Added script to test against templates and github action to run that test

russell-stern · russell-stern · commit 9bbbc7c0539d · 2026-04-30T09:13:20.000-04:00
diff --git a/.github/workflows/template-compatibility-comment.yml b/.github/workflows/template-compatibility-comment.yml
@@ -0,0 +1,130 @@
+name: Template Compatibility Comment
+
+# Triggered when the unprivileged "Template Compatibility Check" workflow
+# completes. This workflow has pull-requests: write so it can post PR comments,
+# but it never checks out or executes any external code — it only reads the
+# artifact produced by the check workflow.
+#
+# SECURITY: workflow_run always runs on the default branch, so this workflow
+# definition itself cannot be tampered with by a PR contributor. Artifact
+# contents are treated as untrusted strings and sanitized before use.
+
+on:
+  workflow_run:
+    workflows: ["Template Compatibility Check"]
+    types: [completed]
+  workflow_dispatch:  # temporary — remove before merging
+    inputs:
+      run_id:
+        required: true
+
+permissions:
+  pull-requests: write
+  actions: read # required to download artifacts from another workflow run
+
+jobs:
+  post-comment:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download results artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: template-compat-results
+          path: /tmp/compat-results
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Post or remove PR comment
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const fs = require('fs');
+
+            const read = (filename) => {
+              try { return fs.readFileSync(`/tmp/compat-results/${filename}`, 'utf8').trim(); }
+              catch { return ''; }
+            };
+
+            // Validate PR number — must be a positive integer.
+            const prNumber = parseInt(read('pr-number.txt'), 10);
+            if (!Number.isInteger(prNumber) || prNumber <= 0) {
+              console.log('Invalid or missing PR number in artifact; skipping comment.');
+              return;
+            }
+
+            const exitCode    = read('exit-code.txt');
+            const fullOutput  = read('output.txt');
+            // Sanitize values read from the artifact before embedding in markdown
+            // to prevent injection (e.g. a malicious branch name or script output
+            // containing markdown syntax that escapes a code fence).
+            const templatesRef = read('templates-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
+            const headRef      = read('head-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
+
+            const marker = '<!-- template-compat-comment -->';
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+            const existing = comments.find(c => c.body.includes(marker));
+
+            if (exitCode === '0') {
+              // Templates pass — remove any stale failure comment.
+              if (existing) {
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: existing.id,
+                });
+              }
+              return;
+            }
+
+            // Extract just the "Results" and "Failure Details" sections from output.
+            const resultsMatch = fullOutput.match(/={8,}\nResults:.*\n={8,}[\s\S]*/);
+            const failureSummary = resultsMatch ? resultsMatch[0].trim() : fullOutput.trim();
+
+            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.payload.workflow_run.id}`;
+            const refNote = templatesRef === 'main'
+              ? 'tested against `cre-templates:main`'
+              : `tested against \`cre-templates:${templatesRef}\` (compat branch)`;
+
+            const body = [
+              '## ⚠️ Template Compatibility Failures',
+              '',
+              `This PR breaks one or more templates in [cre-templates](https://github.com/smartcontractkit/cre-templates) (${refNote}).`,
+              '',
+              '```',
+              failureSummary,
+              '```',
+              '',
+              `[View full output →](${runUrl})`,
+              '',
+              '<details>',
+              '<summary>What should I do?</summary>',
+              '',
+              '- **Accidental break:** Fix the SDK change so existing templates continue to compile.',
+              `- **Intentional breaking change:** Create a branch in \`cre-templates\` named \`compat/${headRef}\` with the template fixes applied. This job will automatically retest against that branch.`,
+              '',
+              '</details>',
+            ].join('\n');
+
+            const commentBody = `${marker}\n${body}`;
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body: commentBody,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody,
+              });
+            }
diff --git a/.github/workflows/template-compatibility.yml b/.github/workflows/template-compatibility.yml
@@ -0,0 +1,153 @@
+name: Template Compatibility Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+# This job is informational — it is intentionally NOT a required status check
+# so that breaking SDK changes (major version bumps) can still be merged.
+# When templates break, a comment is posted on the PR with details.
+# For intentional breaking changes, create a matching branch in cre-templates
+# named compat/<your-sdk-branch-name> with the template fixes applied.
+# The job will automatically detect and test against that branch.
+
+permissions:
+  contents: read
+
+jobs:
+  template-compatibility:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash {0}
+
+    env:
+      TEMPLATES_REPO: smartcontractkit/cre-templates
+
+    steps:
+      - name: Checkout SDK
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Setup Rust (1.85.0) with wasm target
+        uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
+        with:
+          toolchain: 1.85.0
+          target: wasm32-wasip1
+          override: true
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+        with:
+          bun-version: 1.3.12
+
+      - name: Cache Bun dependencies
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ~/.bun/install/cache
+          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
+
+      - name: Cache cargo + Javy
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ~/.cache/javy
+          key: ${{ runner.os }}-cre-plugin-v8.1.0-${{ hashFiles('packages/cre-sdk-javy-plugin/src/javy_chainlink_sdk/Cargo.lock', 'packages/cre-sdk-javy-plugin/src/cre_generated_host.Cargo.lock') }}
+
+      - name: Install SDK dependencies
+        run: bun install --frozen-lockfile
+
+      # Detect whether a matching compat branch exists in cre-templates.
+      # If it does, we test against it (coordinated breaking change).
+      # If not, we fall back to main.
+      - name: Detect cre-templates ref to test against
+        id: detect-ref
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          SAFE_HEAD_REF="${HEAD_REF//[^a-zA-Z0-9._\/-]/}"
+          COMPAT_BRANCH="compat/$SAFE_HEAD_REF"
+
+          if gh api "repos/$TEMPLATES_REPO/branches/$COMPAT_BRANCH" &>/dev/null; then
+            echo "ref=$COMPAT_BRANCH" >> "$GITHUB_OUTPUT"
+            echo "Using compat branch: $COMPAT_BRANCH"
+          else
+            echo "ref=main" >> "$GITHUB_OUTPUT"
+            echo "No compat branch found, using: main"
+          fi
+
+      - name: Checkout cre-templates (${{ steps.detect-ref.outputs.ref }})
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ env.TEMPLATES_REPO }}
+          ref: ${{ steps.detect-ref.outputs.ref }}
+          path: cre-templates
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node (for npm)
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+
+      - name: Run template compatibility check
+        id: template-check
+        env:
+          TEMPLATES_DIR: cre-templates
+        run: |
+          set +e
+          OUTPUT=$(./scripts/test-templates.sh 2>&1)
+          EXIT_CODE=$?
+          set -e
+
+          echo "$OUTPUT" > /tmp/template-check-output.txt
+
+          # Surface it in the action log regardless
+          echo "$OUTPUT"
+
+          echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT"
+
+      # Bundle everything the comment workflow needs into an artifact.
+      # The comment workflow runs with pull-requests: write but must never
+      # execute external code — it only reads these files.
+      - name: Save results for comment workflow
+        if: always()
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          TEMPLATES_REF: ${{ steps.detect-ref.outputs.ref }}
+          HEAD_REF: ${{ github.head_ref }}
+          EXIT_CODE: ${{ steps.template-check.outputs.exit_code }}
+        run: |
+          mkdir -p /tmp/compat-results
+          printf '%s' "$PR_NUMBER"     > /tmp/compat-results/pr-number.txt
+          printf '%s' "$TEMPLATES_REF" > /tmp/compat-results/templates-ref.txt
+          printf '%s' "$HEAD_REF"      > /tmp/compat-results/head-ref.txt
+          printf '%s' "$EXIT_CODE"     > /tmp/compat-results/exit-code.txt
+          if [ -f /tmp/template-check-output.txt ]; then
+            cp /tmp/template-check-output.txt /tmp/compat-results/output.txt
+          fi
+
+      - name: Upload results artifact
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: template-compat-results
+          path: /tmp/compat-results/
+          retention-days: 7
+
+      # Always exit 0 — this job is informational, not a merge gate
+      - name: Report result (non-blocking)
+        if: always()
+        run: |
+          EXIT_CODE="${{ steps.template-check.outputs.exit_code }}"
+          if [ "$EXIT_CODE" = "0" ]; then
+            echo "✅ All templates are compatible with this SDK change."
+          else
+            echo "⚠️  Some templates failed — see PR comment for details."
+            echo "This check is informational and does not block merging."
+          fi
+          exit 0
diff --git a/package.json b/package.json
@@ -14,6 +14,7 @@
     "check:ci": "turbo run check:ci",
     "format": "turbo run format",
     "full-checks": "./scripts/full-checks.sh",
+    "test:templates": "./scripts/test-templates.sh",
     "lint": "turbo run lint",
     "typecheck": "turbo run typecheck"
   },
diff --git a/scripts/test-templates.sh b/scripts/test-templates.sh
