-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix the workflow deployment bugs (#472)
* fix rc bug * change the order of commit, tagging & publishing * Remove cached nx * Fix ci badges * test rc push changes * 🤖 Update version to v$TAG_NAME * Revert "🤖 Update version to v$TAG_NAME" This reverts commit a0a33e7. * revert changes & fix additional bugs * Fix force publish * 🤖 Update version to vv1.55.0-rc.0 * Revert "🤖 Update version to vv1.55.0-rc.0" This reverts commit d204cd5. * remove extra v * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 06aa712. * update rc publish * Test pushing packages * 🤖 Update version to v1.55.0-rc.0 * use workflow call * change permissions * change permissions * 🤖 Update version to v1.56.0-rc.0 * Revert "🤖 Update version to v1.56.0-rc.0" This reverts commit e2ccd0f. * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit a36617a. * stash changes * 🤖 Update version to v1.55.0-rc.0 * Test workflow run * Test workflow run * 🤖 Update version to v1.56.0-rc.0 * Test the workflow call * 🤖 Update version to v1.57.0-rc.0 * Add git configs for testing * 🤖 Update version to v1.58.0-rc.0 * Add GPG key * 🤖 Update version to v1.59.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.60.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.61.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.62.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.63.0-rc.0 * Debug action * 🤖 Update version to v1.64.0-rc.0 * Inherit secrets * 🤖 Update version to v1.65.0-rc.0 * Test the commit signining * 🤖 Update version to v1.66.0-rc.0 * Test the commit signining * Test the commit signining * 🤖 Update version to v1.67.0-rc.0 * Switch the package version to 1.54.1 * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit b0cc386. * Add condition to verify latest version * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 841a701. * Checkout based on the specific sha * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 2220895. * Pass to the workflow by uploading artifacts * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit af56d97. * Fix missing sha file * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 47f7fc7. * trigger on push for provenance creation * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 06b3ab0. * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * 🤖 Update version to v1.55.0-rc.0 (#469) Co-authored-by: svc-gh-is-01 <[email protected]> * Revert "🤖 Update version to v1.55.0-rc.0 (#469)" This reverts commit a09417e. * Fix format of the author * Update the release workflows (#471) * Refactor the publish workflows * Refactor the deploy workflows * Remove commented out code --------- Co-authored-by: tirumerla <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: svc-gh-is-01 <[email protected]>
- Loading branch information
4 people
authored
Dec 13, 2023
1 parent
ff20768
commit 1d3f6cd
Showing
8 changed files
with
320 additions
and
121 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,9 @@ | ||
| name: Publish RC | ||
| name: Publish rc | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: 0 0 * * * | ||
| workflow_dispatch: {} | ||
| push: | ||
| branches: | ||
| - master | ||
|
|
||
| # Declare default permissions as read only. | ||
| permissions: read-all | ||
|
|
@@ -13,6 +13,7 @@ jobs: | |
| runs-on: ubuntu-22.04 | ||
| outputs: | ||
| latest_commit_author: ${{ steps.commit.outputs.author }} | ||
| commit_message: ${{ steps.commit.outputs.message }} | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 | ||
|
|
@@ -21,6 +22,8 @@ jobs: | |
|
|
||
| - name: Checkout Repo | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Install yq | ||
| run: | | ||
|
|
@@ -32,14 +35,20 @@ jobs: | |
| - name: Get last commit details | ||
| id: commit | ||
| run: | | ||
| COMMIT_SHA=$(git rev-parse HEAD) | ||
| COMMIT_DETAILS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/commits/$COMMIT_SHA") | ||
| echo "author=$(echo $COMMIT_DETAILS | yq '.author.login')" >> $GITHUB_OUTPUT | ||
| COMMIT_SHA="$(git rev-parse HEAD)" | ||
| AUTHOR=$(git show -s --format='%an' $COMMIT_SHA) | ||
| MESSAGE=$(git show -s --format='%s' $COMMIT_SHA) | ||
| echo "author=$AUTHOR" >> $GITHUB_OUTPUT | ||
| echo "message=$MESSAGE" >> $GITHUB_OUTPUT | ||
| echo "Author of the commit is $AUTHOR" | ||
| echo "Message of the commit is $MESSAGE" | ||
| prepare: | ||
| needs: check_author | ||
| runs-on: ubuntu-22.04 | ||
| if: ${{ needs.check_author.outputs.latest_commit_author != 'svc-gh-is-01' }} | ||
| if: ${{ needs.check_author.outputs.latest_commit_author == 'github-actions[bot]' && contains(needs.check_author.outputs.commit_message, 'rc') }} | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 | ||
|
|
@@ -64,7 +73,6 @@ jobs: | |
| run-scripts: "install-deps, style, nx-build-skip-cache, nx-test-skip-cache" | ||
| node-version: "16.20.0" | ||
|
|
||
| # Git tag the commit for publishing | ||
| tag: | ||
| name: Tag RC candidate for all packages | ||
| permissions: | ||
|
|
@@ -74,8 +82,7 @@ jobs: | |
| runs-on: ubuntu-22.04 | ||
| needs: provenance | ||
| outputs: | ||
| next_rc_version: ${{ steps.update_version.outputs.next_rc_version }} | ||
| changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} | ||
| rc_version: ${{ steps.get_version.outputs.rc_version }} | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 | ||
|
|
@@ -97,28 +104,12 @@ jobs: | |
| git_user_signingkey: true | ||
| git_commit_gpgsign: true | ||
|
|
||
| - name: Get latest git tag and verify package changes | ||
| id: tag_check_changes | ||
| run: | | ||
| git fetch --prune --unshallow --tags | ||
| latest_tag=$(git describe --tags --abbrev=0 --match "v*") | ||
| echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT | ||
| changed_packages=$(lerna changed --json | jq -r 'length') | ||
| echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT | ||
| - name: Update the tags | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| run: | | ||
| yarn versionup:preminor && ./hack/cross-dependency.sh | ||
| - name: Use node@16 | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 | ||
| with: | ||
| node-version: 16.20.0 | ||
|
|
||
| - name: Create temp dir | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| id: temp-dir | ||
| run: | | ||
| set -euo pipefail | ||
|
|
@@ -127,74 +118,61 @@ jobs: | |
| echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" | ||
| - name: Download tarball | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main | ||
| with: | ||
| name: ${{ needs.provenance.outputs.package-download-name }} | ||
| path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}" | ||
| sha256: ${{ needs.provenance.outputs.package-download-sha256 }} | ||
|
|
||
| - name: Download provenance | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0 | ||
| with: | ||
| name: ${{ needs.provenance.outputs.provenance-download-name }} | ||
| path: "${{ steps.temp-dir.outputs.path }}" | ||
| sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }} | ||
|
|
||
| - name: Authenticate NPM | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| run: | | ||
| echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc | ||
| echo "@openzeppelin:registry https://registry.npmjs.org" >> ~/.npmrc | ||
| - name: Enable NPM PROVENANCE | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| run: echo "NPM_CONFIG_PROVENANCE=true" >> $GITHUB_ENV | ||
|
|
||
| - name: Commit changes | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| id: update_version | ||
| - name: Get version info | ||
| id: get_version | ||
| run: | | ||
| TAG_NAME=$(node -p "require('./lerna.json').version") | ||
| git config user.name github-actions | ||
| git config user.email [email protected] | ||
| git add . | ||
| git commit -m "Update version to v$TAG_NAME" | ||
| echo "next_rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT | ||
| echo "rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT | ||
| - name: Unpack the zipped artifact and publish | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| run: | | ||
| set -euo pipefail | ||
| cd "${{ steps.temp-dir.outputs.path }}" | ||
| tar -xzvf "${{ needs.provenance.outputs.package-name }}" | ||
| cd package/; git init | ||
| git config user.name github-actions | ||
| git config user.email [email protected] | ||
| git add . | ||
| git commit -m "Add the untracked files" | ||
| tag_ref=${{ steps.update_version.outputs.next_rc_version }} | ||
| tag_ref=${{ steps.get_version.outputs.rc_version }} | ||
| tag_version=${tag_ref#refs/tags/v} | ||
| lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog --force-publish" | ||
| lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog" | ||
| lerna publish $tag_version $lerna_options --dist-tag rc --pre-dist-tag rc | ||
| cd ../../ | ||
| - name: Create and push tag | ||
| if: steps.tag_check_changes.outputs.changed_packages > 0 | ||
| run: | | ||
| git tag -a ${{ steps.update_version.outputs.next_rc_version }} -m "${{ steps.update_version.outputs.next_rc_version }}" | ||
| git push origin ${{ steps.update_version.outputs.next_rc_version }} | ||
| git push origin master | ||
| git tag -a ${{ steps.get_version.outputs.rc_version }} -m "${{ steps.get_version.outputs.rc_version }}" | ||
| git push origin ${{ steps.get_version.outputs.rc_version }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| create-release: | ||
| permissions: | ||
| contents: write | ||
| name: Create Release | ||
| needs: tag | ||
| if: needs.tag.outputs.changed_packages > 0 | ||
| uses: ./.github/workflows/release.yml | ||
| with: | ||
| tag: ${{ needs.tag.outputs.next_rc_version }} | ||
| tag: ${{ needs.tag.outputs.rc_version }} | ||
| prerelease: true | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| name: Push RC | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: 0 0 * * * | ||
| workflow_dispatch: {} | ||
|
|
||
| # Declare default permissions as read only. | ||
| permissions: read-all | ||
|
|
||
| jobs: | ||
|
|
||
| # check for changed packages | ||
| verify-packages: | ||
| name: Verify changed packages | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| actions: read | ||
| runs-on: ubuntu-22.04 | ||
| outputs: | ||
| changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} | ||
| latest_tag: ${{ steps.tag_check_changes.outputs.latest_tag }} | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
|
|
||
| - name: Prepare pre-requisites | ||
| uses: ./.github/actions/prepare | ||
|
|
||
| - name: Install deps | ||
| run: yarn install-deps | ||
|
|
||
| - name: Style | ||
| run: yarn style | ||
|
|
||
| - name: Build | ||
| run: yarn nx-build-skip-cache | ||
|
|
||
| - name: Test | ||
| run: yarn nx-test-skip-cache | ||
|
|
||
| - name: Get latest git tag and verify package changes | ||
| id: tag_check_changes | ||
| run: | | ||
| git fetch --prune --unshallow --tags | ||
| latest_tag=$(git describe --tags --abbrev=0 --match "v*") | ||
| echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT | ||
| changed_packages=$(lerna changed --json | jq -r 'length') | ||
| echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT | ||
| # Commit & Push to branch | ||
| commit-push: | ||
| name: Commit and push changes | ||
| permissions: | ||
| # Give the default GITHUB_TOKEN write permission to commit and push the | ||
| # added or changed files to the repository. | ||
| contents: write | ||
| pull-requests: write | ||
| needs: verify-packages | ||
| if: needs.verify-packages.outputs.changed_packages > 0 | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| with: | ||
| token: ${{ secrets.SAI_PAT }} | ||
|
|
||
| - name: Use node@16 | ||
| uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 | ||
| with: | ||
| node-version: 16.20.0 | ||
|
|
||
| - name: Update RC candidate version ( excluding deploy client ) | ||
| run: | | ||
| if [[ ${{ needs.verify-packages.outputs.latest_tag }} != *"rc"* ]]; then | ||
| yarn versionup:preminor && ./hack/cross-dependency.sh | ||
| else | ||
| yarn versionup:prerelease && ./hack/cross-dependency.sh | ||
| fi | ||
| - name: get latest version | ||
| id: update_version | ||
| run: | | ||
| TAG_NAME=$(node -p "require('./lerna.json').version") | ||
| echo "rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT | ||
| - name: Verify version | ||
| id: verify_version | ||
| run: | | ||
| CURRENT_VERSION=$(echo "${{ needs.verify-packages.outputs.latest_tag }}" | sed 's/^v//') | ||
| NEW_VERSION=$(echo "${{ steps.update_version.outputs.rc_version }}" | sed 's/^v//') | ||
| CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2) | ||
| NEW_MINOR=$(echo "$NEW_VERSION" | cut -d. -f2) | ||
| if (( NEW_MINOR != CURRENT_MINOR + 1 )); then | ||
| echo "New version is not one minor version ahead of the current version" | ||
| exit 1 | ||
| fi | ||
| - name: Import GPG key | ||
| uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0 | ||
| with: | ||
| gpg_private_key: ${{ secrets.SVC_GPG_KEY }} | ||
| passphrase: ${{ secrets.SVC_GPG_PASSPHRASE }} | ||
| git_config_global: true | ||
| git_tag_gpgsign: true | ||
| git_user_signingkey: true | ||
| git_commit_gpgsign: true | ||
|
|
||
| # Raise PR to the branch | ||
| - name: Raise PR to the branch | ||
| id: cpr | ||
| uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 | ||
| with: | ||
| commit-message: "🤖 Update version to ${{ steps.update_version.outputs.rc_version }}" | ||
| branch: 'update-version/${{ steps.update_version.outputs.rc_version }}' | ||
| title: "🤖 [Automated Pr] Update version to ${{ steps.update_version.outputs.rc_version }}" | ||
| committer: svc-gh-is-01 <[email protected]> | ||
| author: svc-gh-is-01 <[email protected]> | ||
| delete-branch: true | ||
| body: | | ||
| This PR updates the version to ${{ steps.update_version.outputs.rc_version }}. | ||
| Please review and merge this PR if it looks good. | ||
| This is an automated PR created by github actions. |
Oops, something went wrong.