
chore(deps): bump actions/upload-artifact from 4 to 7 #34


Workflow file for this run

name: CI

on:
  push:
    branches:
      - main
  pull_request:

# Workflow-wide least privilege. Each job only has to read the checked-out
# tree, so the token is limited to `contents: read`; scopes not listed under
# `permissions` are not granted. This mirrors the security workflow and means
# a compromised action cannot write to the repository or mint tokens.
permissions:
  contents: read
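jobs:
  # NOTE(review): every `uses:` below references a mutable major-version tag.
  # Pinning each action to a full commit SHA (tag kept in a trailing comment)
  # prevents a re-pointed tag from changing what runs in these jobs.
  # NOTE(review): only the `test` job sets timeout-minutes; verify, smoke and
  # e2e fall back to the runner default. Consider bounding them as well.

  # Static checks + both build contracts. Cheap and fast; everything else
  # depends on it so a typecheck or bundle regression fails before the heavier
  # test shards and the browser jobs run.
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          # No step visible in this job pushes or fetches after checkout, so
          # do not leave the token in .git/config where npm scripts and
          # installed packages could read it.
          persist-credentials: false
      - uses: actions/setup-node@v5
        with:
          # Quoted so the version is always read as a string.
          node-version: '22'
          cache: npm
      - run: npm ci
      - name: Typecheck
        run: npm run typecheck
      - name: Main-deferral lint (no top-level viewer.* deref outside viewerLoaded)
        run: npm run lint:main-deferral
      - name: unsafeHtml lint (no user-derived string reaches an innerHTML sink)
        run: npm run lint:unsafe-html
      - name: Bucket partition integrity (every test file in exactly one bucket)
        run: npm run test:buckets:verify
      # Two DISTINCT size contracts, both enforced:
      #   • test:build → PLAIN build + chunk-isolation (only
      #     vendor-three-webgpu may exceed the 500 KiB isolation threshold).
      #   • build:live + check:bundle → the OBFUSCATED build that actually
      #     ships, gated against its own (larger) per-chunk budget.
      # The live index is legitimately larger than the plain one; gating each
      # build against its own rule keeps both honest instead of running the
      # plain-build isolation rule against the shipped artifact.
      - name: Chunk-isolation contract (plain build)
        run: npm run test:build
      - name: Live-shell bundle budget (obfuscated build that ships)
        run: npm run build:live && npm run check:bundle

  # Test buckets as a matrix: a failure points at one bucket, output stays
  # small, and the four shards run in parallel instead of one monolithic run.
  test:
    runs-on: ubuntu-latest
    needs: verify
    # Bound a hung bucket so it fails fast instead of burning the default
    # 360 min.
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        bucket: [unit, terrain, ui, slow]
    steps:
      - uses: actions/checkout@v5
        with:
          # Tests execute project and dependency code; keep the token out of
          # the working tree's git config.
          persist-credentials: false
      - uses: actions/setup-node@v5
        with:
          node-version: '22'
          cache: npm
      - run: npm ci
      # Cap workers: GitHub-hosted runners have ~2 cores, so an uncapped
      # vitest oversubscribes and the large unit bucket can stall/OOM.
      # --reporter=dot keeps the log small so a failure is easy to locate.
      #
      # matrix.bucket is expanded into the shell line before the shell runs.
      # That is safe only because its values are the literal list above; if
      # the list ever becomes dynamic, pass it through `env:` instead.
      - name: Test bucket — ${{ matrix.bucket }}
        run: npm run test:${{ matrix.bucket }} -- --maxWorkers=2 --reporter=dot

  smoke:
    runs-on: ubuntu-latest
    needs: verify
    # Blocking gate: the smoke spec catches the class of bug where the bundle
    # builds and the unit tests pass but the page throws on load in a real
    # browser. Two specs, ~10 s; failure here means the artifact should not
    # ship.
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: false
      - uses: actions/setup-node@v5
        with:
          node-version: '22'
          cache: npm
      - run: npm ci
      - name: Install Playwright Chromium
        run: npx playwright install --with-deps chromium
      - name: Smoke tests
        run: npm run test:smoke

  e2e:
    runs-on: ubuntu-latest
    needs: verify
    # Advisory: the broader end-to-end suite drives a headless browser
    # through real rendering flows, and GPU-backed paths vary across CI
    # runners. A failure here is reported but does not block the build —
    # the smoke gate above is the structural hard gate for browser
    # correctness.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v5
        with:
          # This job publishes an artifact; keeping the token out of
          # .git/config means a widened upload path cannot carry it along.
          persist-credentials: false
      - uses: actions/setup-node@v5
        with:
          node-version: '22'
          cache: npm
      - run: npm ci
      - name: Install Playwright Chromium
        run: npx playwright install --with-deps chromium
      - name: End-to-end tests
        run: npm run test:e2e
      # Only the report directory is uploaded, and only when an earlier step
      # failed; retention is limited to a week.
      - name: Upload Playwright report on failure
        if: failure()
        uses: actions/upload-artifact@v7
        with:
          name: playwright-report
          path: playwright-report/
          retention-days: 7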