fix(compile): --watch path honors apm.yml targets and --target flag #2748
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| env: | |
| PYTHON_VERSION: '3.12' | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| # Tier 1 also runs in merge queue context so the same unit + build checks | |
| # execute against the tentative merge commit that the queue creates. See | |
| # microsoft/apm#770 for the design. | |
| merge_group: | |
| branches: [ main ] | |
| types: [ checks_requested ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| # Fast lint gate -- runs in ~3s using Astral's ruff-action (no Python/uv setup needed). | |
| # Fails fast on style, import, and complexity violations before the heavier build-and-test job. | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: astral-sh/setup-uv@v6 | |
| - name: Ruff lint | |
| run: uv run --extra dev ruff check src/ tests/ | |
| - name: Ruff format check | |
| run: uv run --extra dev ruff format --check src/ tests/ | |
| - name: Check YAML encoding safety | |
| run: | | |
| # Ensure YAML file I/O goes through yaml_io helpers. | |
| # Catches yaml.dump/safe_dump writing to a file handle outside yaml_io.py. | |
| VIOLATIONS=$(grep -rn --include='*.py' -P \ | |
| 'yaml\.(safe_)?dump\(.+,\s*[a-zA-Z_]\w*\b' src/apm_cli/ \ | |
| | grep -v 'utils/yaml_io.py' \ | |
| | grep -v '# yaml-io-exempt' \ | |
| || true) | |
| if [ -n "$VIOLATIONS" ]; then | |
| echo "::error::Direct yaml.dump() to file handle detected. Use yaml_io.dump_yaml() instead:" | |
| echo "$VIOLATIONS" | |
| exit 1 | |
| fi | |
| - name: File length guardrail | |
| run: | | |
| # Ruff has no max-module-lines rule. This check prevents new files from | |
| # exceeding the current worst case. Tighten the threshold over time. | |
| MAX_LINES=2450 # current max: 2404 (github_downloader.py) | |
| VIOLATIONS=$(find src/ -name '*.py' -print0 | xargs -0 -I{} awk -v max="$MAX_LINES" \ | |
| 'END { if (NR > max) printf "%s: %d lines (max %d)\n", FILENAME, NR, max }' {}) | |
| if [ -n "$VIOLATIONS" ]; then | |
| echo "::error::Source files exceed $MAX_LINES-line limit:" | |
| echo "$VIOLATIONS" | |
| exit 1 | |
| fi | |
| - name: Lint - no raw str(relative_to) patterns | |
| run: | | |
| # Fail if any code uses str(x.relative_to(y)) instead of portable_relpath() | |
| if grep -rn --include="*.py" -P 'str\([^)]*\.relative_to\(' src/apm_cli/ | grep -v portable_relpath | grep -v '\.pyc'; then | |
| echo "::error::Found raw str(path.relative_to()) calls. Use portable_relpath() from apm_cli.utils.paths instead." | |
| exit 1 | |
| fi | |
| - name: Code duplication guardrail (pylint R0801) | |
| run: | | |
| uv run --extra dev python -m pylint \ | |
| --disable=all --enable=R0801 \ | |
| --min-similarity-lines=50 \ | |
| --fail-on=R0801 \ | |
| src/apm_cli/ | |
| - name: Lint - auth-protocol boundary (#1212 anti-regression) | |
| run: bash scripts/lint-auth-signals.sh | |
| # Linux-only for PR feedback. Full platform matrix (incl. macOS + Windows) runs post-merge in build-release.yml. | |
| # Combines unit tests + binary build into a single job to eliminate runner re-provisioning overhead. | |
| build-and-test: | |
| name: Build & Test (Linux) | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v6 | |
| with: | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: uv sync --extra dev --extra build | |
| - name: Run tests | |
| run: uv run pytest tests/unit tests/test_console.py -n auto --dist worksteal | |
| - name: Install UPX | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y upx-ucl | |
| - name: Build binary | |
| run: | | |
| chmod +x scripts/build-binary.sh | |
| uv run ./scripts/build-binary.sh | |
| - name: Upload binary as workflow artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: apm-linux-x86_64 | |
| # Scripts are included to preserve the artifact root at ./ (not ./dist/). | |
| # Without a sibling directory, upload-artifact strips the dist/ prefix, | |
| # breaking download paths in ci-integration.yml which expects dist/$BINARY_NAME/apm. | |
| path: | | |
| ./dist/apm-linux-x86_64 | |
| ./dist/apm-linux-x86_64.sha256 | |
| ./scripts/test-release-validation.sh | |
| ./scripts/github-token-helper.sh | |
| include-hidden-files: true | |
| retention-days: 30 | |
| if-no-files-found: error | |
| # Dogfood the audit-only CI gate we ship and document to users: | |
| # - Gate A (consumer-side): `apm audit --ci --no-drift` -- lockfile / | |
| # content-integrity check. setup-only: true keeps managed files | |
| # untouched so the SHA-256 content-integrity check can detect tampered | |
| # files. The drift check (install-replay comparison) is skipped | |
| # via --no-drift because there is no warm cache in a setup-only | |
| # run; content-integrity covers the same tamper signal. | |
| # See microsoft/apm#883 for context. Tier 1 (no secrets needed). | |
| apm-self-check: | |
| name: APM Self-Check | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Installs the APM CLI (latest stable) and adds `apm` to PATH. | |
| # setup-only: true skips `apm install` so managed files on disk are | |
| # not overwritten before the audit runs. This preserves the committed | |
| # state so content-integrity can detect any tampered file hashes. | |
| - uses: microsoft/apm-action@v1 | |
| with: | |
| setup-only: true | |
| # Gate A: lockfile / install fidelity (consumer-side). | |
| # Verifies every file in lockfile.deployed_files exists, ref consistency | |
| # between apm.yml and apm.lock.yaml, no orphan packages, and | |
| # content-integrity (SHA-256 hashes against deployed_file_hashes in the | |
| # lockfile) on deployed package content. --no-drift skips the | |
| # install-replay because there is no warm cache (setup-only did not | |
| # run apm install); content-integrity still catches tampered files. | |
| - name: apm audit --ci --no-drift | |
| run: apm audit --ci --no-drift | |
| # Gate B: regeneration drift (producer-side) -- legacy bash fallback. | |
| # NOTE: With setup-only: true this step is a guaranteed no-op. | |
| # apm install did not run and the working tree is unchanged, so the | |
| # git status check always finds nothing. It is kept so the pattern is | |
| # visible; a full install+audit workflow would rely on this step to | |
| # detect hand-edits to regenerated .github/ files. | |
| - name: Check APM integration drift (legacy bash fallback, see #1071) | |
| run: | | |
| if [ -n "$(git status --porcelain -- .github/ .claude/ .cursor/ .opencode/)" ]; then | |
| echo "::error::APM integration files are out of date." | |
| echo "Run 'apm install' locally (with .github/ present) and commit the result." | |
| git --no-pager diff -- .github/ .claude/ .cursor/ .opencode/ | |
| exit 1 | |
| fi |