B-21938 Entitlement Refactor #31117
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: F/E bundle diff | |
# For Truss and how we use this repo, pull_request and | |
# pull_request_target have no differences | |
# | |
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# | |
# Workflows triggered via pull_request_target have write permission | |
# to the target repository. They also have access to target | |
# repository secrets. The same is true for workflows triggered on | |
# pull_request from a branch in the same repository, but not from | |
# external forks. | |
# | |
# Truss always uses branches in the same repository | |
# | |
# Using pull_request means changes to the workflow file are used in | |
# the PR, which is incredibly helpful when testing out changes | |
# | |
# In addition analyze_bundle needs to check out and build a branch and | |
# that branch could possibly have untrusted code, and so pull_request | |
# is safer. | |
on: | |
pull_request: | |
branches: | |
- main | |
jobs: | |
changes: | |
runs-on: ubuntu-latest | |
outputs: | |
frontend: ${{ steps.filter.outputs.frontend }} | |
steps: | |
- uses: dorny/paths-filter@v3 | |
id: filter | |
with: | |
filters: | | |
frontend: | |
- 'src/**' | |
- 'yarn.lock' | |
build-pr: | |
concurrency: | |
group: bundle-build-pr-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
needs: changes | |
if: ${{ needs.changes.outputs.frontend == 'true' }} | |
name: 'Build PR' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Cache PR bundle stats | |
id: cache-bundle-stats | |
uses: actions/cache@v4 | |
with: | |
path: build/bundle-stats-${{ github.event.pull_request.head.sha }}.json | |
key: bundle-stats-${{ github.event.pull_request.head.sha }} | |
- name: Check out branch | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
uses: actions/[email protected] | |
- name: Set up node | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
uses: actions/setup-node@v4 | |
with: | |
cache: 'yarn' | |
node-version-file: '.tool-versions' | |
- name: Install dependencies | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: yarn install --frozen-lockfile | |
- name: Build PR with options | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: | | |
export NODE_OPTIONS="--max-old-space-size=4096" | |
echo "Using NODE_OPTIONS:${NODE_OPTIONS}" | |
yarn build --stats | |
- name: Copy stats to cache | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: | | |
cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json | |
- name: Restore stats from cache | |
if: steps.cache-bundle-stats.outputs.cache-hit == 'true' | |
run: | | |
cp ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json ./build/bundle-stats.json | |
- name: Upload stats.json | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pr-stats | |
path: ./build/bundle-stats.json | |
build-base: | |
concurrency: | |
group: bundle-build-base-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
needs: changes | |
if: ${{ needs.changes.outputs.frontend == 'true' }} | |
name: 'Build base' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Cache base bundle stats | |
id: cache-bundle-stats | |
uses: actions/cache@v4 | |
with: | |
path: build/bundle-stats-${{ github.event.pull_request.base.sha }}.json | |
key: bundle-stats-${{ github.event.pull_request.base.sha }} | |
- name: Check out base branch | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
uses: actions/[email protected] | |
with: | |
ref: ${{ github.base_ref }} | |
- name: Set up node | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
uses: actions/setup-node@v4 | |
with: | |
cache: 'yarn' | |
node-version-file: '.tool-versions' | |
- name: Install dependencies | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: yarn install --frozen-lockfile | |
- name: Build base with options | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: | | |
export NODE_OPTIONS="--max-old-space-size=4096" | |
echo "Using NODE_OPTIONS:${NODE_OPTIONS}" | |
yarn build --stats | |
- name: Copy stats to cache | |
if: steps.cache-bundle-stats.outputs.cache-hit != 'true' | |
run: | | |
cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json | |
- name: Restore stats from cache | |
if: steps.cache-bundle-stats.outputs.cache-hit == 'true' | |
run: | | |
cp ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json ./build/bundle-stats.json | |
- name: Upload stats.json | |
uses: actions/upload-artifact@v4 | |
with: | |
name: base-stats | |
path: ./build/bundle-stats.json | |
# run the action against the stats.json files | |
compare: | |
if: ${{ needs.changes.outputs.frontend == 'true' }} | |
concurrency: | |
group: bundle-compare-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
name: 'Compare base & PR bundle sizes' | |
runs-on: ubuntu-latest | |
needs: [build-base, build-pr] | |
permissions: | |
pull-requests: write | |
steps: | |
- uses: actions/download-artifact@v4 | |
- uses: github/[email protected] | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
current-stats-json-path: ./pr-stats/bundle-stats.json | |
base-stats-json-path: ./base-stats/bundle-stats.json | |
noop: | |
name: 'Noop job to prevent notification' | |
runs-on: ubuntu-latest | |
steps: | |
- run: 'echo "No build required"' |