pipeline-check-vscode/.github/workflows/ci.yml at 19261f073653099382361db5a8056bf8cc5f87f5 · greylag-ci/pipeline-check-vscode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: CI

# Gate every PR and every push to main on the same three checks the
# publish workflow runs before shipping: lint, type-compile, and vsix
# pack. If a contributor's PR can't be packaged, the marketplace
# upload would have failed anyway, so failing fast here saves a
# release-day fire-drill.

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  # The dogfood step's SARIF upload (github/codeql-action/upload-sarif)
  # writes findings to the repo's Security tab. PR triggers degrade
  # gracefully without this (GitHub strips write tokens for forks), so
  # the gap only surfaced on the first push: main run.
  security-events: write
  # attest-build-provenance needs an OIDC token (id-token) and write
  # access to the repo's attestations store. Same fork caveat as
  # security-events — declared here for push:main runs, gated by
  # `if:` on the attest step so fork-PR runs don't fail trying to use
  # them.
  id-token: write
  attestations: write

jobs:
  check:
    timeout-minutes: 30
    # The extension is cross-platform; the LSP child-process spawn
    # path, the bundle loader, and several file-path helpers are all
    # Windows-sensitive. Running the gate on three OSes catches the
    # LF/CRLF and path-separator bugs that single-OS CI silently
    # ignores. The matrix shares the same step list — only the vsix
    # upload and the network-bound npm audit are pinned to Linux.
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          # `persist-credentials: false` keeps the GITHUB_TOKEN out of
          # `.git/config`'s extraheader. Without it any later `run:` step
          # can `git config --get http.https://github.com/.extraheader`
          # to read the token (GHA-037).
          persist-credentials: false

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
        with:
          node-version: '20'
          cache: 'npm'

      - run: npm ci

      - name: Lint
        run: npm run lint

      - name: Marketplace description length
        # The marketplace truncates listing descriptions around 145
        # characters in search results. Anything longer loses signal
        # before users click through. The current copy hugs the limit
        # deliberately — this step keeps future edits honest.
        if: matrix.os == 'ubuntu-latest'
        run: |
          node -e 'const d=require("./package.json").description; if(d.length>145){console.error("description is "+d.length+" chars (max 145):",d);process.exit(1)}'

      - name: TypeScript compile
        run: npm run compile

      - name: Unit tests
        run: npm test

      - name: Bundle smoke
        # Catches the "vsix packages but won't load" failure mode — a
        # successful vsce package doesn't prove the bundle has all its
        # runtime deps. Loads dist/extension.js with a vscode stub and
        # asserts activate/deactivate are exported.
        run: npm run smoke

      - name: Integration tests (real VS Code)
        # @vscode/test-electron boots a real extension host and runs
        # the mocha suite under src/test/integration/. Verifies the
        # activation / command / view contracts that unit tests can
        # only approximate. Linux-only — VS Code needs an X server
        # (xvfb-run) on headless runners; Windows/macOS in this
        # matrix already exercise the platform-specific paths via the
        # unit suite + bundle smoke.
        if: matrix.os == 'ubuntu-latest'
        run: xvfb-run -a npm run test:integration

      - name: npm audit (prod deps, high+)
        # Network-bound and platform-independent; one run is enough.
        if: matrix.os == 'ubuntu-latest'
        run: npm audit --omit=dev --audit-level=high

      - name: Dogfood — pipeline-check on our own workflows
        # Run the published pipeline-check action against this repo's
        # `.github/workflows/`. Catches GHA-rule regressions in our own
        # CI/release pipeline before they ship, and exercises the tool
        # end-to-end from the same surface marketplace users invoke.
        # Linux-only — the action runs once per workspace, not once per
        # matrix leg. `fail-on: HIGH` gates: HIGH+ findings break the
        # build; LOW/MEDIUM stay informational so a single style nit
        # doesn't block contributors.
        if: matrix.os == 'ubuntu-latest'
        # Pinned to a specific tag — the upstream action repo doesn't
        # publish a floating `v1` major tag, so a bare `@v1` reference
        # fails the actions resolver. Dependabot's github-actions
        # updater bumps this line on new releases.
        uses: dmartinochoa/pipeline-check@8a71ff62715b80d7c5901fabfeb1c2a705a4e69c  # v1.5.0
        with:
          pipeline: github
          fail-on: HIGH

      - name: Verify vsix packs cleanly
        # vsce is a pinned devDependency (see package.json) — Dependabot
        # bumps it via the npm config. `npm ci` has already installed it.
        run: npx vsce package --out pipeline-check.vsix

      - name: Generate SBOM (CycloneDX)
        # Linux-only — one SBOM per run is enough; the matrix legs
        # would produce identical content from the same lockfile.
        # Mirrors the publish workflow's SBOM step so a release SBOM
        # can be diffed against a CI SBOM if the trees diverge.
        if: matrix.os == 'ubuntu-latest'
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
        with:
          format: cyclonedx-json
          output-file: pipeline-check-sbom.cdx.json
          artifact-name: sbom

      - name: Attest build provenance
        # Produces a signed SLSA build provenance attestation for the
        # CI .vsix via OIDC + Sigstore keyless signing. Gated on
        # `push` because fork-PR runs get read-only tokens that
        # cannot mint OIDC tokens or write attestations. Linux-only
        # — same one-per-run rationale as the SBOM step.
        if: github.event_name == 'push' && matrix.os == 'ubuntu-latest'
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
        with:
          subject-path: pipeline-check.vsix

      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
        # Single artefact upload from the Linux job; identical-name
        # uploads from the matrix would collide.
        if: matrix.os == 'ubuntu-latest'
        with:
          name: vsix
          path: pipeline-check.vsix
          retention-days: 14