-
-
Notifications
You must be signed in to change notification settings - Fork 0
157 lines (146 loc) · 6.24 KB
/
affinescript-verify.yml
File metadata and controls
157 lines (146 loc) · 6.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# SPDX-License-Identifier: PMPL-1.0-or-later
name: AffineScript Verify
# Direct pushes only on integration branches. Feature-branch validation
# is fully covered by pull_request — running a full AffineScript verify
# on every WIP push to every branch in every consumer repo was a dominant
# estate-wide drain on the shared Actions concurrency pool. No coverage
# is lost: PRs and post-merge main/master still verify.
on:
push:
branches: [main, master]
pull_request:
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
# updates do not pile up queued runs against the shared account-wide
# Actions concurrency pool. Applied only to read-only check workflows
# (no publish/mutation), so cancelling a superseded run is always safe.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
# Compile-verifies changed `.affine` files with the canonical AffineScript
# compiler (hyperpolymath/affinescript). The compiler is pinned to a commit
# SHA for reproducibility; bump COMPILER_REF deliberately.
#
# NON-BLOCKING (temporary): the initial ReScript->AffineScript port (PR #62)
# was done without a compiler, so `affinescript check` currently reports
# errors that need mechanical fixes. Until those are resolved this job
# REPORTS failures (job summary + warnings) but exits green so it does not
# block merges. Flip BLOCKING to "true" once the ports compile clean.
env:
BLOCKING: "false"
COMPILER_REPO: hyperpolymath/affinescript
COMPILER_REF: d2875a552f1d389b4a60c4adfdc02ae53e36aca3
jobs:
verify:
name: AffineScript Verify
runs-on: ubuntu-latest
# advisory: see header note. continue-on-error keeps the
# whole job advisory — including the compiler checkout/setup-ocaml/build
# steps — so a toolchain/build problem cannot block merges or add
# estate-wide red noise while the ports + build are sorted in follow-up.
# Remove this (and flip BLOCKING=true) once the job is reliably green.
continue-on-error: true
permissions:
contents: read
steps:
- name: Checkout standards
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Determine changed .affine files
id: changed
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
BASE="${{ github.event.pull_request.base.sha }}"
else
BASE="${{ github.event.before }}"
fi
if [ -z "$BASE" ] || ! git cat-file -e "$BASE^{commit}" 2>/dev/null \
|| printf '%s' "$BASE" | grep -qE '^0+$'; then
BASE="$(git rev-parse HEAD^ 2>/dev/null || git rev-parse HEAD)"
fi
FILES="$(git diff --name-only --diff-filter=ACMR "$BASE" HEAD -- '*.affine' || true)"
if [ -z "$FILES" ]; then
echo "any=false" >> "$GITHUB_OUTPUT"
echo "No changed .affine files — nothing to verify."
else
echo "any=true" >> "$GITHUB_OUTPUT"
echo "Changed .affine files:"
echo "$FILES"
{ echo 'files<<EOF'; echo "$FILES"; echo 'EOF'; } >> "$GITHUB_OUTPUT"
fi
- name: Checkout AffineScript compiler
if: steps.changed.outputs.any == 'true'
# advisory: compiler checkout is report-only until the port backlog
# is cleared and BLOCKING flips to true.
continue-on-error: true
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: ${{ env.COMPILER_REPO }}
ref: ${{ env.COMPILER_REF }}
path: .affinescript-compiler
- name: Set up OCaml
if: steps.changed.outputs.any == 'true'
# advisory: setup failures should surface as signal without blocking
# unrelated standards changes while AffineScript verification matures.
continue-on-error: true
uses: ocaml/setup-ocaml@e32b06a3e831ff2fbc6f08cf35be2085e3918014 # v3
with:
ocaml-compiler: "5.1"
- name: Build compiler
if: steps.changed.outputs.any == 'true'
# advisory: compiler build failures are reported by this job, not yet
# merge-blocking, until the report-only porting phase ends.
continue-on-error: true
working-directory: .affinescript-compiler
run: |
opam install . --deps-only
opam exec -- dune build
- name: Verify changed .affine files
if: steps.changed.outputs.any == 'true'
# advisory: verification findings are emitted as warnings and job
# summary entries until BLOCKING is intentionally enabled.
continue-on-error: true
working-directory: .affinescript-compiler
run: |
set -u
rc=0
failed=""
while IFS= read -r f; do
[ -z "$f" ] && continue
abs="$GITHUB_WORKSPACE/$f"
echo "::group::check $f"
if opam exec -- dune exec affinescript -- check "$abs" 2>&1; then
echo "✅ $f"
else
echo "::warning file=$f::AffineScript check failed"
echo "❌ $f failed AffineScript check"
failed="$failed$f"$'\n'
rc=1
fi
echo "::endgroup::"
done <<'EOF'
${{ steps.changed.outputs.files }}
EOF
{
echo "## AffineScript Verify"
if [ "$rc" -eq 0 ]; then
echo "All changed \`.affine\` files passed \`affinescript check\`."
else
echo "The following changed \`.affine\` files failed \`affinescript check\`:"
echo ""
echo "$failed" | sed '/^$/d' | sed 's/^/- /'
echo ""
echo "_See the per-file groups in the job log for the compiler errors._"
fi
} >> "$GITHUB_STEP_SUMMARY"
if [ "$rc" -ne 0 ]; then
if [ "$BLOCKING" = "true" ]; then
echo "AffineScript verification failed (blocking)."
exit 1
fi
echo "::warning::AffineScript verification found errors but is non-blocking (BLOCKING=false). See job summary."
exit 0
fi
echo "All changed .affine files passed AffineScript verification."