name: verify api

on:
  pull_request:
    # Only run when the public API surface, its approval tests, or this
    # workflow itself can have changed.
    paths:
      - "src/**"
      - "test/**/ApiApprovalTests*"
      - "test/Sentry.Testing/ApiExtensions.cs"
      - ".github/workflows/verify-api.yml"

# Runs are queued per PR (never cancelled) in a group meant to be serialized
# with format-code.yml, so the two auto-commit workflows cannot race each
# other's git push to the same PR branch.
concurrency:
  group: pr-auto-commit-${{ github.event.pull_request.number }}
  cancel-in-progress: false
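jobs:
  # Job 1 builds the PR and runs the API approval tests with a read-only token.
  # Its only output is an artifact holding the *.received.txt files.
  run-api-tests:
    name: Run API Approval Tests (${{ matrix.rid }})
    runs-on: ${{ matrix.os }}
    # This job builds and runs untrusted PR code — keep the token read-only.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # macOS covers all non-Windows TFMs (net9.0, net10.0, netstandard, iOS, MacCatalyst, Android)
          - os: macos-15
            rid: macos
            slnf: Sentry-CI-Build-macOS.slnf
          # Windows is required to produce the .NET Framework (net48 / Net4_8) verified files
          - os: windows-latest
            rid: win-x64
            slnf: Sentry-CI-Build-Windows.slnf
    steps:
      # Check out the PR head sha, not the GitHub-synthesized pull_request merge
      # ref. Otherwise we'd snapshot the API surface of (PR + main) and commit
      # those .verified.txt files back to the PR head, which doesn't contain
      # main's changes — the next run would fail again.
      # NOTE(review): checkout keeps the job token available to later steps by
      # default, and those steps run PR code. Consider adding
      # `persist-credentials: false` here — confirm first that no later step
      # (local actions, build scripts) needs authenticated git access.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          submodules: recursive
      - name: Remove unused applications
        uses: ./.github/actions/freediskspace
      - name: Setup Environment
        uses: ./.github/actions/environment
      # Restore-only: this job reads the sentry-native cache but has no step
      # here that saves one.
      - name: Restore sentry-native cache
        id: cache-native
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: src/Sentry/Platforms/Native/sentry-native
          key: sentry-native-${{ matrix.rid }}-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
          enableCrossOsArchive: true
      - name: Build sentry-native (cache miss)
        if: steps.cache-native.outputs.cache-hit != 'true'
        shell: pwsh
        run: scripts/build-sentry-native.ps1
      - name: Build Native Dependencies
        uses: ./.github/actions/buildnative
      - name: Restore .NET Dependencies
        run: |
          dotnet workload restore
          dotnet restore ${{ matrix.slnf }} --nologo
      - name: Build
        run: dotnet build ${{ matrix.slnf }} -c Release --no-restore --nologo -v:minimal
      # API approval tests fail when the public API surface changes. We swallow the failure
      # here and rely on the produced *.received.txt files to detect and accept the change.
      - name: Run API Approval Tests
        continue-on-error: true
        run: dotnet test ${{ matrix.slnf }} -c Release --no-build --nologo --filter "FullyQualifiedName~ApiApprovalTests"
      # upload-artifact strips the longest common parent from wildcard paths,
      # which would flatten test/Sentry.Tests/... to Sentry.Tests/... on restore
      # and break accept-verifier-changes.ps1 (it renames each .received.txt
      # to a sibling .verified.txt). Tar first to preserve full paths.
      - name: Package Received API Files
        if: ${{ always() }}
        shell: bash
        run: |
          # The file names are produced by a build of PR code. Collect them
          # NUL-delimited into an array so a name containing whitespace or glob
          # characters is archived as exactly that path, instead of being
          # word-split and glob-expanded by an unquoted $files.
          files=()
          while IFS= read -r -d '' file; do
            files+=("$file")
          done < <(find . -name '*.received.txt' -not -path './received-*.tar.gz' -print0)
          # No received files means no API change: create no archive at all.
          if (( ${#files[@]} > 0 )); then
            tar -czf "received-${{ matrix.rid }}.tar.gz" "${files[@]}"
          fi
      - name: Upload Received API Files
        if: ${{ always() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: api-verify-received-${{ matrix.rid }}
          path: received-${{ matrix.rid }}.tar.gz
          if-no-files-found: ignore
      # Fork PRs can't be auto-accepted (the bot can't push to a contributor's
      # repo), so we fail the check here with the exact commands to run locally.
      - name: Fail If Fork PR Has API Changes
        if: github.event.pull_request.head.repo.full_name != github.repository
        shell: bash
        run: |
          if [[ -n "$(find . -name '*.received.txt' -print -quit)" ]]; then
            echo "::error::Public API changes detected. Please run the following commands locally and push the result:"
            echo "::error::  dotnet test ${{ matrix.slnf }} --filter \"FullyQualifiedName~ApiApprovalTests\""
            echo "::error::  pwsh ./scripts/accept-verifier-changes.ps1"
            exit 1
          fi

  # Job 2 is the only place a write-scoped token exists. The `if` below limits
  # it to PRs whose head branch lives in this repository.
  # NOTE(review): the archives extracted here were produced by the job that
  # builds and runs PR code, and they are unpacked into a workspace whose token
  # can push. Keep the same-repository condition in place if this job changes.
  accept-api-changes:
    name: Accept and Commit API Changes
    needs: run-api-tests
    runs-on: ubuntu-22.04
    if: github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Checks out the branch (head.ref) rather than the tested sha, so the
      # later `git push` has a branch to update.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      # When the matrix produces no received files (clean PR), no artifact is uploaded.
      # download-artifact's pattern branch tolerates zero matches without erroring, so
      # we don't need `continue-on-error` here — that would mask genuine download failures.
      - name: Download Received API Files
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: api-verify-received-*
          merge-multiple: true
      - name: Extract Received API Files
        shell: bash
        run: |
          # With no archives the glob stays literal and the -f test skips it.
          for archive in received-*.tar.gz; do
            if [[ -f "$archive" ]]; then
              tar -xzf "$archive"
            fi
          done
          rm -f received-*.tar.gz
      - name: Accept Verifier Changes
        shell: pwsh
        run: pwsh ./scripts/accept-verifier-changes.ps1
      - name: Detect API Changes
        id: detect
        shell: bash
        run: |
          if [[ -z "$(git status --porcelain)" ]]; then
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            echo "No API verifier changes detected."
          else
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
            echo "API verifier changes detected:"
            git status --short
          fi
      # NOTE(review): `git add -A` stages every change in the workspace, not
      # only *.verified.txt files, so anything the extracted archives or the
      # accept script left behind is committed as well.
      # NOTE(review): no token is passed to checkout above, so this push
      # presumably uses the job's GITHUB_TOKEN. Pushes made with that token do
      # not start new workflow runs, so the accepting commit is not re-checked
      # by pull_request workflows — confirm that is intended.
      - name: Commit Accepted API Changes
        if: steps.detect.outputs.has_changes == 'true'
        shell: bash
        run: |
          git config --global user.name 'Sentry Github Bot'
          git config --global user.email 'bot+github-bot@sentry.io'
          git add -A
          git commit -m "Accept API verifier changes"
          git push
      - name: Label Public API PR
        if: steps.detect.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr edit "${{ github.event.pull_request.number }}" --add-label "public API" --repo "${{ github.repository }}"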