Update CODEOWNERS (#7216) #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Security Notes | |
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions) | |
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions. | |
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!! | |
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags. | |
name: Build | |
on: | |
push: | |
branches: | |
- main | |
pull_request_target: | |
branches: | |
- main | |
types: | |
- labeled | |
merge_group: | |
defaults: | |
run: | |
# This ensures that the working directory is the root of the repository | |
working-directory: ./ | |
permissions: | |
contents: read | |
actions: read | |
jobs: | |
build: | |
# This Job should run either on `merge_groups` or `push` events | |
# or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request` | |
# since we want to run Website Builds on all these 3 occasions. As this allows us to be certain the that builds are passing | |
if: | | |
(github.event_name == 'push' || github.event_name == 'merge_group') || | |
(github.event_name == 'pull_request_target' && | |
github.event.label.name == 'github_actions:pull-request') | |
name: Build on ${{ matrix.os }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, windows-latest] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: Provide Turborepo Arguments | |
# This step is responsible for providing a reusable string that can be used within other steps and jobs | |
# that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command | |
id: turborepo_arguments | |
# See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir | |
# See https://turbo.build/repo/docs/reference/command-line-reference/run#--force | |
run: echo "turbo_args=--force=true --cache-dir=.turbo/cache" >> "$GITHUB_OUTPUT" | |
- name: Use GNU tar instead BSD tar | |
# This ensures that we use GNU `tar` which is more efficient for extracting caches's | |
if: matrix.os == 'windows-latest' | |
shell: cmd | |
run: echo C:\Program Files\Git\usr\bin>>"%GITHUB_PATH%" | |
- name: Git Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
# Provides the Pull Request commit SHA or the GitHub merge group ref | |
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }} | |
# We only need to fetch the last commit from the head_ref | |
# since we're not using the `--filter` operation from turborepo | |
# We don't use the `--filter` as we always want to force builds regardless of having changes or not | |
# this ensures that our bundle analysis script always runs and that we always ensure next.js is building | |
# regardless of having code changes or not | |
fetch-depth: 1 | |
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
# See here for caching with `yarn` https://github.com/actions/cache/blob/main/examples.md#node---yarn or you can leverage caching with actions/setup-node https://github.com/actions/setup-node | |
path: | | |
~/.npm | |
${{ github.workspace }}/apps/site/.next/cache | |
# Generate a new cache whenever packages or source files change. | |
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }} | |
# If source files changed but packages didn't, rebuild from a prior cache. | |
restore-keys: | | |
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}- | |
- name: Set up Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
# We want to ensure that the Node.js version running here respects our supported versions | |
node-version-file: '.nvmrc' | |
cache: 'npm' | |
- name: Install npm packages | |
# We want to avoid npm from running the Audit Step and Funding messages on a CI environment | |
# We also use `npm i` instead of `npm ci` so that the node_modules/.cache folder doesn't get deleted | |
# We also use `--omit=dev` to avoid installing devDependencies as we don't need them during the build step | |
run: npm i --no-audit --no-fund --userconfig=/dev/null --omit=dev | |
- name: Build Next.js (ISR) | |
# We want a ISR build on CI to ensure that regular Next.js builds work as expected. | |
# We want to enforce that the actual `turbo@latest` package is used instead of a possible hijack from the user | |
# the `${{ steps.turborepo_arguments.outputs.turbo_args }}` is a string substitution coming from a previous step | |
run: npx --package=turbo@latest -- turbo build ${{ steps.turborepo_arguments.outputs.turbo_args }} | |
env: | |
# We want to ensure we have enough RAM allocated to the Node.js process | |
# this should be a last resort in case by any chances the build memory gets too high | |
# but in general this should never happen | |
NODE_OPTIONS: '--max_old_space_size=4096' | |
# Used for API requests that require GitHub API scopes | |
NEXT_GITHUB_API_KEY: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build Next.js (Static) | |
# We only run full static builds within Pull Requests. As they're not needed on `merge_group` or `push` events | |
# Note that we skip full static builds on Crowdin-based Pull Requests as these PRs should only contain translation changes | |
if: | | |
(github.event_name == 'push') || | |
(github.event_name == 'pull_request_target' && | |
github.event.pull_request.head.ref != 'chore/crowdin') | |
# We want to enforce that the actual `turbo@latest` package is used instead of a possible hijack from the user | |
# the `${{ steps.turborepo_arguments.outputs.turbo_args }}` is a string substitution coming from a previous step | |
run: npx --package=turbo@latest -- turbo deploy ${{ steps.turborepo_arguments.outputs.turbo_args }} | |
env: | |
# We want to ensure we have enough RAM allocated to the Node.js process | |
# this should be a last resort in case by any chances the build memory gets too high | |
# but in general this should never happen | |
NODE_OPTIONS: '--max_old_space_size=4096' | |
# Used for API requests that require GitHub API scopes | |
NEXT_GITHUB_API_KEY: ${{ secrets.GITHUB_TOKEN }} | |
- name: Sync Orama Cloud | |
# We only want to sync the Orama Cloud production indexes on `push` events. | |
# We also want to sync the Orama Cloud preview (deployment) indexes on `pull_request_target` events. | |
# We also want to ensure that the sync only happens on the `ubuntu-latest` runner to avoid duplicate syncs | |
# or Windows-based path issues. | |
env: | |
ORAMA_INDEX_ID: ${{ github.event_name == 'push' && secrets.ORAMA_PRODUCTION_INDEX_ID || secrets.ORAMA_INDEX_ID }} | |
ORAMA_SECRET_KEY: ${{ github.event_name == 'push' && secrets.ORAMA_PRODUCTION_SECRET_KEY || secrets.ORAMA_SECRET_KEY }} | |
if: | | |
(matrix.os == 'ubuntu-latest') && | |
((github.event_name == 'push') || (github.event_name == 'pull_request_target')) | |
run: | | |
cd apps/site && npm run sync-orama |