-
Notifications
You must be signed in to change notification settings - Fork 22.5k
155 lines (129 loc) · 6.3 KB
/
pr-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# This file tests more or less everything related to a pull request. All
# in one big job. At the end, if all the testing passes, it proceeds
# to upload all the files that were built to our Dev environment.
# This way, if the tests passed, you'll be able to review the built
# pages on a public URL.
name: PR Test
on:
# The `GITHUB_TOKEN` in workflows triggered by the `pull_request_target` event
# is granted read/write repository access.
# Please pay attention to limit the permissions of each job!
# https://docs.github.com/actions/using-jobs/assigning-permissions-to-jobs
pull_request_target:
branches:
- main
jobs:
tests:
if: github.repository == 'mdn/content'
runs-on: ubuntu-latest
# Set the permissions to `read-all`, preventing the workflow from
# any accidental write access to the repository.
permissions: read-all
outputs:
has_assets: ${{ steps.build-content.outputs.has_assets }}
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
# This is the directory where the built files will be placed.
# It's also hardcoded in the `yarn build` command in package.json.
# If you change it here, you must also make the same change in
# package.json.
BUILD_OUT_ROOT: build
steps:
- uses: actions/checkout@v4
with:
ref: "${{ env.HEAD_SHA }}"
- name: Get changed files
run: |
# Use the GitHub API to get the list of changed files
# documentation: https://docs.github.com/rest/commits/commits#compare-two-commits
DIFF_DOCUMENTS=$(gh api repos/{owner}/{repo}/compare/${{ env.BASE_SHA }}...${{ env.HEAD_SHA }} \
--jq '.files | .[] | select(.status|IN("added", "modified", "renamed", "copied", "changed")) | .filename')
# filter out files that are not markdown files
GIT_DIFF_CONTENT=$(echo "${DIFF_DOCUMENTS}" | egrep -i "^files/.*\.(md)$" | xargs)
echo "GIT_DIFF_CONTENT=${GIT_DIFF_CONTENT}" >> $GITHUB_ENV
# filter out files that are not attachments
GIT_DIFF_FILES=$(echo "${DIFF_DOCUMENTS}" | egrep -i "^files/.*\.(png|jpeg|jpg|gif|svg|webp)$" | xargs)
echo "GIT_DIFF_FILES=${GIT_DIFF_FILES}" >> $GITHUB_ENV
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Node.js environment
if: ${{ env.GIT_DIFF_CONTENT }} || ${{ env.GIT_DIFF_FILES }}
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: yarn
- name: Install all yarn packages
if: ${{ env.GIT_DIFF_CONTENT }} || ${{ env.GIT_DIFF_FILES }}
run: yarn --frozen-lockfile
env:
# https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build changed content
id: build-content
if: ${{ env.GIT_DIFF_CONTENT }}
env:
CONTENT_ROOT: ${{ github.workspace }}/files
# This is so that if there's a single 'unsafe_html' flaw, it
# completely fails the build.
# But all other flaws should be 'warn', so that we can include
# information about the flaws when we analyze the built PR.
BUILD_FLAW_LEVELS: "unsafe_html: error, *:warn"
# Because we build these pages in a way that you get a toolbar,
# so the flaws can be displayed, but we don't want any of the
# other toolbar features like "Fix fixable flaws" or "Quick-edit"
# we set this to disable that stuff.
REACT_APP_CRUD_MODE_READONLY: true
BUILD_LIVE_SAMPLES_BASE_URL: https://live.mdnyalp.dev
BUILD_LEGACY_LIVE_SAMPLES_BASE_URL: https://live-samples.mdn.allizom.net
# In these builds, we never care for or need the ability to sign in.
# This environment variable will disable that functionality entirely.
REACT_APP_DISABLE_AUTH: true
# TODO: This should be implicit when `CI=true`
BUILD_NO_PROGRESSBAR: true
# Playground
REACT_APP_PLAYGROUND_BASE_HOST: mdnyalp.dev
run: |
# The reason this script isn't in `package.json` is because
# you don't need that script as a writer. It's only used in CI
# and it can't use the default CONTENT_ROOT that gets set in
# package.json.
yarn build ${{ env.GIT_DIFF_CONTENT }}
echo "Disk usage size of the build"
du -sh ${{ env.BUILD_OUT_ROOT }}
# Save the PR number into the build
echo ${{ github.event.number }} > ${{ env.BUILD_OUT_ROOT }}/NR
# Download the raw diff blob and store that inside the build
# directory.
# The purpose of this is for the PR Review Companion to later
# be able to use this raw diff file for the benefit of analyzing.
wget https://github.com/${{ github.repository }}/compare/${{ env.BASE_SHA }}...${{ env.HEAD_SHA }}.diff -O ${{ env.BUILD_OUT_ROOT }}/DIFF
# Set the output variable so the next job could skip if there are no assets
echo "has_assets=true" >> "$GITHUB_OUTPUT"
- name: Merge static assets with built documents
if: ${{ env.GIT_DIFF_CONTENT }}
run: |
# Exclude the .map files, as they're used for debugging JS and CSS.
rsync -a --exclude "*.map" node_modules/@mdn/yari/client/build/ ${{ env.BUILD_OUT_ROOT }}
# Show the final disk usage size of the build.
du -sh ${{ env.BUILD_OUT_ROOT }}
- uses: actions/upload-artifact@v3
if: ${{ env.GIT_DIFF_CONTENT }}
with:
name: build
path: ${{ env.BUILD_OUT_ROOT }}
- name: Check changed files
if: ${{ env.GIT_DIFF_FILES }}
run: |
echo ${{ env.GIT_DIFF_FILES }}
export CONTENT_ROOT=$(pwd)/files
yarn filecheck ${{ env.GIT_DIFF_FILES }}
review:
needs: tests
if: ${{ needs.tests.outputs.has_assets }}
# write permissions are required to create a comment in the corresponding PR
permissions: write-all
uses: ./.github/workflows/pr-review-companion.yml
# inherit the secrets from the parent workflow
# https://docs.github.com/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
secrets: inherit