-
Notifications
You must be signed in to change notification settings - Fork 25
126 lines (114 loc) · 3.83 KB
/
Copy pathbuild.yml
File metadata and controls
126 lines (114 loc) · 3.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: Build
on:
push:
branches: ["main", "v1.x"]
pull_request:
branches: ["main", "v1.x"]
pull_request_target:
types: [labeled, unlabeled]
branches: ["main", "v1.x"]
permissions:
contents: read # This is required for actions/checkout
# Cancel when pull request is updated
concurrency:
group: ${{ github.event_name }}-${{ github.head_ref || github.ref_name || github.run_id }}
cancel-in-progress: true
jobs:
lint-commits:
# Note: To re-run `lint-commits` after fixing the PR title, close-and-reopen the PR.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Use Node.js 22.x
uses: actions/setup-node@v6
with:
node-version: 22.x
cache: "npm"
- name: Check PR title
run: |
node "$GITHUB_WORKSPACE/.github/workflows/lintcommit.js"
build:
needs: lint-commits
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Use Node.js 22.x
uses: actions/setup-node@v6
with:
node-version: 22.x
cache: "npm"
- name: Install dependencies
run: npm ci
- name: Build project
run: npm run build
- name: Upload build artifacts
uses: actions/upload-artifact@v7
with:
name: built-artifacts
path: |
packages/**/dist*/*
package.json
package-lock.json
unit-tests:
needs: build
strategy:
fail-fast: false
matrix:
node-version: ["22.x", "24.x"]
uses: "./.github/workflows/unit-tests.yml"
with:
node-version: ${{ matrix.node-version }}
integration-tests:
needs: build
# Skip integration tests for PRs from forked repos (no access to secrets)
if: github.event.pull_request.head.repo.full_name == github.repository
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
node-version: ["22.x", "24.x"]
uses: "./.github/workflows/integration-tests.yml"
with:
node-version: ${{ matrix.node-version }}
secrets: inherit
capacity-provider-tests:
needs: build
# Skip for PRs from forked repos (no access to secrets)
if: github.event.pull_request.head.repo.full_name == github.repository
permissions:
contents: read
id-token: write
uses: "./.github/workflows/capacity-provider-tests.yml"
with:
node-version: "24.x"
secrets: inherit
# Always succeed for external PRs to allow merging
external-pr-status:
if: github.event.pull_request.head.repo.full_name != github.repository && github.event_name == 'pull_request_target'
runs-on: ubuntu-latest
steps:
- name: External PR Status
run: |
echo "✅ External PR - Integration tests skipped for security"
echo "Maintainer: Add 'safe-to-merge' label and use squash & merge"
- name: Check for bypass label
uses: actions/github-script@v9
with:
script: |
// Fetch current labels via API (event payload has stale data)
const { data: labels } = await github.rest.issues.listLabelsOnIssue({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const labelNames = labels.map(label => label.name);
const hasBypassLabel = labelNames.includes('safe-to-merge');
console.log(`Current labels: ${labelNames.join(', ')}`);
if (hasBypassLabel) {
console.log('✅ Maintainer approved bypass with safe-to-merge label');
} else {
console.log('⚠️ No bypass label - PR cannot be merged until maintainer adds safe-to-merge label');
core.setFailed('External PR requires maintainer approval via safe-to-merge label');
}