ci.yml
# Version PRs from `changesets/action` use head branch `changeset-release/<base>` (e.g. `changeset-release/main`;
# see changesets/action `run.ts`: `versionBranch = \`changeset-release/${branch}\``).
#
# GitHub docs: required status checks may be successful, skipped, or neutral — skipped often still allows merge
# (see https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging ).
# This workflow still gates on `changeset-release/*` and finishes with one **`CI complete`** job so there is a
# single unambiguous pass/fail (branch protection also warns that duplicate job *names* across workflows can block merges).
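name: CI

# Least privilege for GITHUB_TOKEN: every step visible in this file only reads
# the repository. NOTE(review): ./.github/actions/setup and the root action
# (`uses: ./`) are not visible here — widen per job if either needs more.
permissions:
  contents: read

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# NOTE(review): `actions/checkout@v4` is a movable tag. Pinning to a full
# commit SHA (keep the tag as a trailing comment) stops a retag from changing
# what runs in these jobs.
jobs:
  skip-ci:
    name: Gate (skip full CI for version PRs?)
    runs-on: ubuntu-latest
    outputs:
      skip: ${{ steps.gate.outputs.skip }}
    steps:
      - id: gate
        # Context values reach the shell through env, never through `${{ }}`
        # inside the script text: head_ref is a branch name chosen by the PR
        # author, and expression expansion happens before bash parses the
        # script, so an inline expansion would be evaluated as shell code.
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REF: ${{ github.head_ref }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          skip=false
          # Only heads that live in this repository may skip. A fork can name
          # its branch changeset-release/<anything>; without this check such
          # a PR would bypass every job that `CI complete` requires.
          # HEAD_REPO is empty on push events, so those never skip either.
          if [ "$EVENT_NAME" = "pull_request" ] && [ "$HEAD_REPO" = "$BASE_REPO" ]; then
            case "$HEAD_REF" in
              changeset-release/*)
                skip=true
                echo "Head is changeset-release/* — full CI skipped; ci-complete will pass."
                ;;
            esac
          fi
          echo "skip=$skip" >> "$GITHUB_OUTPUT"

  format:
    name: 💅 Format
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Run format
        run: bun run format:check

  lint:
    name: 🕵 Lint
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Run lint
        run: bun run lint:ci

  typecheck:
    name: ✅ Typecheck
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Run typecheck
        run: bun run typecheck

  test:
    name: 🔬 Test
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Run unit tests with coverage
        run: bun run test:coverage
      - name: Golden query regression (fixtures/minimal)
        run: bun run test:golden

  build:
    name: 🧰 Build
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Run build
        run: bun run build
      # Deliberately `node`, not `bun`: many installs use npm + Node; this checks dist/ + better-sqlite3.
      # Bun is already used for build/tests above.
      - name: Node smoke (dist + better-sqlite3)
        run: node dist/index.mjs query "SELECT 1 as ok"
      # Full rebuild exercises multi-statement DDL (`runSql`), `dropAll`, workers path — Node only.
      - name: Node full index (fixtures/minimal)
        run: |
          export CODEMAP_ROOT="$GITHUB_WORKSPACE/fixtures/minimal"
          rm -f "$CODEMAP_ROOT/.codemap.db"
          node dist/index.mjs --full
          node dist/index.mjs query "SELECT COUNT(*) AS files FROM files"

  benchmark:
    name: 📊 Benchmark (fixture)
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: Index fixture and run benchmark
        run: |
          export CODEMAP_ROOT="$GITHUB_WORKSPACE/fixtures/minimal"
          bun run dev --full
          bun run benchmark

  audit:
    # Non-blocking — visibility into transitive-dep CVEs without gating PRs.
    # Promote to a hard gate once the team agrees on a vulnerability budget.
    # Because of `continue-on-error` and because `ci-complete` does not list
    # this job in `needs`, findings surface only in this job's own log.
    name: 🛡 Audit (non-blocking)
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup
        uses: ./.github/actions/setup
      - name: bun audit
        run: bun audit

  action-smoke:
    # Dogfood Slice 4 of plan PR #73: invoke `uses: ./` from this very repo
    # so the action.yml + scripts/detect-pm.mjs are exercised on every PR.
    # Smoke uses `command: --version` to avoid the real-audit dependency
    # chain (audit baselines etc.) — this validates the composite-step
    # flow + npm-pulled codemap binary, not the audit logic itself
    # (which is covered by the unit-test suite).
    name: 🤖 Action smoke (dogfood)
    needs: skip-ci
    if: needs['skip-ci'].outputs.skip != 'true'
    runs-on: ubuntu-latest
    # Non-blocking until we've published codemap@<v1> matching the Action.
    # Today the Action pulls codemap@latest from npm (0.4.0), which works
    # for `--version` but doesn't validate v1.x flags. Promote to a hard
    # gate when v1.0.0 ships.
    # NOTE(review): `@latest` means whatever npm serves at run time is
    # executed on the runner; pin an exact version once one is published.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run the local-path action
        uses: ./
        with:
          command: "--version"
          format: "json"
          upload-sarif: "false"
          pr-comment: "false"
          fail-on: "never"

  ci-complete:
    # Single required status check. `audit` and `action-smoke` are left out
    # of `needs` on purpose: they are non-blocking.
    name: CI complete
    needs: [skip-ci, format, lint, typecheck, test, build, benchmark]
    # Run even when a needed job failed or was skipped, so this job always
    # reports a result.
    if: always()
    runs-on: ubuntu-latest
    steps:
      # Fails closed: if the gate job itself fails, `skip` is empty (not
      # 'true') and the dependent jobs are skipped (not 'success'), so this
      # step exits 1.
      - name: Fail if any required job failed
        if: |
          needs['skip-ci'].outputs.skip != 'true' && (
            needs.format.result != 'success' ||
            needs.lint.result != 'success' ||
            needs.typecheck.result != 'success' ||
            needs.test.result != 'success' ||
            needs.build.result != 'success' ||
            needs.benchmark.result != 'success'
          )
        run: exit 1
      - name: OK
        run: echo "CI requirements satisfied"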