ci: setup danger.js

Author: alandefreitas

.github/workflows/ci.yml

@@ -9,20 +9,33 @@ on:
     tags:
       - "v*.*.*"
 
+  # pull_request runs the matrix/build on the PR head with the fork-scoped token
+  # (no comment perms on base repo).
   pull_request:
     branches:
       - develop
 
+  # pull_request_target runs repo-owned checks (e.g., Danger comments) on the base ref with the base repo token;
+  # never executes PR code.
+  pull_request_target:
+    branches:
+      - develop
+
 concurrency:
   group: ${{format('{0}:{1}', github.repository, github.ref)}}
   cancel-in-progress: true
 
 jobs:
   cpp-matrix:
+    if: github.event_name != 'pull_request_target'
     runs-on: ubuntu-24.04
     container:
       image: ubuntu:24.04
     name: Generate Test Matrix
+    # Permissions allow Danger to read PR context and post comments.
+    permissions:
+      contents: read
+      pull-requests: write
     outputs:
       matrix: ${{ steps.cpp-matrix.outputs.matrix }}
       llvm-matrix: ${{ steps.llvm-matrix.outputs.llvm-matrix }}
@@ -120,6 +133,7 @@ jobs:
           node .github/releases-matrix.js
 
   build:
+    if: github.event_name != 'pull_request_target'
     needs: cpp-matrix
 
     strategy:
@@ -1293,3 +1307,33 @@ jobs:
           llvm_dir="/var/www/mrdox.com/llvm+clang"
           chmod 755 ${{ matrix.llvm-archive-filename }}
           scp -o StrictHostKeyChecking=no $(pwd)/${{ matrix.llvm-archive-filename }} ubuntu@dev-websites.cpp.al:$llvm_dir/
+
+  repo-checks:
+    name: Repo checks
+    # Run under pull_request_target so we can use the base-repo token to comment on forked PRs
+    # without executing forked code in this job. Declared after the matrix job so the matrix stays first in the UI.
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      statuses: write
+    steps:
+      - name: Checkout base revision
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install repo-check tools
+        run: npm --prefix util/danger ci
+
+      - name: Repo checks (Danger)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx --prefix util/danger danger ci --dangerfile util/danger/dangerfile.ts

.gitignore

@@ -20,6 +20,10 @@
 /share/mrdocs/libcxx/
 /share/mrdocs/clang/
 /docs/modules/reference
+/node_modules
 /.gdbinit
 /.lldbinit
-/.github/node_modules/
+/.github/node_modules/
+/util/danger/node_modules/
+/.roadmap
+/AGENTS.md

util/danger/README.md

@@ -0,0 +1,41 @@
+# Danger.js checks for MrDocs
+
+This directory contains the Danger.js rules and fixtures used in CI to add scoped summaries and hygiene warnings on pull requests.
+
+## What runs in CI
+
+- Danger executes via `npx danger ci --dangerfile util/danger/dangerfile.ts` in the `Repo checks` job.
+- That job runs on `pull_request_target` so forked PRs get comments/status updates using the base-repo token without executing forked code.
+- Permissions are scoped to comment and set statuses (`contents: read`, `pull-requests: write`, `issues: write`, `statuses: write`).
+- The job lives in `.github/workflows/ci.yml` after the matrix generator so matrix jobs stay first in the UI.
+
+## Local usage
+
+```bash
+npm --prefix util/danger ci           # install dev deps (without touching the repo root)
+npm --prefix util/danger test         # run Vitest unit tests for rule logic
+npm --prefix util/danger run danger:local  # print the fixture report from util/danger/fixtures/sample-pr.json
+npm --prefix util/danger run danger:ci     # run Danger in CI mode (requires GitHub PR context)
+```
+
+## Key files
+
+- `logic.ts` — Pure rule logic: scope mapping, conventional commit validation, size and hygiene warnings.
+- `runner.ts` — Minimal Danger runtime glue (fetches commits/files and feeds `logic.ts`).
+- `dangerfile.ts` — Entry point passed to `danger ci`; keep thin.
+- `fixtures/` — Sample PR payloads for local runs; update alongside rule changes.
+- `logic.test.ts` — Vitest coverage for the rule logic.
+- `package.json`, `package-lock.json`, `tsconfig.json` — Localized Node setup to avoid polluting the repository root.
+
+## Conventions
+
+- Scopes reflect the MrDocs tree: `source`, `tests`, `golden-tests`, `docs`, `ci`, `build`, `tooling`, `third-party`, `other`.
+- Conventional commit types allowed: `feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert`.
+- Non-test commit size warning triggers around 800 lines of churn (tests and golden fixtures ignored).
+
+## Updating rules
+
+- Edit `logic.ts`, refresh `fixtures/` as needed, and run `npm test`.
+- Keep warnings human-readable; prefer `warn()` over `fail()` until the team decides otherwise.
+
+> Note: The Danger.js rules for MrDocs are still experimental, so some warnings may be rough or occasionally fire as false positives—feedback is welcome.

util/danger/dangerfile.ts

@@ -0,0 +1,25 @@
+//
+// Licensed under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+// Copyright (c) 2025 Alan de Freitas (alandefreitas@gmail.com)
+//
+// Official repository: https://github.com/cppalliance/mrdocs
+//
+import { runDanger } from "./runner";
+
+// Provided globally by Danger at runtime; declared here for editors/typecheckers.
+declare function warn(message: string, file?: string, line?: number): void;
+
+/**
+ * Entrypoint for Danger; delegates to the rule runner.
+ * Wraps execution to surface unexpected errors as warnings instead of failing CI.
+ */
+export default async function dangerfile(): Promise<void> {
+    try {
+        await runDanger();
+    } catch (error) {
+        warn(`Danger checks hit an unexpected error: ${String(error)}`);
+    }
+}

util/danger/fixtures/sample-pr.json

@@ -0,0 +1,36 @@
+{
+  "files": [
+    { "filename": "src/lib/example.cpp", "additions": 120, "deletions": 20 },
+    { "filename": "include/mrdocs/example.hpp", "additions": 30, "deletions": 5 },
+    { "filename": "test-files/golden-tests/foo/output.xml", "additions": 400, "deletions": 10 },
+    { "filename": "docs/modules/ROOT/pages/contribute.adoc", "additions": 12, "deletions": 3 },
+    { "filename": ".github/workflows/ci.yml", "additions": 5, "deletions": 1 }
+  ],
+  "commits": [
+    {
+      "sha": "abc1234",
+      "message": "fix(core): handle edge case",
+      "files": [
+        { "filename": "src/lib/example.cpp", "additions": 120, "deletions": 20 },
+        { "filename": "include/mrdocs/example.hpp", "additions": 30, "deletions": 5 }
+      ]
+    },
+    {
+      "sha": "def5678",
+      "message": "docs: update contributing notes",
+      "files": [
+        { "filename": "docs/modules/ROOT/pages/contribute.adoc", "additions": 12, "deletions": 3 }
+      ]
+    },
+    {
+      "sha": "9999999",
+      "message": "feat: massive change without tests",
+      "files": [
+        { "filename": "src/lib/another.cpp", "additions": 900, "deletions": 200 }
+      ]
+    }
+  ],
+  "prBody": "Sample rationale\\n\\nTesting: unit tests locally",
+  "prTitle": "Sample Danger fixture",
+  "labels": []
+}

util/danger/logic.test.ts

@@ -0,0 +1,87 @@
+//
+// Licensed under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+// Copyright (c) 2025 Alan de Freitas (alandefreitas@gmail.com)
+//
+// Official repository: https://github.com/cppalliance/mrdocs
+//
+import { describe, expect, it } from "vitest";
+import {
+    commitSizeWarnings,
+    parseCommitSummary,
+    basicChecks,
+    summarizeScopes,
+    validateCommits,
+    type CommitInfo,
+    type DangerInputs,
+} from "./logic";
+
+describe("parseCommitSummary", () => {
+    // Ensures we correctly extract type, scope, and subject when format is valid.
+    it("parses valid commit summaries", () => {
+        const parsed = parseCommitSummary("fix(core): handle edge case");
+        expect(parsed?.type).toBe("fix");
+        expect(parsed?.scope).toBe("core");
+        expect(parsed?.subject).toBe("handle edge case");
+    });
+
+    // Guards against accepting malformed commit first lines.
+    it("rejects invalid format", () => {
+        expect(parseCommitSummary("invalid summary")).toBeNull();
+    });
+});
+
+describe("summarizeScopes", () => {
+    // Verifies file paths are bucketed into the correct scopes and totals are tallied.
+    it("aggregates by scope", () => {
+        const report = summarizeScopes([
+            { filename: "src/lib/file.cpp", additions: 10, deletions: 2 },
+            { filename: "src/test/file.cpp", additions: 5, deletions: 1 },
+            { filename: "test-files/golden-tests/out.xml", additions: 100, deletions: 0 },
+            { filename: "docs/index.adoc", additions: 4, deletions: 0 },
+        ]);
+
+        expect(report.totals.source.files).toBe(1);
+        expect(report.totals.tests.files).toBe(1);
+        expect(report.totals["golden-tests"].files).toBe(1);
+        expect(report.totals.docs.files).toBe(1);
+        expect(report.overall.files).toBe(4);
+    });
+});
+
+describe("commitSizeWarnings", () => {
+    // Confirms that large non-test churn triggers a warning while ignoring test fixtures.
+    it("flags large non-test commits", () => {
+        const commits: CommitInfo[] = [
+            {
+                sha: "abc",
+                message: "feat: huge change",
+                files: [
+                    { filename: "src/lib/large.cpp", additions: 900, deletions: 200 },
+                    { filename: "test-files/golden-tests/out.xml", additions: 1000, deletions: 0 },
+                ],
+            },
+        ];
+        const warnings = commitSizeWarnings(commits);
+        expect(warnings.length).toBe(1);
+    });
+});
+
+describe("starterChecks", () => {
+    // Checks that source changes without accompanying tests produce a warning.
+    it("requests tests when source changes without coverage", () => {
+        const inputs: DangerInputs = {
+            files: [],
+            commits: [],
+            prBody: "Summary\n\nTesting: pending",
+            prTitle: "Test PR",
+            labels: [],
+        };
+        const summary = summarizeScopes([{ filename: "src/lib/file.cpp", additions: 1, deletions: 0 }]);
+        const parsed = validateCommits([{ sha: "1", message: "fix: change" }]).parsed;
+        const warnings = basicChecks(inputs, summary, parsed);
+        expect(warnings.some((message) => message.includes("Source changed"))).toBe(true);
+    });
+});