aspire.dev/.github/workflows/ci.yml at main · microsoft/aspire.dev · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: CI

on:
  push:
    branches: [ main, release/* ]
  pull_request:
    branches: [ main, release/* ]

# Concurrency strategy:
# - On pull_request: group by PR number. New commits to the PR cancel the
#   in-flight run for the same PR.
# - On push (main/release/*): include `github.run_id` so every push gets a
#   unique group. This guarantees pushes never cancel each other, even if
#   several commits land while an earlier run is still in progress.
#   (With a shared group, GHA cancels older *pending* runs even when
#   `cancel-in-progress: false`, which would silently drop required CI on
#   `main`.)
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

permissions:
  contents: read
  security-events: write

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      frontend: ${{ steps.filter.outputs.frontend }}
      apphost: ${{ steps.filter.outputs.apphost }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Shallow clone; the two PR SHAs we need to diff against are
          # fetched explicitly below. This is much cheaper than `fetch-depth: 0`.
          fetch-depth: 1

      - name: Fetch PR base and head for diff
        if: github.event_name == 'pull_request'
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          git fetch --depth=1 origin "$BASE_SHA"
          git fetch --depth=1 origin "$HEAD_SHA"

      - id: filter
        name: Detect changed areas
        shell: bash
        run: |
          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
            echo "frontend=true" >> "$GITHUB_OUTPUT"
            echo "apphost=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          base_sha="${{ github.event.pull_request.base.sha }}"
          head_sha="${{ github.event.pull_request.head.sha }}"

          # If the workflow changed, build everything. if it hasn't,
          # check for frontend and/or apphost changes...
          if git diff --quiet "$base_sha" "$head_sha" -- .github/workflows; then
            workflow=false
          else
            workflow=true
          fi

          if [[ "$workflow" == "true" ]]; then
            frontend=true
            apphost=true
          else
            if git diff --quiet "$base_sha" "$head_sha" -- src/frontend; then
              frontend=false
            else
              frontend=true
            fi

            if git diff --quiet "$base_sha" "$head_sha" -- src/apphost src/statichost global.json NuGet.config; then
              apphost=false
            else
              apphost=true
            fi
          fi

          echo "frontend=$frontend" >> "$GITHUB_OUTPUT"
          echo "apphost=$apphost" >> "$GITHUB_OUTPUT"

  frontend-build:
    needs: changes
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    uses: ./.github/workflows/frontend-build.yml
    with:
      node_version: '24.x'
      pull_number: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || '' }}
    secrets:
      ASPIRE_BOT_APP_ID: ${{ secrets.ASPIRE_BOT_APP_ID }}
      ASPIRE_BOT_PRIVATE_KEY: ${{ secrets.ASPIRE_BOT_PRIVATE_KEY }}

  apphost-build:
    needs: changes
    if: ${{ needs.changes.outputs.apphost == 'true' }}
    uses: ./.github/workflows/apphost-build.yml

  ci-gate:
    needs: [changes, frontend-build, apphost-build]
    if: ${{ always() && !cancelled() }}
    runs-on: ubuntu-latest
    steps:
      - name: Verify CI results
        shell: bash
        env:
          CHANGES_RESULT: ${{ needs.changes.result }}
          FRONTEND_CHANGED: ${{ needs.changes.outputs.frontend }}
          APPHOST_CHANGED: ${{ needs.changes.outputs.apphost }}
          FRONTEND_RESULT: ${{ needs['frontend-build'].result }}
          APPHOST_RESULT: ${{ needs['apphost-build'].result }}
        run: |
          echo "changes result: $CHANGES_RESULT"
          echo "frontend changed: $FRONTEND_CHANGED"
          echo "frontend-build result: $FRONTEND_RESULT"
          echo "apphost changed: $APPHOST_CHANGED"
          echo "apphost-build result: $APPHOST_RESULT"

          if [[ "$CHANGES_RESULT" != "success" ]]; then
            echo "The changes job must succeed."
            exit 1
          fi

          if [[ "$FRONTEND_CHANGED" == "true" ]]; then
            if [[ "$FRONTEND_RESULT" != "success" ]]; then
              echo "frontend-build should have run and succeeded."
              exit 1
            fi
          elif [[ "$FRONTEND_RESULT" != "skipped" ]]; then
            echo "frontend-build should have been skipped."
            exit 1
          fi

          if [[ "$APPHOST_CHANGED" == "true" ]]; then
            if [[ "$APPHOST_RESULT" != "success" ]]; then
              echo "apphost-build should have run and succeeded."
              exit 1
            fi
          elif [[ "$APPHOST_RESULT" != "skipped" ]]; then
            echo "apphost-build should have been skipped."
            exit 1
          fi