From 2e4e211befc9eb49ea01cda936198281a90b48fd Mon Sep 17 00:00:00 2001 From: Eric Date: Wed, 4 Mar 2026 08:04:30 +0000 Subject: [PATCH] fix: harden phase 8 CI workflow and checks --- .github/workflows/ci.yml | 6 +++- tests/ci_test/phase8_ci_matrix_shape_test.sh | 30 ++++++++++++++------ 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f75abd8..406de4e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,8 @@ on: jobs: test: + permissions: + contents: read strategy: fail-fast: false matrix: @@ -24,4 +26,6 @@ jobs: - uses: actions/checkout@v4 - uses: bazel-contrib/setup-bazel@0.15.0 - name: Run tests (${{ matrix.phase8_target }}) - run: bazel test //tests/... + run: | + echo "Phase 8 target: ${{ matrix.phase8_target }}" + bazel test //tests/... diff --git a/tests/ci_test/phase8_ci_matrix_shape_test.sh b/tests/ci_test/phase8_ci_matrix_shape_test.sh index 23930f0..74bb0f5 100755 --- a/tests/ci_test/phase8_ci_matrix_shape_test.sh +++ b/tests/ci_test/phase8_ci_matrix_shape_test.sh @@ -2,12 +2,26 @@ set -euo pipefail workflow_file="$1" +if [ -z "${workflow_file}" ]; then + echo "Error: workflow file path required as first argument" >&2 + exit 1 +fi -grep -Eq '^name:[[:space:]]+CI$' "${workflow_file}" -grep -Eq 'USE_BAZEL_VERSION:[[:space:]]+9\.0\.0' "${workflow_file}" -grep -Eq 'os:[[:space:]]+ubuntu-latest' "${workflow_file}" -grep -Eq 'phase8_target:[[:space:]]+linux-x64' "${workflow_file}" -grep -Eq 'os:[[:space:]]+macos-14' "${workflow_file}" -grep -Eq 'phase8_target:[[:space:]]+darwin-arm64' "${workflow_file}" -grep -Eq 'os:[[:space:]]+windows-latest' "${workflow_file}" -grep -Eq 'phase8_target:[[:space:]]+windows' "${workflow_file}" +check_pattern() { + local pattern="$1" + local message="$2" + if ! grep -Eq "${pattern}" "${workflow_file}"; then + echo "Error: ${message}" >&2 + exit 1 + fi +} + +check_pattern '^name:[[:space:]]+CI$' "missing workflow name CI" +check_pattern 'USE_BAZEL_VERSION:[[:space:]]+9\.0\.0' "missing Bazel 9.0.0 pin" +check_pattern 'os:[[:space:]]+ubuntu-latest' "missing ubuntu matrix entry" +check_pattern 'phase8_target:[[:space:]]+linux-x64' "missing linux-x64 matrix target" +check_pattern 'os:[[:space:]]+macos-14' "missing macos matrix entry" +check_pattern 'phase8_target:[[:space:]]+darwin-arm64' "missing darwin-arm64 matrix target" +check_pattern 'os:[[:space:]]+windows-latest' "missing windows matrix entry" +check_pattern 'phase8_target:[[:space:]]+windows' "missing windows matrix target" +echo "CI matrix shape checks passed"