chore: version packages #8335
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Lint & Type Check | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| lint: | |
| name: ESLint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: "20" | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v6 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-v3-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store-v3- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| # Enforces the no-restricted-imports guard against @objectstack/spec root | |
| # namespace imports (the dormant rule was never run in CI). Syntactic | |
| # only, so no build step needed. | |
| - name: ESLint | |
| run: pnpm lint | |
| # Docs/skills authoring guard (#2035 / ADR-0059): TS code blocks in | |
| # Markdown/MDX are not type-checked or ESLinted, so skills/ and | |
| # content/docs/ can drift back to teaching the bare `: Page = {}` literal | |
| # while the examples (which ARE linted) stay clean. This fails on any bare | |
| # metadata literal for the 16 factory domains in a doc code block. | |
| - name: Doc/skill authoring guard | |
| run: pnpm check:doc-authoring | |
| # ADR-0090 D3 vocabulary ratchet: "role" is reserved-forbidden in docs | |
| # and skills. Existing occurrences are frozen in the baseline (better-auth | |
| # boundary, ARIA samples, educational mentions); NEW occurrences fail. | |
| # Improvements ratchet the baseline down via --update. | |
| - name: Reserved-word ("role") docs ratchet | |
| run: pnpm check:role-word | |
| # Authorization resolution must stay single-sourced (resolveAuthzContext, | |
| # @objectstack/core). Guards against a duplicate resolver copy drifting on a | |
| # security path (the REST-vs-dispatcher sys_user_role drift) and against an | |
| # entry point silently dropping the delegation. | |
| - name: Single authz resolver guard | |
| run: pnpm check:authz-resolver | |
| # Release-notes drift guard: the platform is one version-locked train, so | |
| # every released @objectstack/spec major must have a curated, navigable | |
| # release page at content/docs/releases/v<major>.mdx. Catches the gap that | |
| # let v10–v14 ship with no page while spec was already at 14.x. | |
| - name: Release-notes drift guard | |
| run: pnpm check:release-notes | |
| typecheck: | |
| name: TypeScript Type Check | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Verify pnpm version | |
| run: pnpm --version | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v6 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-v3-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store-v3- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Type check (@objectstack/spec) | |
| run: pnpm --filter @objectstack/spec exec tsc --noEmit | |
| # Example apps are AI-authoring reference templates; a red typecheck is a | |
| # bad signal to copy from. tsup transpiles them without a full typecheck, | |
| # so build alone will not catch type drift — typecheck them explicitly. | |
| # They import from built workspace packages, so the packages must be built | |
| # first for cross-package type resolution to succeed. | |
| - name: Build workspace packages | |
| run: pnpm exec turbo run build --filter='./packages/*' | |
| - name: Type check example apps | |
| run: pnpm --filter './examples/*' run typecheck | |
| # Backward-compatibility gate: a frozen third-party-style consumer | |
| # (#2035). Unlike the examples it must NOT be migrated to accommodate a | |
| # spec change — a red typecheck here means the spec dropped/narrowed an | |
| # export a published-spec third party already uses. See the package README. | |
| - name: Type check downstream consumer contract | |
| run: pnpm --filter @objectstack/downstream-contract run typecheck | |
| # Public API-surface gate (#2035): the spec package IS the third-party API. | |
| # A removed/renamed export silently breaks every consumer pinned to a | |
| # published release. This diffs the built export surface against the | |
| # committed snapshot; intentional changes regenerate it via | |
| # `pnpm --filter @objectstack/spec gen:api-surface`. Runs after the build | |
| # step above (reads the built dist). | |
| - name: Check @objectstack/spec public API surface | |
| run: pnpm --filter @objectstack/spec run check:api-surface |