Allow once-off sponsored transactions #109
```yaml
name: Build Size Check

on:
  # zizmor: ignore[dangerous-triggers] - Mitigated by checking repository origin
  pull_request_target:
    types: [labeled, opened, synchronize, reopened]
    branches:
      - main

concurrency:
  group: ${{ github.head_ref || github.ref_name }}-build-size
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  # Job 1: Post instruction comment for external PRs
  comment-external-pr:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: |
      github.event.pull_request.head.repo.full_name != github.repository &&
      github.event.action == 'opened'
    steps:
      - name: Comment on external PR
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            ## 👋 Thanks for your contribution!
            Since this PR comes from a forked repository, the build size check will only run for internal PRs for security reasons.
            Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**
            **Next steps:**
            1. A maintainer will review your code
            2. If approved, they'll add the `safe-to-deploy` label to trigger deployment
            3. **After each new commit**, the maintainer will need to remove and re-add the label for security
            Thank you for your patience! 🙏

  # Job 2: Build size check (only runs for internal PRs)
  build-size-check:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
    # Security gate: Only run when 'safe-to-deploy' label is ADDED OR from internal branch
    if: |
      (github.event.label.name == 'safe-to-deploy') ||
      (github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main'
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: yarn
      - name: Install dependencies
        run: yarn install --immutable
      - name: Build
        env:
          NODE_OPTIONS: '--max-old-space-size=8192'
        run: yarn build
      - name: Compare package sizes
        uses: preactjs/compressed-size-action@946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a # v2
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          pattern: "packages/vechain-kit/dist/**/*"
          exclude: "{**/node_modules/**}"
          compression: none
          minimum-change-threshold: 1000
```
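A lint for the points a reviewer would check in this workflow, as an added example that is not part of the repository: it lists `uses:` references not pinned to a full commit SHA and flags a `pull_request_target` workflow that checks out PR head code, keeps the checkout credentials, or enables the setup-node cache. The function names and the regex-based scanning (instead of a YAML parser) are choices made for this example.

```python
import re

# Excerpt of the workflow on this page, trimmed to the keys the checks read.
WORKFLOW = """\
on:
  pull_request_target:
jobs:
  comment-external-pr:
    steps:
      - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
  build-size-check:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: yarn
      - run: yarn install --immutable
      - run: yarn build
      - uses: preactjs/compressed-size-action@946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a # v2
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")

def unpinned_actions(text):
    """Return `uses:` references that are not pinned to a 40-hex commit SHA."""
    return [ref for ref in USES.findall(text)
            if not ref.startswith("./") and not FULL_SHA.search(ref)]

def audit(text):
    """Return findings for unpinned actions and for PR head code run under pull_request_target."""
    findings = [f"unpinned action: {ref}" for ref in unpinned_actions(text)]
    if not re.search(r"^\s*pull_request_target:", text, re.M):
        return findings
    if re.search(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)", text):
        findings.append("pull_request_target workflow checks out PR head code")
        if not re.search(r"persist-credentials:\s*false", text):
            findings.append("checkout leaves the token in the local git config")
        if re.search(r"^\s*cache:\s*\S+", text, re.M):
            findings.append("setup-node cache enabled where PR head code runs")
    return findings

if __name__ == "__main__":
    for finding in audit(WORKFLOW):
        print(finding)
```
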