chore(deps): bump actions/upload-artifact from 4 to 7 #34
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| # Least privilege: every job only needs to read the checked-out code. Matches | |
| # the security workflow; tighten here so a compromised action can't write to the | |
| # repo or mint tokens. | |
| permissions: | |
| contents: read | |
| jobs: | |
| # Static checks + both build contracts. Cheap and fast; everything else | |
| # depends on it so a typecheck or bundle regression fails before the heavier | |
| # test shards and the browser jobs run. | |
| verify: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v5 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - name: Typecheck | |
| run: npm run typecheck | |
| - name: Main-deferral lint (no top-level viewer.* deref outside viewerLoaded) | |
| run: npm run lint:main-deferral | |
| - name: unsafeHtml lint (no user-derived string reaches an innerHTML sink) | |
| run: npm run lint:unsafe-html | |
| - name: Bucket partition integrity (every test file in exactly one bucket) | |
| run: npm run test:buckets:verify | |
| # Two DISTINCT size contracts, both enforced: | |
| # • test:build → PLAIN build + chunk-isolation (only vendor-three-webgpu | |
| # may exceed the 500 KiB isolation threshold). | |
| # • build:live + check:bundle → the OBFUSCATED build that actually ships, | |
| # gated against its own (larger) per-chunk budget. | |
| # The live index is legitimately larger than the plain one; gating each | |
| # build against its own rule keeps both honest instead of running the | |
| # plain-build isolation rule against the shipped artifact. | |
| - name: Chunk-isolation contract (plain build) | |
| run: npm run test:build | |
| - name: Live-shell bundle budget (obfuscated build that ships) | |
| run: npm run build:live && npm run check:bundle | |
| # Test buckets as a matrix: a failure points at one bucket, output stays | |
| # small, and the four shards run in parallel instead of one monolithic run. | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: verify | |
| # Bound a hung bucket so it fails fast instead of burning the default 360 min. | |
| timeout-minutes: 20 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| bucket: [unit, terrain, ui, slow] | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v5 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| # Cap workers: GitHub-hosted runners have ~2 cores, so an uncapped vitest | |
| # oversubscribes and the large unit bucket can stall/OOM. --reporter=dot | |
| # keeps the log small so a failure is easy to locate. | |
| - name: Test bucket — ${{ matrix.bucket }} | |
| run: npm run test:${{ matrix.bucket }} -- --maxWorkers=2 --reporter=dot | |
| smoke: | |
| runs-on: ubuntu-latest | |
| needs: verify | |
| # Blocking gate: the smoke spec catches the class of bug where the bundle | |
| # builds and the unit tests pass but the page throws on load in a real | |
| # browser. Two specs, ~10 s; failure here means the artifact should not | |
| # ship. | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v5 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - name: Install Playwright Chromium | |
| run: npx playwright install --with-deps chromium | |
| - name: Smoke tests | |
| run: npm run test:smoke | |
| e2e: | |
| runs-on: ubuntu-latest | |
| needs: verify | |
| # Advisory: the broader end-to-end suite drives a headless browser | |
| # through real rendering flows, and GPU-backed paths vary across CI | |
| # runners. A failure here is reported but does not block the build — | |
| # the smoke gate above is the structural hard gate for browser | |
| # correctness. | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v5 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| - name: Install Playwright Chromium | |
| run: npx playwright install --with-deps chromium | |
| - name: End-to-end tests | |
| run: npm run test:e2e | |
| - name: Upload Playwright report on failure | |
| if: failure() | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: playwright-report | |
| path: playwright-report/ | |
| retention-days: 7 |
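Review bot: The bumped step `uses: actions/upload-artifact@v7` references a mutable tag, as do the `actions/checkout@v5` and `actions/setup-node@v5` steps in every job, so the code that runs can change without any diff in this repository. The comment above `permissions:` names a compromised action as the threat being bounded, and `contents: read` limits the token but not what the action can do with the checked-out tree and the npm cache on the runner. Pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v7`, would make each bump a reviewable change; Dependabot can keep SHA pins updated. Since this bump crosses three major versions, the `name`, `path` and `retention-days` inputs should be checked against the release notes before merging.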