-
Notifications
You must be signed in to change notification settings - Fork 182
172 lines (164 loc) · 8.1 KB
/
Copy pathcode-qa.yml
File metadata and controls
172 lines (164 loc) · 8.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Code QA Roo Code
on:
workflow_dispatch:
push:
branches: [main]
pull_request:
types: [opened, reopened, ready_for_review, synchronize]
merge_group:
types: [checks_requested]
# Least privilege: every job below escalates only where it needs to.
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
# Only meaningful for PRs — validates the dependency diff of the pull
# request against GitHub's advisory database before merge.
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
# This job never pushes — don't persist the GITHUB_TOKEN.
persist-credentials: false
- name: Dependency review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
invisible-chars:
runs-on: ubuntu-latest
# Reject invisible / homoglyph Unicode that GitHub's diff UI renders
# invisibly and most editors hide. These compile fine, which is the
# risk: identifier-splitting, string-literal injection, and the
# "Trojan Source" bidi-override attack (U+202A-U+202E). Scanning raw
# bytes catches them in strings, identifiers, and comments alike.
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
# This job never pushes — don't persist the GITHUB_TOKEN.
persist-credentials: false
- name: Reject invisible / homoglyph Unicode
run: |
# zero-width (U+200B-200F), word joiner (U+2060), BOM (U+FEFF),
# bidi overrides (U+202A-202E), soft hyphen (U+00AD).
# Covers source, release-adjacent executable scripts
# (*.sh / *.cjs / *.cts / *.mts), and the executable shell
# blocks inside GitHub workflow/action YAML.
if grep -rnP '[\x{200B}-\x{200F}\x{202A}-\x{202E}\x{2060}\x{FEFF}\x{00AD}]' \
--include='*.ts' --include='*.tsx' --include='*.js' --include='*.mjs' \
--include='*.cjs' --include='*.cts' --include='*.mts' --include='*.sh' \
--include='*.yml' --include='*.yaml' \
--exclude-dir=node_modules --exclude-dir=dist --exclude-dir=out \
--exclude-dir=coverage --exclude-dir=.turbo --exclude-dir=.vinxi \
src webview-ui packages apps .github; then
echo "::error::Found invisible or homoglyph Unicode characters (zero-width / bidi-override / BOM / soft hyphen)"
exit 1
fi
check-translations:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Node.js and pnpm
uses: ./.github/actions/setup-node-pnpm
- name: Verify all translations are complete
run: node scripts/find-missing-translations.js
knip:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Node.js and pnpm
uses: ./.github/actions/setup-node-pnpm
- name: Run knip checks
run: pnpm knip
compile:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Node.js and pnpm
uses: ./.github/actions/setup-node-pnpm
- name: Lint
run: pnpm lint
- name: Check types
run: pnpm check-types
unit-test:
name: platform-unit-test (${{ matrix.name }})
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: ubuntu-latest
name: ubuntu-latest
codecov-flag: ubuntu
upload-coverage: true
- os: windows-latest
name: windows-latest
codecov-flag: windows
upload-coverage: false
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Node.js and pnpm
uses: ./.github/actions/setup-node-pnpm
- name: Restore Turbo cache
id: turbo-cache
uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: .turbo/cache
key: ${{ runner.os }}-turbo-${{ hashFiles('**/pnpm-lock.yaml') }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-turbo-${{ hashFiles('**/pnpm-lock.yaml') }}-
${{ runner.os }}-turbo-
- name: Run non-core coverage
run: pnpm turbo run test:coverage --filter="!@roo-code/core" --log-order grouped --output-logs new-only
- name: Run core unit coverage
run: pnpm turbo run test:coverage:unit --filter="@roo-code/core" --log-order grouped --output-logs new-only
- name: Run core integration coverage
run: pnpm turbo run test:coverage:integration --filter="@roo-code/core" --log-order grouped --output-logs new-only
- name: Save Turbo cache
if: steps.turbo-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: .turbo/cache
key: ${{ steps.turbo-cache.outputs.cache-primary-key }}
# Only ubuntu uploads coverage. Windows still runs the same test
# lanes for behavioral confidence, but duplicating coverage uploads
# there mostly adds Codecov overhead without changing pass/fail
# behavior.
# Coverage is uploaded in three separate steps so each LCOV gets the
# correct flag set. Codecov double-counts overlapping lines when a
# single upload carries multiple flags whose paths overlap, so the
# two core lanes (which both cover packages/core/src/**) must be
# uploaded individually with their own lane flag.
# See https://docs.codecov.com/docs/flags
- name: Upload non-core coverage to Codecov
if: matrix.upload-coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
files: >-
src/coverage/lcov.info,
webview-ui/coverage/lcov.info,
packages/cloud/coverage/lcov.info,
packages/telemetry/coverage/lcov.info,
apps/cli/coverage/lcov.info
disable_search: true
flags: ${{ matrix.codecov-flag }}
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload core unit coverage to Codecov
if: matrix.upload-coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
files: packages/core/coverage/unit/lcov.info
disable_search: true
flags: ${{ matrix.codecov-flag }},core-unit
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload core integration coverage to Codecov
if: matrix.upload-coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
files: packages/core/coverage/integration/lcov.info
disable_search: true
flags: ${{ matrix.codecov-flag }},core-integration
token: ${{ secrets.CODECOV_TOKEN }}