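name: CI (PR)
# `pull_request` (not `pull_request_target`): by default, runs triggered from a
# fork get a read-only GITHUB_TOKEN and no repository secrets.
on:
  pull_request:
# Least-privilege GITHUB_TOKEN: only repo checkout needs a scope here. The
# pnpm/Turbo caches (actions/cache) use the runner's cache runtime token, not
# GITHUB_TOKEN, so no `actions` scope is required.
permissions:
  contents: read
# One concurrency group per pull request. Keyed on the PR number rather than
# `github.head_ref`: head_ref is only the branch name, so pull requests opened
# from different forks under the same branch name would share a group and,
# with cancel-in-progress enabled, cancel each other's runs.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true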
jobs:
  # Decides whether the PR diff is "inert", i.e. touches only files that cannot
  # change build/test/fixture results, so the heavy jobs can skip their
  # expensive steps. Fail-safe: the diff counts as inert only when *every*
  # changed file matches the allow-list (not in this file; presumably kept in
  # the detect-inert-diff action); a single unrecognized path forces a full
  # run. Required jobs still start and report (Pattern 1), which keeps the
  # branch ruleset satisfied on docs-only PRs while the Postgres-backed work
  # is skipped.
  #
  # NOTE(review): the detector is a local action loaded from the PR's own
  # checkout, so its verdict is only as trustworthy as the PR's copy of it.
  # Changes under .github/actions/detect-inert-diff deserve the same review
  # as changes to this workflow.
  changes:
    name: Detect inert diff
    runs-on: ubuntu-latest
    outputs:
      inert: ${{ steps.detect.outputs.inert }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Keep the token out of the local git config so later steps in the
          # job cannot reuse it.
          persist-credentials: false
          # Full history; presumably the detector diffs against the base
          # branch -- confirm in the action.
          fetch-depth: 0
      - id: detect
        uses: ./.github/actions/detect-inert-diff

  # Builds the workspace once. The lint job's comment describes this job as
  # the single writer of the shared Turbo/pnpm caches.
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      # --frozen-lockfile: fail instead of updating pnpm-lock.yaml, so CI
      # installs exactly what the lockfile records.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build
        run: pnpm build
      # Presumably fails when the build left uncommitted changes behind --
      # confirm in the check:clean-tree script.
      - name: Check working tree is clean
        run: pnpm check:clean-tree

  # Type-checks packages and examples after restoring the build outputs.
  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Generate Prisma client
        run: pnpm --filter prisma-orm-demo prisma:generate
      - name: Build packages (restored from Turbo cache)
        run: pnpm build
      - name: Type check packages
        run: pnpm typecheck:packages
      - name: Type check examples
        run: pnpm typecheck:examples

  lint:
    name: Lint
    runs-on: ubuntu-latest
    # The dependency on build exists only for cache coherence: build is the
    # single writer of the shared Turbo/pnpm caches, so every other job
    # restores an exact-key hit and skips saving. Without it, lint (which does
    # no build) could win the cache-save race and persist a build-less cache.
    needs: build
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          # `check:upgrade-coverage` diffs HEAD against `origin/main`; it
          # needs enough history for `git diff origin/main..HEAD` to resolve.
          fetch-depth: 0
      # Runs without stored credentials (persist-credentials is false above).
      - name: Fetch base branch (origin/main)
        run: git fetch --no-tags origin main:refs/remotes/origin/main
      - uses: ./.github/actions/setup
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Lint dependencies
        run: pnpm lint:deps
      - name: Lint code shape
        run: pnpm lint:code
      - name: Lint packages
        run: pnpm lint:packages
      - name: Lint examples
        run: pnpm lint:examples
      - name: Validate rules
        run: pnpm lint:rules
      - name: Validate rule symlinks
        run: pnpm lint:rules:symlinks
      - name: Validate skills
        run: pnpm lint:skills
      - name: Check rules footprint
        run: pnpm lint:rules:footprint
      - name: Validate package READMEs
        run: pnpm lint:docs
      - name: Validate package manifests (license declarations)
        run: pnpm lint:manifests
      # Guardrail on the workflow files themselves. Presumably rejects
      # privileged triggers combined with a checkout of PR code -- confirm in
      # the lint:workflows script.
      - name: Lint workflow triggers (forbid Pwn Request pattern)
        run: pnpm lint:workflows
      - name: Test scripts/
        run: pnpm test:scripts
      - name: Lint casts
        run: pnpm lint:casts
      - name: Check upgrade-instruction coverage
        run: pnpm check:upgrade-coverage --mode pr
      - name: Check release notes
        run: pnpm check:release-notes --mode pr

  # Verifies that checked-in fixtures are current. Every step after setup is
  # gated on the `changes` verdict, so on an inert diff the job still reports
  # success without doing the work.
  fixtures:
    name: Fixtures
    runs-on: ubuntu-latest
    needs: [build, changes]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Install dependencies
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Build (restored from Turbo cache)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm build
      # Second install, after the build, so the freshly built bins get linked.
      - name: Link built binaries
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Check fixtures are up to date
        if: needs.changes.outputs.inert != 'true'
        run: pnpm fixtures:check

  # Package and example tests against Postgres.
  test:
    name: Test
    runs-on: ubuntu-latest
    needs: [build, changes]
    env:
      TEST_TIMEOUT_MULTIPLIER: '2'
      # Used by examples/prisma-next-cloudflare-worker's vitest-pool-workers
      # integration test. Mirrors the .env.example pattern; the container is
      # brought up by `pnpm db:up` below (docker-compose, not a service
      # container, because GitHub Actions service containers can't override
      # the postgres CMD to enable
      # shared_preload_libraries=pg_stat_statements).
      WRANGLER_HYPERDRIVE_LOCAL_CONNECTION_STRING_HYPERDRIVE: 'postgres://postgres:postgres@127.0.0.1:5433/prisma_next_cloudflare_worker'
    services:
      postgres:
        # NOTE(review): the image is referenced by a mutable tag while every
        # action in this file is pinned to a commit SHA; pinning the image by
        # digest would give the same guarantee. The same applies to the
        # test-e2e, test-integration and coverage jobs.
        image: postgres:15
        # Throwaway credentials for a database that exists only for this job.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - '5432:5432'
        options: >-
          --health-cmd="pg_isready -U postgres"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      # Two-phase install: the first pass skips lifecycle scripts, the build
      # produces the bins, and the second pass (without --ignore-scripts)
      # links them.
      - name: Install dependencies (skip bin linking)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Build packages (restored from Turbo cache; needed for bin linking)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm build
      - name: Link bins
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Start cloudflare-worker Postgres (5433, pg_stat_statements)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm --filter prisma-next-cloudflare-worker db:up
      - name: Test packages
        if: needs.changes.outputs.inert != 'true'
        run: pnpm test:packages
      - name: Test examples
        if: needs.changes.outputs.inert != 'true'
        run: pnpm test:examples
      - name: Check working tree is clean
        if: needs.changes.outputs.inert != 'true'
        run: pnpm check:clean-tree

  # End-to-end tests against the Postgres service container.
  test-e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    needs: [build, changes]
    env:
      TEST_TIMEOUT_MULTIPLIER: '2'
    services:
      postgres:
        image: postgres:15
        # Throwaway credentials for a database that exists only for this job.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - '5432:5432'
        options: >-
          --health-cmd="pg_isready -U postgres"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Install dependencies
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Build (restored from Turbo cache)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm build
      - name: Run E2E tests
        if: needs.changes.outputs.inert != 'true'
        run: pnpm test:e2e
      - name: Check working tree is clean
        if: needs.changes.outputs.inert != 'true'
        run: pnpm check:clean-tree

  # Integration tests against the Postgres service container.
  test-integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: [build, changes]
    env:
      TEST_TIMEOUT_MULTIPLIER: '2'
    services:
      postgres:
        image: postgres:15
        # Throwaway credentials for a database that exists only for this job.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - '5432:5432'
        options: >-
          --health-cmd="pg_isready -U postgres"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Install dependencies
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Build (restored from Turbo cache)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm build
      - name: Run Integration tests
        if: needs.changes.outputs.inert != 'true'
        run: pnpm test:integration
      - name: Check working tree is clean
        if: needs.changes.outputs.inert != 'true'
        run: pnpm check:clean-tree

  # Coverage run and report, with the same Postgres service as the test jobs.
  coverage:
    name: Coverage
    runs-on: ubuntu-latest
    needs: [build, changes]
    env:
      TEST_TIMEOUT_MULTIPLIER: '2'
    services:
      postgres:
        image: postgres:15
        # Throwaway credentials for a database that exists only for this job.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - '5432:5432'
        options: >-
          --health-cmd="pg_isready -U postgres"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      - name: Install dependencies
        if: needs.changes.outputs.inert != 'true'
        run: pnpm install --frozen-lockfile
      - name: Build (restored from Turbo cache)
        if: needs.changes.outputs.inert != 'true'
        run: pnpm build
      - name: Generate coverage and report
        if: needs.changes.outputs.inert != 'true'
        run: node scripts/coverage-report.mjs
      - name: Check working tree is clean
        if: needs.changes.outputs.inert != 'true'
        run: pnpm check:clean-tree