Skip to content
Pull Request Pipeline

ci: add review app and artifact publish workflow #3

Sign in to view logs

ci: add review app and artifact publish workflow

ci: add review app and artifact publish workflow #3

Workflow file for this run

.github/workflows/pr.yml at 4f79387
name: Pull Request Pipeline
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
concurrency:
group: pr-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
config:
name: CI Strategy
runs-on: ubuntu-latest
timeout-minutes: 7
outputs:
ci-matrix: ${{ steps.ci-matrix.outputs.matrix }}
runner-count: ${{ steps.ci-matrix.outputs.count }}
steps:
# Shallow checkout so GH Actions can resolve local composite actions.
# The setup action re-checks out with full history for moon's affected detection.
# TODO: Remove once composite actions are published to a shared repo.
- uses: actions/checkout@v4
with:
fetch-depth: 1
- uses: ./.github/actions/setup
- id: ci-matrix
uses: ./.github/actions/moon-ci-matrix
ci:
name: Moon CI
needs: [config]
if: ${{ fromJson(needs.config.outputs.runner-count || '0') > 0 }}
runs-on: ubuntu-latest
timeout-minutes: 20
strategy:
fail-fast: true
matrix:
shard: ${{ fromJson(needs.config.outputs.ci-matrix) }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: ./.github/actions/setup
- uses: ./.github/actions/moon-ci
with:
access-token: ${{ secrets.GITHUB_TOKEN }}
audit:
name: Audit & SCA
needs: [ci]
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: ./.github/actions/setup
- name: Run Moon Audit Tasks (OSV, Cargo, Gitleaks)
run: moon run :audit --affected
codeql:
name: CodeQL
needs: [ci]
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/setup
with:
cache-cargo: "false"
cache-pnpm: "false"
- uses: github/codeql-action/init@v3
with:
languages: javascript
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
# will evaluate when closer to a release
# semgrep:
# name: Semgrep
# needs: [ci]
# runs-on: ubuntu-latest
# permissions:
# security-events: write
# container:
# image: returntocorp/semgrep
# steps:
# - uses: actions/checkout@v4
# - name: Run Semgrep scan
# run: |
# semgrep ci \
# --sarif --output=semgrep.sarif \
# --config="p/default" \
# --config="p/security-audit" \
# --config="p/secrets"
# env:
# SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# - name: Upload SARIF file
# uses: github/codeql-action/upload-sarif@v3
# if: always()
# with:
# sarif_file: semgrep.sarif
# category: semgrep
gate:
name: PR Gate
if: always()
needs: [ci, audit, codeql]
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- run: |
if [[ "${{ needs.ci.result }}" == "failure" || \
"${{ needs.audit.result }}" == "failure" || \
"${{ needs.codeql.result }}" == "failure" ]]; then
exit 1
fi
shell: bash
# Review App & Artifacts (RAA)
review-open:
name: Review Build
if: contains(github.event.pull_request.labels.*.name, 'review-app')
runs-on: ubuntu-latest
needs: [ci]
timeout-minutes: 15
permissions:
deployments: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: ./.github/actions/setup
- id: raa
uses: ./.github/actions/moon-raa
with:
command: run
pr-number: ${{ github.event.pull_request.number }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Summary
if: always()
run: echo "$SUMMARY" >> "$GITHUB_STEP_SUMMARY"
env:
SUMMARY: ${{ steps.raa.outputs.summary }}