chore(deps): update Cocoa SDK to v9.19.0 #28
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: verify api | |
| on: | |
| pull_request: | |
| paths: | |
| - 'src/**' | |
| - 'test/**/ApiApprovalTests*' | |
| - 'test/Sentry.Testing/ApiExtensions.cs' | |
| - '.github/workflows/verify-api.yml' | |
| # Serialize with format-code.yml so the two auto-commit workflows can't race | |
| # each other's git push on the same PR branch. | |
| concurrency: | |
| group: pr-auto-commit-${{ github.event.pull_request.number }} | |
| cancel-in-progress: false | |
| jobs: | |
| run-api-tests: | |
| name: Run API Approval Tests (${{ matrix.rid }}) | |
| runs-on: ${{ matrix.os }} | |
| # This job builds and runs untrusted PR code — keep the token read-only. | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # macOS covers all non-Windows TFMs (net9.0, net10.0, netstandard, iOS, MacCatalyst, Android) | |
| - os: macos-15 | |
| rid: macos | |
| slnf: Sentry-CI-Build-macOS.slnf | |
| # Windows is required to produce the .NET Framework (net48 / Net4_8) verified files | |
| - os: windows-latest | |
| rid: win-x64 | |
| slnf: Sentry-CI-Build-Windows.slnf | |
| steps: | |
| # Check out the PR head sha, not the GitHub-synthesized pull_request merge | |
| # ref. Otherwise we'd snapshot the API surface of (PR + main) and commit | |
| # those .verified.txt files back to the PR head, which doesn't contain | |
| # main's changes — the next run would fail again. | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| submodules: recursive | |
| - name: Remove unused applications | |
| uses: ./.github/actions/freediskspace | |
| - name: Setup Environment | |
| uses: ./.github/actions/environment | |
| - name: Restore sentry-native cache | |
| id: cache-native | |
| uses: actions/cache/restore@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6.0.0 | |
| with: | |
| path: src/Sentry/Platforms/Native/sentry-native | |
| key: sentry-native-${{ matrix.rid }}-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }} | |
| enableCrossOsArchive: true | |
| - name: Build sentry-native (cache miss) | |
| if: steps.cache-native.outputs.cache-hit != 'true' | |
| shell: pwsh | |
| run: scripts/build-sentry-native.ps1 | |
| - name: Build Native Dependencies | |
| uses: ./.github/actions/buildnative | |
| - name: Restore .NET Dependencies | |
| run: | | |
| dotnet workload restore | |
| dotnet restore ${{ matrix.slnf }} --nologo | |
| - name: Build | |
| run: dotnet build ${{ matrix.slnf }} -c Release --no-restore --nologo -v:minimal | |
| # API approval tests fail when the public API surface changes. We swallow the failure | |
| # here and rely on the produced *.received.txt files to detect and accept the change. | |
| - name: Run API Approval Tests | |
| continue-on-error: true | |
| run: dotnet test ${{ matrix.slnf }} -c Release --no-build --nologo --filter "FullyQualifiedName~ApiApprovalTests" | |
| # upload-artifact strips the longest common parent from wildcard paths, | |
| # which would flatten test/Sentry.Tests/... to Sentry.Tests/... on restore | |
| # and break accept-verifier-changes.ps1 (it renames each .received.txt | |
| # to a sibling .verified.txt). Tar first to preserve full paths. | |
| - name: Package Received API Files | |
| if: ${{ always() }} | |
| shell: bash | |
| run: | | |
| files=$(find . -name '*.received.txt' -not -path './received-*.tar.gz') | |
| if [[ -n "$files" ]]; then | |
| tar -czf received-${{ matrix.rid }}.tar.gz $files | |
| fi | |
| - name: Upload Received API Files | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: api-verify-received-${{ matrix.rid }} | |
| path: received-${{ matrix.rid }}.tar.gz | |
| if-no-files-found: ignore | |
| # Fork PRs can't be auto-accepted (the bot can't push to a contributor's | |
| # repo), so we fail the check here with the exact commands to run locally. | |
| - name: Fail If Fork PR Has API Changes | |
| if: github.event.pull_request.head.repo.full_name != github.repository | |
| shell: bash | |
| run: | | |
| if [[ -n "$(find . -name '*.received.txt' -print -quit)" ]]; then | |
| echo "::error::Public API changes detected. Please run the following commands locally and push the result:" | |
| echo "::error:: dotnet test ${{ matrix.slnf }} --filter \"FullyQualifiedName~ApiApprovalTests\"" | |
| echo "::error:: pwsh ./scripts/accept-verifier-changes.ps1" | |
| exit 1 | |
| fi | |
| accept-api-changes: | |
| name: Accept and Commit API Changes | |
| needs: run-api-tests | |
| runs-on: ubuntu-22.04 | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| # Pin to the same head.sha the matrix job snapshotted against. We push | |
| # to the branch (head.ref) below — if the contributor pushed in the | |
| # meantime, the push won't fast-forward and the workflow fails. Re-running | |
| # generates a fresh snapshot against the new head. Self-healing. | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| # When the matrix produces no received files (clean PR), no artifact is uploaded. | |
| # download-artifact's pattern branch tolerates zero matches without erroring, so | |
| # we don't need `continue-on-error` here — that would mask genuine download failures. | |
| - name: Download Received API Files | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: api-verify-received-* | |
| merge-multiple: true | |
| - name: Extract Received API Files | |
| shell: bash | |
| run: | | |
| for archive in received-*.tar.gz; do | |
| [[ -f "$archive" ]] && tar -xzf "$archive" | |
| done | |
| rm -f received-*.tar.gz | |
| - name: Accept Verifier Changes | |
| shell: pwsh | |
| run: pwsh ./scripts/accept-verifier-changes.ps1 | |
| - name: Detect API Changes | |
| id: detect | |
| shell: bash | |
| run: | | |
| if [[ -z "$(git status --porcelain)" ]]; then | |
| echo "has_changes=false" >> "$GITHUB_OUTPUT" | |
| echo "No API verifier changes detected." | |
| else | |
| echo "has_changes=true" >> "$GITHUB_OUTPUT" | |
| echo "API verifier changes detected:" | |
| git status --short | |
| fi | |
| - name: Commit Accepted API Changes | |
| if: steps.detect.outputs.has_changes == 'true' | |
| shell: bash | |
| run: | | |
| git config --global user.name 'Sentry Github Bot' | |
| git config --global user.email 'bot+github-bot@sentry.io' | |
| git add -A | |
| git commit -m "Accept API verifier changes" | |
| # Push from detached HEAD to the PR branch. Fails non-fast-forward | |
| # if the contributor pushed since we snapshotted head.sha — workflow | |
| # fails red, re-run regenerates against the new head. | |
| git push origin "HEAD:refs/heads/${{ github.event.pull_request.head.ref }}" | |
| - name: Label Public API PR | |
| if: steps.detect.outputs.has_changes == 'true' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr edit "${{ github.event.pull_request.number }}" --add-label "public API" --repo "${{ github.repository }}" |