discourse · NullVoxPopuli · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024
diff --git a/.eslintrc.js b/.eslintrc.js
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -0,0 +1,206 @@
+# Because C.I. jobs could expose secrets to malicious pull requsets,
+# GitHub prevents (by default) exposing action secrets to pull requests
+# from forks.
+#
+# This is great, however, the jobs that use the secrets are still useful on
+# pull requests.
+#
+# To run a _trusted_ workflow, we can trigger it from an event from an _untrusted_
+# workflow. This keeps the secrets out of reach from the fork, but still allows
+# us to keep the utility of pull request preview deploys, browserstack running, etc.
+# Normally, this _trusted_ behavior is offloaded by Cloudflare, Netlify, Vercel, etc
+# -- their own workers are trusted and can push comments / updates to pull requests.
+#
+# We don't want to use their slower (and sometimes paid) hardware.
+# When we use our own workflows, we can re-use the cache built from the PR
+# (or elsewhere).
+#
+# To be *most* secure, you'd need to build all the artifacts in the PR,
+# then upload them to then be downloaded in the trusted workflows.
+# Trusted workflows should not run any scripts from a PR, as malicious
+# submitters may tweak the build scripts.
+# Since all build artifacts are for the web browser, and not executed in
+# node-space, we can be reasonably confident that downloading and testing/deploying
+# those artifacts does not compromise our secrets.
+#
+#
+# More information here:
+#   https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+#
+# Things that would make this easier:
+#   Readablity: https://github.com/actions/download-artifact/issues/172
+#   Security:
+#    - if there was a way to avoid pnpm install *entirely*
+name: Deploy Preview
+
+# read-write repo token
+# access to secrets
+on:
+  workflow_dispatch:
+    inputs:
+      prNumber:
+        required: true
+        description: Which PR to create a preview for
+
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      # as early as possible
+      - requested
+
+concurrency:
+  group: deploy-preview-${{ github.event.workflow_run.pull_requests[0].number }}
+  cancel-in-progress: true
+
+env:
+  TURBO_API: http://127.0.0.1:9080
+  TURBO_TOKEN: this-is-not-a-secret
+  TURBO_TEAM: myself
+
+
+jobs:
+  # This is the only job that needs access to the source code
+  Build_Dev:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: [determinePR]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_branch }}
+      - name: TurboRepo local server
+        uses: felixmosh/turborepo-gh-artifacts@v3
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: wyvox/action-setup-pnpm@v3
+      - run: pnpm turbo build:dev
+      - uses: actions/upload-artifact@v4
+        with:
+          name: deploy-prep-dev
+          if-no-files-found: error
+          path: |
+            ./benchmark/dist/**
+
+  # This is the only job that needs access to the source code
+  Build_Prod:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: [determinePR]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_branch }}
+      - name: TurboRepo local server
+        uses: felixmosh/turborepo-gh-artifacts@v3
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: wyvox/action-setup-pnpm@v3
+      - run: pnpm turbo build:prod
+      - uses: actions/upload-artifact@v4
+        with:
+          name: deploy-prep-prod
+          if-no-files-found: error
+          path: |
+            ./benchmark/dist/**
+
+#################################################################
+# For the rest:
+# Does not checkout code, has access to secrets
+#################################################################
+
+  determinePR:
+    # this job gates the others -- if the workflow_run request did not come from a PR,
+    # exit as early as possible
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request' || github.event.inputs.prNumber
+    outputs:
+      number: ${{ steps.number.outputs.pr-number || github.event.inputs.prNumber }}
+    steps:
+      # - run: echo "${{ toJSON(github.event.workflow_run) }}"
+      #   name: "debug workflow_run event"
+      - run: echo "${{ github.event.workflow_run.pull_requests[0].number }}"
+        id: number
+
+  # We can know the URL ahead of time:
+  # https://<SHA>.limber-glimmer-tutorial.pages.dev
+  # https://<SHA>.limber-glimdown.pages.dev
+  DeployPreview_Dev:
+    name: "Deploy: Preview Dev"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: [Build_Dev]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/download-artifact@v4
+        name: deploy-prep-dev
+      - name: Preview Dev
+        working-directory: ./deploy-prep-dev/
+        run: |
+          ls -la
+          npx wrangler pages deploy ./ \
+            --project-name=ember-performance-testing-dev \
+            --branch=${{ github.event.workflow_run.head_branch }} \
+            --commit-hash=${{ github.event.workflow_run.head_sha }}
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+
+  DeployPreview_Prod:
+    name: "Deploy: Preview Prod"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: [Build_Prod]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/download-artifact@v4
+        name: deploy-prep-prod
+      - name: Preview Prod
+        working-directory: ./deploy-prep-dist/
+        run: |
+          ls -la
+          npx wrangler pages deploy ./ \
+            --project-name=ember-performance-testing-prod \
+            --branch=${{ github.event.workflow_run.head_branch }} \
+            --commit-hash=${{ github.event.workflow_run.head_sha }}
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+
+  ReformatSubDomain:
+    name: Reformat Sub-domain Alias
+    runs-on: ubuntu-latest
+    needs: [determinePR]
+    outputs:
+      subdomain: ${{ steps.reformat.outputs.subdomain }}
+    steps:
+      - id: reformat
+        run: |
+          branch="${{ github.event.workflow_run.head_branch }}"
+          # Remove any / in the branch name
+          #   renovate/uuid becomes renovate-uuid
+          subdomain="${branch//\//-/}"
+          echo "subdomain=$subdomain" >> $GITHUB_OUTPUT
+
+  PostComment:
+    name: Post Preview URL as comment to PR
+    runs-on: ubuntu-latest
+    needs: [DeployPreview, ReformatSubDomain]
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: preview-urls
+          number: ${{ github.event.workflow_run.pull_requests[0].number }}
+          message: |+
+            | Mode        | Preview URL[^note] | Manage |
+            | -------     | ------------------ | ------ |
+            | Production  | https://${{ needs.ReformatSubDomain.outputs.subdomain }}.ember-performance-testing-prod.pages.dev   | [on Cloudflare](https://dash.cloudflare.com/c67910a047e1510fec6d0d0cf442934c/pages/view/limber-glimdown) |
+            | Development | https://${{ needs.ReformatSubDomain.outputs.subdomain }}.ember-performance-testing-dev.pages.dev | [on Cloudflare](https://dash.cloudflare.com/c67910a047e1510fec6d0d0cf442934c/pages/view/limber-glimmer-tutorial)
+
+            [Logs](https://github.com/NullVoxPopuli/ember-performance/actions/runs/${{ github.run_id }})
+
+            [^note]: if these branch preview links are not working, please check the logs for the commit-based preview link. There is a character limit of 28 for the branch subdomain, as well as some other heuristics, [described here](https://community.cloudflare.com/t/algorithm-to-generate-a-preview-dns-subdomain-from-a-branch-name/477633?u=walshymvp) for the sake of implementation ease in deploy-preview.yml, that algo has been omitted.  The URLs are logged in the wrangler output, but it's hard to get outputs from a matrix job.
+
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
diff --git a/.gitignore b/.gitignore
@@ -1,27 +1,28 @@
 # compiled output
-/dist/
-/declarations/
+dist/
+declarations/
 
 # dependencies
-/node_modules/
+node_modules/
 
 # misc
-/.env*
-/.pnp*
-/.eslintcache
-/coverage/
-/npm-debug.log*
-/testem.log
-/yarn-error.log
-/.idea/
+.turbo
+.env*
+.pnp*
+.eslintcache
+coverage/
+npm-debug.log*
+testem.log
+yarn-error.log
+.idea/
 
 # ember-try
-/.node_modules.ember-try/
-/npm-shrinkwrap.json.ember-try
-/package.json.ember-try
-/package-lock.json.ember-try
-/yarn.lock.ember-try
+.node_modules.ember-try/
+npm-shrinkwrap.json.ember-try
+package.json.ember-try
+package-lock.json.ember-try
+yarn.lock.ember-try
 
 # broccoli-debug
-/DEBUG/
+DEBUG/
 
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1,24 @@
+registry = https://registry.npmjs.org
+ignore-scripts = true
+prefer-workspace-packages = true
+
+####################
+# super strict mode
+####################
+auto-install-peers=false
+strict-peer-dependents=true
+
+################
+# Optimizations
+################
+# Less strict, but required for tooling to not barf on duplicate peer trees.
+# (many libraries declare the same peers, which resolve to the same
+#  versions)
+dedupe-peer-dependents=true
+
+################
+# Compatibility
+################
+# highest is what everyone is used to, but
+# not ensuring folks are actually compatible with declared ranges.
+resolution-mode=highest
diff --git a/.prettierrc.js b/.prettierrc.js