New CI

.changeset/cool-corners-hide.md

@@ -0,0 +1,2 @@
+---
+---

.github/actions/setup/action.yml

@@ -0,0 +1,107 @@
+name: 'Setup platforma environment'
+description: 'Node.js + pnpm + Turbo S3 cache + Docker logins + pnpm install'
+
+inputs:
+  node-version:
+    description: 'Node.js version'
+    required: false
+    default: '22'
+  npmjs-token:
+    description: 'NPM registry auth token'
+    required: true
+  github-token:
+    description: 'GitHub token for npm.pkg.github.com'
+    required: true
+  aws-iam-role:
+    description: 'AWS IAM role ARN for OIDC. Enables Turbo S3 cache, ECR login.'
+    required: false
+    default: ''
+  aws-region:
+    description: 'AWS region'
+    required: false
+    default: 'eu-central-1'
+  turbo-s3-bucket:
+    description: 'S3 bucket for Turbo remote cache'
+    required: false
+    default: ''
+  turbo-team-id:
+    description: 'Turbo team ID (controls cache directory)'
+    required: false
+    default: 'ci-010101'
+  quay-username:
+    description: 'Quay.io username for Docker login'
+    required: false
+    default: ''
+  quay-robot-token:
+    description: 'Quay.io robot token for Docker login'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Node.js ${{ inputs.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - name: Enable pnpm via corepack
+      shell: bash
+      run: corepack enable pnpm
+
+    - name: Get pnpm store directory
+      id: pnpm-cache
+      shell: bash
+      run: echo "store-path=$(pnpm store path)" >> "$GITHUB_OUTPUT"
+
+    - name: Cache pnpm store
+      uses: actions/cache@v4
+      with:
+        path: ${{ steps.pnpm-cache.outputs.store-path }}
+        key: pnpm-store-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+        restore-keys: pnpm-store-${{ runner.os }}-
+
+    - name: Configure AWS credentials
+      if: inputs.aws-iam-role != ''
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.aws-iam-role }}
+        role-duration-seconds: 3600
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Login to ECR
+      if: inputs.aws-iam-role != ''
+      uses: aws-actions/amazon-ecr-login@v2
+      with:
+        mask-password: 'true'
+
+    - name: Login to Quay.io
+      if: inputs.quay-username != ''
+      uses: docker/login-action@v3
+      with:
+        registry: quay.io
+        username: ${{ inputs.quay-username }}
+        password: ${{ inputs.quay-robot-token }}
+
+    - name: Login to containers.pl-open.science
+      if: inputs.quay-username != ''
+      uses: docker/login-action@v3
+      with:
+        registry: containers.pl-open.science
+        username: ${{ inputs.quay-username }}
+        password: ${{ inputs.quay-robot-token }}
+
+    - name: Setup Turbo S3 remote cache
+      if: inputs.turbo-s3-bucket != ''
+      uses: milaboratory/github-ci/actions/turborepo/cache-s3@v4
+      with:
+        storage-provider: 's3'
+        storage-path: ${{ inputs.turbo-s3-bucket }}
+        team-id: ${{ inputs.turbo-team-id }}
+
+    - name: Install dependencies
+      shell: bash
+      env:
+        NPMJS_TOKEN: ${{ inputs.npmjs-token }}
+        NODE_AUTH_TOKEN: ${{ inputs.github-token }}
+      run: pnpm install --frozen-lockfile --prefer-offline

.github/workflows/_build.yaml

@@ -0,0 +1,48 @@
+name: _build
+
+on:
+  workflow_call: {}
+
+env:
+  BODY_LIMIT: "1048576000"
+
+jobs:
+  build:
+    runs-on: dev-pl-sdk
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_ZEN_APP_ID }}
+          private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup
+        with:
+          npmjs-token: ${{ secrets.NPMJS_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
+          aws-iam-role: ${{ secrets.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
+          turbo-s3-bucket: ${{ secrets.AWS_CI_TURBOREPO_S3_BUCKET }}
+          quay-username: ${{ secrets.QUAY_USERNAME }}
+          quay-robot-token: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Check pnpm-workspace.yaml consistency
+        run: |
+          if git diff --name-only origin/main..HEAD | grep -q -E '^pnpm-workspace.yaml$'; then
+            if ! git diff --name-only origin/main..HEAD | grep -q -E '^pnpm-lock.yaml$'; then
+              echo "::error::Changes in pnpm-workspace.yaml detected, but no updates in pnpm-lock.yaml"
+              exit 1
+            fi
+          fi
+
+      - name: Build
+        env:
+          NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PL_DOCKER_REGISTRY_PUSH_TO: "quay.io/milaboratories/pl-containers"
+        run: pnpm run ci:build:local

.github/workflows/_test.yaml

@@ -0,0 +1,89 @@
+name: _test
+
+on:
+  workflow_call: {}
+
+env:
+  BODY_LIMIT: "1048576000"
+
+jobs:
+  test:
+    runs-on: dev-pl-sdk
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_ZEN_APP_ID }}
+          private-key: ${{ secrets.GH_ZEN_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup
+        with:
+          npmjs-token: ${{ secrets.NPMJS_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
+          aws-iam-role: ${{ secrets.AWS_CI_IAM_MONOREPO_SIMPLE_ROLE }}
+          turbo-s3-bucket: ${{ secrets.AWS_CI_TURBOREPO_S3_BUCKET }}
+          quay-username: ${{ secrets.QUAY_USERNAME }}
+          quay-robot-token: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Restore changeset version state
+        if: >-
+          (github.event_name == 'push' && github.ref_name == 'main')
+          || github.event_name == 'pull_request'
+          || github.event_name == 'merge_group'
+        run: pnpm run version-packages
+
+      - name: Rebuild from Turbo cache
+        env:
+          NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PL_DOCKER_REGISTRY_PUSH_TO: "quay.io/milaboratories/pl-containers"
+        run: pnpm run ci:build:local
+
+      - name: Check test cache (dry-run)
+        id: dry-run
+        run: |
+          pnpm run test:local+dry-run > ./test-dry-run.json || true
+          SKIP_TESTS=$(sed -n '/^{/,$p' ./test-dry-run.json | jq -r '.tasks | map(select(.task == "test")) | all((.cache.status == "HIT") or (.cache.status == "MISS" and .command == "<NONEXISTENT>"))' 2>/dev/null || echo "false")
+          echo "skip=$SKIP_TESTS" >> "$GITHUB_OUTPUT"
+          echo "Test cache skip: $SKIP_TESTS"
+
+      - name: Login to ECR
+        if: steps.dry-run.outputs.skip != 'true'
+        id: ecr-login
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          mask-password: "true"
+
+      - name: Start Platforma Docker
+        if: steps.dry-run.outputs.skip != 'true'
+        uses: milaboratory/github-ci/actions/docker/pl-compose@v4
+        with:
+          pl-docker-registry: ${{ format('{0}/{1}', steps.ecr-login.outputs.registry, 'pl') }}
+          pl-docker-tag: main
+          pl-test-assets-dir: assets
+          pl-log-level: info
+
+      - name: Run tests
+        if: steps.dry-run.outputs.skip != 'true'
+        env:
+          PL_ADDRESS: "http://127.0.0.1:6345"
+          PL_TEST_USER: ${{ secrets.PL_CI_TEST_USER }}
+          PL_TEST_PASSWORD: ${{ secrets.PL_CI_TEST_PASSWORD }}
+          PL_LICENSE: ${{ secrets.MI_LICENSE }}
+          MI_LICENSE: ${{ secrets.MI_LICENSE }}
+          NPMJS_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: pnpm run ci:test:local
+
+      - name: Upload coverage
+        if: always()
+        uses: milaboratory/github-ci/actions/node/upload-coverage@v4
+        with:
+          test-coverage-reports: "**/coverage/lcov.info"
+          test-results-reports: "**/test-report.junit.xml"