|
33 | 33 | # Opt into Node.js 24 for all JavaScript-based actions (checkout@v4, etc.) |
34 | 34 | # Remove once actions/checkout@v5 is released with native Node 24 support. |
35 | 35 | FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
36 | | -permissions: |
37 | | - contents: read |
| 36 | +# Permissions are set per-job (not workflow-level) because test-guard |
| 37 | +# requires pull-requests:write while other jobs only need contents:read. |
| 38 | +# The calling workflow (aws_dev.yml / aws_prod.yml) sets the ceiling. |
38 | 39 | jobs: |
39 | 40 | # ─────────────────────────────────────────────────────────────────────────── |
40 | 41 | # JOB 1 – tests |
|
46 | 47 | name: Run tests |
47 | 48 | runs-on: ubuntu-24.04 |
48 | 49 | environment: ci_test |
| 50 | + permissions: |
| 51 | + contents: read |
49 | 52 | steps: |
50 | 53 | # Checkout the repo including all git submodules. |
51 | 54 | # Falls back to the built-in github.token for fork PRs where |
|
74 | 77 | docker compose -f docker/docker-compose-ci.yml build test-node > /dev/null 2>&1 |
75 | 78 | # Run tests — exit code propagated to the workflow step |
76 | 79 | docker compose -f docker/docker-compose-ci.yml up test-node --exit-code-from test-node || exit 1 |
| 80 | +
|
| 81 | + # ── Coverage artifact (consumed by test-guard job) ────────────────── |
| 82 | + - name: Extract coverage report from test container |
| 83 | + run: | |
| 84 | + CONTAINER_ID=$(docker compose -f docker/docker-compose-ci.yml ps -aq test-node | head -1) |
| 85 | + docker cp "$CONTAINER_ID":/var/www/matecat/coverage.xml ./coverage.xml |
| 86 | +
|
| 87 | + - name: Upload coverage artifact |
| 88 | + uses: actions/upload-artifact@v4 |
| 89 | + with: |
| 90 | + name: coverage-report |
| 91 | + path: coverage.xml |
| 92 | + retention-days: 7 |
77 | 93 | # ─────────────────────────────────────────────────────────────────────────── |
78 | 94 | # JOB 2 – deploy (only when should_deploy is true) |
79 | 95 | # |
|
89 | 105 | name: Deploy to ${{ inputs.deploy_environment }} |
90 | 106 | runs-on: ubuntu-24.04 |
91 | 107 | environment: ${{ inputs.deploy_environment }} |
| 108 | + permissions: |
| 109 | + contents: read |
92 | 110 | if: ${{ inputs.should_deploy }} |
93 | 111 | needs: |
94 | 112 | - tests |
@@ -163,3 +181,36 @@ jobs: |
163 | 181 | # ── :latest aliases together ────────────────────────────────────── |
164 | 182 | docker push $WEB_REPO:latest |
165 | 183 | docker push $DAEMONS_REPO:latest |
| 184 | +
|
| 185 | + # ─────────────────────────────────────────────────────────────────────────── |
| 186 | + # JOB – test-guard (PR only) |
| 187 | + # |
| 188 | + # Downloads the "coverage-report" artifact produced by the tests job and |
| 189 | + # runs ostico/test-guard to evaluate test adequacy on changed files. |
| 190 | + # ─────────────────────────────────────────────────────────────────────────── |
| 191 | + test-guard: |
| 192 | + name: Test adequacy gate |
| 193 | + runs-on: ubuntu-latest |
| 194 | + needs: tests |
| 195 | + if: github.event_name == 'pull_request' |
| 196 | + permissions: |
| 197 | + contents: read |
| 198 | + pull-requests: write |
| 199 | + statuses: write |
| 200 | + steps: |
| 201 | + - name: Checkout repository |
| 202 | + uses: actions/checkout@v4 |
| 203 | + with: |
| 204 | + fetch-depth: 0 |
| 205 | + |
| 206 | + - name: Download coverage artifact |
| 207 | + uses: actions/download-artifact@v4 |
| 208 | + with: |
| 209 | + name: coverage-report |
| 210 | + |
| 211 | + - name: Test Guard |
| 212 | + uses: ostico/test-guard@v1.0.1 |
| 213 | + with: |
| 214 | + coverage-file: coverage.xml |
| 215 | + coverage-threshold: '80' |
| 216 | + ai-enabled: 'true' |
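Review bot: `uses: ostico/test-guard@v1.0.1` pulls a third-party action by a mutable tag while the job hands it `pull-requests: write` and `statuses: write`; pin it to the full commit SHA of that release (`uses: ostico/test-guard@<commit-sha>  # v1.0.1`) so a moved or re-tagged release cannot change what runs with those permissions, and the same pinning would suit the checkout/download-artifact steps in this hunk. The `if: github.event_name == 'pull_request'` gate also means that for pull requests from forks the workflow token is read-only regardless of the job-level `permissions`, so the comment and status writes would presumably fail there unless the calling workflow handles that case; a comment above `permissions:` such as `# Write scopes are only effective for same-repo PRs; fork PRs get a read-only token.` would document the expected behaviour. Minor: `runs-on: ubuntu-latest` differs from the `ubuntu-24.04` used by the other jobs in this file.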