port over github actions from pxt-microbit (#386)

Author: riknoll

.github/workflows/check-if-merged-pr.yml

@@ -0,0 +1,54 @@
+name: Check if the commit is part of a merged PR
+
+on:
+  workflow_call:
+    outputs:
+      is_merged_pr:
+        description: "Whether the current push came from a merged PR"
+        value: ${{ jobs.check-pr.outputs.is_merged_pr }}
+      pr_head_sha:
+        description: "The head SHA of the merged PR"
+        value: ${{ jobs.check-pr.outputs.pr_head_sha }}
+
+jobs:
+  check-pr:
+    runs-on: ubuntu-latest
+    outputs:
+      is_merged_pr: ${{ steps.parse-check-pr.outputs.is_merged_pr }}
+      pr_head_sha: ${{ steps.parse-check-pr.outputs.pr_head_sha }}
+    steps:
+      - name: Check if this commit is from a merged PR
+        id: check-pr
+        uses: actions/github-script@v7
+        with:
+          result-encoding: string
+          script: |
+            const commitSha = context.sha;
+            const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: commitSha
+            });
+
+            if (!prs.length) {
+              core.info('No PRs associated with this commit.');
+              return JSON.stringify({ is_merged_pr: false, pr_head_sha: '' });
+            }
+
+            const mergedPr = prs.find(pr => pr.merged_at !== null);
+      
+            if (!mergedPr) {
+              core.info('PRs found, but none were merged.');
+              return JSON.stringify({ is_merged_pr: false, pr_head_sha: '' });
+            }
+
+            core.info(`Found merged PR head SHA: ${mergedPr.head.sha}`);
+            return JSON.stringify({ is_merged_pr: true, pr_head_sha: mergedPr.head.sha });
+
+      - name: Parse outputs
+        id: parse-check-pr
+        shell: bash
+        run: |
+          echo "Parsing result: ${{ steps.check-pr.outputs.result }}"
+          echo "is_merged_pr=$(jq -r '.is_merged_pr' <<< '${{ steps.check-pr.outputs.result }}')" >> $GITHUB_OUTPUT
+          echo "pr_head_sha=$(jq -r '.pr_head_sha' <<< '${{ steps.check-pr.outputs.result }}')" >> $GITHUB_OUTPUT

.github/workflows/codeql.yml

@@ -0,0 +1,62 @@
+name: "Code scanning - action"
+
+on:
+  push:
+    branches: [ 'master', 'stable*', 'v[0-9]*' ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '0 19 * * 0'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: javascript-typescript
+          build-mode: none
+        - language: cpp
+          build-mode: none
+
+    # CodeQL runs on ubuntu-latest and windows-latest
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@main
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+    # # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # # If this step fails, then you should remove it and run the build manually (see below)
+    # - name: Autobuild
+    #   uses: github/codeql-action/autobuild@v3
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/is-vtag.yml

@@ -0,0 +1,31 @@
+name: Whether the tag is a semver tag
+
+on:
+  workflow_call:
+    outputs:
+      is_vtag:
+        description: 'Whether the tag is a semver tag'
+        value: ${{ jobs.filter-vtags.outputs.is_vtag }}
+
+jobs:
+  filter-vtags:
+    runs-on: ubuntu-latest
+    outputs:
+      is_vtag: ${{ steps.check-tag.outputs.is_vtag }}
+      tag: ${{ steps.check-tag.outputs.tag }}
+    steps:
+      - name: Inputs
+        run: |
+          echo "GITHUB_REF_TYPE=${GITHUB_REF_TYPE}"
+          echo "GITHUB_REF_NAME=${GITHUB_REF_NAME}"
+      - name: Check tag pattern
+        id: check-tag
+        run: |
+          if [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "is_vtag=true" >> "$GITHUB_OUTPUT"
+            echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_vtag=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Outputs
+        run: echo "Step output is_vtag = ${{ steps.check-tag.outputs.is_vtag }}" && echo "Step output tag = ${{ steps.check-tag.outputs.tag }}"

.github/workflows/pxt-buildpr.yml

@@ -0,0 +1,95 @@
+name: pxt-buildpush
+
+on:
+  push:
+    branches:
+      - '**' # Run workflow when any branch is updated
+    tags:
+      - '*'  # Run workflow when any new tag is pushed
+  pull_request:
+    branches:
+      - '**' # Run workflow for pull requests targeting any branch
+
+permissions:
+  contents: write
+  id-token: write  # Required for OIDC
+
+jobs:
+  filter-vtags:
+    uses: ./.github/workflows/is-vtag.yml
+
+  tag-bump-commit:
+    uses: ./.github/workflows/tag-bump-commit.yml
+    needs: filter-vtags
+    if: fromJSON(needs.filter-vtags.outputs.is_vtag || 'false') == false
+
+  buildpush:
+    name: buildpush
+    runs-on: ubuntu-latest
+    needs: tag-bump-commit
+    if: always() && fromJSON(needs.tag-bump-commit.outputs.did_tag || 'false') == false
+    steps:
+      - uses: actions/checkout@main
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Use Node.js
+        uses: actions/setup-node@main
+        with:
+          node-version: 20.x
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: npm install
+        run: |
+          sudo apt-get install xvfb
+          sudo npm install -g pxt
+          npm install
+
+      - name: pxt ci (without publish capability)
+        run: |
+          pxt ci
+        env:
+          CHROME_BIN: chromium-browser
+          DISPLAY: :99.0
+          CI: true
+
+  buildvtag:
+    # This job is a duplicate of pxt-buildvtag.yml's workflow
+    name: buildvtag
+    runs-on: ubuntu-latest
+    needs: tag-bump-commit
+    if: always() && fromJSON(needs.tag-bump-commit.outputs.did_tag || 'false') == true
+    steps:
+      - uses: actions/checkout@main
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Use Node.js
+        uses: actions/setup-node@main
+        with:
+          node-version: 20.x
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: npm install
+        run: |
+          sudo apt-get install xvfb
+          sudo npm install -g pxt
+          npm install
+
+      - name: pxt ci (with publish capability)
+        run: |
+          pxt ci --publish
+        env:
+          CROWDIN_KEY: ${{ secrets.CROWDIN_KEY }}
+          PXT_ACCESS_TOKEN: ${{ secrets.PXT_ACCESS_TOKEN }}
+          PXT_RELEASE_REPO: ${{ secrets.PXT_RELEASE_REPO }}
+          NPM_PUBLISH: true
+          CHROME_BIN: chromium-browser
+          DISPLAY: :99.0
+          CI: true