-
Notifications
You must be signed in to change notification settings - Fork 2
152 lines (147 loc) · 6.26 KB
/
Copy pathci.yml
File metadata and controls
152 lines (147 loc) · 6.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
# Matrix across Linux / macOS / Windows so cross-platform regressions
# (case-sensitivity, path separators, native ABI mismatches) surface
# daily instead of waiting for the release tag. The launch-readiness
# audit (2026-05-10) flagged that the keytar arch-mismatch class of
# bug was invisible to the prior ubuntu-only check job. `fail-fast:
# false` lets each OS finish so we see ALL the failures, not just
# the first.
name: Lint · Typecheck · Test (${{ matrix.os }})
runs-on: ${{ matrix.os }}
timeout-minutes: 25
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
steps:
- uses: actions/checkout@v4
# pnpm version is read from root package.json `packageManager`
# field (single source of truth). Pinned to pnpm@9.15.9 — see
# package.json comment for the rationale.
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
# keytar's load-time dynamic-linker resolves libsecret-1.so.0 on
# Linux. The .deb installer declares this as a runtime dep
# (electron-builder.yml linux.deb.depends), but the GitHub-hosted
# ubuntu-latest CI runner does not pre-install it. Without this,
# `pnpm test` fails when loading apps/desktop/src/main/services/
# provider-factory.test.ts with "libsecret-1.so.0: cannot open
# shared object file". macOS and Windows both ship keychain APIs
# natively so keytar loads with no extra deps there.
- name: Install keytar Linux runtime (libsecret)
if: matrix.os == 'ubuntu-latest'
run: sudo apt-get update && sudo apt-get install -y libsecret-1-0
- name: Install dependencies
run: pnpm install --frozen-lockfile
# Build the workspace packages' dist outputs before typecheck.
# apps/desktop's tsconfig declares each package as a composite
# project reference, so its `tsc --noEmit` step expects the
# referenced project's `dist/index.d.ts` to exist on disk.
# Local dev gets these dist files implicitly (via prior builds);
# CI starts from a clean checkout with no dist (gitignored), so
# we materialize them explicitly. tsc --build resolves the
# reference graph and builds in dep order automatically.
- name: Build workspace packages (composite refs)
run: pnpm exec tsc --build packages/shared-types packages/role-schema packages/provider-router packages/telemetry-core packages/intelligence packages/local-gguf-runtime
- name: Lint
run: pnpm lint
# Renderer/main ESLint (a11y, react-hooks, import/order, and the
# correctness rules Biome doesn't cover). Runs after the composite
# dist build above so any type-aware rules can resolve package types.
- name: Lint (ESLint)
run: pnpm lint:eslint
- name: Typecheck
run: pnpm typecheck
- name: Test
run: pnpm test
e2e:
name: E2E smoke (Electron)
runs-on: ubuntu-latest
needs: check
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
# pnpm version is read from root package.json `packageManager`
# field (single source of truth). Pinned to pnpm@9.15.9 — see
# package.json comment for the rationale.
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
# Electron needs a GTK/X11 stack plus libxkb + libasound at runtime
# even in headless mode; xvfb provides the display. ubuntu-latest
# ships most of these, but libasound2t64 + libgbm1 are sometimes
# missing on minimal runners — install explicitly to keep the
# job deterministic.
#
# `libsecret-1-0` is keytar's libsecret runtime dep on Linux. The
# `check` job above installs it for the same reason (see the
# Install keytar Linux runtime step there). The E2E job ALSO
# loads the main process which loads keytar — so it needs the
# same .so available, otherwise keytar's dlopen on import either
# throws or hangs and Electron never paints a window.
- name: Install Electron runtime libraries
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
xvfb \
libnss3 \
libatk1.0-0 \
libatk-bridge2.0-0 \
libcups2 \
libdrm2 \
libxkbcommon0 \
libxcomposite1 \
libxdamage1 \
libxfixes3 \
libxrandr2 \
libgbm1 \
libpango-1.0-0 \
libcairo2 \
libasound2t64 \
libgtk-3-0 \
libsecret-1-0
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Build desktop (main + preload + renderer)
run: pnpm -F @team-x/desktop build
# `xvfb-run` wraps the Playwright invocation so Electron has a
# virtual display. `--auto-servernum` picks a free :N so parallel
# jobs on the same runner never collide on :99.
- name: Run Playwright E2E smoke
run: xvfb-run --auto-servernum pnpm -F @team-x/desktop test:e2e:run
# `test-results/` is where Playwright writes traces, screenshots, and
# videos per the `outputDir` in `apps/desktop/playwright.config.ts`.
# The HTML reporter is intentionally disabled in CI (we only run
# `list` + `github` reporters), so there is no `playwright-report/`
# directory to upload — but the trace zips under `test-results/`
# are what we actually need to diagnose a failure: open the trace
# in `npx playwright show-trace <zip>` to see exactly what the
# renderer rendered (or didn't) at the moment of timeout.
- name: Upload Playwright traces on failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: playwright-traces
path: apps/desktop/test-results
retention-days: 7
if-no-files-found: ignore