# Part of the Carbon Language project, under the Apache License v2.0 with LLVM
# Exceptions. See /LICENSE for license information.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

name: Tests

on:
  push:
    branches: [trunk, action-test]
  pull_request:
  merge_group:

permissions:
  contents: read # For actions/checkout.
  pull-requests: read # For dorny/paths-filter to read pull requests.

# Cancel previous workflows on the PR when there are multiple fast commits.
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  test:
    strategy:
      matrix:
        # Test a recent version of each supported OS.
        runner: ['ubuntu-22.04', 'macos-14']
        build_mode: [fastbuild, opt]
    runs-on: ${{ matrix.runner }}

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: block
          # When adding endpoints, see README.md.
          # prettier-ignore
          allowed-endpoints: >
            *.blob.storage.azure.net:443
            *.githubapp.com:443
            *.sourceforge.net:443
            api.github.com:443
            api.ipify.org:443
            bcr.bazel.build:443
            downloads.sourceforge.net:443
            files.pythonhosted.org:443
            github.com:443
            go.dev:443
            mirror.bazel.build:443
            mirrors.kernel.org:443
            nodejs.org:443
            oauth2.googleapis.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            registry.npmjs.org:443
            release-assets.githubusercontent.com:443
            releases.bazel.build:443
            storage.googleapis.com:443
            uploads.github.com:443
            www.googleapis.com:443

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - id: test-setup
        uses: ./.github/actions/test-setup
        with:
          matrix_runner: ${{ matrix.runner }}
          base_sha:
            ${{ github.event_name == 'pull_request' &&
            github.event.pull_request.base.sha ||
            github.event.merge_group.base_sha }}
          remote_cache_key: ${{ secrets.CARBON_BUILDS_GITHUB }}
          targets_file: ${{ runner.temp }}/targets

      # Build and run just the tests impacted by the PR or merge group.
      - name: Test (${{ matrix.build_mode }})
        if: steps.test-setup.outputs.has_code == 'true'
        shell: bash
        env:
          # 'libtool_check_unique failed to generate' workaround.
          # https://github.com/bazelbuild/bazel/issues/14113#issuecomment-999794586
          BAZEL_USE_CPP_ONLY_TOOLCHAIN: 1
          TARGETS_FILE: ${{ runner.temp }}/targets
        run: |
          # Decrease the jobs sharply if we see repeated failures to try to
          # work around transient network errors even if it makes things
          # slower. Note that we allow passing targets that are incompatible and
          # skip thim as-if we were using `//...` style wild card patterns.
          ./scripts/run_bazel.py \
            --attempts=5 --jobs-on-last-attempt=4 \
            test -c ${{ matrix.build_mode }} \
            --target_pattern_file=$TARGETS_FILE

      # See "Disk space before build" in `test-setup`.
      - name: Disk space after build
        if: steps.test-setup.outputs.has_code == 'true'
        run: df -h