ci.yml
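# Continuous integration: install, build, typecheck and test on every push and
# pull request, then check that the publishable artifacts (the mcp-server npm
# tarball and the extension VSIX) would not ship private or source files.
name: CI

on:
  push:
    branches: ["**"]
  pull_request:

# Least privilege for GITHUB_TOKEN: the steps below only read the repository
# (checkout, build, test, dry-run packaging); none of them publishes, pushes
# or comments, so no write scope is needed.
permissions:
  contents: read

env:
  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
  # tsup's --dts worker hits Node's default ~2GB heap during the mcp-server
  # build (70+ entry points + DTS emission). Lift the cap to 4GB; both
  # ubuntu-latest and windows-latest runners have ~7GB RAM available.
  NODE_OPTIONS: "--max-old-space-size=4096"
  # Opt into Node 24 for GitHub-shipped JS actions (checkout, setup-node, …)
  # ahead of the June 2nd 2026 default. Silences the deprecation warning and
  # ensures we're on the runtime GitHub is migrating to.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  build-and-test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
        node-version: [22, 24]
    defaults:
      run:
        # An explicit `shell: bash` makes GitHub run each script with
        # `bash -eo pipefail`, so a failing stage of a pipeline fails the step.
        shell: bash
    steps:
      # NOTE(review): both actions are referenced by a mutable tag (@v4).
      # Pinning them to a full commit SHA would keep a moved tag from changing
      # what runs in this job.
      - uses: actions/checkout@v4
        with:
          # No step in this workflow pushes or fetches with git afterwards, so
          # do not leave the token in .git/config where dependency install and
          # build scripts could read it.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - run: npm ci
      # Workaround for npm/cli#4828: optional native bindings sometimes don't
      # install when `npm ci` runs from a lockfile generated on a different
      # platform. Force-install the @tailwindcss/oxide native binding for the
      # current runner so vite/postcss can find it.
      # NOTE(review): these installs carry no version, so they resolve outside
      # the lockfile; confirm that is acceptable or add an explicit version.
      - name: Install platform-specific tailwind oxide binding (npm/cli#4828)
        run: |
          if [ "$RUNNER_OS" = "Linux" ]; then
            npm install --no-save --workspaces=false @tailwindcss/oxide-linux-x64-gnu
          elif [ "$RUNNER_OS" = "Windows" ]; then
            npm install --no-save --workspaces=false @tailwindcss/oxide-win32-x64-msvc
          elif [ "$RUNNER_OS" = "macOS" ]; then
            npm install --no-save --workspaces=false \
              @tailwindcss/oxide-darwin-arm64 @tailwindcss/oxide-darwin-x64
          fi
      - run: npm run build
      - run: npm run typecheck
      - name: Test with coverage
        run: |
          mkdir -p .test-artifacts
          set -o pipefail
          npm run test:coverage 2>&1 | tee .test-artifacts/vitest.log
      # Scans the captured test output directory; the detection rules live in
      # the script itself and are not visible in this workflow.
      - name: Assert no secret shapes in test artifacts
        run: node scripts/assert-no-secret-leak.mjs .test-artifacts
      - name: Verify MCP tarball is clean
        if: matrix.node-version == 22
        run: |
          cd packages/mcp-server
          npm pack --dry-run 2>&1 | tee /tmp/pack.txt
          if grep -qE "dev-tools/|\.chrome-profile|captures/" /tmp/pack.txt; then
            echo "ERROR: Private files would leak into npm tarball!"
            exit 1
          fi
      - name: Verify VSIX is clean
        if: matrix.node-version == 22
        run: |
          cd packages/extension
          # NOTE(review): a failure of this script is ignored on purpose;
          # confirm the listing below is still complete when it fails.
          npm run prepare:package-deps || true
          # NOTE(review): if @vscode/vsce is not an installed dependency, npx
          # fetches it from the registry at run time; confirm it is locked.
          npx @vscode/vsce ls --no-dependencies 2>&1 | tee /tmp/vsix.txt
          # Match true source .ts files (foo.ts) in OUR package directories
          # but NOT (a) type declarations (foo.d.ts) bundled with their .js
          # by npm packages, (b) any .ts under a node_modules/ path —
          # vendored deps like patchright-core legitimately ship their own
          # .ts source files alongside the compiled .js. The check is
          # strictly about preventing OUR src/ from leaking, not vendored
          # third-party content.
          #
          # Collect the matches into a variable instead of testing a
          # `... | head -1 | grep -q .` pipeline: under pipefail, an early
          # exit of head/grep -q can kill an upstream grep with SIGPIPE, the
          # pipeline then reports failure, and the `if` would treat a real
          # leak as "no match". `|| true` covers the normal no-match case.
          leaked_ts="$(grep -E '\.ts$' /tmp/vsix.txt | grep -vE '\.d\.ts$' | grep -vE 'node_modules/' || true)"
          if [ -n "$leaked_ts" ]; then
            echo "ERROR: Source .ts files would leak into VSIX!"
            # Here-string rather than a pipe, so head closing early cannot
            # abort the script before `exit 1`.
            head -10 <<< "$leaked_ts"
            exit 1
          fi
          # dev-tools is under our own packages; never legitimate.
          if grep -qE "dev-tools" /tmp/vsix.txt; then
            echo "ERROR: dev-tools path would leak into VSIX!"
            grep -E "dev-tools" /tmp/vsix.txt | head -10
            exit 1
          fi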