Skip to content

chore(deps): bump actions/checkout from 4 to 7 #840

chore(deps): bump actions/checkout from 4 to 7

chore(deps): bump actions/checkout from 4 to 7 #840

Workflow file for this run

# Version PRs from `changesets/action` use head branch `changeset-release/<base>` (e.g. `changeset-release/main`;
# see changesets/action `run.ts`: `versionBranch = \`changeset-release/${branch}\``).
#
# GitHub docs: required status checks may be successful, skipped, or neutral — skipped often still allows merge
# (see https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging ).
# This workflow still gates on `changeset-release/*` and finishes with one **`CI complete`** job so there is a
# single unambiguous pass/fail (branch protection also warns that duplicate job *names* across workflows can block merges).
name: CI
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
skip-ci:
name: Gate (skip full CI for version PRs?)
runs-on: ubuntu-latest
outputs:
skip: ${{ steps.gate.outputs.skip }}
steps:
- id: gate
run: |
if [ "${{ github.event_name }}" = "pull_request" ] && \
echo "${{ github.head_ref }}" | grep -q '^changeset-release/'; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "Head is changeset-release/* — full CI skipped; ci-complete will pass."
else
echo "skip=false" >> "$GITHUB_OUTPUT"
fi
format:
name: 💅 Format
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Run format
run: bun run format:check
lint:
name: 🕵 Lint
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Run lint
run: bun run lint:ci
typecheck:
name: ✅ Typecheck
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Run typecheck
run: bun run typecheck
test:
name: 🔬 Test
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Run unit tests with coverage
run: bun run test:coverage
- name: Run scripts tests (Action helpers + TS↔mjs sync)
run: bun run test:scripts
- name: Golden query regression (fixtures/minimal)
run: bun run test:golden
- name: Agent eval harness (probe + live smoke, fixtures/minimal)
run: bun run test:agent-eval
build:
name: 🧰 Build
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Run build
run: bun run build
# Deliberately `node`, not `bun`: many installs use npm + Node; this checks dist/ + better-sqlite3.
# Bun is already used for build/tests above.
- name: Node smoke (dist + better-sqlite3)
run: node dist/index.mjs query "SELECT 1 as ok"
# 0.6.0 regression guard — `resolveBundledRecipesDir()` walked
# past the package root, so `--recipes-json` returned `[]` even
# though the tarball shipped the bundled recipes correctly.
- name: Node smoke (bundled recipes resolve from dist)
run: |
set -euo pipefail
count=$(node dist/index.mjs query --recipes-json | jq 'length')
echo "bundled recipes resolved: $count"
[ "$count" -gt 0 ] || { echo "bundled recipes catalog is empty — resolver path broke"; exit 1; }
# Full rebuild exercises multi-statement DDL (`runSql`), `dropAll`, workers path — Node only.
- name: Node full index (fixtures/minimal)
run: |
set -euo pipefail
export CODEMAP_ROOT="$GITHUB_WORKSPACE/fixtures/minimal"
rm -f "$CODEMAP_ROOT/.codemap.db"
timeout 45 node dist/index.mjs --full
node dist/index.mjs query "SELECT COUNT(*) AS files FROM files"
check-pack:
name: 📦 Pack validation
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Build
run: bun run build
- name: Run pack validation
run: bun run check:pack
benchmark:
name: 📊 Benchmark (fixture)
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: Index fixture and run benchmark
run: |
export CODEMAP_ROOT="$GITHUB_WORKSPACE/fixtures/minimal"
bun run dev --full
bun run benchmark
audit:
# `bun audit` exits 0 regardless of severity — the scan below blocks on high/critical.
# Transitive-dep CVE visibility; advisory-API outage doesn't block.
name: 🛡 Audit
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
- name: bun audit (block on high/critical)
run: |
set +e
# bun emits ANSI color even when piped — strip it or the severity grep misses it.
NO_COLOR=1 bun audit 2>&1 | sed -E 's/\x1b\[[0-9;]*m//g' > /tmp/bun-audit.log
cat /tmp/bun-audit.log
if grep -E '(^|[[:space:]])(high|critical):[[:space:]]' /tmp/bun-audit.log; then
echo "::error::high or critical vulnerabilities found — blocking"
exit 1
fi
action-smoke:
# Dogfood Slice 4 of plan PR #73: invoke `uses: ./` from this very repo
# so the action.yml + scripts/detect-pm.mjs are exercised on every PR.
# Smoke uses `command: --version` to avoid the real-audit dependency
# chain (audit baselines etc.) — this validates the composite-step
# flow + npm-pulled codemap binary, not the audit logic itself
# (which is covered by the unit-test suite).
name: 🤖 Action smoke (dogfood)
needs: skip-ci
if: needs['skip-ci'].outputs.skip != 'true'
runs-on: ubuntu-latest
# Non-blocking until we've published codemap@<v1> matching the Action.
# Today the Action pulls codemap@latest from npm (currently 0.8.x), which works
# for `--version` but doesn't validate v1.x flags. Promote to a hard
# gate when v1.0.0 ships.
continue-on-error: true
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Run the local-path action
uses: ./
with:
command: "--version"
format: "json"
upload-sarif: "false"
pr-comment: "false"
fail-on: "never"
ci-complete:
name: CI complete
needs:
[
skip-ci,
format,
lint,
typecheck,
test,
build,
check-pack,
audit,
benchmark,
]
if: always()
runs-on: ubuntu-latest
steps:
- name: Fail if any required job failed
if: |
needs['skip-ci'].outputs.skip != 'true' && (
needs.format.result != 'success' ||
needs.lint.result != 'success' ||
needs.typecheck.result != 'success' ||
needs.test.result != 'success' ||
needs.build.result != 'success' ||
needs['check-pack'].result != 'success' ||
needs.audit.result != 'success' ||
needs.benchmark.result != 'success'
)
run: exit 1
- name: OK
run: echo "CI requirements satisfied"