lint-and-tests.yml
# Security Notes
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
# for the full list of available actions. If you want to add a new one, please reach out to a maintainer with Admin permissions.
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.
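name: Linting and Tests

# NOTE(security): `pull_request_target` runs with the base repository's
# token and secrets, even when the Pull Request comes from a fork. The jobs
# below check out and run Pull Request code, so the `labeled` gate (a
# maintainer applying `github_actions:pull-request` after review) is the
# main control protecting this workflow. Keep the label restricted to
# maintainers and re-review the Pull Request before applying it.
on:
  push:
    branches:
      - main
  pull_request_target:
    branches:
      - main
    types:
      - labeled
  merge_group:

defaults:
  run:
    # This ensures that the working directory is the root of the repository
    working-directory: ./

# Declared at workflow level, these scopes apply to every job that does not
# set its own `permissions` block.
permissions:
  contents: read
  actions: read
  # This permission is required by `MishaKav/jest-coverage-comment`
  pull-requests: write

# No workflow-level `env` on purpose: the secrets (`NEXT_PUBLIC_*`,
# `TURBO_TOKEN`) and `TURBO_TEAM` are declared on the individual `turbo`
# steps that consume them. Declaring them here as well would expose them to
# every step of every job, including the install and build steps that
# operate on Pull Request controlled files.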
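jobs:
  base:
    name: Base Tasks
    runs-on: ubuntu-latest
    # This job only echoes a static string; it does not need the
    # `pull-requests: write` scope granted at workflow level
    permissions:
      contents: read
      actions: read
    outputs:
      turbo_args: ${{ steps.turborepo_arguments.outputs.turbo_args }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # NOTE(review): `audit` only records outbound traffic; consider
          # `block` with an allow-list once the required endpoints are known
          egress-policy: audit

      - name: Provide Turborepo Arguments
        # This step is responsible for providing a reusable string that can be used within other steps and jobs
        # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command
        id: turborepo_arguments
        # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
        # See https://turbo.build/repo/docs/reference/command-line-reference/run#--force
        run: echo "turbo_args=--force=true --cache-dir=.turbo/cache" >> "$GITHUB_OUTPUT"

  lint:
    # This Job should run either on `merge_groups` or `push` events
    # or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request`
    # since we want to run lint checks against any changes on pull requests, or the final patch on merge groups
    # or if direct pushes happen to main (or when changes in general land on the `main` (default) branch)
    # Note that the reason why we run this on pushes against `main` is that on rare cases, maintainers might do direct pushes against `main`
    if: |
      (github.event_name == 'push' || github.event_name == 'merge_group') ||
      (github.event_name == 'pull_request_target' &&
        github.event.label.name == 'github_actions:pull-request')
    name: Lint
    runs-on: ubuntu-latest
    needs: [base]
    # No step in this job comments on Pull Requests, so the
    # `pull-requests: write` scope granted at workflow level is dropped here
    permissions:
      contents: read
      actions: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # NOTE(review): `audit` only records outbound traffic; consider
          # `block` with an allow-list once the required endpoints are known
          egress-policy: audit

      - name: Git Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          # If the Pull Request comes from a Fork we clone the fork's repository instead of the base repository
          # If the Workflow is running on `merge_group` or `push` events it falls back to the base repository
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          # We check out the exact commit recorded in the event payload instead of the branch name.
          # On `pull_request_target` this is the Pull Request head at the moment the label was applied,
          # so commits pushed to the branch after a maintainer's review are not picked up by this run.
          # On `merge_group` or `push` events it falls back to `github.sha`
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # The steps below run Pull Request code; do not leave the workflow token in the local git config
          persist-credentials: false

      - name: Set up pnpm
        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
        with:
          version: "8.15.6"

      - name: Restore Lint Cache
        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: |
            .turbo/cache
            node_modules/.cache
            .eslintjscache
            .stylelintcache
            .prettiercache
          # We want to restore Turborepo Cache and ESlint and Prettier Cache
          # The ESLint and Prettier cache's are useful to reduce the overall runtime of ESLint and Prettier
          # as they will only run on files that have changed since the last cached run
          # this might of course lead to certain files not being checked against the linter, but the chances
          # of such situation from happening are very slim as the checksums of both files would need to match
          # The key hashes pnpm's lockfile (`pnpm-lock.yaml`); `hashFiles` returns an empty string
          # for a path that does not exist, which would make every key identical
          key: cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-
          restore-keys: |
            cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-
            cache-lint-

      - name: Set up Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          # We want to ensure that the Node.js version running here respects our supported versions
          node-version-file: ".nvmrc"
          cache: "pnpm"

      - name: Install pnpm packages
        # We use a plain install (`pnpm i`) so that the node_modules/.cache folder doesn't get deleted
        # `--ignore-scripts` skips dependency lifecycle scripts, which matters because on
        # `pull_request_target` the package manifests come from the Pull Request
        run: CI=true pnpm i --ignore-scripts

      - name: Run `turbo lint`
        # We run the ESLint and Prettier commands on all Workflow triggers of the `Lint` job
        # Note: Linting and Prettifying of files on Crowdin PRs is handled by the `translations-pr.yml` Workflow
        if: |
          (github.event_name == 'push' || github.event_name == 'merge_group') ||
          (github.event_name == 'pull_request_target')
        # We want to enforce that the actual `turbo` package from the registry is used instead of a possible hijack from the user
        # the `${{ needs.base.outputs.turbo_args }}` is a string substitution happening from the base job
        # NOTE(review): `@latest` is a floating reference, unlike the SHA-pinned actions above;
        # consider pinning an exact version so a new release cannot change what runs with these secrets
        run: npx --package=turbo@latest -- turbo lint:js lint:css prettier:fix ${{ needs.base.outputs.turbo_args}}
        env:
          NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
          NEXT_PUBLIC_SITE_NAME: ${{ secrets.NEXT_PUBLIC_SITE_NAME }}
          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
          TURBO_TEAM: ${{ vars.TURBO_TEAM }}

      - name: Run `tsc build`
        # We want to ensure that the whole codebase is passing and successfully compiles with TypeScript
        # NOTE(review): `typescript@latest` is a floating reference; consider pinning an exact version
        run: npx --package=typescript@latest -- tsc --build .

      - name: Save Lint Cache
        # We only save caches on `push` events. Caches created on the `main` (default) branch can be
        # reused within other Pull Requests and PRs coming from forks.
        # `pull_request_target` runs are expected to write to the base branch's cache scope, so saving
        # from them would let directories produced while running Pull Request code be restored by later
        # runs on `main`; those runs therefore only restore and never save
        if: github.event_name == 'push'
        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: |
            .turbo/cache
            node_modules/.cache
            .eslintjscache
            .stylelintcache
            .prettiercache
          key: cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('.turbo/cache/**') }}

  tests:
    # This Job should run either on `merge_groups` or `push` events
    # or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request`
    # since we want to run the unit tests against any changes on pull requests and on final patches against a pull request.
    # NOTE(review): an earlier comment said tests do not need to run again on pushes against `main`,
    # but the condition below does include `push`; confirm which one is intended
    if: |
      (github.event_name == 'push' || github.event_name == 'merge_group') ||
      (github.event_name == 'pull_request_target' &&
        github.event.label.name == 'github_actions:pull-request')
    name: Tests
    runs-on: ubuntu-latest
    needs: [base]
    permissions:
      contents: read
      actions: read
      # This permission is required by `MishaKav/jest-coverage-comment`
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # NOTE(review): `audit` only records outbound traffic; consider
          # `block` with an allow-list once the required endpoints are known
          egress-policy: audit

      - name: Git Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          # If the Pull Request comes from a Fork we clone the fork's repository instead of the base repository
          # If the Workflow is running on `merge_group` or `push` events it falls back to the base repository
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          # We check out the exact commit recorded in the event payload instead of the branch name.
          # On `pull_request_target` this is the Pull Request head at the moment the label was applied,
          # so commits pushed to the branch after a maintainer's review are not picked up by this run.
          # On `merge_group` or `push` events it falls back to `github.sha`
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
          # This job holds `pull-requests: write` and runs Pull Request code;
          # do not leave the workflow token in the local git config
          persist-credentials: false

      - name: Set up pnpm
        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
        with:
          version: "8.15.6"

      - name: Set up Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          # We want to ensure that the Node.js version running here respects our supported versions
          node-version-file: ".nvmrc"
          cache: "pnpm"

      - name: Install pnpm packages
        # We use a plain install (`pnpm i`) so that the node_modules/.cache folder doesn't get deleted
        # `--ignore-scripts` skips dependency lifecycle scripts, which matters because on
        # `pull_request_target` the package manifests come from the Pull Request
        run: CI=true pnpm i --ignore-scripts

      - name: Run Unit Tests
        # We want to run Unit Tests in every circumstance, including Dependabot PRs to ensure
        # that changes to dependencies or translations don't break the Unit Tests
        # We want to enforce that the actual `turbo` package from the registry is used instead of a possible hijack from the user
        # the `${{ needs.base.outputs.turbo_args }}` is a string substitution happening from the base job
        # NOTE(review): `@latest` is a floating reference, unlike the SHA-pinned actions above;
        # consider pinning an exact version so a new release cannot change what runs with these secrets
        run: npx --package=turbo@latest -- turbo test:unit ${{ needs.base.outputs.turbo_args }} -- --ci --coverage
        env:
          NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
          NEXT_PUBLIC_SITE_NAME: ${{ secrets.NEXT_PUBLIC_SITE_NAME }}
          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
          TURBO_TEAM: ${{ vars.TURBO_TEAM }}

      - name: Jest Coverage Comment
        # We don't need to post the Jest Coverage comment on Dependabot PRs
        # as in general they introduce no changes to the Unit Tests and the Codebase
        if: |
          github.event_name == 'push' ||
          (github.event_name == 'pull_request_target' &&
            startsWith(github.event.pull_request.head.ref, 'dependabot/') == false)
        # This comments the current Jest Coverage Report containing JUnit XML reports
        # and a Code Coverage Summary
        uses: MishaKav/jest-coverage-comment@c2d5cfd6c32e8799c6deb0fd76a8e2d9ad8b35c2 # v1.0.25
        with:
          title: "Unit Test Coverage Report"
          junitxml-path: ./junit.xml
          junitxml-title: Unit Test Report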