Skip to content
PR

feat(cli): comprehensive build system adopters - Maven, Gradle, Bazel, and Node.js #1997

Sign in to view logs

feat(cli): comprehensive build system adopters - Maven, Gradle, Bazel, and Node.js

feat(cli): comprehensive build system adopters - Maven, Gradle, Bazel, and Node.js #1997

Workflow file for this run

.github/workflows/on.pr.yml at 3f72c60
#
# Copyright (c) 2024 Elide Technologies, Inc.
#
# Licensed under the MIT license (the "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# https://opensource.org/license/mit/
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
#
name: PR
# Labels to control this PR flow:
#
# - ci:api-check-bypass - Bypass API check failures.
# - ci:buf-breaking-ignore - Ignore breaking changes in the model.
# - ci:fmt-ignore - Ignore formatting failures.
# - ci:test-native - Run native tests.
# - ci:build-native - Run native builds.
"on":
pull_request:
types: [opened, reopened, synchronize]
permissions:
contents: read
concurrency:
group: "pr-${{ github.event.pull_request.number }}"
cancel-in-progress: true
jobs:
##
## Job: Change Triage
##
triage:
name: "Triage"
runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
permissions:
contents: "read"
outputs:
changes: ${{ steps.extract_branch.outputs.changes }}
branch: ${{ steps.extract_branch.outputs.branch }}
base: ${{ steps.filter.outputs.base }}
natives: ${{ steps.filter.outputs.natives }}
devcontainer: ${{ steps.filter.outputs.devcontainer }}
model: ${{ steps.filter.outputs.model }}
packages: ${{ steps.filter.outputs.packages }}
tools: ${{ steps.filter.outputs.tools }}
images: ${{ steps.filter.outputs.images }}
srcs: ${{ steps.filter.outputs.srcs }}
workflows: ${{ steps.filter.outputs.workflows }}
any: ${{ steps.filter.outputs.any }}
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: "Setup: Checkout"
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
fetch-depth: 1
persist-credentials: false
sparse-checkout: |
.github/triage.yml
.github/labeler.yml
- name: "Triage: Branch Label"
id: extract_branch
shell: bash
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
- name: "Triage: PR Labels"
uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
- name: "Triage: PR Changes"
id: filter
uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
with:
filters: .github/triage.yml
##
## Job: Multi-platform Build
##
pr-test:
name: "Build"
uses: ./.github/workflows/job.test.yml
secrets: inherit
needs: [triage]
if: fromJson(needs.triage.outputs.model) || fromJson(needs.triage.outputs.packages) || fromJson(needs.triage.outputs.tools)
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
with:
runner: ${{ vars.RUNNER_LARGE || 'ubuntu-cipool' }}
native: ${{ contains(github.event.pull_request.labels.*.name, 'ci:test-native') || contains(github.event.head_commit.message, 'ci:test-native') }}
##
## Job: Claude Review
##
check-ai-review:
name: "Checks"
uses: ./.github/workflows/claude-code-review.yml
needs: [triage]
if: false
# if: |
# (fromJson(needs.triage.outputs.srcs) || fromJson(needs.triage.outputs.workflows)) &&
# github.event.pull_request.draft == false
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
permissions:
contents: "read"
pull-requests: "read"
issues: "read"
id-token: "write"
##
## Job: API Check
##
check-api:
name: "Checks"
uses: ./.github/workflows/checks.apicheck.yml
needs: [triage]
if: fromJson(needs.triage.outputs.srcs) && github.event.pull_request.draft == false
secrets:
GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
permissions:
contents: "read"
##
## Job: Checks for Formatting/Style
##
check-format:
name: "Checks"
uses: ./.github/workflows/checks.formatting.yml
needs: [triage]
if: fromJson(needs.triage.outputs.model) || fromJson(needs.triage.outputs.natives) || fromJson(needs.triage.outputs.srcs)
secrets: inherit
permissions:
contents: "read"
with:
ignore_failures: ${{ contains(github.event.pull_request.labels.*.name, 'ci:fmt-ignore') }}
##
## Job: Clippy Check
##
check-clippy:
name: "Checks"
uses: ./.github/workflows/checks.clippy.yml
needs: [triage]
if: fromJson(needs.triage.outputs.natives)
permissions:
contents: "read"
##
## Job: Check for Wrapper
##
check-wrapper:
name: "Checks"
if: github.event.pull_request.draft == false
uses: ./.github/workflows/checks.gradle-wrapper.yml
needs: [triage]
permissions:
contents: "read"
##
## Job: Dependency Graph
##
dependency-graph:
name: "Checks"
if: github.event.pull_request.draft == false && fromJson(needs.triage.outputs.packages)
uses: ./.github/workflows/checks.dependency-graph.yml
needs: [triage]
permissions:
contents: "write" # needed for graph upload
##
## Job: Checks for Vulnerabilities/Licensing
##
check-dependencies:
name: "Checks"
if: github.event.pull_request.draft == false
uses: ./.github/workflows/checks.dependency-review.yml
needs: [triage, dependency-graph]
permissions:
contents: "read"
with:
base-ref: ${{ github.event.pull_request.base.ref }}
head-ref: ${{ github.event.pull_request.head.ref }}
##
## Job: Checks with Detekt
##
check-detekt:
name: "Checks"
uses: ./.github/workflows/checks.detekt.yml
needs: [triage]
if: false # disabled
secrets:
GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
permissions:
contents: "read"
security-events: "write"