feat: non-root runner user, --ephemeral, configurable runner version (Phase 4) #11
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR automations | |
| on: | |
| pull_request: | |
| jobs: | |
| lint-code: | |
| name: Lint code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: '**/node_modules' | |
| key: ec2-github-runner-${{ hashFiles('**/package-lock.json') }} | |
| - name: Install packages | |
| run: npm install | |
| - name: Run linter | |
| run: npm run lint | |
| verify-dist: | |
| name: Verify dist is up to date | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: npm | |
| - name: Install packages | |
| run: npm ci | |
| - name: Rebuild dist | |
| run: npm run package | |
| - name: Fail if dist/ differs from committed copy | |
| # ncc 0.38 produces code-split chunks alongside dist/index.js | |
| # (e.g. dist/136.index.js); the whole dist/ tree must stay in | |
| # sync with src/. | |
| run: | | |
| if ! git diff --quiet -- dist/ || [ -n "$(git status --porcelain -- dist/)" ]; then | |
| echo "::error::dist/ is out of sync with src/." | |
| echo "::error::Run 'npm run package' locally and commit the rebuilt dist/." | |
| git status --porcelain -- dist/ | |
| git diff --stat -- dist/ | |
| exit 1 | |
| fi | |
| unit-tests: | |
| name: Unit tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: npm | |
| - name: Install packages | |
| run: npm ci | |
| - name: Run jest | |
| run: npm test | |
| verify-runner-url: | |
| name: Verify pinned actions/runner release exists | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Extract default runner version from action.yml | |
| id: extract | |
| run: | | |
| # action.yml declares: | |
| # runner-version: | |
| # ... | |
| # default: '2.333.1' | |
| version=$(awk '/^ runner-version:/{found=1} found && /^ default:/{gsub(/[^0-9.]/, "", $2); print $2; exit}' action.yml) | |
| if [ -z "$version" ]; then | |
| echo "::error::Could not locate the default runner-version in action.yml" | |
| exit 1 | |
| fi | |
| echo "version=$version" >> "$GITHUB_OUTPUT" | |
| echo "Default actions/runner: v$version" | |
| - name: HEAD check the Linux x64 release asset | |
| env: | |
| VERSION: ${{ steps.extract.outputs.version }} | |
| run: | | |
| url="https://github.com/actions/runner/releases/download/v${VERSION}/actions-runner-linux-x64-${VERSION}.tar.gz" | |
| echo "Checking $url" | |
| curl -fsSLI -o /dev/null "$url" |