regression.yml
name: Regression Tests

on:
  # A newly created comment on an issue or pull request. The job-level `if`
  # narrows this to pull-request comments containing "/regression".
  issue_comment:
    types:
      - created
  # Pushes to master, used for baseline updates.
  push:
    branches:
      - master
  # Manual runs (useful for baseline setup and re-runs).
  workflow_dispatch:
# Explicit GITHUB_TOKEN scopes (fix: workflow missing permissions).
# Declared at workflow level, so they apply to every job in this file;
# scopes not listed here are not granted.
permissions:
  contents: read
  issues: write
  pull-requests: write
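jobs:
  regression:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Job gate:
    #   push              -> always run (master only, per `on.push.branches`)
    #   workflow_dispatch -> always run
    #   issue_comment     -> only for comments on a pull request whose body
    #                        contains "/regression" (substring match, so the
    #                        text may appear anywhere in the comment)
    if: >-
      github.event_name == 'push' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/regression'))
    steps:
      # NOTE(review): every `uses:` below references a mutable tag (@v3/@v4/@v5).
      # Pinning each action to a full commit SHA would stop a moved tag from
      # changing what runs with this job's token and secrets.

      # Authorisation gate for comment-triggered runs: the commenter must hold
      # write or admin permission on the repository. `core.setFailed` fails
      # this step, and the later steps that carry no status function in their
      # `if` are then skipped, so no PR code is checked out or executed.
      - name: Check commenter permissions
        if: github.event_name == 'issue_comment'
        uses: actions/github-script@v4
        id: check-access
        with:
          script: |
            const { owner, repo } = context.repo;
            const { login } = context.payload.comment.user;
            const { data } = await github.repos.getCollaboratorPermissionLevel({ owner, repo, username: login });
            if (data.permission !== 'write' && data.permission !== 'admin') {
              core.setFailed(`User ${login} does not have write access`);
            }
          result-encoding: string

      # Resolve the PR head commit SHA for comment-triggered runs and expose it
      # as the `sha` output. Checking out a SHA instead of the branch name
      # means the ref cannot move between this step and the checkout.
      # NOTE(review): the SHA is read when the workflow runs, not when the
      # commenter looked at the PR. A commit pushed after their review but
      # before this step is the one that gets tested. Binding the run to a
      # reviewed commit would need the commenter to name the SHA, which is a
      # change to the "/regression" trigger contract.
      - name: Get PR head SHA
        if: github.event_name == 'issue_comment'
        uses: actions/github-script@v4
        id: pr-sha
        with:
          script: |
            const { owner, repo } = context.repo;
            const { data: pr } = await github.pulls.get({
              owner,
              repo,
              pull_number: context.issue.number
            });
            core.setOutput('sha', pr.head.sha);
          result-encoding: string

      - uses: actions/checkout@v5
        with:
          # PR head SHA for comment triggers; the event's own commit
          # (github.sha) for push and workflow_dispatch, where the pr-sha
          # step is skipped and its output is empty.
          ref: ${{ steps.pr-sha.outputs.sha || github.sha }}
          # Do not leave GITHUB_TOKEN in .git/config: the steps below run
          # code from the checked-out ref (PR code on comment-triggered runs)
          # and nothing after checkout needs git credentials.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: yarn

      # NOTE(review): on comment-triggered runs the following steps execute PR
      # code, and the cache post-steps (this one and setup-node's yarn cache)
      # may then save content produced by that code. If those entries are
      # shared with push runs on master, a later trusted run would restore
      # them. Consider restore-only caching, or skipping the cache, when
      # github.event_name is 'issue_comment'.
      - uses: actions/cache@v3
        with:
          path: |
            packages/core/.local-chromium
          key: chromium-${{ runner.os }}-${{ hashFiles('packages/core/package.json') }}

      - name: Install browser dependencies
        run: sudo apt-get install -y libgbm-dev

      # Build the CLI from the checked-out tree and link every directory under
      # packages/ as its @percy/<name> package so `percy` resolves to this
      # branch's build.
      - name: Set up @percy/cli from branch
        run: |
          PERCY_PACKAGES=$(find packages -mindepth 1 -maxdepth 1 -type d | sed -e 's/packages/@percy/g' | tr '\n' ' ')
          yarn install --frozen-lockfile
          yarn build
          yarn global:link
          yarn link `echo $PERCY_PACKAGES`
          npx percy --version

      # PERCY_TOKEN is scoped to this step only. On comment-triggered runs the
      # process that receives it is PR code, so the permission gate at the top
      # of the job is the control protecting this secret.
      - name: Run regression tests
        run: yarn test:regression
        env:
          PERCY_TOKEN: ${{ secrets.PERCY_REGRESSION_TOKEN }}

      # Post the outcome back to the PR for comment-triggered runs. `always()`
      # keeps this step running after a failure, including a failed
      # permission check.
      - name: Comment result on PR
        if: github.event_name == 'issue_comment' && always()
        uses: actions/github-script@v4
        with:
          script: |
            const status = '${{ job.status }}';
            const emoji = status === 'success' ? '✅' : '❌';
            const body = `${emoji} **Regression tests ${status}**\n\n[View run](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`;
            // Await the request so an API error fails this step instead of
            // surfacing as an unhandled promise rejection.
            await github.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });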