Poc/pms health checks #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: health_checks | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
jobs: | |
install: | |
strategy: | |
matrix: | |
# Windows install must happen on the same worker size as subsequent jobs. | |
# Larger workers use different drive (C: instead of D:) to check out project and NPM installation | |
# creates file system links that include drive letter. | |
os: [ubuntu-latest, macos-latest, amplify-backend_windows-latest_8-core] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/install_with_cache | |
build: | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/build_with_cache | |
test_with_coverage: | |
needs: | |
- build | |
strategy: | |
matrix: | |
os: [ubuntu-latest, macos-latest, amplify-backend_windows-latest_8-core] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run set-script-shell | |
- run: npm run test:coverage:threshold | |
test_scripts: | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: | | |
npm run set-script-shell | |
npm run test:scripts | |
test_with_baseline_dependencies: | |
needs: | |
- install | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- name: Pin some dependencies to nearest patch and rebuild | |
run: | | |
npx tsx scripts/set_baseline_dependency_versions.ts | |
npm install | |
# print out diff for auditing or troubleshooting | |
git diff | |
npm run build | |
- name: Run unit and integration tests | |
run: | | |
npm run set-script-shell | |
npm run test | |
check_api_changes: | |
if: github.event_name == 'pull_request' | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout pull request ref | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- name: Publish packages locally | |
timeout-minutes: 2 | |
run: | | |
npm run start:npm-proxy | |
# keep git diff with version increment to make sure test projects resolve right version | |
npm run publish:local -- --keepGitDiff | |
- name: Checkout base branch | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
with: | |
path: base-branch-content | |
ref: ${{ github.event.pull_request.base.sha }} | |
- name: Check API changes | |
run: | | |
mkdir api-validation-projects | |
npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects | |
do_include_e2e: | |
runs-on: ubuntu-latest | |
permissions: | |
# This is required so that the step can read the labels on the pull request | |
pull-requests: read | |
env: | |
# The gh cli expects the token at this environment variable | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
outputs: | |
run_e2e: ${{ steps.check.outputs.run_e2e }} | |
steps: | |
# if this workflow is running on a push (ie merge to main), then e2e tests always run | |
# if this workflow is triggered manually, then e2e tests always run | |
# if the workflow is running on a pull request, we perform an additional check for the run-e2e label | |
# this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check e2e test results if they wish | |
# the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running e2e on every PR commit | |
- name: Check event is push to main or pull request has run-e2e label | |
id: check | |
run: | | |
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-e2e --quiet; then | |
echo setting run_e2e to true; | |
echo "run_e2e=true" >> "$GITHUB_OUTPUT"; | |
else | |
echo setting run_e2e to false; | |
echo "run_e2e=false" >> "$GITHUB_OUTPUT"; | |
fi | |
do_include_package_manager_tests: | |
runs-on: ubuntu-latest | |
permissions: | |
# This is required so that the step can read the labels on the pull request | |
pull-requests: read | |
env: | |
# The gh cli expects the token at this environment variable | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
outputs: | |
run_package_manager_tests: ${{ steps.check.outputs.run_package_manager_tests }} | |
steps: | |
# if this workflow is running on a push (ie merge to main), then package_manager_tests always run | |
# if this workflow is triggered manually, then package_manager_tests always run | |
# if the workflow is running on a pull request, we perform an additional check for the run-package-manager-tests label | |
# this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check package manager tests results if they wish | |
# the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running package_manager_tests on every PR commit | |
- name: Check event is push to main or pull request has run-package-manager-tests label | |
id: check | |
run: | | |
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-package-manager-tests --quiet; then | |
echo setting run_package_manager_tests to true; | |
echo "run_package_manager_tests=true" >> "$GITHUB_OUTPUT"; | |
else | |
echo setting run_package_manager_tests to false; | |
echo "run_package_manager_tests=false" >> "$GITHUB_OUTPUT"; | |
fi | |
run_e2e_tests: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: | |
[ | |
amplify-backend_ubuntu-latest_4-core, | |
macos-latest-xl, | |
amplify-backend_windows-latest_8-core, | |
] | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 25 | |
needs: | |
- do_include_e2e | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: cd packages/cli && npm link | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1 | |
with: | |
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }} | |
aws-region: us-west-2 | |
- name: Run E2E tests | |
run: npm run e2e | |
run_package_manager_tests_tests: | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
pkg-manager: [npm, yarn-classic, yarn-modern, pnpm] | |
node-version: [20] | |
exclude: | |
- os: windows-latest | |
pkg-manager: pnpm | |
env: | |
PACKAGE_MANAGER: ${{ matrix.pkg-manager }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 60 | |
needs: | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout aws-amplify/amplify-cli repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Node.js | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # version 3.8.1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Restore Build Cache | |
uses: ./.github/actions/restore_build_cache | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1 | |
with: | |
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }} | |
aws-region: us-west-2 | |
- name: Run E2E flow tests with ${{ matrix.pkg-manager }} | |
shell: bash | |
run: | | |
PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts | |
lint: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run lint | |
check_dependencies: | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npm run check:dependencies | |
check_tsconfig_refs: | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npm run check:tsconfig-refs | |
check_api_extract: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run check:api | |
docs_build_and_publish: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run docs | |
- if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} | |
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # version 3.9.3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: ./docs | |
publish_branch: docs | |
check_pr_size: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: git fetch origin | |
- run: npm run diff:check ${{ github.event.pull_request.base.sha }} | |
check_pr_has_changeset: | |
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
with: | |
# fetch full history so that changeset can properly compute divergence point | |
fetch-depth: 0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- name: Validate that PR has change set | |
run: | | |
npx changeset status --since origin/main | |
- name: Validate that change set has necessary dependency updates | |
run: | | |
npx changeset version | |
npm run check:dependencies | |
check_package_versions: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npm run check:package-versions | |
update_or_publish_versions: | |
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- name: Create release pull request or publish to npm | |
uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # version 1.4.5 | |
with: | |
publish: npm run publish | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
codeql: | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
with: | |
# Minimal depth 2 so we can checkout the commit before possible merge commit. | |
fetch-depth: 2 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3 | |
with: | |
languages: javascript | |
queries: +security-and-quality | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3 | |
with: | |
category: /language:javascript |