119 loc) · 4.55 KB
/
Copy pathci.yml
File metadata and controls
129 lines (119 loc) · 4.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: CI
# Aggregator workflow that fans out to every PR-gating workflow as a single,
# always-running check. Configure branch protection to require only the "CI"
# status; downstream workflows will run automatically. This avoids the
# previous footgun where path-filtered workflows skipped entire PRs (so all
# checks showed "passing" without ever executing — see #147).
#
# Each child workflow is conditionally invoked based on the paths a PR
# touched, mirroring the path filters that used to live in each child.
# Children that get skipped via `if:` count as "skipped" in the CI rollup
# (not "failed"), so the parent "CI" status reaches SUCCESS and branch
# protection is satisfied. Push-to-main and manual dispatch always run
# everything regardless of changed paths.
on:
workflow_dispatch:
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
branches: ["main"]
push:
branches: ["main"]
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
contents: read
# Reusable child workflows (builds.yml, tests.yml) request actions:read
# (GHA cache) and packages:read (GHCR). GitHub clamps a child workflow's
# permissions to the MIN of (caller's permissions, child's request), so
# we must grant these at the caller level even though ci.yml itself
# doesn't use them. Without this, callers get
# "actions: read, packages: read" but is only allowed "actions: none, packages: none"
actions: read
packages: read
jobs:
# Compute once which path groups changed; every other job references these
# outputs. dorny/paths-filter handles PR base diff, push base diff, and
# empty results on non-diff events (workflow_dispatch); the `if:` guards
# below explicitly opt non-PR events back into running everything.
changes:
name: Detect changes
runs-on: ubuntu-latest
outputs:
builds: ${{ steps.filter.outputs.builds }}
tests: ${{ steps.filter.outputs.tests }}
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3
id: filter
with:
filters: |
builds:
- src/**
- include/**
- cpp-example-collection/**
- bridge/**
- client-sdk-rust/**
- cmake/**
- scripts/**
- CMakeLists.txt
- build.sh
- build.cmd
- .build-info.json.in
- vcpkg.json
- CMakePresets.json
- docker/Dockerfile.base
- docker/Dockerfile.sdk
- .clang-format
- .github/workflows/ci.yml
- .github/workflows/builds.yml
tests:
- src/**
- include/**
- client-sdk-rust/**
- CMakeLists.txt
- CMakePresets.json
- build.sh
- build.cmd
- vcpkg.json
- .token_helpers/**
- .github/workflows/ci.yml
- .github/workflows/tests.yml
docs:
# Quoted because YAML treats a leading `*` as an alias
# reference and would otherwise reject this scalar.
- "**/*.md"
- include/**
- src/**
- docs/**
- scripts/generate-docs.sh
- .github/workflows/ci.yml
- .github/workflows/generate-docs.yml
- .github/workflows/publish-docs.yml
builds:
name: Builds
needs: changes
if: ${{ needs.changes.outputs.builds == 'true' || github.event_name != 'pull_request' }}
uses: ./.github/workflows/builds.yml
secrets: inherit
tests:
name: Tests
needs: changes
if: ${{ needs.changes.outputs.tests == 'true' || github.event_name != 'pull_request' }}
uses: ./.github/workflows/tests.yml
secrets: inherit
# license-check and pin-check are cheap (seconds) and have no meaningful
# path scope (any source change can affect license headers; any action
# bump can affect pinning), so they always run.
license-check:
name: License Check
uses: ./.github/workflows/license_check.yml
pin-check:
name: Pin Check
uses: ./.github/workflows/pin_check.yml
generate-docs:
name: Generate Docs
needs: changes
if: ${{ needs.changes.outputs.docs == 'true' || github.event_name != 'pull_request' }}
uses: ./.github/workflows/generate-docs.yml