elements/.github/workflows/ci.yml at main · NVIDIA/elements · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          lfs: true
          # The CLI build runs semantic-release dry-run to bake the next binary version.
          # On main, checkout credentials must match the release token used by that dry-run.
          token: ${{ github.ref == 'refs/heads/main' && secrets.RELEASE_TOKEN || github.token }}
      - uses: ./.github/actions/setup-ci
      # - uses: google/wireit@setup-github-actions-caching/v2
      - name: Run CI checks
        env:
          ELEMENTS_PAGES_BASE_URL: ${{vars.ELEMENTS_PAGES_BASE_URL}}
          ELEMENTS_REGISTRY_URL: ${{vars.ELEMENTS_REGISTRY_URL}}
          ELEMENTS_REPO_BASE_URL: ${{vars.ELEMENTS_REPO_BASE_URL}}
          GITHUB_TOKEN: ${{ github.ref == 'refs/heads/main' && secrets.RELEASE_TOKEN || github.token }}
        run: PAGES_BASE_URL="/elements/" pnpm run ci && PAGES_BASE_URL="/elements/" node ./projects/internals/ci/cache-validate.js ci
      - name: Write CI job summary
        if: always()
        run: node ./projects/internals/ci/ci-summary.js >> "$GITHUB_STEP_SUMMARY"
      - name: Upload build artifacts
        if: github.event_name == 'push'
        uses: actions/upload-artifact@v7
        with:
          name: build-artifacts
          retention-days: 1
          path: |
            projects/core/dist
            projects/core/package.json
            projects/forms/dist
            projects/forms/package.json
            projects/styles/dist
            projects/styles/package.json
            projects/themes/dist
            projects/themes/package.json
            projects/lint/dist
            projects/lint/package.json
            projects/cli/dist
            projects/cli/package.json
            projects/code/dist
            projects/code/package.json
            projects/create/dist
            projects/create/package.json
            projects/markdown/dist
            projects/markdown/package.json
            projects/media/dist
            projects/media/package.json
            projects/monaco/dist
            projects/monaco/package.json
            projects/pages/dist
      - name: Upload pages artifact
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        uses: actions/upload-pages-artifact@v5
        with:
          path: projects/pages/dist

  lighthouse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          lfs: true
      - uses: ./.github/actions/setup-ci
      # - uses: google/wireit@setup-github-actions-caching/v2
      - name: Run Lighthouse tests
        run: WIREIT_FAILURES=kill pnpm run lighthouse && node ./projects/internals/ci/cache-validate.js lighthouse && node ./projects/internals/ci/metrics.lighthouse.js
      - name: Write lighthouse job summary
        if: always()
        run: node ./projects/internals/ci/lighthouse-summary.js >> "$GITHUB_STEP_SUMMARY"

  release:
    needs: ci
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      issues: write
      deployments: write
      pull-requests: write
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          lfs: true
          ref: main
          # Use RELEASE_TOKEN so the persisted git credentials match the token
          # semantic-release pushes with — otherwise the default GITHUB_TOKEN's
          # http.extraheader overrides @semantic-release/git's push auth.
          token: ${{secrets.RELEASE_TOKEN}}
      - uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d
        with:
          version: 11.0.8
          run_install: false
      - uses: actions/setup-node@v6
        with:
          node-version-file: './.nvmrc'
          registry-url: 'https://registry.npmjs.org'
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - name: Download build artifacts
        uses: actions/download-artifact@v8
        with:
          name: build-artifacts
          path: projects
      - name: Release
        env:
          # RELEASE_TOKEN must be a PAT or GitHub App token with contents:write and
          # bypass permission for main's branch protection rules. The default
          # GITHUB_TOKEN cannot push tags/release commits to a protected branch.
          GITHUB_TOKEN: ${{secrets.RELEASE_TOKEN}}
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
        run: WIREIT_PARALLEL=1 WIREIT_LOGGER=metrics pnpm run release

  deploy-pages:
    needs: ci
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{steps.deployment.outputs.page_url}}
    concurrency:
      group: pages
      cancel-in-progress: false
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v5