chore(license): init #36
| name: "CI/CD" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| job: | |
| description: "Specific job to run (leave empty for all)" | |
| type: string | |
| required: false | |
| nix_installer: | |
| description: "Nix installer strategy" | |
| type: choice | |
| options: | |
| - full | |
| - quick | |
| default: quick | |
| required: false | |
| debug_enabled: | |
| description: "Run the workflow with tmate.io debugging enabled" | |
| required: true | |
| type: boolean | |
| default: false | |
| deploy_enabled: | |
| description: "Deploy to Cloudflare Workers" | |
| required: false | |
| type: boolean | |
| default: false | |
| workflow_call: | |
| pull_request: | |
| types: [opened, labeled, reopened, synchronize] | |
| paths-ignore: | |
| - "*.md" | |
| push: | |
| branches: | |
| - "main" | |
| paths-ignore: | |
| - "*.md" | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| deployments: write | |
| actions: write | |
| id-token: write | |
| jobs: | |
| scan: | |
| name: gitguardian | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event_name != 'workflow_dispatch' || | |
| inputs.job == '' || | |
| inputs.job == 'scan' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: GitGuardian scan | |
| uses: GitGuardian/ggshield-action@455483042671cc73b40d0e753baddffef7309a1f # ratchet:GitGuardian/[email protected] | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| set-variables: | |
| needs: scan | |
| runs-on: ubuntu-latest | |
| if: | | |
| !cancelled() && | |
| (github.event_name != 'workflow_dispatch' || | |
| inputs.job == '' || | |
| inputs.job == 'set-variables') | |
| outputs: | |
| debug: ${{ steps.set-variables.outputs.debug }} | |
| skip_ci: ${{ steps.set-variables.outputs.skip_ci }} | |
| deploy_enabled: ${{ steps.set-variables.outputs.deploy_enabled }} | |
| deploy_environment: ${{ steps.set-variables.outputs.deploy_environment }} | |
| checkout_ref: ${{ steps.set-variables.outputs.checkout_ref }} | |
| checkout_rev: ${{ steps.set-variables.outputs.checkout_rev }} | |
| steps: | |
| - name: Set action variables | |
| id: set-variables | |
| run: | | |
| DEBUG="false" | |
| SKIP_CI="false" | |
| DEPLOY_ENABLED="false" | |
| DEPLOY_ENVIRONMENT="preview" | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| DEBUG="${{ inputs.debug_enabled }}" | |
| DEPLOY_ENABLED="${{ inputs.deploy_enabled }}" | |
| fi | |
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'skip-ci') }}; then | |
| SKIP_CI="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'actions-debug') }}; then | |
| DEBUG="true" | |
| fi | |
| CHECKOUT_REF="${{ github.event.pull_request.head.ref }}" | |
| CHECKOUT_REV="${{ github.event.pull_request.head.sha }}" | |
| else | |
| CHECKOUT_REF="${{ github.ref_name }}" | |
| CHECKOUT_REV="${{ github.sha }}" | |
| fi | |
| # Enable deployment on push to main (production) | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then | |
| DEPLOY_ENABLED="true" | |
| DEPLOY_ENVIRONMENT="production" | |
| fi | |
| echo "DEBUG=$DEBUG" | |
| echo "SKIP_CI=$SKIP_CI" | |
| echo "DEPLOY_ENABLED=$DEPLOY_ENABLED" | |
| echo "DEPLOY_ENVIRONMENT=$DEPLOY_ENVIRONMENT" | |
| echo "CHECKOUT_REF=$CHECKOUT_REF" | |
| echo "CHECKOUT_REV=$CHECKOUT_REV" | |
| echo "DEBUG=$DEBUG" >> $GITHUB_OUTPUT | |
| echo "SKIP_CI=$SKIP_CI" >> $GITHUB_OUTPUT | |
| echo "DEPLOY_ENABLED=$DEPLOY_ENABLED" >> $GITHUB_OUTPUT | |
| echo "DEPLOY_ENVIRONMENT=$DEPLOY_ENVIRONMENT" >> $GITHUB_OUTPUT | |
| echo "CHECKOUT_REF=$CHECKOUT_REF" >> $GITHUB_OUTPUT | |
| echo "CHECKOUT_REV=$CHECKOUT_REV" >> $GITHUB_OUTPUT | |
| nix: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest] | |
| needs: set-variables | |
| if: | | |
| !cancelled() && | |
| needs.set-variables.outputs.skip_ci != 'true' && | |
| (github.event_name != 'workflow_dispatch' || | |
| inputs.job == '' || | |
| inputs.job == 'nix') | |
| concurrency: | |
| group: nix-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
| - name: Setup Nix | |
| uses: ./.github/actions/setup-nix | |
| env: | |
| SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
| with: | |
| installer: ${{ inputs.nix_installer || 'quick' }} | |
| system: x86_64-linux | |
| setup-cachix: true | |
| cachix-auth: true | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # ratchet:mxschmitt/action-tmate@v3 | |
| if: ${{ needs.set-variables.outputs.debug == 'true' }} | |
| - name: Install omnix | |
| run: nix --accept-flake-config profile install "github:juspay/omnix" | |
| - name: Summarize flake | |
| run: om show . | |
| - name: Run flake CI and push to cachix | |
| env: | |
| SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
| run: | | |
| nix develop -c sops exec-env vars/shared.yaml ' | |
| om ci run | tee /dev/stderr | cachix push "$CACHIX_CACHE_NAME" | |
| ' | |
| test: | |
| needs: [set-variables] | |
| if: | | |
| !cancelled() && | |
| needs.set-variables.outputs.skip_ci != 'true' && | |
| (github.event_name != 'workflow_dispatch' || | |
| inputs.job == '' || | |
| inputs.job == 'test') | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| package: | |
| - name: docs | |
| path: packages/docs | |
| concurrency: | |
| group: test-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
| - name: Setup Nix | |
| uses: ./.github/actions/setup-nix | |
| env: | |
| SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
| with: | |
| installer: ${{ inputs.nix_installer || 'quick' }} | |
| system: x86_64-linux | |
| setup-cachix: true | |
| - name: Install dependencies | |
| run: nix develop -c just install | |
| - name: Run unit tests with coverage | |
| run: nix develop -c just test-coverage | |
| - name: Build for E2E tests | |
| run: nix develop -c just build | |
| - name: Run E2E tests | |
| run: nix develop -c just test-e2e | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-${{ matrix.package.name }} | |
| path: ${{ matrix.package.path }}/dist/ | |
| retention-days: 7 | |
| include-hidden-files: true | |
| - name: Upload test results | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: playwright-report-${{ matrix.package.name }} | |
| path: ${{ matrix.package.path }}/playwright-report/ | |
| retention-days: 7 | |
| - name: Upload coverage | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-${{ matrix.package.name }} | |
| path: ${{ matrix.package.path }}/coverage/ | |
| retention-days: 7 | |
| deploy: | |
| needs: [set-variables, nix, test] | |
| if: | | |
| !cancelled() && | |
| needs.set-variables.outputs.skip_ci != 'true' && | |
| needs.set-variables.outputs.deploy_enabled == 'true' && | |
| (github.event_name != 'workflow_dispatch' || | |
| inputs.job == '' || | |
| inputs.job == 'deploy') | |
| uses: ./.github/workflows/deploy-docs.yaml | |
| with: | |
| debug_enabled: ${{ needs.set-variables.outputs.debug }} | |
| branch: ${{ needs.set-variables.outputs.checkout_ref }} | |
| environment: ${{ needs.set-variables.outputs.deploy_environment }} | |
| secrets: inherit |
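Review bot: `CHECKOUT_REF="${{ github.event.pull_request.head.ref }}"` in the set-variables run step splices the PR head branch name straight into the shell script; pass it through the environment instead, e.g. add `env: HEAD_REF: ${{ github.event.pull_request.head.ref }}` to the step and use `CHECKOUT_REF="$HEAD_REF"` (the `github.ref_name` assignment in the else branch should go the same way). The three `actions/upload-artifact@v4` steps in the test job use a floating tag while every other action in the file is SHA-pinned with a `# ratchet:` comment, and `nix profile install "github:juspay/omnix"` resolves an unpinned flake ref on every run — pin both, e.g. `actions/upload-artifact@<commit-sha> # ratchet:actions/upload-artifact@v4` and `github:juspay/omnix/<rev>` (placeholders). The workflow-level `permissions` block grants `deployments: write`, `actions: write` and `id-token: write` to every job, including scan and test, which from the visible steps appear to need only `contents: read`; keeping `contents: read` at the top and moving the write grants to the deploy job (if the reusable workflow needs them) would follow least privilege. The tmate step is gated on the `actions-debug` label or the dispatch input but sets no `limit-access-to-actor`, so the session printed in the job log is not restricted to the triggering user; `with: limit-access-to-actor: true` closes that.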