Skip to content

Bump the github-actions group with 10 updates (#13626) #20235

Bump the github-actions group with 10 updates (#13626)

Bump the github-actions group with 10 updates (#13626) #20235

name: Build plugin
on:
push:
# Don't run for irrelevant changes.
paths-ignore:
- 'docs/**'
- '.storybook/**'
- '.wordpress-org/**'
- '__mocks__/**'
- '__static__/**'
- 'bin/**'
- 'packages/e2e-test-utils/**'
- 'packages/e2e-tests/**'
- 'packages/karma-*/**'
- 'tests/**'
- '**.md'
- '**.yml'
- '**.neon.dist'
- '**.xml.dist'
- '.editorconfig'
- '.eslint*'
- '.markdownlint*'
- '.phpstorm.meta.php'
- '.prettier*'
- '.stylelint*'
- '.github/workflows/**'
- '!.github/workflows/build-and-deploy.yml'
branches:
- main
- release/*
pull_request:
types:
- opened
- reopened
- synchronize
- ready_for_review
# Don't run for irrelevant changes.
paths-ignore:
- 'docs/**'
- '.storybook/**'
- '.wordpress-org/**'
- '__mocks__/**'
- '__static__/**'
- 'bin/**'
- 'packages/e2e-test-utils/**'
- 'packages/e2e-tests/**'
- 'packages/karma-*/**'
- 'tests/**'
- '**.md'
- '**.yml'
- '**.neon.dist'
- '**.xml.dist'
- '.editorconfig'
- '.eslint*'
- '.markdownlint*'
- '.phpstorm.meta.php'
- '.prettier*'
- '.stylelint*'
- '.github/workflows/**'
- '!.github/workflows/build-and-deploy.yml'
permissions:
contents: read
pull-requests: write
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the (target) branch name.
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
bundle-size:
name: Bundle size check
runs-on: ubuntu-latest
timeout-minutes: 15
# The action cannot annotate the PR when run from a PR fork or authored by Dependabot.
if: >
github.event_name == 'pull_request' &&
github.event.pull_request.draft == false &&
github.event.pull_request.head.repo.fork == false &&
github.event.pull_request.user.login != 'dependabot[bot]'
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-file-monitoring: true
egress-policy: block
allowed-endpoints: >
cloudresourcemanager.googleapis.com:443
codeserver.dev.6b7f1eeb-705b-4201-864d-2007030c8372.drush.in:2222
dl.google.com:443
github.com:443
api.github.com:443
oauth2.googleapis.com:443
objects.githubusercontent.com:443
packagist.org:443
registry.npmjs.org:443
storage.googleapis.com:443
54.185.253.63:443
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
- name: Setup Node
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
with:
node-version-file: '.nvmrc'
cache: npm
- name: Bundle size check
uses: preactjs/compressed-size-action@f780fd104362cfce9e118f9198df2ee37d12946c
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pattern: '{assets/js/*.js,assets/css/*.css}'
build-script: 'build:js'
minimum-change-threshold: 100
# Ignore chunk and module hashes in bundle filenames.
strip-hash: '.*-(\w{20})|^(\d{2,5})\.js$'
build:
name: Build & deploy
runs-on: ubuntu-latest
timeout-minutes: 20
if: >
github.event.pull_request.draft == false &&
github.event.pull_request.head.repo.fork == false &&
github.event.pull_request.user.login != 'dependabot[bot]'
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
- name: Setup Node
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
with:
node-version-file: '.nvmrc'
cache: npm
- name: Setup PHP
uses: shivammathur/setup-php@e6f75134d35752277f093989e72e140eaa222f35
with:
php-version: '8.0'
coverage: none
tools: composer
- name: Install dependencies
run: npm ci
env:
PUPPETEER_SKIP_DOWNLOAD: true
- name: Install PHP dependencies
uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a
with:
composer-options: '--prefer-dist --no-progress --no-interaction'
- name: Setup Bun
uses: oven-sh/setup-bun@8f24390df009a496891208e5e36b8a1de1f45135
with:
bun-version: latest
- name: Build plugin
run: |
bun run build:js
bun run workflow:version -- --nightly
mkdir -p build/web-stories-regular build/web-stories-dev
- name: Bundle regular version
run: |
bun run workflow:build-plugin -- --zip web-stories.zip
cp -r build/web-stories/ build/web-stories-regular/
- name: Bundle development version
run: |
rm -rf assets/css/* assets/js/*
npx webpack --env=development
bun run workflow:build-plugin -- --zip web-stories-dev.zip
# Upload ZIP file to GCS for use in QA environment.
- name: Authenticate
uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: Setup Cloud SDK
uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200
with:
project_id: ${{ secrets.GCP_PROJECT_ID }}
- name: Upload ZIP files to GCS
run: |
gsutil cp -r build/web-stories.zip gs://web-stories-wp-github-artifacts/${{ github.ref }}/web-stories.zip
gsutil cp -r build/web-stories-dev.zip gs://web-stories-wp-github-artifacts/${{ github.ref }}/web-stories-dev.zip
# Leave comment with links to plugin ZIPs.
- name: Check if a comment was already made
id: find-comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: googleforcreators-bot
body-includes: Plugin builds for
# Only run this step if it's a PR. One way to check for that is if `github.head_ref` is not empty.
# Only run if the PR was not authored by Dependabot and it is not a draft or not from a fork.
if: >
github.head_ref &&
github.event.pull_request.draft == false &&
github.event.pull_request.head.repo.fork == false &&
github.event.pull_request.user.login != 'dependabot[bot]'
- name: Get comment body
id: get-comment-body
# Setting a multi-line output requires escaping line-feeds. See <https://github.community/t/set-output-truncates-multiline-strings/16852/3>.
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo 'COMMENT_BODY<<EOF' >> $GITHUB_ENV
echo 'Plugin builds for ${{ github.event.pull_request.head.sha }} are ready :bellhop_bell:!' >> $GITHUB_ENV
echo '- Download [development build](https://storage.googleapis.com/web-stories-wp-github-artifacts/${{ github.ref }}/web-stories-dev.zip?${{ github.sha }})' >> $GITHUB_ENV
echo '- Download [production build](https://storage.googleapis.com/web-stories-wp-github-artifacts/${{ github.ref }}/web-stories.zip?${{ github.sha }})' >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
if: >
github.head_ref &&
github.event.pull_request.draft == false &&
github.event.pull_request.head.repo.fork == false &&
github.event.pull_request.user.login != 'dependabot[bot]'
- name: Create or update comment on PR with links to plugin builds
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
with:
issue-number: ${{ github.event.pull_request.number }}
comment-id: ${{ steps.find-comment.outputs.comment-id }}
edit-mode: replace
body: ${{ env.COMMENT_BODY }}
token: ${{ secrets.GOOGLEFORCREATORS_BOT_TOKEN }}
if: >
github.head_ref &&
github.event.pull_request.draft == false &&
github.event.pull_request.head.repo.fork == false &&
github.event.pull_request.user.login != 'dependabot[bot]'
# Deploy to staging site if on main branch.
- name: Setup SSH Keys and known_hosts
uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387
with:
ssh-private-key: ${{ secrets.PANTHEON_DEPLOY_KEY }}
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
- name: Deploy to staging
run: |
rm -rf build/web-stories
mv build/web-stories-regular/* build/web-stories
bash bin/deploy-to-test-environment.sh
if: github.ref == 'refs/heads/main' && github.event_name == 'push'