mirror of
https://github.com/nexu-io/open-design.git
synced 2026-07-03 12:27:55 +08:00
* feat(ci): bake pipeline slice 1 — previews-diff guard + single rolling PR Per specs/change/20260618-plugin-preview-bake-pipeline/spec.md rollout step 1 (the smallest change that stops the bleeding on the stacked bake-PR backlog). - scripts/plugin-previews-diff.mjs: decide whether a manifest's `previews` subtree changed, ignoring the per-run `generatedAt` timestamp. node:test coverage in plugin-previews-diff.test.mjs (the #4261 timestamp-only noise case, entry change, add/remove, key-order stability). - bake-plugin-previews.yml: open a review PR only when `previews` actually changed (was: whole-file `git diff` that fired every run because of generatedAt), and reuse ONE rolling branch (chore/plugin-previews) / force-update the open PR in place instead of stacking chore/plugin-previews-<run_id> per run. - guard.ts: allowlist the two new CI-only .mjs scripts. Deferred to later slices (same spec): pre-merge same-repo coupling job, release-cut full bake, tag-union GC, directory-layered artifact keys. * feat(ci): bake pipeline slices 2-4 — pre-merge coupling, release full bake, GC, directory keys Completes the spec (specs/change/20260618-plugin-preview-bake-pipeline) on top of slice 1, all in one PR (GC ships dry-run so staged ENABLEMENT still holds): - .github/actions/bake-previews: composite action for the shared render + R2 upload core, so the three bake workflows stop duplicating it. - bake-plugin-previews.yml (post-merge): refactored onto the composite; role is now uploader + fork path + nightly backstop (rolling PR unchanged). - bake-plugin-previews-pr.yml (slice 2): pre-merge bake for SAME-REPO PRs — renders, uploads, and commits the manifest INTO the author's branch so it rides with the code change. Loop guard checks the head COMMIT author (git log -1 %ae of head.sha, fetched via full checkout), not head.user.login, plus a no-op previews-diff guard. Forks fall through to post-merge. - bake-plugin-previews-release.yml (slice 3): release-cut full bake committing the authoritative manifest onto release/**, with paths-ignore + bot-author loop guards. - scripts/bake-plugin-previews.mjs (slice 4a): directory-layered, content- addressed keys <id>/<fingerprint>/preview.mp4 (+ poster.jpg), prefix-relative in the manifest. Daemon consumer already resolves base+key / path.join(dir,key) so no consumer change; reused flat entries are left untouched (additive). - scripts/plugin-previews-gc.mjs (slice 4b) + .github/workflows/ bake-plugin-previews-gc.yml: weekly R2 GC. Protected set = keys referenced by every tag + live release/** HEAD + main; deletes orphans older than a 90d grace window. DRY-RUN by default (needs --delete AND GC_ENABLE_DELETE=1). Pure protected-set/orphan logic covered by node:test. - guard.ts: allowlist the new CI-only .mjs files. * fix(ci): capture diff-guard result on its own line so a helper error fails the step Per review: `if [ "$(node plugin-previews-diff.mjs ...)" != changed ]` swallows the helper's exit 2 (bad args / unreadable manifest) inside command substitution, so an error reads as empty string → 'unchanged' branch → the manifest PR/commit is silently skipped despite a successful bake. Capture into diff_result on its own line (so `set -e` aborts on a helper error) and `case` on the value, treating unexpected output as a workflow failure. Applied to all three bake workflows. * fix(ci): satisfy actionlint — quote gc description colon + route PR/dispatch context through env - bake-plugin-previews-gc.yml: quote the `delete` input description (the '(default: ...)' colon broke YAML parsing) and pass dispatch inputs via env (GC_DELETE/GC_GRACE_DAYS) instead of interpolating into the run body. - bake-plugin-previews-pr.yml: route head.sha/head.ref through HEAD_SHA/HEAD_REF env vars to avoid the script-injection lint on untrusted PR context. * fix(ci): hard-gate the release bake job to release/** branches workflow_dispatch can fire from any ref; the commit step pushes the authoritative manifest to the triggering ref with contents:write, so a dispatch on main would write straight to main and bypass the release back-merge. Add a job-level `if: startsWith(github.ref, 'refs/heads/release/')` guard. * fix(ci): GC fails closed on partial protected-ref data Per review (non-blocking but real once deletion is armed): the GC workflow's protected-ref fetches ended with '|| true', so a transient fetch failure could leave the tag/release/main protected set incomplete and, with GC_ENABLE_DELETE=1, prune clips a live release/main still references. Drop the '|| true' (fail the job if the protected refs can't be fetched), and add a script-side guard that refuses to delete when the protected set is empty or origin/main's manifest is unreadable.
61 lines
2.5 KiB
JavaScript
61 lines
2.5 KiB
JavaScript
// Unit coverage for the plugin-preview GC protected-set + orphan selection.
|
|
// node --test scripts/plugin-previews-gc.test.mjs
|
|
import { test } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { keysFromManifest, protectedKeys, selectOrphans } from './plugin-previews-gc.mjs';
|
|
|
|
const DAY = 24 * 60 * 60 * 1000;
|
|
|
|
test('keysFromManifest collects video + poster of every entry', () => {
|
|
const m = {
|
|
previews: {
|
|
a: { video: 'a/h1/preview.mp4', poster: 'a/h1/poster.jpg' },
|
|
b: { video: 'b/h2/preview.mp4', poster: 'b/h2/poster.jpg' },
|
|
},
|
|
};
|
|
assert.deepEqual(keysFromManifest(m).sort(), [
|
|
'a/h1/poster.jpg',
|
|
'a/h1/preview.mp4',
|
|
'b/h2/poster.jpg',
|
|
'b/h2/preview.mp4',
|
|
]);
|
|
});
|
|
|
|
test('keysFromManifest tolerates empty / partial manifests', () => {
|
|
assert.deepEqual(keysFromManifest(null), []);
|
|
assert.deepEqual(keysFromManifest({}), []);
|
|
assert.deepEqual(keysFromManifest({ previews: { a: { video: 'a/h/preview.mp4' } } }), [
|
|
'a/h/preview.mp4',
|
|
]);
|
|
});
|
|
|
|
test('protectedKeys unions across manifests (tag + release branch + main)', () => {
|
|
const tag = { previews: { a: { video: 'a/old/preview.mp4', poster: 'a/old/poster.jpg' } } };
|
|
const main = { previews: { a: { video: 'a/new/preview.mp4', poster: 'a/new/poster.jpg' } } };
|
|
const set = protectedKeys([tag, main]);
|
|
// The old clip is still protected because a shipped tag references it.
|
|
assert.ok(set.has('a/old/preview.mp4'));
|
|
assert.ok(set.has('a/new/preview.mp4'));
|
|
assert.equal(set.size, 4);
|
|
});
|
|
|
|
test('selectOrphans keeps protected keys and keys inside the grace window', () => {
|
|
const now = 1_000 * DAY;
|
|
const objects = [
|
|
{ key: 'a/old/preview.mp4', lastModifiedMs: now - 200 * DAY }, // protected → keep
|
|
{ key: 'a/stale/preview.mp4', lastModifiedMs: now - 200 * DAY }, // orphan + old → delete
|
|
{ key: 'a/recent/preview.mp4', lastModifiedMs: now - 10 * DAY }, // orphan but young → keep
|
|
];
|
|
const protectedSet = new Set(['a/old/preview.mp4']);
|
|
const orphans = selectOrphans(objects, protectedSet, { nowMs: now, graceDays: 90 });
|
|
assert.deepEqual(orphans, ['a/stale/preview.mp4']);
|
|
});
|
|
|
|
test('a clip referenced only by a live release branch is never an orphan', () => {
|
|
const releaseBranch = { previews: { z: { video: 'z/r/preview.mp4', poster: 'z/r/poster.jpg' } } };
|
|
const set = protectedKeys([releaseBranch]);
|
|
const now = 1_000 * DAY;
|
|
const objects = [{ key: 'z/r/preview.mp4', lastModifiedMs: now - 500 * DAY }];
|
|
assert.deepEqual(selectOrphans(objects, set, { nowMs: now, graceDays: 90 }), []);
|
|
});
|