forked from aws-amplify/amplify-backend
-
Notifications
You must be signed in to change notification settings - Fork 0
367 lines (365 loc) · 14.8 KB
/
health_checks.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
name: health_checks
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
jobs:
install:
strategy:
matrix:
# Windows install must happen on the same worker size as subsequent jobs.
# Larger workers use different drive (C: instead of D:) to check out project and NPM installation
# creates file system links that include drive letter.
os: [ubuntu-latest, macos-latest, amplify-backend_windows-latest_8-core]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/install_with_cache
build:
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/build_with_cache
test_with_coverage:
needs:
- build
strategy:
matrix:
os: [ubuntu-latest, macos-latest, amplify-backend_windows-latest_8-core]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run set-script-shell
- run: npm run test:coverage:threshold
test_scripts:
needs:
- build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: |
npm run set-script-shell
npm run test:scripts
test_with_baseline_dependencies:
needs:
- install
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- name: Pin some dependencies to nearest patch and rebuild
run: |
npx tsx scripts/set_baseline_dependency_versions.ts
npm install
# print out diff for auditing or troubleshooting
git diff
npm run build
- name: Run unit and integration tests
run: |
npm run set-script-shell
npm run test
check_api_changes:
if: github.event_name == 'pull_request'
needs:
- build
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout pull request ref
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- name: Publish packages locally
timeout-minutes: 2
run: |
npm run start:npm-proxy
# keep git diff with version increment to make sure test projects resolve right version
npm run publish:local -- --keepGitDiff
- name: Checkout base branch
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
with:
path: base-branch-content
ref: ${{ github.event.pull_request.base.sha }}
- name: Check API changes
run: |
mkdir api-validation-projects
npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects
do_include_e2e:
runs-on: ubuntu-latest
permissions:
# This is required so that the step can read the labels on the pull request
pull-requests: read
env:
# The gh cli expects the token at this environment variable
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
outputs:
run_e2e: ${{ steps.check.outputs.run_e2e }}
steps:
# if this workflow is running on a push (ie merge to main), then e2e tests always run
# if this workflow is triggered manually, then e2e tests always run
# if the workflow is running on a pull request, we perform an additional check for the run-e2e label
# this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check e2e test results if they wish
# the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running e2e on every PR commit
- name: Check event is push to main or pull request has run-e2e label
id: check
run: |
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-e2e --quiet; then
echo setting run_e2e to true;
echo "run_e2e=true" >> "$GITHUB_OUTPUT";
else
echo setting run_e2e to false;
echo "run_e2e=false" >> "$GITHUB_OUTPUT";
fi
do_include_package_manager_tests:
runs-on: ubuntu-latest
permissions:
# This is required so that the step can read the labels on the pull request
pull-requests: read
env:
# The gh cli expects the token at this environment variable
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
outputs:
run_package_manager_tests: ${{ steps.check.outputs.run_package_manager_tests }}
steps:
# if this workflow is running on a push (ie merge to main), then package_manager_tests always run
# if this workflow is triggered manually, then package_manager_tests always run
# if the workflow is running on a pull request, we perform an additional check for the run-package-manager-tests label
# this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check package manager tests results if they wish
# the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running package_manager_tests on every PR commit
- name: Check event is push to main or pull request has run-package-manager-tests label
id: check
run: |
if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-package-manager-tests --quiet; then
echo setting run_package_manager_tests to true;
echo "run_package_manager_tests=true" >> "$GITHUB_OUTPUT";
else
echo setting run_package_manager_tests to false;
echo "run_package_manager_tests=false" >> "$GITHUB_OUTPUT";
fi
run_e2e_tests:
if: needs.do_include_e2e.outputs.run_e2e == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os:
[
amplify-backend_ubuntu-latest_4-core,
macos-latest-xl,
amplify-backend_windows-latest_8-core,
]
runs-on: ${{ matrix.os }}
timeout-minutes: 25
needs:
- do_include_e2e
- build
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: cd packages/cli && npm link
- name: Configure test tooling credentials
uses: ./.github/actions/setup_profile
with:
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
aws-region: us-west-2
profile-name: e2e-tooling
- name: Configure test execution credentials
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1
with:
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
aws-region: us-west-2
- name: Run E2E tests
run: npm run e2e
run_package_manager_tests_tests:
if: needs.do_include_package_manager_tests.outputs.run_package_manager_tests == 'true'
strategy:
# will finish running other test matrices even if one fails
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
pkg-manager: [npm, yarn-classic, yarn-modern, pnpm]
node-version: [20]
exclude:
- os: windows-latest
pkg-manager: pnpm
env:
PACKAGE_MANAGER: ${{ matrix.pkg-manager }}
runs-on: ${{ matrix.os }}
timeout-minutes: 60
needs:
- build
- do_include_package_manager_tests
permissions:
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
id-token: write
contents: read
steps:
- name: Checkout aws-amplify/amplify-cli repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # version 3.8.1
with:
node-version: ${{ matrix.node-version }}
- name: Restore Build Cache
uses: ./.github/actions/restore_build_cache
- name: Configure test tooling credentials
uses: ./.github/actions/setup_profile
with:
role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }}
aws-region: us-west-2
profile-name: e2e-tooling
- name: Configure test execution credentials
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1
with:
role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
aws-region: us-west-2
- name: Run E2E flow tests with ${{ matrix.pkg-manager }}
shell: bash
run: |
PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts
lint:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run lint
check_dependencies:
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npm run check:dependencies
check_tsconfig_refs:
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npm run check:tsconfig-refs
check_api_extract:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run check:api
docs_build_and_publish:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- run: npm run docs
- if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # version 3.9.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs
publish_branch: docs
check_pr_size:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: git fetch origin
- run: npm run diff:check ${{ github.event.pull_request.base.sha }}
check_pr_has_changeset:
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
with:
# fetch full history so that changeset can properly compute divergence point
fetch-depth: 0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- name: Validate that PR has change set
run: |
npx changeset status --since origin/main
- name: Validate that change set has necessary dependency updates
run: |
npx changeset version
npm run check:dependencies
check_package_versions:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs:
- install
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_install_cache
- run: npm run check:package-versions
update_or_publish_versions:
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
needs:
- build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
- uses: ./.github/actions/setup_node
- uses: ./.github/actions/restore_build_cache
- name: Create release pull request or publish to npm
uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # version 1.4.5
with:
publish: npm run publish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
codeql:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
with:
# Minimal depth 2 so we can checkout the commit before possible merge commit.
fetch-depth: 2
- name: Initialize CodeQL
uses: github/codeql-action/init@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3
with:
languages: javascript
queries: +security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3
with:
category: /language:javascript