70bf21e064
Handle Changesets / Handle Changesets (push) Waiting to run
Semgrep OSS scan / semgrep-oss (push) Waiting to run
Deploy (to testing) and Test Playground Preview Worker / Deploy Playground Preview Worker (testing) (push) Has been skipped
Deploy Workers Shared Staging / Deploy Workers Shared Staging (push) Failing after 0s
Prerelease / build (push) Has been skipped
152 lines
7.0 KiB
Markdown
152 lines
7.0 KiB
Markdown
# GitHub Actions
|
|
|
|
See below for a summary of this repo's Actions
|
|
|
|
- _Actions marked with "⚠️" are expected to sometimes fail._
|
|
|
|
## Security auditing
|
|
|
|
We use [`zizmor`](https://docs.zizmor.sh/) to audit GitHub Actions workflow definitions and keep CI workflows as safe as possible. When changing files in this directory, run:
|
|
|
|
```sh
|
|
zizmor .github/workflows/*.yml
|
|
```
|
|
|
|
Workflow changes should avoid unsuppressed `zizmor` findings. In particular:
|
|
|
|
- Pin external actions to immutable commit SHAs, not tags.
|
|
- Use `actions/checkout` v6 or newer so persisted credentials are stored under `$RUNNER_TEMP`; set `persist-credentials: false` when a job does not need follow-up authenticated Git operations.
|
|
- Pass GitHub expression values into shell steps through `env` instead of expanding `${{ ... }}` directly inside `run` blocks.
|
|
- Treat privileged triggers such as `pull_request_target` and `workflow_run` as security-sensitive. If a privileged trigger is required, document the safety model and add a targeted `zizmor` ignore with a reason.
|
|
|
|
## PR related actions
|
|
|
|
### Tests + Checks (test-and-check.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs.
|
|
- PRs in the merge queue.
|
|
- Actions
|
|
- Builds all the packages.
|
|
- Runs formatting, linting and type checks.
|
|
- Runs fixture tests, Wrangler unit tests, C3 unit tests, Miniflare unit tests, and ESLint + Prettier checks.
|
|
- Adds the PR to a GitHub project
|
|
- Makes sure that Wrangler's warning for old Node.js versions works.
|
|
|
|
### Wrangler E2E tests (e2e-wrangler.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs on the Cloudflare fork.
|
|
- PRs in the merge queue.
|
|
- Actions
|
|
- Runs the E2E tests for Wrangler.
|
|
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
|
|
|
|
### Vite Plugin E2E tests (e2e-vite.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs on the Cloudflare fork.
|
|
- PRs in the merge queue.
|
|
- Actions
|
|
- Runs the E2E tests for the Vite plugin.
|
|
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
|
|
|
|
## Deploy Pages Previews (deploy-pages-preview.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs that have one of the `preview:...` labels.
|
|
- Actions
|
|
- Deploy a preview of the matching Pages project to Cloudflare.
|
|
|
|
## Deploy (to testing) and Test Playground Preview Worker (worker-playground-preview-testing-env-deploy-and-test.yml)
|
|
|
|
- Triggers
|
|
- Commits merged to the `main` branch, on the Cloudflare fork, which touch files in the `packages/playground-preview-worker` directory.
|
|
- Updates to PRs, on the Cloudflare fork, with the `playground-worker` label applied.
|
|
- Actions
|
|
- Runs integrations tests to ensure the behaviour of the Worker powering the Workers Playground.
|
|
|
|
## Create Pull Request Prerelease (prerelease.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs.
|
|
- Actions
|
|
- Creates an installable pre-release of any package containing `{ "workers-sdk": { "prerelease": true } }` in its `package.json` (e.g. Wrangler, C3, and Miniflare) on every PR.
|
|
- Adds a comment to the PR with links to the pre-releases.
|
|
|
|
## Housekeeping actions
|
|
|
|
### Add issues to DevProd project (issues.yml)
|
|
|
|
- Triggers
|
|
- Updates to issues.
|
|
- Actions
|
|
- Add the issue to a GitHub project.
|
|
|
|
### Triage Issue (triage-issue.yml)
|
|
|
|
- Triggers
|
|
- A new issue is opened (skips PRs and bot-authored issues).
|
|
- A new comment is created on an issue — re-triages with the latest context. Skips PRs, bot comments, and the triage bot's own sticky comment (matched by the sticky-comment marker) to avoid re-triage loops.
|
|
- Manual `workflow_dispatch` with an `issue-number` input.
|
|
- Actions
|
|
- Runs an OpenCode agent with the `.github/skills/issue-review.md` skill against the pre-fetched issue data (including existing comments) to produce a markdown triage report (`report.md`) and a structured JSON summary (`summary.json`).
|
|
- Uploads the report to the triage dashboard.
|
|
- Posts the report and structured summary as a maintainer-facing sticky comment on the issue and applies the suggested labels (validated against existing repo labels). Because the comment is sticky, re-triage updates the existing comment rather than posting a duplicate. Comments and labels are attributed to the workers-devprod bot via `GH_ACCESS_TOKEN`.
|
|
- The AI agent itself runs sandboxed (no shell or network access); all GitHub writes happen in workflow steps from the generated files.
|
|
|
|
### Generate changesets for dependabot PRs (c3-dependabot-versioning-prs.yml and miniflare-dependabot-versioning-prs.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs, by the dependabot user, which update one of:
|
|
- frameworks dependencies in C3,
|
|
- miniflare.
|
|
- Actions
|
|
- Generates changesets for the affected package.
|
|
|
|
### E2E Project Cleanup (e2e-project-cleanup.yml)
|
|
|
|
- Triggers
|
|
- Scheduled to run at 3am each day.
|
|
- Actions
|
|
- Deletes any Workers and Pages projects that were not properly cleaned up by the E2E tests.
|
|
|
|
## Main branch actions
|
|
|
|
### Handle Changesets (changesets.yml)
|
|
|
|
- Triggers
|
|
- Commits merged to the `main` branch, on the Cloudflare fork.
|
|
- Actions
|
|
- If there are changeset in the working directory, create or update a "Version Packages" PR to prep for a release.
|
|
- If there are no changesets, release any packages that have a bump to their version in this change.
|
|
- Public packages are deployed to npm
|
|
- Private packages will run their `deploy` script, if they have one.
|
|
|
|
## C3 related actions
|
|
|
|
### C3 E2E Tests (c3-e2e.yml)
|
|
|
|
- Triggers
|
|
- Updates to PRs.
|
|
- Actions
|
|
- Runs the E2E tests for C3.
|
|
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
|
|
|
|
### Rerun Code Owners (rerun-codeowners.yml + rerun-codeowners-privileged.yml)
|
|
|
|
- Triggers
|
|
- A review is submitted or dismissed on a PR.
|
|
- Actions
|
|
- Re-runs the "Run Codeowners Plus" check so it re-evaluates approval status after the review change.
|
|
- Uses the `workflow_run` pattern: the trigger workflow exists solely to fire a `workflow_run` event; the privileged companion workflow (which has full permissions) reads the PR head SHA from `github.event.workflow_run.head_sha` and performs the re-run. This is necessary because `pull_request_review` gives a read-only token for fork PRs and has no `_target` variant.
|
|
|
|
### Rerun Remote Tests (rerun-remote-tests.yml)
|
|
|
|
- Triggers
|
|
- The `ci:run-remote-tests` or `run-c3-frameworks-tests` label is added to or removed from a PR.
|
|
- Actions
|
|
- Re-runs the E2E workflows for the PR so they pick up the label change and pass (or withhold) API credentials to the test steps.
|
|
- `ci:run-remote-tests` re-runs Wrangler, Vite, and C3 E2E workflows; `run-c3-frameworks-tests` re-runs only C3 E2E.
|
|
- Uses `pull_request_target` to get a privileged token even for fork PRs (safe because no untrusted code is checked out).
|