This document explains how to set up Continuous Integration (CI) workflows for an Exercism Language Track using GitHub Actions (GHA). It provides best practices and examples for you to use to make your own fast, reliable and robust CI workflows. The GHA workflows in this folder can be adapted to work with any CI, because the base structure will remain the same.
It will:
Example implementation of these workflow files can be found in exercism/javascript
.
The rest of the document is designed to explain how the workflows work. If you're in a hurry, and you just want to switch from Travis or Circle to GHA without optimizing the PR scripts, check out our ~10 minute guide on Migrating from Travis.
The recommended actions for checking the content of your repository has integrity are as follows:
configlet
linting in order to check config.json
v3
requires new files; this might move to configlet
)There can also be track-specific actions. For example:
And perhaps you'd want more Quality Of Life checks, such as:
For each action think about how often it should run.
configlet
linting is something that's so important (because a track can break if the config.json
breaks) that it should probably always run, but only needs to run once per commit.It can be very helpful to make the actions that should run, available locally as well. This means that the scripts that do the actual work are also manually runnable. To achieve this do not inline the action inside the workflow files., but create a standalone script. For example, checking for stubs can be completely bashed out inside the workflow file, but the recommendation here is to create a new executable script scripts/ci-check
instead.
"But the command is very short, e.g.
eslint . --ext ts --ext tsx
".When this command needs to be updated, it now needs to update in all the places in the documentation, the workflow files, and in the minds of the maintainers. Extracting this to a script resolves all that. Reading a workflow file can also be very daunting.
The scripts/pr
and scripts/pr-check
scripts (see templates) are run with multiple arguments, one for each file that has been changed or added in this PR. For example, if two-fer
has been updated, a call might look like this:
scripts/pr exercises/two-fer/README.md exercises/two-fer/.meta/example.ext
It's recommended to run any actions against the changed exercise and not the changed file. This is because changing a file is likely to trigger changes for the entire exercise (think: configuration, packages).
Not ready? / Complex?
Before implementing this optimization, it may be safely ignored! The migration guide hints at adding at a later stage. If the input arguments are ignored, all the checks will run on all the exercises. This is perfectly fine. It will just take longer.
If the track has a single "top-level" dependency file and/or other configuration files, add an integrity step (that exists alongside a scripts/sync
or bin/sync
, which would copy all configuration files to all exercises), which ensures that the top-level/base files are the same as the one copied to the exercise directories. Now dependencies can be updated, synced across the repository, and we can ensure that all exercises have the same configuration.
A common way to accomplish this is to use a checksum. Ubuntu (and various other Linux distributions) comes with a tool called sha1sum
, but using whichever method to hash or reduce the configuration file (md5, sha1, crc32) to a checksum value, would work:
$ sha1sum README.md
cd58091c5043bf21f00d39ff1740d8b2976deeff *README.md
If the track uses additional workflows that require access to the GitHub token or other secrets, it's best practice to pin all actions used in the workflow to a specific commit. See GitHub's security hardening guide for details.
For example:
- uses: julia-actions/setup-julia@v1
+ uses: julia-actions/setup-julia@d26d1111976eae5f00db04f0515ab744ec9cd79e # 1.3.1
If the tooling has lockfiles for dependency management, consider checking it into the repository and use a "frozen lockfile" inside the workflow files. For example: npm ci
, yarn install --frozen-lockfile
and bundle install --frozen
. This ensures that the lockfile is up-to-date when changing dependencies and prevents malicious packages to come in.
In this directory at minimum there are the following templates:
configlet.yml
: This workflow will do a fetch the latest configlet binary and lint this repository. Run on every commit. For PRs, runs on the actual commit and a "after merge" tree.ci.yml
: This workflow only runs on the main branch, once on each commit.
pr.ci.yml
: This workflow only runs on PRs, once on each commit.
The non-pr workflows can also be triggered via workflow_dispatch
.
Each file has listed at the top which "scripts" should be available. If you want these to be binaries, replace scripts/xxx
with bin/xxx
. Some tooling will require binaries to be inside a bin
folder.
scripts/ci
: a script that should build and test all exercises using the example solutions against the testsscripts/ci-check
: a script that should lint all exercises, and optionally check for stubs, configuration integrity, and morescripts/pr
: same as scripts/ci
, but should only run exercises resolved from the paths given as inputscripts/pr-check
: same as scripts/ci-check
, but should only run for files or exercises resolved from the paths given as inputIf you run into any issues or want someone to review your workflows, please ping the @exercism/github-actions
team.
Changed a top-level file that should trigger a CI run on all exercises
At moment of writing, pr.ci.yml
only allows for "extension" testing. Ideally this is updated to trigger always when certain files are changed (for example the binary to run the tests). However, these changes are often infrequent and done by maintainers, that the fact that ci.yml
runs on main, always, for everything, is probably safe enough.
Created a scripts/xxx file on Windows and now it doesn't work on {other OS}
By default, files created on Windows don't have metadata in the git-index embedded about their executability, because the model for permissions on windows is different. Git, by default, will use the git-index metadata to determine if the file should be executable on POSIX-based systems, and thus make the scripts/xxx
file NOT executable.
git update-index --chmod=+x scripts/xxx
git commit -m "Make scripts/xxx executable"