Skip to content

Feature: Entrypoint V2, Part 3 #625

Feature: Entrypoint V2, Part 3

Feature: Entrypoint V2, Part 3 #625

Workflow file for this run

#
# Copyright (c) 2024 Elide Technologies, Inc.
#
# Licensed under the MIT license (the "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# https://opensource.org/license/mit/
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
#
name: PR
# Labels to control this PR flow:
#
# - ci:api-check-bypass - Bypass API check failures.
# - ci:buf-breaking-ignore - Ignore breaking changes in the model.
# - ci:fmt-ignore - Ignore formatting failures.
# - ci:test-native - Run native tests.
# - ci:build-native - Run native builds.
"on":
pull_request:
types: [opened, reopened, synchronize]
permissions:
contents: read
concurrency:
group: "pr-${{ github.event.pull_request.number }}"
cancel-in-progress: true
jobs:
##
## Job: Change Triage
##
triage:
name: "Triage"
runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
permissions:
contents: "read"
outputs:
changes: ${{ steps.extract_branch.outputs.changes }}
branch: ${{ steps.extract_branch.outputs.branch }}
base: ${{ steps.filter.outputs.base }}
devcontainer: ${{ steps.filter.outputs.base }}
model: ${{ steps.filter.outputs.model }}
packages: ${{ steps.filter.outputs.packages }}
tools: ${{ steps.filter.outputs.tools }}
images: ${{ steps.filter.outputs.tools }}
srcs: ${{ steps.filter.outputs.srcs }}
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: "Setup: Checkout"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
persist-credentials: false
- name: "Triage: Branch Label"
id: extract_branch
shell: bash
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
- name: "Triage: PR Labels"
uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
- name: "Triage: PR Changes"
id: filter
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
with:
filters: |
base: &base
- ".version"
- ".release"
- ".github/workflows/*.*"
devcontainer: &ci
- *base
- ".devcontainer/*.*"
- ".devcontainer/**/*.*"
model: &model
- *base
- "proto/**/*.*"
packages: &packages
- *base
- *model
- "packages"
- "packages/*"
- "packages/**/*.*"
tools: &tools
- *base
- "tools"
- "tools/*"
- "tools/**/*.*"
images: &images
- *base
- "tools/images/*"
- "tools/images/*.*"
- "tools/images/**/*.*"
srcs: &srcs
- *base
- *model
- *packages
- *tools
##
## Job: Multi-platform Build
##
pr-build:
name: "Build"
uses: ./.github/workflows/job.build.yml
secrets: inherit
needs: [triage]
if: fromJson(needs.triage.outputs.model) || fromJson(needs.triage.outputs.packages) || fromJson(needs.triage.outputs.tools)
permissions:
contents: "write"
actions: "read"
id-token: "write"
checks: "write"
pull-requests: "write"
packages: "read"
security-events: "write"
with:
provenance: false
native: ${{ contains(github.event.pull_request.labels.*.name, 'ci:build-native') || contains(github.event.head_commit.message, 'ci:build-native') }}
##
## Job: Multi-platform Build
##
pr-test:
name: "Build"
uses: ./.github/workflows/job.test.yml
secrets: inherit
needs: [triage]
if: fromJson(needs.triage.outputs.model) || fromJson(needs.triage.outputs.packages) || fromJson(needs.triage.outputs.tools)
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
with:
native: ${{ contains(github.event.pull_request.labels.*.name, 'ci:test-native') || contains(github.event.head_commit.message, 'ci:test-native') }}
##
## Job: API Check
##
check-api:
name: "Checks"
uses: ./.github/workflows/checks.apicheck.yml
needs: [triage]
if: fromJson(needs.triage.outputs.srcs)
secrets:
GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
permissions:
contents: "read"
##
## Job: Checks for Models
##
check-model:
name: "Checks"
uses: ./.github/workflows/checks.model.yml
needs: [triage]
if: fromJson(needs.triage.outputs.model)
secrets:
BUF_TOKEN: ${{ secrets.BUF_TOKEN }}
permissions:
contents: "read"
with:
ignore_breaking: ${{ contains(github.event.pull_request.labels.*.name, 'ci:buf-breaking-ignore') }}
##
## Job: Checks for Formatting/Style
##
check-format:
name: "Checks"
uses: ./.github/workflows/checks.formatting.yml
needs: [triage]
if: fromJson(needs.triage.outputs.model)
secrets: inherit
permissions:
contents: "read"
with:
ignore_failures: ${{ contains(github.event.pull_request.labels.*.name, 'ci:fmt-ignore') }}
##
## Job: Check for Wrapper
##
check-wrapper:
name: "Checks"
uses: ./.github/workflows/checks.gradle-wrapper.yml
needs: [triage]
permissions:
contents: "read"
##
## Job: Checks for Vulnerabilities/Licensing
##
check-dependencies:
name: "Checks"
uses: ./.github/workflows/checks.dependency-review.yml
needs: [triage, pr-build]
permissions:
contents: "read"
##
## Job: Checks with CodeQL
##
check-codeql:
name: "Checks"
uses: ./.github/workflows/checks.codeql.yml
needs: [triage, pr-build]
if: fromJson(needs.triage.outputs.packages)
secrets:
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
permissions:
actions: "read"
contents: "read"
security-events: "write"
##
## Job: Checks with Detekt
##
check-detekt:
name: "Checks"
uses: ./.github/workflows/checks.detekt.yml
needs: [triage, pr-build]
if: fromJson(needs.triage.outputs.srcs)
secrets:
GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
permissions:
contents: "read"
security-events: "write"