.github/workflows/health_checks.yml

name: health_checks

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '0 12 * * *' # every day 12:00 UTC

jobs:
  install:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/install_with_cache
  build:
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/build_with_cache
  test_with_coverage:
    needs:
      - build
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run set-script-shell
      - run: npm run test:coverage:threshold
  do_include_e2e:
    runs-on: ubuntu-latest
    permissions:
      # This is required so that the step can read the labels on the pull request
      pull-requests: read
    env:
      # The gh cli expects the token at this environment variable
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    outputs:
      run_e2e: ${{ steps.check.outputs.run_e2e }}
    steps:
      # if this workflow is running on a push (ie merge to main), then e2e tests always run
      # if the workflow is running on a pull request, we perform an additional check for the run-e2e label
      # this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check e2e test results if they wish
      # the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running e2e on every PR commit
      - name: Check event is push or pull request has run-e2e label
        id: check
        run: |
          if [[ ${{ github.event_name }} == 'push' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-e2e --quiet; then
            echo setting run_e2e to true;
            echo "run_e2e=true" >> "$GITHUB_OUTPUT";
          else
            echo setting run_e2e to false;
            echo "run_e2e=false" >> "$GITHUB_OUTPUT";
          fi
  run_e2e_tests:
    if: needs.do_include_e2e.outputs.run_e2e == 'true'
    strategy:
      # will finish running other test matrices even if one fails
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60
    needs:
      - do_include_e2e
      - build
    permissions:
      # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: cd packages/cli && npm link
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1
        with:
          role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }}
          aws-region: us-west-2
      - name: Run E2E tests
        run: npm run e2e
  lint:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run lint
  check_dependencies:
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npm run check:dependencies
  check_tsconfig_refs:
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npm run check:tsconfig-refs
  check_api_extract:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run check:api
  docs_build_and_publish:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - run: npm run docs
      - if: github.event_name == 'push'
        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # version 3.9.3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./docs
          publish_branch: docs
  check_pr_size:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: git fetch origin
      - run: npm run diff:check ${{ github.event.pull_request.base.sha }}
  check_pr_has_changeset:
    if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
        with:
          # fetch full history so that changeset can properly compute divergence point
          fetch-depth: 0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npx changeset status --since origin/main
  check_package_versions:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs:
      - install
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_install_cache
      - run: npm run check:package-versions
  update_or_publish_versions:
    if: github.event_name == 'push'
    needs:
      - build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
      - uses: ./.github/actions/setup_node
      - uses: ./.github/actions/restore_build_cache
      - name: Create release pull request or publish to npm
        uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # version 1.4.5
        with:
          publish: npm run publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0
        with:
          # Minimal depth 2 so we can checkout the commit before possible merge commit.
          fetch-depth: 2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3
        with:
          languages: javascript
          queries: +security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3
        with:
          category: /language:javascript