ci: Declare explicit token permissions for docs and maintenance workflows #5800
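# Runs the JS package test suite for pull requests.
#
# Flow: `find-changes` decides whether the PR is an automated release PR and
# whether any JS-package path changed; `js_packages` runs the matrix only when
# there is something to test; `summary` folds the matrix result into a single
# required status.
name: JS Package Tests

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Explicit least-privilege token scopes; every job inherits these.
# NOTE(review): nothing visible in this file calls the Actions API, so
# `actions: write` looks broader than the jobs need — confirm whether one of
# the composite actions under ./.github/actions relies on it, otherwise drop it.
permissions:
  actions: write
  contents: read
  pull-requests: read

jobs:
  find-changes:
    name: Find path changes
    runs-on: ubuntu-latest
    outputs:
      is-release-pr: ${{ steps.check.outputs.is-release-pr }}
      js-packages: ${{ steps.filter.outputs.js-packages }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check if automated release PR
        id: check
        uses: ./.github/actions/check-release-pr
      - name: Check path changes
        if: steps.check.outputs.is-release-pr != 'true'
        id: filter
        # Expression values are handed to the script through env vars instead
        # of being interpolated into the `run:` text, so the shell never parses
        # workflow-context values as code.
        env:
          EVENT_BEFORE: ${{ github.event.before }}
          EVENT_AFTER: ${{ github.event.after }}
        run: |
          # This workflow only triggers on pull_request today; the else branch
          # only matters if a push trigger is added later.
          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            git fetch origin "$GITHUB_BASE_REF"
            BASE_COMMIT="origin/$GITHUB_BASE_REF"
            HEAD_COMMIT="HEAD"
          else
            BASE_COMMIT="$EVENT_BEFORE"
            HEAD_COMMIT="$EVENT_AFTER"
          fi
          # Paths whose change should trigger the JS package test matrix.
          JS_PATTERNS="^(package\.json|pnpm-workspace\.yaml|pnpm-lock\.yaml|version\.txt|packages/|\.github/actions/|\.github/workflows/test-js-packages\.yml)"
          CHANGED_FILES=$(git diff --name-only "$BASE_COMMIT" "$HEAD_COMMIT")
          # `|| true` keeps the step green when grep finds nothing.
          JS_CHANGES=$(echo "$CHANGED_FILES" | grep -E "$JS_PATTERNS" || true)
          if [ -n "$JS_CHANGES" ]; then
            echo "js-packages=true" >> "$GITHUB_OUTPUT"
            echo "JS package changes detected"
          else
            echo "js-packages=false" >> "$GITHUB_OUTPUT"
            echo "No JS package changes"
          fi

  js_packages:
    name: "(${{matrix.os.name}}, Node ${{matrix.node-version}})"
    needs: find-changes
    if: needs.find-changes.outputs.is-release-pr != 'true' && needs.find-changes.outputs.js-packages == 'true'
    timeout-minutes: 30
    runs-on: ${{ matrix.os.runner }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - name: ubuntu
            runner: ubuntu-latest
          - name: macos
            runner: macos-latest
        node-version:
          - 18
          - 20
          - 22
    env:
      # Secrets are not exposed to fork PRs, so TURBO_TOKEN may be empty there.
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
      TURBO_CACHE: remote:rw
    steps:
      # on main -> current + prev commit
      # pr -> pr commits + base commit
      - name: Determine fetch depth
        id: fetch-depth
        env:
          # Number of commits in the PR; falls back to 1 outside a PR context.
          PR_COMMITS: ${{ github.event.pull_request.commits || 1 }}
        run: |
          echo "depth=$(( PR_COMMITS + 1 ))" >> "$GITHUB_OUTPUT"
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
          fetch-depth: ${{ steps.fetch-depth.outputs.depth }}
      - name: "Setup Node"
        uses: ./.github/actions/setup-node
        with:
          node-version: ${{ matrix.node-version }}
        env:
          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
      - name: Install Bun
        # NOTE(review): third-party action referenced by a mutable tag; pinning
        # to a full commit SHA would make the supply chain reproducible.
        uses: oven-sh/setup-bun@v2
      - name: Install Global Turbo
        uses: ./.github/actions/install-global-turbo
      - name: Run tests
        # We manually set TURBO_API to an empty string to override Hetzner env
        # We filter out turborepo-repository because it's a native package and needs
        # to run when turbo core changes. This job (`js_packages`) does not run on turborepo core
        # changes, and we don't want to enable that behavior for _all_ our JS packages.
        env:
          NODE_VERSION: ${{ matrix.node-version }}
          # Base commit of the PR; `HEAD^1` when there is no PR context.
          BASE_SHA: ${{ github.event.pull_request.base.sha || 'HEAD^1' }}
        run: |
          TURBO_API= turbo run check-types test build package-checks --filter="!turborepo-repository" --filter="!@turbo/coverage-reporter" --filter="{./packages/*}...[${BASE_SHA}]" --color --env-mode=strict

  summary:
    name: JS Test Summary
    runs-on: ubuntu-latest
    timeout-minutes: 30
    if: always()
    needs:
      - find-changes
      - js_packages
    steps:
      - name: Skip for release PR
        if: needs.find-changes.outputs.is-release-pr == 'true'
        run: echo "Release PR detected - skipping tests (code already tested on main)"
      - name: Skip - no JS changes
        if: needs.find-changes.outputs.is-release-pr != 'true' && needs.find-changes.outputs.js-packages != 'true'
        run: echo "No JS package changes detected - skipping tests"
      - name: Compute info
        if: needs.find-changes.outputs.is-release-pr != 'true' && needs.find-changes.outputs.js-packages == 'true'
        env:
          JS_PACKAGES_RESULT: ${{ needs.js_packages.result }}
        run: |
          cancelled=false
          failure=false
          # Maps one job result onto the cancelled/failure flags;
          # "success" and "skipped" both count as non-failures.
          subjob () {
            local result=$1
            if [ "$result" = "cancelled" ]; then
              cancelled=true
            elif [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
              failure=true
            fi
          }
          subjob "$JS_PACKAGES_RESULT"
          if [ "$cancelled" = "true" ]; then
            echo "Job was cancelled."
            exit 0
          elif [ "$failure" = "true" ]; then
            echo "Job failed."
            exit 1
          else
            echo "Job succeeded."
            exit 0
          fi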