-
Notifications
You must be signed in to change notification settings - Fork 1
326 lines (312 loc) · 12.5 KB
/
Copy pathcode-pull-request.yml
File metadata and controls
326 lines (312 loc) · 12.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
name: Validate
on:
push:
branches:
- main
pull_request:
types: [opened, edited, synchronize, reopened]
branches:
- main
workflow_dispatch:
workflow_call:
permissions:
contents: read
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
ARCHGATE_TELEMETRY: "0"
jobs:
validate:
name: Lint, Test & Check
runs-on: ubuntu-latest
timeout-minutes: 10
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
fetch-depth: 0
- name: Restore Bun Package Cache
id: restore-bun-cache
uses: actions/cache/restore@caa296126883cff596d87d8935842f9db880ef25 # v5
with:
path: /home/runner/.bun/install/cache
key: bun-packages-${{ runner.os }}-v1-${{ hashFiles('bun.lock') }}
- uses: ./.github/actions/setup-bun-project
with:
cache: "true"
cache-base: main
- name: Validate commit messages
if: github.event_name == 'pull_request'
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: echo "$PR_TITLE" | bun run commitlint
- name: Check llms-full.txt is up to date
run: |
bun run docs/scripts/generate-llms-full.ts
git diff --exit-code docs/public/llms-full.txt || {
echo "::error::docs/public/llms-full.txt is out of date. Run 'bun run docs/scripts/generate-llms-full.ts' and commit the result."
exit 1
}
- name: Validate
id: validate
run: bun run validate:coverage
- name: Upload coverage
if: always() && steps.validate.outcome == 'success'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-linux
path: coverage/lcov.info
retention-days: 1
- name: Save Bun Cache
uses: actions/cache/save@caa296126883cff596d87d8935842f9db880ef25 # v5
if: steps.validate.outcome == 'success' && steps.restore-bun-cache.outputs.cache-hit != 'true'
with:
path: /home/runner/.bun/install/cache
key: ${{ steps.restore-bun-cache.outputs.cache-primary-key }}
shim-changes:
name: Detect Shim Changes
runs-on: ubuntu-latest
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
outputs:
shims_changed: ${{ steps.changes.outputs.shims_changed }}
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
fetch-depth: 0
- name: Check for shim changes
id: changes
env:
# Passed via env, not inlined into the script, to avoid template-injection
# (zizmor: code injection via template expansion).
BASE_REF: ${{ github.base_ref }}
run: |
# Detect changes to shim source code AND workflow files that configure
# shim test/publish infrastructure (e.g., action version bumps, runtime
# version changes). Without checking workflow files, a Renovate PR that
# bumps Ruby 3.3→3.4 in the shim-tests job would skip tests entirely.
PATHS=(shims/ .github/workflows/publish-shims.yml .github/workflows/code-pull-request.yml)
if [ "${{ github.event_name }}" = "pull_request" ]; then
CHANGED=$(git diff --name-only "origin/$BASE_REF...HEAD" -- "${PATHS[@]}" || true)
else
CHANGED=$(git diff --name-only HEAD~1 -- "${PATHS[@]}" || true)
fi
if [ -n "$CHANGED" ]; then
echo "shims_changed=true" >> "$GITHUB_OUTPUT"
else
echo "shims_changed=false" >> "$GITHUB_OUTPUT"
fi
shim-tests:
name: Shim Tests (${{ matrix.shim }})
runs-on: ubuntu-latest
timeout-minutes: 10
needs: shim-changes
if: needs.shim-changes.outputs.shims_changed == 'true'
strategy:
fail-fast: false
matrix:
shim: [npm, pypi, go, maven, nuget, rubygem]
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
# --- npm (Node.js pre-installed on ubuntu-latest) ---
- name: Test npm shim
if: matrix.shim == 'npm'
run: node --test shims/npm/test/archgate.test.cjs
# --- PyPI ---
- name: Setup Python
if: matrix.shim == 'pypi'
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.12"
- name: Test PyPI shim
if: matrix.shim == 'pypi'
working-directory: shims/pypi
run: python -m unittest discover tests/
# --- Go ---
- name: Setup Go
if: matrix.shim == 'go'
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
with:
go-version: "1.21"
cache-dependency-path: shims/go/go.sum
- name: Test Go shim
if: matrix.shim == 'go'
working-directory: shims/go
run: go test ./...
# --- Maven ---
- name: Setup Java
if: matrix.shim == 'maven'
uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5
with:
distribution: temurin
java-version: "11"
- name: Test Maven shim
if: matrix.shim == 'maven'
working-directory: shims/maven
run: mvn test -B
# --- NuGet ---
- name: Setup .NET
if: matrix.shim == 'nuget'
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5
with:
dotnet-version: "8.0.x"
- name: Test NuGet shim
if: matrix.shim == 'nuget'
working-directory: shims/nuget/tests/Archgate.Tool.Tests
run: dotnet test
# --- RubyGem ---
- name: Setup Ruby
if: matrix.shim == 'rubygem'
uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
with:
ruby-version: "4.0.5"
- name: Test RubyGem shim
if: matrix.shim == 'rubygem'
working-directory: shims/rubygem
run: bundle install --jobs 4 && bundle exec ruby test/test_shim.rb
smoke-windows:
name: Smoke Test (Windows)
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
uses: ./.github/workflows/smoke-test-windows.yml
smoke-linux:
name: Smoke Test (Linux)
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
uses: ./.github/workflows/smoke-test-linux.yml
# Uploads findings to the Security tab (GitHub Advanced Security, free for
# public repos) rather than failing the build — there's an existing
# unreviewed findings backlog across several workflow files. Once that's
# triaged, this can be promoted to a hard gate via code-scanning merge
# protection (repo Settings, not this workflow).
zizmor:
name: Zizmor (Workflow Security)
runs-on: ubuntu-latest
timeout-minutes: 5
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
permissions:
contents: read # actions/checkout
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Run zizmor
# Fork PRs get a read-only GITHUB_TOKEN regardless of the
# `permissions:` above, so SARIF upload would fail — fall back to
# console-only output and don't let that (or the pre-existing
# findings backlog) fail the gate for external contributors.
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
continue-on-error: ${{ github.event.pull_request.head.repo.fork == true }}
with:
config: zizmor.yml
advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}
# Validates workflow schema (zizmor covers security patterns only). See CI-002.
actionlint:
name: Actionlint (Workflow Schema)
runs-on: ubuntu-latest
timeout-minutes: 5
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
permissions:
contents: read # actions/checkout
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Install actionlint
# Pinned script commit + pinned version, not `latest` — see CI-002.
run: |
bash <(curl -fsSL "https://raw.githubusercontent.com/rhysd/actionlint/011a6d15e749bb3f2d771eed9c7aa0e7e3e10ee7/scripts/download-actionlint.bash") 1.7.12
- name: Run actionlint
run: ./actionlint -color
coverage:
name: Coverage Report
runs-on: ubuntu-latest
if: always() && needs.validate.result == 'success'
needs: [validate, smoke-windows]
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Download Linux coverage
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-linux
path: coverage-linux
- name: Download Windows coverage
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-windows
path: coverage-windows
continue-on-error: true
- name: Merge coverage and generate report
id: coverage-report
uses: ./.github/actions/coverage-report
with:
min-coverage: "90"
github-token: ${{ github.token }}
event-name: ${{ github.event_name }}
pr-number: ${{ github.event.pull_request.number }}
is-fork: ${{ github.event.pull_request.head.repo.fork }}
run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
- name: Upload coverage report
if: always() && steps.coverage-report.outcome == 'success'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-report
path: ${{ steps.coverage-report.outputs.html-report-path }}
retention-days: 30
- name: Enforce coverage threshold
if: always() && steps.coverage-report.outcome == 'success'
run: |
COVERAGE="${{ steps.coverage-report.outputs.coverage }}"
MIN_COVERAGE=90
BELOW=$(awk "BEGIN{print ($COVERAGE < $MIN_COVERAGE) ? 1 : 0}")
if [ "$BELOW" = "1" ]; then
echo "::error::Code coverage is ${COVERAGE}%, which is below the minimum threshold of ${MIN_COVERAGE}%."
exit 1
fi
echo "Coverage ${COVERAGE}% meets the minimum threshold of ${MIN_COVERAGE}%."
# Gate job — single required status check for branch protection.
status:
name: Validate Code
runs-on: ubuntu-latest
if: always()
needs:
[
validate,
shim-changes,
shim-tests,
smoke-windows,
smoke-linux,
zizmor,
actionlint,
coverage,
]
steps:
- name: Check job results
run: |
# shim-tests is skipped when no shim files changed — treat skipped as success.
SHIM_OK="${{ needs.shim-tests.result }}"
if [[ "$SHIM_OK" == "skipped" ]]; then SHIM_OK="success"; fi
if [[ "${{ needs.validate.result }}" != "success" ]] || \
[[ "$SHIM_OK" != "success" ]] || \
[[ "${{ needs.smoke-windows.result }}" != "success" ]] || \
[[ "${{ needs.smoke-linux.result }}" != "success" ]] || \
[[ "${{ needs.zizmor.result }}" != "success" ]] || \
[[ "${{ needs.actionlint.result }}" != "success" ]] || \
[[ "${{ needs.coverage.result }}" != "success" ]]; then
echo "::error::One or more jobs failed:"
echo " validate: ${{ needs.validate.result }}"
echo " shim-tests: ${{ needs.shim-tests.result }}"
echo " smoke-windows: ${{ needs.smoke-windows.result }}"
echo " smoke-linux: ${{ needs.smoke-linux.result }}"
echo " zizmor: ${{ needs.zizmor.result }}"
echo " actionlint: ${{ needs.actionlint.result }}"
echo " coverage: ${{ needs.coverage.result }}"
exit 1
fi
echo "All checks passed."