Files
wehub-resource-sync 70bf21e064
Handle Changesets / Handle Changesets (push) Waiting to run
Semgrep OSS scan / semgrep-oss (push) Waiting to run
Deploy (to testing) and Test Playground Preview Worker / Deploy Playground Preview Worker (testing) (push) Has been skipped
Deploy Workers Shared Staging / Deploy Workers Shared Staging (push) Failing after 0s
Prerelease / build (push) Has been skipped
chore: import upstream snapshot with attribution
2026-07-13 12:30:11 +08:00

152 lines
7.0 KiB
Markdown

# GitHub Actions
See below for a summary of this repo's Actions
- _Actions marked with "⚠️" are expected to sometimes fail._
## Security auditing
We use [`zizmor`](https://docs.zizmor.sh/) to audit GitHub Actions workflow definitions and keep CI workflows as safe as possible. When changing files in this directory, run:
```sh
zizmor .github/workflows/*.yml
```
Workflow changes should avoid unsuppressed `zizmor` findings. In particular:
- Pin external actions to immutable commit SHAs, not tags.
- Use `actions/checkout` v6 or newer so persisted credentials are stored under `$RUNNER_TEMP`; set `persist-credentials: false` when a job does not need follow-up authenticated Git operations.
- Pass GitHub expression values into shell steps through `env` instead of expanding `${{ ... }}` directly inside `run` blocks.
- Treat privileged triggers such as `pull_request_target` and `workflow_run` as security-sensitive. If a privileged trigger is required, document the safety model and add a targeted `zizmor` ignore with a reason.
## PR related actions
### Tests + Checks (test-and-check.yml)
- Triggers
- Updates to PRs.
- PRs in the merge queue.
- Actions
- Builds all the packages.
- Runs formatting, linting and type checks.
- Runs fixture tests, Wrangler unit tests, C3 unit tests, Miniflare unit tests, and ESLint + Prettier checks.
- Adds the PR to a GitHub project
- Makes sure that Wrangler's warning for old Node.js versions works.
### Wrangler E2E tests (e2e-wrangler.yml)
- Triggers
- Updates to PRs on the Cloudflare fork.
- PRs in the merge queue.
- Actions
- Runs the E2E tests for Wrangler.
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
### Vite Plugin E2E tests (e2e-vite.yml)
- Triggers
- Updates to PRs on the Cloudflare fork.
- PRs in the merge queue.
- Actions
- Runs the E2E tests for the Vite plugin.
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
## Deploy Pages Previews (deploy-pages-preview.yml)
- Triggers
- Updates to PRs that have one of the `preview:...` labels.
- Actions
- Deploy a preview of the matching Pages project to Cloudflare.
## Deploy (to testing) and Test Playground Preview Worker (worker-playground-preview-testing-env-deploy-and-test.yml)
- Triggers
- Commits merged to the `main` branch, on the Cloudflare fork, which touch files in the `packages/playground-preview-worker` directory.
- Updates to PRs, on the Cloudflare fork, with the `playground-worker` label applied.
- Actions
- Runs integrations tests to ensure the behaviour of the Worker powering the Workers Playground.
## Create Pull Request Prerelease (prerelease.yml)
- Triggers
- Updates to PRs.
- Actions
- Creates an installable pre-release of any package containing `{ "workers-sdk": { "prerelease": true } }` in its `package.json` (e.g. Wrangler, C3, and Miniflare) on every PR.
- Adds a comment to the PR with links to the pre-releases.
## Housekeeping actions
### Add issues to DevProd project (issues.yml)
- Triggers
- Updates to issues.
- Actions
- Add the issue to a GitHub project.
### Triage Issue (triage-issue.yml)
- Triggers
- A new issue is opened (skips PRs and bot-authored issues).
- A new comment is created on an issue — re-triages with the latest context. Skips PRs, bot comments, and the triage bot's own sticky comment (matched by the sticky-comment marker) to avoid re-triage loops.
- Manual `workflow_dispatch` with an `issue-number` input.
- Actions
- Runs an OpenCode agent with the `.github/skills/issue-review.md` skill against the pre-fetched issue data (including existing comments) to produce a markdown triage report (`report.md`) and a structured JSON summary (`summary.json`).
- Uploads the report to the triage dashboard.
- Posts the report and structured summary as a maintainer-facing sticky comment on the issue and applies the suggested labels (validated against existing repo labels). Because the comment is sticky, re-triage updates the existing comment rather than posting a duplicate. Comments and labels are attributed to the workers-devprod bot via `GH_ACCESS_TOKEN`.
- The AI agent itself runs sandboxed (no shell or network access); all GitHub writes happen in workflow steps from the generated files.
### Generate changesets for dependabot PRs (c3-dependabot-versioning-prs.yml and miniflare-dependabot-versioning-prs.yml)
- Triggers
- Updates to PRs, by the dependabot user, which update one of:
- frameworks dependencies in C3,
- miniflare.
- Actions
- Generates changesets for the affected package.
### E2E Project Cleanup (e2e-project-cleanup.yml)
- Triggers
- Scheduled to run at 3am each day.
- Actions
- Deletes any Workers and Pages projects that were not properly cleaned up by the E2E tests.
## Main branch actions
### Handle Changesets (changesets.yml)
- Triggers
- Commits merged to the `main` branch, on the Cloudflare fork.
- Actions
- If there are changeset in the working directory, create or update a "Version Packages" PR to prep for a release.
- If there are no changesets, release any packages that have a bump to their version in this change.
- Public packages are deployed to npm
- Private packages will run their `deploy` script, if they have one.
## C3 related actions
### C3 E2E Tests (c3-e2e.yml)
- Triggers
- Updates to PRs.
- Actions
- Runs the E2E tests for C3.
- Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `ci:run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
### Rerun Code Owners (rerun-codeowners.yml + rerun-codeowners-privileged.yml)
- Triggers
- A review is submitted or dismissed on a PR.
- Actions
- Re-runs the "Run Codeowners Plus" check so it re-evaluates approval status after the review change.
- Uses the `workflow_run` pattern: the trigger workflow exists solely to fire a `workflow_run` event; the privileged companion workflow (which has full permissions) reads the PR head SHA from `github.event.workflow_run.head_sha` and performs the re-run. This is necessary because `pull_request_review` gives a read-only token for fork PRs and has no `_target` variant.
### Rerun Remote Tests (rerun-remote-tests.yml)
- Triggers
- The `ci:run-remote-tests` or `run-c3-frameworks-tests` label is added to or removed from a PR.
- Actions
- Re-runs the E2E workflows for the PR so they pick up the label change and pass (or withhold) API credentials to the test steps.
- `ci:run-remote-tests` re-runs Wrangler, Vite, and C3 E2E workflows; `run-c3-frameworks-tests` re-runs only C3 E2E.
- Uses `pull_request_target` to get a privileged token even for fork PRs (safe because no untrusted code is checked out).