chore: add origin for local fe development #26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Buf | |
| # Proto schema CI for the `proto/` module (buf.build/authorizerdev/authorizer). | |
| # Responsibilities are split by event so nothing runs twice across a PR and its | |
| # merge commit: | |
| # - pull_request -> validate (lint + breaking-change check) | |
| # - push to main -> publish (buf push) | |
| on: | |
| pull_request: | |
| # `labeled`/`unlabeled` so toggling `proto-breaking-approved` re-runs the | |
| # breaking gate with the current label set in the event payload. | |
| types: [opened, synchronize, reopened, labeled, unlabeled] | |
| paths: | |
| - "proto/**" | |
| - "gen/**" | |
| - "Makefile" | |
| - ".github/workflows/buf.yml" | |
| push: | |
| branches: [main] | |
| paths: | |
| - "proto/**" | |
| - "gen/**" | |
| - "Makefile" | |
| - ".github/workflows/buf.yml" | |
| permissions: | |
| contents: read | |
| # Cancel superseded runs on the same ref (e.g. rapid pushes to a PR). | |
| concurrency: | |
| group: buf-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| validate: | |
| name: Lint & breaking | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| persist-credentials: false | |
| - uses: bufbuild/buf-setup-action@v1 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Lint | |
| run: buf lint proto | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| # Regenerate gen/ from proto/ and fail if the committed output is stale. | |
| - name: Verify generated protobuf output | |
| run: make proto-check | |
| # Compare against the published module so a PR that would break | |
| # wire/source compatibility fails before it lands. Intentional, | |
| # reviewed breaks (e.g. the v1 package consolidation / response-envelope | |
| # flatten) are allowed only when a maintainer applies the | |
| # `proto-breaking-approved` label — the gate still hard-fails on every | |
| # unlabeled PR, so accidental breaks are caught. | |
| - name: Breaking-change check | |
| continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'proto-breaking-approved') }} | |
| run: buf breaking proto --against buf.build/authorizerdev/authorizer | |
| env: | |
| BUF_TOKEN: ${{ secrets.BUF_TOKEN }} | |
| publish: | |
| name: Push to BSR | |
| if: github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| persist-credentials: false | |
| - uses: bufbuild/buf-setup-action@v1 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| # buf de-dupes identical schemas, so commits that don't touch protos | |
| # are no-ops. | |
| - name: Push to BSR | |
| run: buf push proto | |
| env: | |
| BUF_TOKEN: ${{ secrets.BUF_TOKEN }} |