Skip to content

ci/cd work

ci/cd work #31119

name: F/E bundle diff
# For Truss and how we use this repo, pull_request and
# pull_request_target have no differences
#
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# Workflows triggered via pull_request_target have write permission
# to the target repository. They also have access to target
# repository secrets. The same is true for workflows triggered on
# pull_request from a branch in the same repository, but not from
# external forks.
#
# Truss always uses branches in the same repository
#
# Using pull_request means changes to the workflow file are used in
# the PR, which is incredibly helpful when testing out changes
#
# In addition analyze_bundle needs to check out and build a branch and
# that branch could possibly have untrusted code, and so pull_request
# is safer.
on:
pull_request:
branches:
- main
jobs:
changes:
runs-on: ubuntu-latest
outputs:
frontend: ${{ steps.filter.outputs.frontend }}
steps:
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
frontend:
- 'src/**'
- 'yarn.lock'
build-pr:
concurrency:
group: bundle-build-pr-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
needs: changes
if: ${{ needs.changes.outputs.frontend == 'true' }}
name: 'Build PR'
runs-on: ubuntu-latest
steps:
- name: Cache PR bundle stats
id: cache-bundle-stats
uses: actions/cache@v4
with:
path: build/bundle-stats-${{ github.event.pull_request.head.sha }}.json
key: bundle-stats-${{ github.event.pull_request.head.sha }}
- name: Check out branch
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
uses: actions/[email protected]
- name: Set up node
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
uses: actions/setup-node@v4
with:
cache: 'yarn'
node-version-file: '.tool-versions'
- name: Install dependencies
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: yarn install --frozen-lockfile
- name: Build PR with options
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: |
export NODE_OPTIONS="--max-old-space-size=4096"
echo "Using NODE_OPTIONS:${NODE_OPTIONS}"
yarn build --stats
- name: Copy stats to cache
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: |
cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json
- name: Restore stats from cache
if: steps.cache-bundle-stats.outputs.cache-hit == 'true'
run: |
cp ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json ./build/bundle-stats.json
- name: Upload stats.json
uses: actions/upload-artifact@v4
with:
name: pr-stats
path: ./build/bundle-stats.json
build-base:
concurrency:
group: bundle-build-base-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
needs: changes
if: ${{ needs.changes.outputs.frontend == 'true' }}
name: 'Build base'
runs-on: ubuntu-latest
steps:
- name: Cache base bundle stats
id: cache-bundle-stats
uses: actions/cache@v4
with:
path: build/bundle-stats-${{ github.event.pull_request.base.sha }}.json
key: bundle-stats-${{ github.event.pull_request.base.sha }}
- name: Check out base branch
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
uses: actions/[email protected]
with:
ref: ${{ github.base_ref }}
- name: Set up node
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
uses: actions/setup-node@v4
with:
cache: 'yarn'
node-version-file: '.tool-versions'
- name: Install dependencies
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: yarn install --frozen-lockfile
- name: Build base with options
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: |
export NODE_OPTIONS="--max-old-space-size=4096"
echo "Using NODE_OPTIONS:${NODE_OPTIONS}"
yarn build --stats
- name: Copy stats to cache
if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
run: |
cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json
- name: Restore stats from cache
if: steps.cache-bundle-stats.outputs.cache-hit == 'true'
run: |
cp ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json ./build/bundle-stats.json
- name: Upload stats.json
uses: actions/upload-artifact@v4
with:
name: base-stats
path: ./build/bundle-stats.json
# run the action against the stats.json files
compare:
if: ${{ needs.changes.outputs.frontend == 'true' }}
concurrency:
group: bundle-compare-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
name: 'Compare base & PR bundle sizes'
runs-on: ubuntu-latest
needs: [build-base, build-pr]
permissions:
pull-requests: write
steps:
- uses: actions/download-artifact@v4
- uses: github/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
current-stats-json-path: ./pr-stats/bundle-stats.json
base-stats-json-path: ./base-stats/bundle-stats.json
noop:
name: 'Noop job to prevent notification'
runs-on: ubuntu-latest
steps:
- run: 'echo "No build required"'