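# CI workflow: validation, lint, format, test, typecheck, build and the
# baseline-comparison jobs (depcheck, bundle stats) for pushes and pull
# requests. Third-party actions are pinned to full commit SHAs, with the
# release tag kept in a trailing comment.
name: CI

on:
  workflow_dispatch: # Allow manual triggering to refresh cached baseline results
  push:
    branches:
      - master
      - 'cds-v[0-9]*'
      - 'release-[0-9]+.x'
  # pull_request (not pull_request_target): the jobs below check out and run
  # the pull request's code, so keep this trigger paired with the read-only
  # `permissions` block further down.
  pull_request:
    branches:
      - master
      - 'cds-v[0-9]+' # preferred branch names for CDS feature branches
      - 'cds-v9-master' # one off feature branch for CDS 9 after mistake in cds-v9 branch
      - 'release-[0-9]+.x' # preferred branch names for LTS version branches

# One group per ref plus PR number (or commit SHA for non-PR events); only
# pull-request runs cancel an in-progress run of the same group.
concurrency:
  group: CI-${{github.ref_name}}-${{github.event_name == 'pull_request' && github.event.pull_request.number || github.sha}}
  cancel-in-progress: ${{github.event_name == 'pull_request'}}

# Workflow-wide token scope: read-only. A job that needs more should request
# it at job level rather than widening this block.
permissions:
  contents: read
  actions: read

env:
  CI: true
  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
  # github.head_ref is chosen by the pull-request author. It is handed over as
  # an environment value here, which keeps it out of script text; whatever
  # reads CB_GHA_BRANCH should still treat it as untrusted data.
  CB_GHA_BRANCH: ${{github.head_ref || github.base_ref || github.ref_name}}

# Steps shared by every job:
#   1. step-security/harden-runner with `egress-policy: audit`, which records
#      outbound traffic but does not block it. Switching to
#      `egress-policy: block` with an `allowed-endpoints` list would turn the
#      audit log into an enforced allow-list.
#   2. actions/checkout with `persist-credentials` left at its default, so the
#      job token stays in the local git config for later steps.
#      NOTE(review): set `persist-credentials: false` if
#      ./.github/actions/setup and ./.github/actions/get-merge-base do not
#      need authenticated git access; confirm before changing.
#   3. ./.github/actions/setup, a repository-local action not shown here.
#      NOTE(review): NX_BASE / NX_HEAD are not defined in this file and are
#      presumably exported by that action; confirm.
jobs:
  validate:
    name: Validate
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Validate Lockfile
        run: node ./tools/ci/validators/validateLockfile.mjs
      - name: Validate Patches
        run: node ./tools/ci/validators/validatePatches.mjs
      - name: Validate Versioned
        run: node ./tools/ci/validators/validateVersioned.mjs
      - name: Validate CDS Versions
        run: node ./tools/validateCDSVersions.mjs
      - name: Validate Constraints
        run: yarn constraints || exit 1

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Lint
        # Expansions are quoted so the values always reach nx as single arguments.
        run: yarn nx affected --target=lint --base="$NX_BASE" --head="$NX_HEAD" --max-warnings=0

  format:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Format
        run: yarn nx format:check --verbose --base="$NX_BASE" --head="$NX_HEAD"

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Test
        run: yarn nx affected --target=test --base="$NX_BASE" --head="$NX_HEAD"

  test-storybook:
    name: Storybook A11y Tests
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      # The workflow-level PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD is set, and this
      # step installs the browsers explicitly for the one job that uses them.
      - name: Install Playwright
        run: |
          cd apps/storybook
          yarn playwright install
          cd ../../
      - name: Test Storybook
        run: yarn nx run storybook:test-a11y

  typecheck:
    name: Typecheck
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Typecheck
        run: yarn nx affected --target=typecheck --base="$NX_BASE" --head="$NX_HEAD"

  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Build
        run: yarn nx affected --exclude=mobile-app --target=build --base="$NX_BASE" --head="$NX_HEAD"

  depcheck:
    name: Depcheck
    runs-on: ubuntu-latest
    # Only run on master pushes (to cache baseline) or PRs targeting master (to compare)
    if: github.ref_name == 'master' || (github.event_name == 'pull_request' && github.base_ref == 'master')
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      # Get the merge-base SHA for cache key (PR only)
      - name: Get merge-base SHA
        if: github.event_name == 'pull_request'
        uses: ./.github/actions/get-merge-base
        id: get-merge-base
      # For PRs: Try to restore cache using merge-base SHA
      - name: Restore depcheck baseline (PR)
        if: github.event_name == 'pull_request'
        uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        id: cache-depcheck
        with:
          path: depcheck-results.md
          key: depcheck-master-${{ steps.get-merge-base.outputs.merge_base }}
      # For PRs: Fail with clear message if no baseline found
      - name: Check for baseline file (PR)
        if: github.event_name == 'pull_request' && steps.cache-depcheck.outputs.cache-hit != 'true'
        env:
          # The step output is passed through the environment instead of being
          # expanded into the script text, so it is only ever shell data.
          MERGE_BASE: ${{ steps.get-merge-base.outputs.merge_base }}
        run: |
          echo "::error::ERROR: Depcheck baseline not found for merge-base SHA ${MERGE_BASE}. This may happen if the merge-base commit doesn't have a cached baseline yet. Please ensure the base branch has run the depcheck job."
          exit 1
      # Run depcheck in the appropriate mode based on event type
      - name: Run Depcheck
        env:
          DEPCHECK_DIFF: ${{ github.event_name == 'pull_request' }}
        run: yarn node tools/depcheck.mjs
      # For master: Cache the results with current SHA
      - name: Cache depcheck results (Master)
        if: github.ref_name == 'master'
        uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: depcheck-results.md
          key: depcheck-master-${{ github.sha }}

  # Disabled until we can fix the actual profile-exports script
  # NOTE(review): before re-enabling, bring this job in line with the active
  # ones: add the harden-runner step, pin actions/checkout and actions/cache
  # to full commit SHAs instead of the mutable `@v4` tag, and hand the
  # merge-base SHA to the error message through `env` rather than expanding
  # it inside `run`.
  # profile-exports:
  #   name: Profile Exports
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 100 # TODO: This needs to include the merge-base
  #     - uses: ./.github/actions/setup
  #     # Get the merge-base SHA for cache key (PR only)
  #     - name: Get merge-base SHA
  #       if: github.event_name == 'pull_request'
  #       uses: ./.github/actions/get-merge-base
  #       id: get-merge-base
  #     # For PRs: Try to restore cache using merge-base SHA
  #     - name: Restore export stats baseline (PR)
  #       if: github.event_name == 'pull_request'
  #       uses: actions/cache/restore@v4
  #       id: cache-export-stats
  #       with:
  #         path: export-stats.md
  #         key: export-stats-master-${{ steps.get-merge-base.outputs.merge_base }}
  #     # For PRs: Fail with clear message if no baseline found
  #     - name: Check for baseline file (PR)
  #       if: github.event_name == 'pull_request' && steps.cache-export-stats.outputs.cache-hit != 'true'
  #       run: |
  #         echo "::error::ERROR: Export stats baseline not found for merge-base SHA ${{ steps.get-merge-base.outputs.merge_base }}. This may happen if the merge-base commit doesn't have a cached baseline yet. Please ensure the base branch has run the profile-exports job."
  #         exit 1
  #     # Run profile-exports in the appropriate mode based on event type
  #     - name: Run Profile Exports
  #       env:
  #         PROFILE_EXPORTS_DIFF: ${{ github.event_name == 'pull_request' }}
  #       run: yarn nx run storybook:profile-exports
  #     # For master: Cache the results with current SHA
  #     - name: Cache export stats results (Master)
  #       if: github.ref_name == 'master'
  #       uses: actions/cache/save@v4
  #       with:
  #         path: export-stats.md
  #         key: export-stats-master-${{ github.sha }}

  bundle-stats:
    name: Bundle Stats
    runs-on: ubuntu-latest
    # Only run on master pushes (to cache baseline) or PRs targeting master (to compare)
    if: github.ref_name == 'master' || (github.event_name == 'pull_request' && github.base_ref == 'master')
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      # MASTER ONLY
      # For master: Build storybook with bundle analyzer
      - name: Build for analyze (Master)
        if: github.ref_name == 'master'
        run: yarn nx run storybook:build-for-analyze
      # For master: Cache the results with current SHA
      - name: Cache bundle stats results (Master)
        if: github.ref_name == 'master'
        uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: bundle-stats.json
          key: bundle-stats-master-${{ github.sha }}
      # PR ONLY
      # Get the merge-base SHA for cache key (PR only)
      - name: Get merge-base SHA
        if: github.event_name == 'pull_request'
        uses: ./.github/actions/get-merge-base
        id: get-merge-base
      # For PRs: Try to restore cache using merge-base SHA
      - name: Restore bundle stats baseline (PR)
        if: github.event_name == 'pull_request'
        uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        id: cache-bundle-stats
        with:
          path: bundle-stats.json
          key: bundle-stats-master-${{ steps.get-merge-base.outputs.merge_base }}
      # For PRs: Fail with clear message if no baseline found
      - name: Check for baseline file (PR)
        if: github.event_name == 'pull_request' && steps.cache-bundle-stats.outputs.cache-hit != 'true'
        env:
          # The step output is passed through the environment instead of being
          # expanded into the script text, so it is only ever shell data.
          MERGE_BASE: ${{ steps.get-merge-base.outputs.merge_base }}
        run: |
          echo "::error::ERROR: Bundle stats baseline not found for merge-base SHA ${MERGE_BASE}. This may happen if the merge-base commit doesn't have a cached baseline yet. Please ensure the base branch has run the bundle-stats job."
          exit 1
      # For PRs: Run bundle analysis
      # Best-effort: a failing analysis is logged and the step still succeeds.
      - name: Analyze bundle (PR)
        if: github.event_name == 'pull_request'
        env:
          ANALYZE_REPORT_PATH: apps/storybook/bundle-stats.json
        run: yarn nx run storybook:analyze-bundle || echo "Bundle analysis failed"

  lint-styles:
    name: Lint Styles
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 100 # TODO: This needs to include the merge-base
      - uses: ./.github/actions/setup
      - name: Lint Styles
        run: yarn nx affected --target=lint-styles --base="$NX_BASE" --head="$NX_HEAD"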