ci: streamline workflows

Author: evansims

.github/actions/setup-and-build/action.yml

@@ -0,0 +1,48 @@
+name: "Setup and Build"
+description: "Setup Node.js, install dependencies, and optionally build"
+inputs:
+  node-version:
+    description: "Node.js version"
+    required: false
+    default: "22"
+  build:
+    description: "Run build step"
+    required: false
+    default: "true"
+  setup:
+    description: "Setup Node.js and install dependencies"
+    required: false
+    default: "true"
+  # Build environment variables
+  build-analytics-id:
+    description: "Analytics tracking ID"
+    required: false
+    default: ""
+  build-base-url:
+    description: "Base URL for build"
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      if: inputs.setup == 'true'
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ inputs.node-version }}
+        registry-url: "https://registry.npmjs.org"
+        cache: "npm"
+
+    - name: Install dependencies
+      if: inputs.setup == 'true'
+      shell: bash
+      run: npm ci
+
+    - name: Build website
+      if: inputs.build == 'true'
+      shell: bash
+      env:
+        HUBSPOT_TRACKING_ID: ${{ inputs.build-analytics-id }}
+        BASE_URL: ${{ inputs.build-base-url }}
+      run: npm run build

.github/workflows/checks.yaml

@@ -1,54 +1,55 @@
 name: Deploy to GitHub Pages
 
 on:
-  # Nightly @ 5AM UTC
-  schedule:
-    - cron: '0 5 * * *'
-  # When triggered manually
   workflow_dispatch:
-  # When a commit is pushed to the main branch
   push:
     branches:
       - main
 
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: 'pages'
+  cancel-in-progress: false
+
 jobs:
-  deploy:
-    name: Deploy to GitHub Pages
-    permissions:
-      contents: write
+  build:
+    name: Build
     runs-on: ubuntu-latest
     steps:
-      - name: Cached LFS checkout
-        uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          lfs: true
+          fetch-depth: 1
 
-      - name: Set up node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      - name: Setup and build
+        uses: ./.github/actions/setup-and-build
         with:
-          node-version: '22'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'npm'
+          build-analytics-id: ${{ secrets.HUBSPOT_TRACKING_ID }}
 
-      - name: Install dependencies
-        run: npm ci
+      - name: Create CNAME file
+        run: echo "openfga.dev" > ./build/CNAME
 
-      - name: Build website
-        run: npm run build
-        env:
-          HUBSPOT_TRACKING_ID: ${{ secrets.HUBSPOT_TRACKING_ID }}
+      - name: Setup Pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 
-      # Popular action to deploy to GitHub Pages:
-      # Docs: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus
-      - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          # Build output to publish to the `gh-pages` branch:
-          publish_dir: ./build
-          cname: openfga.dev
-          # The following lines assign commit authorship to the official
-          # GH-Actions bot for deploys to `gh-pages` branch:
-          # https://github.com/actions/checkout/issues/13#issuecomment-724415212
-          # The GH actions bot is used by default if you didn't specify the two fields.
-          # You can swap them out with your own user credentials.
-          user_name: github-actions[bot]
-          user_email: 41898282+github-actions[bot]@users.noreply.github.com
+          path: ./build
+
+  deploy:
+    name: Deploy to GitHub Pages
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/deploy.yml

@@ -0,0 +1,184 @@
+name: Pull Request
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - closed
+      - ready_for_review
+
+permissions:
+  contents: read
+
+# Prevent concurrent builds for the same PR
+concurrency:
+  group: pr-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Run code quality checks
+  code-checks:
+    name: Code Quality (${{ matrix.check }})
+    runs-on: ubuntu-latest
+    if: github.event.action != 'closed' && github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - check: format
+            command: npm run format:check
+          - check: lint
+            command: npm run lint
+          - check: types
+            command: npm run typecheck
+          - check: audit
+            command: npm audit
+            continue-on-error: true
+          - check: circular-deps
+            command: npx madge --circular . --extensions ts,js,jsx,tsx
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          lfs: false
+          fetch-depth: 2
+
+      - name: Setup dependencies
+        uses: ./.github/actions/setup-and-build
+        with:
+          build: 'false'
+
+      - name: Run ${{ matrix.check }}
+        run: ${{ matrix.command }}
+        continue-on-error: ${{ matrix.continue-on-error || false }}
+
+  # Check markdown links
+  markdown-link-check:
+    name: Check Documentation Links (${{ matrix.extension }})
+    runs-on: ubuntu-latest
+    if: github.event.action != 'closed' && github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false
+    strategy:
+      fail-fast: true
+      matrix:
+        extension: ['.md', '.mdx']
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 1
+          lfs: false
+
+      - name: Check Markdown links (${{ matrix.extension }})
+        uses: tcort/github-action-markdown-link-check@a800ad5f1c35bf61987946fd31c15726a1c9f2ba # v1.1.0
+        continue-on-error: true
+        with:
+          file-extension: ${{ matrix.extension }}
+          use-quiet-mode: 'yes'
+          config-file: '.github/workflows/markdown.links.config.json'
+
+  # Build and test deployment
+  build-test:
+    name: Build and Test
+    if: |
+      github.event.action != 'closed' &&
+      github.event.pull_request.draft == false &&
+      (needs.code-checks.result == 'success' || needs.code-checks.result == 'skipped' || github.actor == 'dependabot[bot]')
+    needs: [code-checks] # Only build after checks pass (or are skipped for Dependabot)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          lfs: true
+          fetch-depth: 2
+
+      - name: Setup and build
+        uses: ./.github/actions/setup-and-build
+        with:
+          build-base-url: ${{ github.actor != 'dependabot[bot]' && format('/pr-preview/pr-{0}', github.event.number) || '' }}
+
+      - name: Upload build artifacts
+        if: github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: build-artifacts
+          path: ./build/
+          retention-days: 1
+          compression-level: 9
+
+  # Deploy preview only for non-Dependabot PRs from the main repo (not forks)
+  deploy-preview:
+    name: Deploy Preview
+    needs: build-test
+    runs-on: ubuntu-latest
+    if: |
+      github.event.action != 'closed' &&
+      github.actor != 'dependabot[bot]' &&
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: write # Required for pr-preview-action to push to gh-pages
+      pull-requests: write # Required for PR comments
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          lfs: false
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          name: build-artifacts
+          path: ./build/
+
+      - name: Deploy preview
+        uses: rossjrw/pr-preview-action@9f77b1d057b494e662c50b8ca40ecc63f21e0887 # v1.6.2
+        id: preview-step
+        with:
+          source-dir: ./build/
+          preview-branch: gh-pages
+          umbrella-dir: pr-preview
+          action: deploy
+
+      - name: Publish preview link
+        if: steps['preview-step'].outputs['deployment-action'] == 'deploy'
+        run: |
+          url="${{ steps['preview-step'].outputs['preview-url'] }}"
+          echo "Preview visible at ${url}" >> "$GITHUB_STEP_SUMMARY"
+          echo "[Open preview](${url})" >> "$GITHUB_STEP_SUMMARY"
+
+  # Clean up preview on PR close (only for PRs from the main repo)
+  cleanup-preview:
+    name: Cleanup Preview
+    runs-on: ubuntu-latest
+    if: |
+      github.event.action == 'closed' &&
+      github.actor != 'dependabot[bot]' &&
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 1
+          lfs: false
+
+      - name: Remove preview
+        uses: rossjrw/pr-preview-action@9f77b1d057b494e662c50b8ca40ecc63f21e0887 # v1.6.2
+        with:
+          preview-branch: gh-pages
+          umbrella-dir: pr-preview
+          action: remove