codeql-action/.github/workflows/pr-checks.yml

name: PR Checks

on:
  push:
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  merge_group:
    types: [checks_requested]
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:
  unit-tests:
    name: Unit Tests
    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node-version: [20, 24]
    permissions:
      contents: read
      security-events: write # needed to upload ESLint results
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
      - name: Prepare git (Windows)
        if: runner.os == 'Windows'
        run: git config --global core.autocrlf false

      - uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Install dependencies
        run: |
          # Use the system Bash shell to ensure we can run commands like `npm ci`
          # that are not available in the default shell on Windows.
          npm config set script-shell bash
          npm ci

      - name: Verify compiled JS up to date
        run: .github/workflows/script/check-js.sh

      - name: Run unit tests
        if: always()
        run: npm test

      - name: Lint
        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v4
        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
        with:
          sarif_file: eslint.sarif
          category: eslint

  # These checks do not need to be run as part of the same matrix that we use for the `unit-tests`
  # job.
  pr-checks:
    name: PR checks
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-slim
    timeout-minutes: 10

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Need full history so we have both the PR merge commit (HEAD) and the base SHA locally
          # for `git archive` to work against either.
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run pr-checks tests
        working-directory: pr-checks
        run: npx tsx --test

      - name: Check repo size
        if: >-
          github.event_name == 'pull_request' &&
          github.event.pull_request.head.repo.full_name == github.repository &&
          github.event.pull_request.user.login != 'dependabot[bot]'
        working-directory: pr-checks
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: npx tsx check-repo-size.ts

      - name: Verify all Actions use the same Node version
        id: head-version
        run: |
          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
            exit 1
          fi
          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT

      - name: 'Backport: Check out base ref'
        id: checkout-base
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v6
        with:
          ref: ${{ github.base_ref }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi