fix(lint-pr-title): adapt action and Dockerfile to bun workspaces (#1120)

* fix(lint-pr-title): adapt action and Dockerfile to bun workspaces

The lint-pr-title action was failing to run correctly after the migration
to bun workspaces in 9ffb9ce. This was
due to two issues:

1. The composite action was not checking out the shared-workflows
   repository, so the workspace dependencies could not be installed.
2. The Dockerfile was not adapted to the workspace structure, and the
   tests were failing due to file permission issues.

This commit addresses both issues. The action.yml now checks out the
shared-workflows repository, following the pattern of other actions in
this repository. The Dockerfile is updated to correctly build in a
workspace context and to run the tests as a non-root user to ensure
file permission tests pass.

It sort of kept working because we forgot to remove the bun.lock file in
`actions/lint-pr-title.` This papered over the problem until a Bun
update needed to update the lock file and it stopped working. Here we
remove that.

Now that we use files outside of the action's own directory
(`package.json`, `bun.lock`), we need to check the repository out and
run from the root.

* refactor(lint-pr-title): modernise Dockerfile (#1121)

The previous Dockerfile was overly complex and inefficient, a result of
adapting an older style to a workspace environment. The multi-stage
build was difficult to read and did not use modern Docker features for
caching.

To fix these problems, we simplify the build process into a more
readable multi-stage build. We introduce Docker cache mounts for
dependency installation, which will result in significantly faster
builds. The COPY commands are now more specific to avoid copying
unnecessary files into the image. Tests continue to be run as a non-root
user to ensure file permission tests work correctly, but in a more
streamlined way.

Author: iainlane

actions/lint-pr-title/Dockerfile

@@ -1,29 +1,52 @@
+# This file must be built from the root of the repository.
+# Example: docker build . -f actions/lint-pr-title/Dockerfile
+
 FROM oven/bun:1.2.18@sha256:2cdd9c93006af1b433c214016d72a3c60d7aa2c75691cb44dfd5250aa379986b AS base
+
 WORKDIR /usr/src/app
 
-FROM base AS install
-RUN mkdir -p /temp/dev
-COPY package.json bun.lockb /temp/dev/
-RUN cd /temp/dev && bun install --frozen-lockfile
+# Create a non-root user to run the tests. Run tests as non-root user because
+# one test expects EACCES when writing to a read-only file, and this will not
+# fail as root.
+RUN useradd -ms /bin/bash newuser
+
+# Install dependencies
+FROM base AS deps
+
+COPY package.json bun.lock ./
+COPY actions/dependabot-auto-triage/package.json ./actions/dependabot-auto-triage/
+
+# Because we use bun's workspaces, we need to have all package.json files
+# available, even if they're not used. (We filter to one workspace.)
+COPY actions/get-latest-workflow-artifact/package.json ./actions/get-latest-workflow-artifact/
+COPY actions/lint-pr-title/package.json ./actions/lint-pr-title/
+
+RUN --mount=type=cache,target=/root/.bun/install/cache \
+    bun install --frozen-lockfile --filter lint-pr-title
 
-# install with --production (exclude devDependencies)
-RUN mkdir -p /temp/prod
-COPY package.json bun.lockb /temp/prod/
-RUN cd /temp/prod && bun install --frozen-lockfile --production
+# Run tests
+FROM base AS test
 
-FROM base AS prerelease
-COPY --from=install /temp/dev/node_modules node_modules
-COPY . .
+COPY --from=deps /usr/src/app/node_modules ./node_modules
+COPY --chown=newuser:newuser actions/lint-pr-title/ ./actions/lint-pr-title/
+USER newuser
 
-# Install dev dependencies to run the tests
 ENV NODE_ENV=development
-RUN bun install --frozen-lockfile --dev
-RUN bun run test
-RUN bun run build
 
-FROM base AS release
-COPY --from=install /temp/prod/node_modules node_modules
-COPY --from=prerelease /usr/src/app/index.ts .
-COPY --from=prerelease /usr/src/app/package.json .
+RUN bun run --filter lint-pr-title test
+
+# Assemble final image from a clean stage
+FROM base
+
+USER root
+
+WORKDIR /usr/src/app
+
+COPY --from=deps /usr/src/app/node_modules ./node_modules
+COPY actions/lint-pr-title/src ./actions/lint-pr-title/src
+COPY actions/lint-pr-title/package.json ./actions/lint-pr-title/
+COPY actions/lint-pr-title/commitlint.config.js ./actions/lint-pr-title/
+
+WORKDIR /usr/src/app/actions/lint-pr-title
 
-ENTRYPOINT [ "bun", "run", "index.ts" ]
+ENTRYPOINT [ "bun", "run", "src/index.ts" ]

actions/lint-pr-title/action.yml

@@ -15,20 +15,31 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Checkout shared-workflows repository
+      env:
+        action_repo: "${{ github.action_repository || 'grafana/shared-workflows' }}"
+        action_ref: ${{ github.action_ref }}
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        repository: ${{ env.action_repo }}
+        ref: ${{ env.action_ref }}
+        path: _shared-workflows-lint-pr-title
+        persist-credentials: false
+
     - name: Install bun package manager
       uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
       with:
-        bun-version-file: actions/lint-pr-title/.bun-version
+        bun-version-file: _shared-workflows-lint-pr-title/.bun-version
 
     - name: Install dependencies
       shell: sh
-      working-directory: ${{ github.action_path }}
+      working-directory: _shared-workflows-lint-pr-title
       run: |
-        bun install --frozen-lockfile --production
+        bun install --frozen-lockfile --production --filter lint-pr-title
 
     - name: Lint PR title
       shell: sh
-      working-directory: ${{ github.action_path }}
+      working-directory: _shared-workflows-lint-pr-title/actions/lint-pr-title
       env:
         GITHUB_TOKEN: ${{ github.token }}
         INPUT_CONFIG_PATH: ${{ inputs.config-path }}