qwen-code/.github/workflows/ci.yml

# .github/workflows/ci.yml

name: 'Qwen Code CI'

on:
  push:
    branches:
      - 'main'
      - 'release/**'
  pull_request:
    branches:
      - 'main'
      - 'release/**'
  merge_group:
  workflow_dispatch:
    inputs:
      branch_ref:
        description: 'Branch to run on'
        required: true
        default: 'main'
        type: 'string'

concurrency:
  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
  cancel-in-progress: |-
    ${{ github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/') }}

permissions:
  checks: 'write'
  contents: 'read'
  statuses: 'write'

defaults:
  run:
    shell: 'bash'

env:
  ACTIONLINT_VERSION: '1.7.7'
  SHELLCHECK_VERSION: '0.11.0'
  YAMLLINT_VERSION: '1.35.1'

jobs:
  lint:
    name: 'Lint'
    runs-on: 'ubuntu-latest'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
        with:
          ref: '${{ github.event.inputs.branch_ref || github.ref }}'
          fetch-depth: 0

      - name: 'Set up Node.js'
        uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4.4.0
        with:
          node-version-file: '.nvmrc'
          cache: 'npm'

      - name: 'Install dependencies'
        run: 'npm ci'

      - name: 'Check lockfile'
        run: 'npm run check:lockfile'

      - name: 'Install linters'
        run: 'node scripts/lint.js --setup'

      - name: 'Run ESLint'
        run: 'node scripts/lint.js --eslint'

      - name: 'Run actionlint'
        run: 'node scripts/lint.js --actionlint'

      - name: 'Run shellcheck'
        run: 'node scripts/lint.js --shellcheck'

      - name: 'Run yamllint'
        run: 'node scripts/lint.js --yamllint'

      - name: 'Run Prettier'
        run: 'node scripts/lint.js --prettier'

      - name: 'Run sensitive keyword linter'
        run: 'node scripts/lint.js --sensitive-keywords'

  #
  # Test: Node
  #
  test:
    name: 'Test'
    runs-on: '${{ matrix.os }}'
    needs:
      - 'lint'
    permissions:
      contents: 'read'
      checks: 'write'
      pull-requests: 'write'
    strategy:
      fail-fast: false # So we can see all test failures
      matrix:
        os:
          - 'macos-latest'
          - 'ubuntu-latest'
          - 'windows-latest'
        node-version:
          - '20.x'
          - '22.x'
          - '24.x'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5

      - name: 'Set up Node.js ${{ matrix.node-version }}'
        uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
        with:
          node-version: '${{ matrix.node-version }}'
          cache: 'npm'
          cache-dependency-path: 'package-lock.json'
          registry-url: 'https://registry.npmjs.org/'

      - name: 'Configure npm for rate limiting'
        run: |-
          npm config set fetch-retry-mintimeout 20000
          npm config set fetch-retry-maxtimeout 120000
          npm config set fetch-retries 5
          npm config set fetch-timeout 300000

      - name: 'Install dependencies'
        run: |-
          npm ci --prefer-offline --no-audit --progress=false

      - name: 'Build project'
        run: |-
          npm run build

      - name: 'Run tests and generate reports'
        env:
          NO_COLOR: true
        run: 'npm run test:ci'

      - name: 'Publish Test Report (for non-forks)'
        if: |-
          ${{ always() && (github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: 'dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3' # ratchet:dorny/test-reporter@v2
        with:
          name: 'Test Results (Node ${{ matrix.node-version }})'
          path: 'packages/*/junit.xml'
          reporter: 'java-junit'
          fail-on-error: 'false'

      - name: 'Upload Test Results Artifact (for forks)'
        if: |-
          ${{ always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
        with:
          name: 'test-results-fork-${{ matrix.node-version }}-${{ matrix.os }}'
          path: 'packages/*/junit.xml'

      - name: 'Upload coverage reports'
        if: |-
          ${{ always() }}
        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
        with:
          name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
          path: 'packages/*/coverage'

  post_coverage_comment:
    name: 'Post Coverage Comment'
    runs-on: 'ubuntu-latest'
    needs: 'test'
    if: |-
      ${{ always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository) }}
    continue-on-error: true
    permissions:
      contents: 'read' # For checkout
      pull-requests: 'write' # For commenting
    strategy:
      matrix:
        # Reduce noise by only posting the comment once
        os:
          - 'ubuntu-latest'
        node-version:
          - '22.x'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5

      - name: 'Download coverage reports artifact'
        uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
        with:
          name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
          path: 'coverage_artifact' # Download to a specific directory

      - name: 'Post Coverage Comment using Composite Action'
        uses: './.github/actions/post-coverage-comment' # Path to the composite action directory
        with:
          cli_json_file: 'coverage_artifact/cli/coverage/coverage-summary.json'
          core_json_file: 'coverage_artifact/core/coverage/coverage-summary.json'
          cli_full_text_summary_file: 'coverage_artifact/cli/coverage/full-text-summary.txt'
          core_full_text_summary_file: 'coverage_artifact/core/coverage/full-text-summary.txt'
          node_version: '${{ matrix.node-version }}'
          os: '${{ matrix.os }}'
          github_token: '${{ secrets.GITHUB_TOKEN }}'

  codeql:
    name: 'CodeQL'
    runs-on: 'ubuntu-latest'
    permissions:
      actions: 'read'
      contents: 'read'
      security-events: 'write'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5

      - name: 'Initialize CodeQL'
        uses: 'github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/init@v3
        with:
          languages: 'javascript'

      - name: 'Perform CodeQL Analysis'
        uses: 'github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/analyze@v3