Anvil
fangorn/ex_git_objectstore public
ref:main 
image: hexpm/elixir:1.18.4-erlang-28.0.2-debian-bookworm-20250811



steps:

  - name: deps

    run: |

      set -e

      apt-get update && apt-get install -y --no-install-recommends git build-essential

      git config --global --add safe.directory /workspace

      export MIX_HOME=/workspace/.mix

      mix local.hex --force && mix local.rebar --force

      mix deps.get

  - name: compile

    run: |

      set -e

      export MIX_HOME=/workspace/.mix

      mix compile --warnings-as-errors

    depends_on: [deps]

  - name: format

    run: |

      set -e

      export MIX_HOME=/workspace/.mix

      mix format --check-formatted

    depends_on: [deps]

  - name: dialyzer

    run: |

      set -e

      export MIX_HOME=/workspace/.mix

      mkdir -p priv/plts

      mix dialyzer

    depends_on: [compile]

  - name: test

    run: |

      set -e

      apt-get update && apt-get install -y --no-install-recommends git

      git config --global --add safe.directory /workspace

      git config --global init.defaultBranch main

      git config --global user.email "ci@anvil.test"

      git config --global user.name "CI"

      export MIX_HOME=/workspace/.mix

      mix test --cover --export-coverage default

      mix run --no-start -e '

        tools_ebin = Path.wildcard("/usr/local/lib/erlang/lib/tools-*/ebin") |> List.first()

        if tools_ebin, do: Code.append_path(tools_ebin)

        :cover.start()

        :cover.import(~c"cover/default.coverdata")

        modules = :cover.imported_modules()

        lcov = Enum.map_join(modules, "", fn mod ->

          case :cover.analyse(mod, :calls, :line) do

            {:ok, lines} ->

              source = try do

                mod.module_info(:compile)[:source] |> to_string()

                |> String.replace(File.cwd!() <> "/", "")

              rescue _ -> nil end

              if source do

                data = Enum.filter(lines, fn {{_, l}, _} -> l > 0 end)

                da = Enum.map_join(data, "", fn {{_, l}, c} -> "DA:#{l},#{c}\n" end)

                h = Enum.count(data, fn {_, c} -> c > 0 end)

                "SF:#{source}\n#{da}LH:#{h}\nLF:#{length(data)}\nend_of_record\n"

              else "" end

            _ -> ""

          end

        end)

        File.write!("cover/lcov.info", lcov)

        IO.puts("LCOV written to cover/lcov.info")

      '

    depends_on: [compile]

    artifacts:

      - name: lcov.info

        path: cover/lcov.info

  - name: release

    run: |

      set -e

      apt-get update && apt-get install -y --no-install-recommends git jq curl

      git config --global --add safe.directory /workspace

      export MIX_HOME=/workspace/.mix



      # Only release from main branch

      # CI checks out a detached HEAD so git branch name is always "HEAD".

      # Compare the checked-out SHA against origin/main instead.

      git fetch origin main 2>/dev/null || true

      HEAD_SHA=$(git rev-parse HEAD)

      MAIN_SHA=$(git rev-parse origin/main 2>/dev/null || echo "")

      if [ "$HEAD_SHA" != "$MAIN_SHA" ]; then

        echo "Skipping release: HEAD ($HEAD_SHA) != origin/main ($MAIN_SHA)"

        exit 0

      fi



      # Install anvil CLI. /runner/download serves the unified

      # anvil/anvil-runner binary (fangorn/anvil#49 merged the two).

      curl -sL "https://anvil.fangorn.io/runner/download?os=$(uname -s)&arch=$(uname -m)" -o /usr/local/bin/anvil

      chmod +x /usr/local/bin/anvil



      # Credentials are auto-injected by the runner: ANVIL_TOKEN is a

      # per-job API token generated at dispatch and auto-revoked when

      # this job finishes, and ANVIL_SERVER_URL points at the server

      # that dispatched us. Both are part of the job environment; we

      # don't need to set up any secrets manually.

      #

      # The scopes granted to that token are controlled by org/repo

      # CI-permission settings — for this repo's release step to work,

      # an admin must grant `releases: write` via:

      #   PUT /api/v1/fangorn/ex_git_objectstore/ci/permissions

      # See fangorn/anvil#46 for the full design.

      #

      # `anvil auth status` fails loud if the runner didn't inject the

      # token, if it's malformed, or if the server rejects it — which

      # is exactly what we want before `anvil release create` tries to

      # use it downstream.

      /usr/local/bin/anvil auth status



      # Compute CalVer version

      VERSION=$(bash ci/release.sh)

      echo "Releasing version: $VERSION"



      # Idempotency: skip if this version tag already exists

      if git rev-parse "$VERSION" >/dev/null 2>&1; then

        echo "Tag $VERSION already exists, skipping release"

        exit 0

      fi



      # Build with version

      export VERSION

      mix compile



      # Generate changelog from commits since last tag

      LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || git rev-list --max-parents=0 HEAD)

      CHANGELOG=$(git log --oneline "$LAST_TAG"..HEAD)



      # Generate docs

      mix docs

      tar czf ex_git_objectstore-${VERSION}-docs.tar.gz doc/



      # Create Anvil release

      anvil release create \

        --tag "$VERSION" \

        --title "ExGitObjectstore $VERSION" \

        --body "$CHANGELOG"



      # Tag and push. The runner clones via an auto-embedded clone

      # token in origin, which only has read access — `git push origin`

      # would 401. Push via an explicit URL that embeds the job API

      # token (ANVIL_TOKEN) so auth goes through the repo's

      # contents:write scope (see fangorn/anvil#46 / #59).

      git tag "$VERSION"

      git push \

        "https://x-token:${ANVIL_TOKEN}@anvil.fangorn.io/fangorn/ex_git_objectstore.git" \

        "$VERSION"



      echo "Released $VERSION"

    depends_on: [compile, format, dialyzer, test]