Files
nexu-io-open-design/scripts/plugin-previews-diff.mjs
lefarcen f4fe5ad757 feat(ci): implement the plugin-preview bake pipeline (spec 4548) (#4700)
* feat(ci): bake pipeline slice 1 — previews-diff guard + single rolling PR

Per specs/change/20260618-plugin-preview-bake-pipeline/spec.md rollout step 1
(the smallest change that stops the bleeding on the stacked bake-PR backlog).

- scripts/plugin-previews-diff.mjs: decide whether a manifest's `previews`
  subtree changed, ignoring the per-run `generatedAt` timestamp. node:test
  coverage in plugin-previews-diff.test.mjs (the #4261 timestamp-only noise
  case, entry change, add/remove, key-order stability).
- bake-plugin-previews.yml: open a review PR only when `previews` actually
  changed (was: whole-file `git diff` that fired every run because of
  generatedAt), and reuse ONE rolling branch (chore/plugin-previews) /
  force-update the open PR in place instead of stacking
  chore/plugin-previews-<run_id> per run.
- guard.ts: allowlist the two new CI-only .mjs scripts.

Deferred to later slices (same spec): pre-merge same-repo coupling job,
release-cut full bake, tag-union GC, directory-layered artifact keys.

* feat(ci): bake pipeline slices 2-4 — pre-merge coupling, release full bake, GC, directory keys

Completes the spec (specs/change/20260618-plugin-preview-bake-pipeline) on top
of slice 1, all in one PR (GC ships dry-run so staged ENABLEMENT still holds):

- .github/actions/bake-previews: composite action for the shared render + R2
  upload core, so the three bake workflows stop duplicating it.
- bake-plugin-previews.yml (post-merge): refactored onto the composite; role is
  now uploader + fork path + nightly backstop (rolling PR unchanged).
- bake-plugin-previews-pr.yml (slice 2): pre-merge bake for SAME-REPO PRs —
  renders, uploads, and commits the manifest INTO the author's branch so it
  rides with the code change. Loop guard checks the head COMMIT author
  (git log -1 %ae of head.sha, fetched via full checkout), not head.user.login,
  plus a no-op previews-diff guard. Forks fall through to post-merge.
- bake-plugin-previews-release.yml (slice 3): release-cut full bake committing
  the authoritative manifest onto release/**, with paths-ignore + bot-author
  loop guards.
- scripts/bake-plugin-previews.mjs (slice 4a): directory-layered, content-
  addressed keys <id>/<fingerprint>/preview.mp4 (+ poster.jpg), prefix-relative
  in the manifest. Daemon consumer already resolves base+key / path.join(dir,key)
  so no consumer change; reused flat entries are left untouched (additive).
- scripts/plugin-previews-gc.mjs (slice 4b) + .github/workflows/
  bake-plugin-previews-gc.yml: weekly R2 GC. Protected set = keys referenced by
  every tag + live release/** HEAD + main; deletes orphans older than a 90d
  grace window. DRY-RUN by default (needs --delete AND GC_ENABLE_DELETE=1).
  Pure protected-set/orphan logic covered by node:test.
- guard.ts: allowlist the new CI-only .mjs files.

* fix(ci): capture diff-guard result on its own line so a helper error fails the step

Per review: `if [ "$(node plugin-previews-diff.mjs ...)" != changed ]` swallows
the helper's exit 2 (bad args / unreadable manifest) inside command substitution,
so an error reads as empty string → 'unchanged' branch → the manifest PR/commit
is silently skipped despite a successful bake. Capture into diff_result on its
own line (so `set -e` aborts on a helper error) and `case` on the value, treating
unexpected output as a workflow failure. Applied to all three bake workflows.

* fix(ci): satisfy actionlint — quote gc description colon + route PR/dispatch context through env

- bake-plugin-previews-gc.yml: quote the `delete` input description (the
  '(default: ...)' colon broke YAML parsing) and pass dispatch inputs via env
  (GC_DELETE/GC_GRACE_DAYS) instead of interpolating into the run body.
- bake-plugin-previews-pr.yml: route head.sha/head.ref through HEAD_SHA/HEAD_REF
  env vars to avoid the script-injection lint on untrusted PR context.

* fix(ci): hard-gate the release bake job to release/** branches

workflow_dispatch can fire from any ref; the commit step pushes the authoritative
manifest to the triggering ref with contents:write, so a dispatch on main would
write straight to main and bypass the release back-merge. Add a job-level
`if: startsWith(github.ref, 'refs/heads/release/')` guard.

* fix(ci): GC fails closed on partial protected-ref data

Per review (non-blocking but real once deletion is armed): the GC workflow's
protected-ref fetches ended with '|| true', so a transient fetch failure could
leave the tag/release/main protected set incomplete and, with GC_ENABLE_DELETE=1,
prune clips a live release/main still references. Drop the '|| true' (fail the
job if the protected refs can't be fetched), and add a script-side guard that
refuses to delete when the protected set is empty or origin/main's manifest is
unreadable.
2026-06-23 15:39:16 +00:00

71 lines
2.7 KiB
JavaScript

#!/usr/bin/env node
// Decide whether two plugin-preview manifests differ in a way that matters —
// i.e. whether their `previews` subtree changed.
//
// The manifest also carries a `generatedAt` timestamp that moves on EVERY bake
// run. Comparing the whole file (as the workflow's old `git diff --quiet` did)
// therefore always reports a change and opens a noise review PR even when no
// clip actually changed — this is what produced timestamp-only PRs like #4261
// and the stacked backlog. The bake workflows use this helper to open/update a
// review PR only when a real preview entry changed.
//
// CLI:
// node scripts/plugin-previews-diff.mjs <oldManifest.json> <newManifest.json>
// → prints "changed" or "unchanged" to stdout; exit 0 on success, 2 on error.
// A missing/unreadable OLD manifest is treated as "no previews yet", so any
// entry in NEW counts as a change.
import { readFileSync, realpathSync } from 'node:fs';
import { fileURLToPath } from 'node:url';
// Stable, key-order-independent serialization of a JSON value, so reordering the
// keys inside a preview entry is not mistaken for a content change.
function canonical(value) {
if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
if (value && typeof value === 'object') {
return `{${Object.keys(value)
.sort()
.map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`)
.join(',')}}`;
}
return JSON.stringify(value) ?? 'null';
}
// True when the `previews` subtree differs between the two manifests, ignoring
// `generatedAt` and any other top-level metadata.
export function previewsChanged(oldManifest, newManifest) {
const oldPreviews = (oldManifest && oldManifest.previews) || {};
const newPreviews = (newManifest && newManifest.previews) || {};
return canonical(oldPreviews) !== canonical(newPreviews);
}
function readJsonOrEmpty(path) {
try {
return JSON.parse(readFileSync(path, 'utf8'));
} catch {
return {};
}
}
// CLI entry — only when this file is the process entrypoint, not when a test
// imports `previewsChanged`.
const invokedDirectly =
process.argv[1] && realpathSync(process.argv[1]) === fileURLToPath(import.meta.url);
if (invokedDirectly) {
const [oldPath, newPath] = process.argv.slice(2);
if (!oldPath || !newPath) {
console.error('usage: plugin-previews-diff.mjs <oldManifest.json> <newManifest.json>');
process.exit(2);
}
let newManifest;
try {
newManifest = JSON.parse(readFileSync(newPath, 'utf8'));
} catch (e) {
console.error(`failed to read new manifest ${newPath}: ${e.message}`);
process.exit(2);
}
const oldManifest = readJsonOrEmpty(oldPath);
process.stdout.write(previewsChanged(oldManifest, newManifest) ? 'changed\n' : 'unchanged\n');
}