instar/.github/workflows/ci.yml at 994361560b678cb487515bfb1f5cc67a1b157058 · JKHeadley/instar · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

jobs:
  invariants:
    name: Repo Invariants
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # No npm install needed — the script is pure node stdlib.
      - run: node scripts/check-repo-invariants.mjs

  docs-coverage:
    name: Docs Coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Pure node stdlib — no install needed.
      # --check enforces per-category floors calibrated to current state;
      # PRs that improve docs may also raise the floors.
      - run: node scripts/docs-coverage.mjs --check
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: docs-coverage
          path: |
            .instar/docs-coverage.md
            .instar/docs-coverage.json

  cartographer-freshness:
    name: Cartographer Freshness
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Pure node stdlib + git — no install needed (cartographer-doc-freshness
      # spec #2 Tier-3 ratchet). Floors ship loose (ratio>=0); cartographer state
      # is gitignored so a fresh checkout is a vacuous structural pass — the
      # ratchet's teeth engage on machines that have authored the doc-tree.
      - run: node scripts/cartographer-freshness.mjs --check
      - name: Upload freshness report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cartographer-freshness
          path: |
            .instar/cartographer-freshness.json

  standards-coverage:
    name: Standards Enforcement Coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Pure node stdlib — no install/build needed (cartographer-conformance-audit
      # spec #3 Tier-3 ratchet). For each constitutional standard in
      # docs/STANDARDS-REGISTRY.md, verify the structural guard its prose names
      # exists on disk. Floor on the enforced ratio ships loose (ratio>=0, ratcheted
      # up as gaps close) + a hard ZERO ceiling on dangling refs (a standard must
      # never cite a guard that doesn't exist — a broken guarantee).
      - run: node scripts/standards-coverage.mjs --check
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: standards-coverage
          path: |
            .instar/standards-coverage.json

  lint:
    name: Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run lint

  unit:
    name: Unit Tests (node ${{ matrix.node-version }}, shard ${{ matrix.shard }}/4)
    runs-on: ubuntu-latest
    strategy:
      # Don't cancel other shards if one fails — we want the full picture.
      fail-fast: false
      matrix:
        node-version: [20, 22]
        shard: [1, 2, 3, 4]
    steps:
      - uses: actions/checkout@v4
        with:
          # lint-template-sha-history walks `git log -- src/templates/scripts/
          # telegram-reply.sh` to assert every historical SHIPPED content is
          # in the migrator's prior-shipped set. A shallow clone (default
          # depth=1) defeats that — and silently rubber-stamps the assertion.
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - name: Install tmux
        run: sudo apt-get update && sudo apt-get install -y tmux
      - run: npm ci
      # vitest shard syntax: --shard=<index>/<total>. Each runner executes a
      # deterministic disjoint slice of the test files; union is the full suite.
      # fileParallelism stays off within each shard to preserve isolation.
      - run: npm run test:push -- --shard=${{ matrix.shard }}/4
      - name: Working-tree integrity check
        run: |
          if [ -n "$(git status --porcelain)" ]; then
            echo "::error::Test suite mutated the working tree. SafeGitExecutor / SafeFsExecutor likely bypassed."
            git status --porcelain
            git diff
            exit 1
          fi

  integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: unit
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install tmux
        run: sudo apt-get update && sudo apt-get install -y tmux
      - run: npm ci
      - run: npm run test:integration
      - name: Working-tree integrity check
        run: |
          if [ -n "$(git status --porcelain)" ]; then
            echo "::error::Integration tests mutated the working tree. SafeGitExecutor / SafeFsExecutor likely bypassed."
            git status --porcelain
            git diff
            exit 1
          fi

  e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    needs: unit
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install tmux
        run: sudo apt-get update && sudo apt-get install -y tmux
      - run: npm ci
      - run: npm run test:e2e
      - name: Working-tree integrity check
        run: |
          if [ -n "$(git status --porcelain)" ]; then
            echo "::error::E2E tests mutated the working tree. SafeGitExecutor / SafeFsExecutor likely bypassed."
            git status --porcelain
            git diff
            exit 1
          fi

  contract:
    name: Contract Tests (Live API)
    runs-on: ubuntu-latest
    needs: unit
    # Only run when adapter source files or contract tests change
    if: >
      github.event_name == 'push' ||
      contains(github.event.pull_request.changed_files_names || '', 'src/messaging/')
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - name: Run contract tests
        env:
          SLACK_CONTRACT_BOT_TOKEN: ${{ secrets.SLACK_CONTRACT_BOT_TOKEN }}
        run: |
          if [ -z "$SLACK_CONTRACT_BOT_TOKEN" ]; then
            echo "⚠️  SLACK_CONTRACT_BOT_TOKEN not configured — skipping contract tests"
            echo "To enable: add SLACK_CONTRACT_BOT_TOKEN to repository secrets"
            exit 0
          fi
          npx vitest run --config vitest.contract.config.ts

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint, unit]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run build