From baa66b13823352178ee37c32d22a695c1d8fb812 Mon Sep 17 00:00:00 2001 From: Subin Lee Date: Mon, 11 May 2026 09:59:36 +0900 Subject: [PATCH] =?UTF-8?q?ci:=20release-please=20PR=20=EA=B2=80=EC=A6=9D?= =?UTF-8?q?=EC=9D=84=20CI=20=EC=82=AC=EC=9D=B4=ED=81=B4=20=EB=82=B4?= =?UTF-8?q?=EB=A1=9C=20=ED=86=B5=ED=95=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 기존 흐름은 master push 시 ci.yml과 release-please.yml이 병렬로 돌면서 release-please가 만든 PR에는 GITHUB_TOKEN 정책상 외부 CI가 자동 트리거되지 않아 PR 검증이 누락되는 비대칭이 있었다. solapi/solactl이 사용 중인 패턴을 따라 release-please를 CI 완료 후 직렬화하고, 같은 워크플로 안에서 PR head를 다시 빌드·테스트해 commit status로 보고한다. - workflow_run["CI"] 트리거로 변경 (CI 성공 후에만 실행) - release-please job에 outputs로 release_created·tag_name·pr_head_sha 노출 - unit-test-release-pr matrix job 추가: release PR head 체크아웃 후 ci.yml과 동일한 PHP 7.1~8.5 매트릭스로 unit test - 결과를 repos/{repo}/statuses/{sha} API로 commit status 등록 (외부 CI 자동 트리거가 없는 release-please PR에서도 PR 화면에 검증 결과 표시되도록) - 워크플로 인젝션 방지를 위해 모든 표현식을 env 경유로 셸에 전달 Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-please.yml | 126 ++++++++++++++++++++++++++- 1 file changed, 123 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 58c0cd9..58af903 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
@@ -1,21 +1,141 @@ name: release-please on: - push: - branches: - - master + workflow_run: + workflows: ["CI"] + branches: [master] + types: [completed] permissions: contents: write pull-requests: write + statuses: write jobs: release-please: name: Run release-please + if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' }} runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + tag_name: ${{ steps.release.outputs.tag_name }} + pr_head_sha: ${{ steps.pr-sha.outputs.sha }} steps: - name: Run release-please + id: release uses: googleapis/release-please-action@v4 with: config-file: .github/release-please-config.json manifest-file: .github/.release-please-manifest.json + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Get release-please PR head SHA + id: pr-sha + if: ${{ !steps.release.outputs.release_created }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + run: | + set -euo pipefail + SHA=$(gh pr list \ + --repo "$GH_REPO" \ + --head release-please--branches--master \ + --state open \ + --json headRefOid \ + --jq '.[0].headRefOid // ""') + echo "sha=$SHA" >> "$GITHUB_OUTPUT" + + unit-test-release-pr: + name: Unit (Release PR) / PHP ${{ matrix.php }} + needs: release-please + if: ${{ !needs.release-please.outputs.release_created && needs.release-please.outputs.pr_head_sha != '' }} + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + php: ["7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5"] + env: + PHP_VERSION: ${{ matrix.php }} + SHA: ${{ needs.release-please.outputs.pr_head_sha }} + REPO: ${{ github.repository }} + steps: + - name: Set pending commit status + continue-on-error: true + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api "repos/$REPO/statuses/$SHA" \ + -f state=pending \ + -f context="Unit / PHP $PHP_VERSION" \ + -f description="Running unit tests..." 
+ + - name: Checkout release-please PR head + uses: actions/checkout@v4 + with: + ref: ${{ needs.release-please.outputs.pr_head_sha }} + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php }} + extensions: json, mbstring + coverage: none + tools: composer:v2 + + - name: Determine PHPUnit constraint + id: phpunit + run: | + case "$PHP_VERSION" in + 7.1|7.2) echo "constraint=^7.5" >> "$GITHUB_OUTPUT" ;; + *) echo "constraint=^9.5" >> "$GITHUB_OUTPUT" ;; + esac + + - name: Resolve Composer cache directory + id: composer-cache + run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" + + - name: Cache Composer dependencies + uses: actions/cache@v4 + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: composer-${{ matrix.php }}-${{ steps.phpunit.outputs.constraint }}-${{ hashFiles('composer.json') }} + restore-keys: | + composer-${{ matrix.php }}-${{ steps.phpunit.outputs.constraint }}- + composer-${{ matrix.php }}- + + - name: Allow legacy PHPUnit on PHP 7.1/7.2 + if: matrix.php == '7.1' || matrix.php == '7.2' + run: composer config --no-plugins audit.block-insecure false || true + + - name: Pin PHPUnit constraint + env: + PHPUNIT_CONSTRAINT: ${{ steps.phpunit.outputs.constraint }} + run: composer require --dev --no-update --no-interaction "phpunit/phpunit:$PHPUNIT_CONSTRAINT" + + - name: Install dependencies + env: + COMPOSER_NO_AUDIT: "1" + run: composer update --prefer-dist --no-interaction --no-progress + + - name: Run unit tests + run: composer test:unit + + - name: Report success commit status + if: success() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api "repos/$REPO/statuses/$SHA" \ + -f state=success \ + -f context="Unit / PHP $PHP_VERSION" \ + -f description="Unit tests passed" + + - name: Report failure commit status + if: failure() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api "repos/$REPO/statuses/$SHA" \ + -f state=failure \ + -f context="Unit / PHP 
$PHP_VERSION" \ + -f description="Unit tests failed"
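Review bot: The new `unit-test-release-pr` job checks out the PR head and runs `composer update` and `composer test:unit` while inheriting the workflow-level `contents: write` / `pull-requests: write` token, and `actions/checkout@v4` keeps that token in the local git config by default. Because `workflow_run` runs with the base repository's privileges, I would scope permissions per job (the test job needs only `contents: read` and `statuses: write`) and set `persist-credentials: false` on the checkout, as sketched below. The `gh pr list --head release-please--branches--master` lookup in the `pr-sha` step filters by branch name and does not confirm that the matched PR comes from this repository; adding `isCrossRepository` to `--json` and selecting only `false` entries in `--jq` would restrict the build to release-please's own branch. Separately, a cancelled matrix run triggers neither the `success()` nor the `failure()` step, so the `pending` status stays in place.

```yaml
permissions: {}

jobs:
  release-please:
    # … unchanged: name, if, runs-on …
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: outputs, steps …

  unit-test-release-pr:
    # … unchanged: name, needs, if, runs-on …
    permissions:
      contents: read
      statuses: write
    # … unchanged: strategy, env, pending-status step …
      - name: Checkout release-please PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ needs.release-please.outputs.pr_head_sha }}
          persist-credentials: false
    # … unchanged: PHP setup, Composer steps, tests, status reporting …
```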