.github/workflows/build.yml

# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

---

name: Build

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  merge_group:
    types:
      - checks_requested
  schedule:
    - cron: 0 0 * * 1
  workflow_dispatch: null

permissions: {}

jobs:
  update-code:
    name: Update Code
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
        with:
          ref: ${{ github.HEAD_REF }}
          # Fine-grained Personal Access Token (PAT) with the following permissions for microsoft/PR-Metrics:
          # - Read access to Metadata
          # - Read and Write access to Code (aka Contents)
          token: ${{ secrets.BUILD_UPDATE_CODE_CHECKOUT }}

      - name: Install Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8  # v4.0.2
        with:
          node-version: 20.14.0

      - name: npm – Install Dependencies
        run: npm ci

      - name: npm – Lint
        run: npm run lint

      - name: npm – Build Package
        run: npm run build:package

      - name: Git – Add Changed Files
        run: git add -A

      - name: Detect Changes
        id: detect-changes
        shell: pwsh
        run: |-
          $GitStatus = git status
          Write-Output -InputObject $GitStatus
          $NoChangesPresent = $GitStatus.Contains("nothing to commit, working tree clean")
          Write-Output -InputObject $NoChangesPresent
          Write-Output -InputObject "NO_CHANGES_PRESENT=$NoChangesPresent" >> $Env:GITHUB_OUTPUT

      - if: ${{ steps.detect-changes.outputs.NO_CHANGES_PRESENT == 'False' }}
        name: Git – Set Name
        run: git config --global user.name "github-actions[bot]"

      - if: ${{ steps.detect-changes.outputs.NO_CHANGES_PRESENT == 'False' }}
        name: Git – Set Email
        run: git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"

      - if: ${{ steps.detect-changes.outputs.NO_CHANGES_PRESENT == 'False' }}
        name: Git – Commit Changed Files
        run: git commit -m "Fixing linting, Updating dist folder"

      - if: ${{ steps.detect-changes.outputs.NO_CHANGES_PRESENT == 'False' }}
        name: Git – Push Changed Files
        run: git push

  build:
    name: Build
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          disable-sudo: true
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4

      - name: Install Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8  # v4.0.2
        with:
          node-version: 20.14.0

      - name: npm – Install Dependencies
        run: npm ci

      - name: npm – Test Clean
        run: npm run clean

      - name: npm – Build
        run: npm run build

      - name: npm – Test
        run: npm run test

      - name: Release – Create
        run: npx tfx-cli extension create --manifest-globs vss-extension.json --output-path ../ms-omex.PRMetrics.vsix
        working-directory: ${{ github.workspace }}/release

      - name: Release – Upload
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3
        with:
          name: PRMetrics
          path: ${{ github.workspace }}/ms-omex.PRMetrics.vsix

  test-github-action:
    name: Test GitHub Action
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      statuses: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          disable-sudo: true
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
        with:
          fetch-depth: 0

      - name: PR Metrics
        uses: ./
        env:
          PR_METRICS_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          file-matching-patterns: |
            **/*
            !dist/*
            !package-lock.json

  validate:
    name: Validate
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          disable-sudo: true
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4

      - name: Validate Markdown Links
        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec  # 1.0.15
        with:
          config-file: .github/linters/markdown-link-check.json

      - name: Initialize
        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
        with:
          build-mode: none
          config-file: .github/linters/codeql.yml
          languages: javascript-typescript
          queries: security-extended,security-and-quality

      - name: Analyze
        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c  # v3.25.11
        with:
          category: TypeScript

  validate-linter:
    name: Validate – Linter
    runs-on: ubuntu-latest
    permissions:
      statuses: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          disable-sudo: true
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
        with:
          fetch-depth: 0

      - name: Super Linter
        uses: github/super-linter@4e51915f4a812abf59fed160bb14595c0a38a9e7  # v6
        env:
          EDITORCONFIG_FILE_NAME: ../../.editorconfig
          FILTER_REGEX_EXCLUDE: .*dist/.*
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG_FILE: gitleaks.toml
          MARKDOWN_CONFIG_FILE: ../../.markdownlint.json
          VALIDATE_JAVASCRIPT_STANDARD: false
          VALIDATE_JSON: false
          VALIDATE_TYPESCRIPT_ES: false
          VALIDATE_TYPESCRIPT_STANDARD: false

  dependabot:
    if: ${{ github.actor == 'dependabot[bot]' }}
    name: Dependabot
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # v2.8.1
        with:
          disable-sudo: true
          egress-policy: audit

      - name: Enable Auto-Merge
        run: gh pr merge --auto --delete-branch --squash "${{ github.event.pull_request.html_url }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

...