analyze-bundle.yml
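name: F/E bundle diff

# For Truss and how we use this repo, pull_request and
# pull_request_target have no differences
#
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# Workflows triggered via pull_request_target have write permission
# to the target repository. They also have access to target
# repository secrets. The same is true for workflows triggered on
# pull_request from a branch in the same repository, but not from
# external forks.
#
# Truss always uses branches in the same repository
#
# Using pull_request means changes to the workflow file are used in
# the PR, which is incredibly helpful when testing out changes
#
# In addition analyze_bundle needs to check out and build a branch and
# that branch could possibly have untrusted code, and so pull_request
# is safer.
on:
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the build jobs install and build the
# PR branch, which the note above treats as possibly untrusted, and
# same-repository branches would otherwise get the repository's default
# token permissions. Jobs that need more declare their own block; a
# job-level block replaces this one, it does not add to it.
permissions:
  contents: read

jobs:
  # Decides whether the PR touches frontend code. The build and compare
  # jobs are gated on the `frontend` output.
  changes:
    runs-on: ubuntu-latest
    # No checkout step here, so paths-filter reads the changed-file list
    # through the pull request API.
    permissions:
      pull-requests: read
    outputs:
      frontend: ${{ steps.filter.outputs.frontend }}
    steps:
      # NOTE(review): third-party action referenced by a mutable tag.
      # Pinning to a full commit SHA (tag kept in a trailing comment)
      # stops a moved tag from changing what runs in this workflow.
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            frontend:
              - 'src/**'
              - 'yarn.lock'

  # Builds the PR head and publishes its bundle stats as the `pr-stats`
  # artifact. The stats file is cached per head SHA, so a re-run for the
  # same commit skips checkout, install and build.
  build-pr:
    concurrency:
      group: bundle-build-pr-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
      cancel-in-progress: true
    needs: changes
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    name: 'Build PR'
    runs-on: ubuntu-latest
    steps:
      - name: Cache PR bundle stats
        id: cache-bundle-stats
        uses: actions/cache@v4
        with:
          path: build/bundle-stats-${{ github.event.pull_request.head.sha }}.json
          key: bundle-stats-${{ github.event.pull_request.head.sha }}
      # NOTE(review): the reference below was mangled by the hosting
      # page's e-mail obfuscation ("[email protected]"); presumably
      # actions/checkout at a pinned version. Restore the real ref from
      # the repository before using this file.
      - name: Check out branch
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        uses: actions/[email protected]
        with:
          # The steps after this one run the branch's own install and
          # build scripts; do not leave the token in .git/config for them.
          persist-credentials: false
      - name: Set up node
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        uses: actions/setup-node@v4
        with:
          cache: 'yarn'
          node-version-file: '.tool-versions'
      - name: Install dependencies
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: yarn install --frozen-lockfile
      - name: Build PR with options
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: |
          export NODE_OPTIONS="--max-old-space-size=4096"
          echo "Using NODE_OPTIONS:${NODE_OPTIONS}"
          yarn build --stats
      # Cache miss: copy the fresh stats to the SHA-named path that the
      # cache step saves when the job finishes.
      - name: Copy stats to cache
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: |
          cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json
      # Cache hit: copy the restored file back to the fixed name that the
      # upload step expects.
      - name: Restore stats from cache
        if: steps.cache-bundle-stats.outputs.cache-hit == 'true'
        run: |
          cp ./build/bundle-stats-${{ github.event.pull_request.head.sha }}.json ./build/bundle-stats.json
      - name: Upload stats.json
        uses: actions/upload-artifact@v4
        with:
          name: pr-stats
          path: ./build/bundle-stats.json

  # Same pipeline as build-pr, but for the base branch; publishes the
  # `base-stats` artifact.
  build-base:
    concurrency:
      group: bundle-build-base-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
      cancel-in-progress: true
    needs: changes
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    name: 'Build base'
    runs-on: ubuntu-latest
    steps:
      - name: Cache base bundle stats
        id: cache-bundle-stats
        uses: actions/cache@v4
        with:
          path: build/bundle-stats-${{ github.event.pull_request.base.sha }}.json
          key: bundle-stats-${{ github.event.pull_request.base.sha }}
      # NOTE(review): action reference mangled by the hosting page's
      # e-mail obfuscation; presumably actions/checkout at a pinned
      # version. Restore the real ref from the repository.
      #
      # NOTE(review): this checks out the base branch by name, while the
      # cache key uses pull_request.base.sha. If the branch has moved
      # past that SHA, the cached stats describe a different commit than
      # the key says. Confirm which one is intended.
      - name: Check out base branch
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        uses: actions/[email protected]
        with:
          ref: ${{ github.base_ref }}
          # Later steps run install and build scripts; keep the token
          # out of .git/config.
          persist-credentials: false
      - name: Set up node
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        uses: actions/setup-node@v4
        with:
          cache: 'yarn'
          node-version-file: '.tool-versions'
      - name: Install dependencies
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: yarn install --frozen-lockfile
      - name: Build base with options
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: |
          export NODE_OPTIONS="--max-old-space-size=4096"
          echo "Using NODE_OPTIONS:${NODE_OPTIONS}"
          yarn build --stats
      - name: Copy stats to cache
        if: steps.cache-bundle-stats.outputs.cache-hit != 'true'
        run: |
          cp ./build/bundle-stats.json ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json
      - name: Restore stats from cache
        if: steps.cache-bundle-stats.outputs.cache-hit == 'true'
        run: |
          cp ./build/bundle-stats-${{ github.event.pull_request.base.sha }}.json ./build/bundle-stats.json
      - name: Upload stats.json
        uses: actions/upload-artifact@v4
        with:
          name: base-stats
          path: ./build/bundle-stats.json

  # run the action against the stats.json files
  compare:
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    concurrency:
      group: bundle-compare-${{ github.event.action || 'unknown' }}-${{ github.event.pull_request.number || github.ref }}
      cancel-in-progress: true
    name: 'Compare base & PR bundle sizes'
    runs-on: ubuntu-latest
    # The `needs` context only exposes direct dependencies. `changes`
    # must be listed here or the `if:` above compares an empty value
    # with 'true' and the job never runs.
    needs: [changes, build-base, build-pr]
    # This is the only job given write access. It runs no code from the
    # PR branch; it only reads the two stats artifacts.
    permissions:
      pull-requests: write
    steps:
      # No `name:` input, so each artifact is downloaded into its own
      # directory (./pr-stats, ./base-stats).
      - uses: actions/download-artifact@v4
      # NOTE(review): action reference mangled by the hosting page's
      # e-mail obfuscation. Restore the real owner/name@version from the
      # repository, and prefer a full commit SHA because this step
      # receives a token with pull-requests: write.
      - uses: github/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          current-stats-json-path: ./pr-stats/bundle-stats.json
          base-stats-json-path: ./base-stats/bundle-stats.json

  # Has no `needs` or `if`, so it runs on every trigger even when the
  # other jobs are skipped.
  noop:
    name: 'Noop job to prevent notification'
    runs-on: ubuntu-latest
    steps:
      - run: 'echo "No build required"'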