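# Security Notes
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.
#
# Threat model of this Workflow (read before editing):
# - It is triggered by `pull_request_target`, which runs in the BASE repository's context, and it checks out
#   and executes code from the Pull Request's FORK (`npm i` runs package lifecycle scripts; `turbo build` runs
#   whatever the fork's build scripts do).
# - The only gate between a fork and this runner is the `github_actions:pull-request` label, so that label must
#   only be applied by a maintainer AFTER reviewing the PR's current contents.
# - `permissions` is read-only and no repository secrets are passed to any step. Keep it that way: a secret or a
#   write permission added to this job is handed to fork-controlled code.

name: Build

on:
  push:
    branches:
      - main
  pull_request_target:
    branches:
      - main
    types:
      - labeled
  merge_group:

defaults:
  run:
    # This ensures that the working directory is the root of the repository
    working-directory: ./

# Read-only token. Nothing below needs to write, and this job executes fork-controlled code.
permissions:
  contents: read
  actions: read

jobs:
  build:
    # This Job should run either on `merge_group` or `push` events
    # or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request`
    # since we want to run Website Builds on all these 3 occasions. As this allows us to be certain that builds are passing
    if: |
      (github.event_name == 'push' || github.event_name == 'merge_group') ||
      (github.event_name == 'pull_request_target' &&
        github.event.label.name == 'github_actions:pull-request')

    name: Build on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}

    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # `audit` only logs outbound connections; it does not block them. Since this job runs fork-controlled
          # code, `egress-policy: block` with an `allowed-endpoints` list would be the stronger setting, but it
          # needs the endpoints the build actually contacts enumerated first.
          egress-policy: audit

      - name: Provide Turborepo Arguments
        # This step is responsible for providing a reusable string that can be used within other steps and jobs
        # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command
        id: turborepo_arguments
        # `$GITHUB_OUTPUT` redirection is POSIX shell syntax; pin `bash` so the Windows matrix leg does not
        # depend on the runner's default shell.
        shell: bash
        # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
        # See https://turbo.build/repo/docs/reference/command-line-reference/run#--force
        run: echo "turbo_args=--force=true --cache-dir=.turbo/cache" >> "$GITHUB_OUTPUT"

      - name: Use GNU tar instead BSD tar
        # This ensures that we use GNU `tar` which is more efficient for extracting caches
        if: matrix.os == 'windows-latest'
        shell: cmd
        run: echo C:\Program Files\Git\usr\bin>>"%GITHUB_PATH%"

      - name: Git Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # Since we checkout the HEAD of the current Branch, if the Pull Request comes from a Fork
          # we want to clone the fork's repository instead of the base repository
          # this allows us to have the correct history tree of the perspective of the Pull Request's branch
          # If the Workflow is running on `merge_group` or `push` events it falls back to the base repository
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          # We checkout the branch itself instead of a specific SHA (Commit) as we want to ensure that this Workflow
          # is always running with the latest `ref` (changes) of the Pull Request's branch
          # If the Workflow is running on `merge_group` or `push` events it falls back to `github.ref` which will often be `main`
          # or the merge_group `ref`
          # NOTE(review): because the branch tip is checked out rather than the SHA that carried the label, a push
          # to the fork between the maintainer's review and this checkout changes what gets executed here.
          # Reviewers should re-check the PR head before (re)applying the label.
          ref: ${{ github.event.pull_request.head.ref || github.ref }}
          # We only need to fetch the last commit from the head_ref
          # since we're not using the `--filter` operation from turborepo
          # We don't use the `--filter` as we always want to force builds regardless of having changes or not
          # this ensures that our bundle analysis script always runs and that we always ensure next.js is building
          # regardless of having code changes or not
          fetch-depth: 1
          # The GITHUB_TOKEN is read-only in this job, but there is still no reason to leave it in the checked-out
          # `.git/config` where fork-controlled install/build scripts can read it. None of the steps below uses
          # git with credentials, so nothing depends on it being persisted.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          # We want to ensure that the Node.js version running here respects our supported versions
          node-version-file: '.nvmrc'
          cache: 'npm'

      - name: Install npm packages
        # We want to avoid npm from running the Audit Step and Funding messages on a CI environment
        # We also use `npm i` instead of `npm ci` so that the node_modules/.cache folder doesn't get deleted
        # We also use `--omit=dev` to avoid installing devDependencies as we don't need them during the build step
        # `--userconfig=/dev/null` ignores any user-level npm config on the runner.
        # NOTE(review): on a `pull_request_target` run `package.json` and the lockfile come from the fork, and
        # `npm i` neither enforces the lockfile (unlike `npm ci`) nor skips lifecycle scripts, so this step
        # executes fork-chosen code. That is accepted by the label gate above; do not add secrets to this job.
        run: npm i --no-audit --no-fund --userconfig=/dev/null --omit=dev

      - name: Build Next.js (ISR)
        # We want a ISR build on CI to ensure that regular Next.js builds work as expected.
        # `--package=turbo@latest` makes npx resolve `turbo` from the registry instead of the fork-controlled
        # `node_modules`/`package.json`, so a Pull Request cannot swap the build tool for something else.
        # NOTE(review): `@latest` is itself an unpinned, network-resolved dependency, at odds with the pinning
        # rule in the header; pinning an exact `turbo@x.y.z` here would close that gap.
        # the `${{ steps.turborepo_arguments.outputs.turbo_args }}` is a string substitution coming from a previous step
        run: npx --package=turbo@latest -- turbo build ${{ steps.turborepo_arguments.outputs.turbo_args }}
        env:
          # We want to ensure we have enough RAM allocated to the Node.js process
          # this should be a last resort in case by any chances the build memory gets too high
          # but in general this should never happen
          NODE_OPTIONS: '--max_old_space_size=4096'

      - name: Build Next.js (Static)
        # Full static builds run on `push` and on (labeled) Pull Requests; they are skipped on `merge_group`.
        # Note that we skip full static builds on Crowdin-based Pull Requests as these PRs should only contain translation changes
        # NOTE(review): the previous comment said static builds were "not needed on push events", but the
        # condition has always included `push`; the comment was corrected to match the code, not the other way round.
        if: |
          (github.event_name == 'push') ||
          (github.event_name == 'pull_request_target' &&
            github.event.pull_request.head.ref != 'chore/crowdin')
        # Same reasoning as the ISR build: `turbo` is resolved from the registry, not from the fork's `node_modules`.
        # the `${{ steps.turborepo_arguments.outputs.turbo_args }}` is a string substitution coming from a previous step
        run: npx --package=turbo@latest -- turbo deploy ${{ steps.turborepo_arguments.outputs.turbo_args }}
        env:
          # We want to ensure we have enough RAM allocated to the Node.js process
          # this should be a last resort in case by any chances the build memory gets too high
          # but in general this should never happen
          NODE_OPTIONS: '--max_old_space_size=4096'

      - name: Sync Orama Cloud
        # Only on pushes to `main`. The event check matters: on `pull_request_target` runs `github.ref` is the
        # BASE branch (`refs/heads/main`), so `github.ref == 'refs/heads/main'` on its own would also run this
        # step, with the fork's code checked out, on every labeled Pull Request.
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          npm run sync-orama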