Skip to content

fix(protocol): treat optional array fields as Path leaves; export pre… #70

fix(protocol): treat optional array fields as Path leaves; export pre…

fix(protocol): treat optional array fields as Path leaves; export pre… #70

Workflow file for this run

# CI gate: credential-free, infra-free. Runs on PRs and merges to main.
# Infra-required tiers (Minio, Postgres, cloud conformance) are deferred
# to a future workflow that provisions service containers.
name: CI
on:
# PR event covers all feature branches — any push to a branch that has
# an open PR triggers this workflow once, not twice. CI runs on EVERY PR
# (no path filter): the job always reports a status, which is what lets it
# serve as a required status check on main without docs-only PRs hanging on
# a check that never runs. Docs validation rides along inside `pnpm verify`
# (verify:docs), so a docs-only PR is still gated here.
pull_request:
# Push event covers merges to main (direct push or squash-merge).
# Combined with the PR trigger above, this avoids double-runs on
# feature branches: only main merges fire the push path.
push:
branches: [main]
# Manual run button — useful for debugging or re-running without a new commit.
workflow_dispatch:
# Least-privilege: only reading the repo is needed to run tests.
permissions:
contents: read
# A new push to the same ref cancels any still-running instance of this
# workflow, saving runner minutes during fast-iteration development.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
ci:
runs-on: ubuntu-latest
# Upper bound guards against runaway workerd binary downloads or
# hung vitest workers. The normal suite completes well under 10 min.
timeout-minutes: 15
steps:
# Actions are pinned to a full commit SHA (not a moving tag) so a
# compromised or force-pushed tag can't silently change what runs in
# CI (cf. the tj-actions/changed-files compromise); the trailing
# comment records the human-readable version — bump both together.
# Only first-party actions/* are used here (covered by the org's
# `github_owned_allowed` policy); pnpm is provisioned via Corepack
# below rather than a third-party setup action, so nothing in this
# workflow needs an org Actions allow-list entry.
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
# Provision pnpm with Corepack (bundled with Node) from the version
# pinned in package.json's `packageManager` field (pnpm@11.1.2) — the
# canonical, zero-third-party-action way to manage the package manager.
# Must run BEFORE setup-node: the `pnpm` shim has to exist on PATH when
# setup-node's `cache: pnpm` step shells `pnpm store path` to resolve
# the store dir to cache. (This enable targets the runner's
# pre-installed Node; it is re-run after setup-node below so the shim
# also resolves against the Node 24 that setup-node installs.)
# NOTE: Node 25 stops bundling Corepack — a future Node bump will need
# `npm i -g corepack` before this step.
- run: corepack enable
# Node 24 is required, not optional: the default vitest project sets
# `execArgv: ["--js-base-64"]` — a V8 flag that enables
# Uint8Array.{toBase64,fromBase64}, which are TC39 Stage 4 but still
# behind a flag in V8 13.6 / Node 24. The engines field in package.json
# is `>=24`. cache: pnpm uses the pnpm store for node_modules caching.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
# Re-enable Corepack against the Node 24 that setup-node just installed
# (it prepends its own toolcache bin to PATH over the pre-installed
# Node the first enable targeted). Cheap, idempotent insurance that the
# `pnpm` shim the install/test steps below invoke resolves against the
# pinned Node — not the runner's default.
- run: corepack enable
# `pnpm install` triggers the `prepare` lifecycle hook
# (scripts/prepare.mjs), which runs `pnpm run build` — so dist/ is
# already built by the time later steps run. `pnpm test`'s `pretest`
# hook also builds, but that's a quick no-op rebuild of an already-
# current dist/. No explicit build step is needed here.
- name: Install dependencies
run: pnpm install --frozen-lockfile
# Full static gate: typecheck (tsgo --noEmit), example typechecks,
# lint (oxlint), format check (oxfmt), import/layer linters, and
# doc checks. See the `verify` script in package.json.
- name: Verify
run: pnpm verify
# create-baerly-storage's "real git" integration test scaffolds a
# project and asserts `git init` + an initial commit happened. The
# scaffolder gracefully SKIPS git-init when no `user.name`/`user.email`
# is configured (intended product behavior), so on a bare runner —
# which has git but no identity — it would skip and the test would see
# no .git/. Configure a CI identity so the happy path is exercised.
# (Locally the test passes off the developer's ambient global config.)
- name: Configure git identity (for create-baerly-storage git-init test)
run: |
git config --global user.name "baerly-ci"
git config --global user.email "ci@baerly.invalid"
# Default vitest project: memory + local-fs suites under pool: forks.
# Zero infra, no credentials. The pretest hook rebuilds dist/ here.
- name: Test
run: pnpm test
# Cloudflare adapter tests under @cloudflare/vitest-pool-workers
# (miniflare / workerd). No credentials, no external network. The workerd
# binary ships inside the `@cloudflare/workerd-<platform>` npm package — a
# normal pnpm dependency — so it's already in the pnpm store and restored
# by setup-node's `cache: pnpm` above (its restore-keys even cover the
# lockfile-changed case). No separate workerd cache buys anything.
- name: Test (Cloudflare adapter)
run: pnpm test:adapter-cloudflare