From 1d3f6cd0e069d3e2b50044b78018398df6302bba Mon Sep 17 00:00:00 2001 
From: Barno Date: Wed, 13 Dec 2023 22:30:47 +0300 Subject: [PATCH] Fix the workflow deployment bugs (#472) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix rc bug * change the order of commit, tagging & publishing * Remove cached nx * Fix ci badges * test rc push changes * 🤖 Update version to v$TAG_NAME * Revert "🤖 Update version to v$TAG_NAME" This reverts commit a0a33e793975f150cd55dcf8d19217a8ffa74115. * revert changes & fix additional bugs * Fix force publish * 🤖 Update version to vv1.55.0-rc.0 * Revert "🤖 Update version to vv1.55.0-rc.0" This reverts commit d204cd56b1105e63729f1dd7ff89f961d4b23dad. * remove extra v * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 06aa712c24a1813a09879fcf7b498bd85a4d71c7. * update rc publish * Test pushing packages * 🤖 Update version to v1.55.0-rc.0 * use workflow call * change permissions * change permissions * 🤖 Update version to v1.56.0-rc.0 * Revert "🤖 Update version to v1.56.0-rc.0" This reverts commit e2ccd0fe22fdedf858f725e2367af924e9fabeeb. * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit a36617ae1bdfccebf5e5311f518871d5ad4ac31f. 
* stash changes * 🤖 Update version to v1.55.0-rc.0 * Test workflow run * Test workflow run * 🤖 Update version to v1.56.0-rc.0 * Test the workflow call * 🤖 Update version to v1.57.0-rc.0 * Add git configs for testing * 🤖 Update version to v1.58.0-rc.0 * Add GPG key * 🤖 Update version to v1.59.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.60.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.61.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.62.0-rc.0 * Debug GPG parsing * 🤖 Update version to v1.63.0-rc.0 * Debug action * 🤖 Update version to v1.64.0-rc.0 * Inherit secrets * 🤖 Update version to v1.65.0-rc.0 * Test the commit signing * 🤖 Update version to v1.66.0-rc.0 * Test the commit signing * Test the commit signing * 🤖 Update version to v1.67.0-rc.0 * Switch the package version to 1.54.1 * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit b0cc386995eef7678882694a74a4d719fea17c00. * Add condition to verify latest version * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 841a701b463415f9af6a8cdd6949ab14b3493a7b. * Checkout based on the specific sha * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 2220895133b2bb917317db1392ebc264260b3bd8. * Pass to the workflow by uploading artifacts * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit af56d97d0b01c7517162e552e3f90ec6353d7cba. * Fix missing sha file * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 47f7fc745f3982a99f649cd9591321b389fbad7d. * trigger on push for provenance creation * 🤖 Update version to v1.55.0-rc.0 * Revert "🤖 Update version to v1.55.0-rc.0" This reverts commit 06b3ab07697fdf2baab278049ca52f5345447e8e.
* Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * Allow to raise PR instead * 🤖 Update version to v1.55.0-rc.0 (#469) Co-authored-by: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> * Revert "🤖 Update version to v1.55.0-rc.0 (#469)" This reverts commit a09417e7a29c8fc191592cd215514f21d68e7aff. * Fix format of the author * Update the release workflows (#471) * Refactor the publish workflows * Refactor the deploy workflows * Remove commented out code --------- Co-authored-by: tirumerla Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> --- .github/workflows/rc-publish.yml | 80 ++++++--------- .github/workflows/rc-push.yml | 139 +++++++++++++++++++++++++++ .github/workflows/stable-publish.yml | 70 +++++--------- .github/workflows/stable-push.yml | 99 +++++++++++++++++++ .gitignore | 1 + README.md | 4 +- package.json | 8 +- yarn.lock | 40 ++++---- 8 files changed, 320 insertions(+), 121 deletions(-) create mode 100644 .github/workflows/rc-push.yml create mode 100644 .github/workflows/stable-push.yml diff --git a/.github/workflows/rc-publish.yml b/.github/workflows/rc-publish.yml index 881ddb36..fb57ceab 100644 --- a/.github/workflows/rc-publish.yml +++ b/.github/workflows/rc-publish.yml @@ -1,9 +1,9 @@ -name: Publish RC +name: Publish rc on: - schedule: - - cron: 0 0 * * * - workflow_dispatch: {} + push: + branches: + - master # Declare default permissions as read only. permissions: read-all 
@@ -13,6 +13,7 @@ jobs: runs-on: ubuntu-22.04 outputs: latest_commit_author: ${{ steps.commit.outputs.author }} + commit_message: ${{ steps.commit.outputs.message }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 @@ -21,6 +22,8 @@ jobs: - name: Checkout Repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 - name: Install yq run: | @@ -32,14 +35,20 @@ jobs: - name: Get last commit details id: commit run: | - COMMIT_SHA=$(git rev-parse HEAD) - COMMIT_DETAILS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - "https://api.github.com/repos/${{ github.repository }}/commits/$COMMIT_SHA") - echo "author=$(echo $COMMIT_DETAILS | yq '.author.login')" >> $GITHUB_OUTPUT + + COMMIT_SHA="$(git rev-parse HEAD)" + AUTHOR=$(git show -s --format='%an' $COMMIT_SHA) + MESSAGE=$(git show -s --format='%s' $COMMIT_SHA) + echo "author=$AUTHOR" >> $GITHUB_OUTPUT + echo "message=$MESSAGE" >> $GITHUB_OUTPUT + echo "Author of the commit is $AUTHOR" + echo "Message of the commit is $MESSAGE" + + prepare: needs: check_author runs-on: ubuntu-22.04 - if: ${{ needs.check_author.outputs.latest_commit_author != 'svc-gh-is-01' }} + if: ${{ needs.check_author.outputs.latest_commit_author == 'github-actions[bot]' && contains(needs.check_author.outputs.commit_message, 'rc') }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 @@ -64,7 +73,6 @@ jobs: run-scripts: "install-deps, style, nx-build-skip-cache, nx-test-skip-cache" node-version: "16.20.0" - # Git tag the commit for publishing tag: name: Tag RC candidate for all packages permissions: 
@@ -74,8 +82,7 @@ jobs: runs-on: ubuntu-22.04 needs: provenance outputs: - next_rc_version: ${{ steps.update_version.outputs.next_rc_version }} - changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} + rc_version: ${{ steps.get_version.outputs.rc_version }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 @@ -97,28 +104,12 @@ jobs: git_user_signingkey: true git_commit_gpgsign: true - - name: Get latest git tag and verify package changes - id: tag_check_changes - run: | - git fetch --prune --unshallow --tags - latest_tag=$(git describe --tags --abbrev=0 --match "v*") - echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT - changed_packages=$(lerna changed --json | jq -r 'length') - echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT - - - name: Update the tags - if: steps.tag_check_changes.outputs.changed_packages > 0 - run: | - yarn versionup:preminor && ./hack/cross-dependency.sh - - name: Use node@16 - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 with: node-version: 16.20.0 - name: Create temp dir - if: steps.tag_check_changes.outputs.changed_packages > 0 id: temp-dir run: | set -euo pipefail @@ -127,7 +118,6 @@ jobs: echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" - name: Download tarball - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main with: name: ${{ needs.provenance.outputs.package-download-name }} 
@@ -135,7 +125,6 @@ jobs: sha256: ${{ needs.provenance.outputs.package-download-sha256 }} - name: Download provenance - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0 with: name: ${{ needs.provenance.outputs.provenance-download-name }} 
@@ -143,58 +132,47 @@ jobs: sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }} - name: Authenticate NPM - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc echo "@openzeppelin:registry https://registry.npmjs.org" >> ~/.npmrc - name: Enable NPM PROVENANCE - if: steps.tag_check_changes.outputs.changed_packages > 0 run: echo "NPM_CONFIG_PROVENANCE=true" >> $GITHUB_ENV - - name: Commit changes - if: steps.tag_check_changes.outputs.changed_packages > 0 - id: update_version + - name: Get version info + id: get_version run: | TAG_NAME=$(node -p "require('./lerna.json').version") - git config user.name github-actions - git config user.email github-actions@github.com - git add . - git commit -m "Update version to v$TAG_NAME" - echo "next_rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT + echo "rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT - name: Unpack the zipped artifact and publish - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | set -euo pipefail cd "${{ steps.temp-dir.outputs.path }}" tar -xzvf "${{ needs.provenance.outputs.package-name }}" cd package/; git init - git config user.name github-actions - git config user.email github-actions@github.com git add . 
git commit -m "Add the untracked files" - tag_ref=${{ steps.update_version.outputs.next_rc_version }} + tag_ref=${{ steps.get_version.outputs.rc_version }} tag_version=${tag_ref#refs/tags/v} - lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog --force-publish" + lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog" lerna publish $tag_version $lerna_options --dist-tag rc --pre-dist-tag rc cd ../../ - name: Create and push tag - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | - git tag -a ${{ steps.update_version.outputs.next_rc_version }} -m "${{ steps.update_version.outputs.next_rc_version }}" - git push origin ${{ steps.update_version.outputs.next_rc_version }} - git push origin master + git tag -a ${{ steps.get_version.outputs.rc_version }} -m "${{ steps.get_version.outputs.rc_version }}" + git push origin ${{ steps.get_version.outputs.rc_version }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} create-release: permissions: contents: write name: Create Release needs: tag - if: needs.tag.outputs.changed_packages > 0 uses: ./.github/workflows/release.yml with: - tag: ${{ needs.tag.outputs.next_rc_version }} + tag: ${{ needs.tag.outputs.rc_version }} prerelease: true diff --git a/.github/workflows/rc-push.yml b/.github/workflows/rc-push.yml new file mode 100644 index 00000000..46da4c55 --- /dev/null +++ b/.github/workflows/rc-push.yml 
@@ -0,0 +1,139 @@ +name: Push RC + +on: + schedule: + - cron: 0 0 * * * + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + + # check for changed packages + verify-packages: + name: Verify changed packages + permissions: + id-token: write + contents: write + actions: read + runs-on: ubuntu-22.04 + outputs: + changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} + latest_tag: ${{ steps.tag_check_changes.outputs.latest_tag }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Prepare pre-requisites + uses: ./.github/actions/prepare + + - name: Install deps + run: yarn install-deps + + - name: Style + run: yarn style + + - name: Build + run: yarn nx-build-skip-cache + + - name: Test + run: yarn nx-test-skip-cache + + - name: Get latest git tag and verify package changes + id: tag_check_changes + run: | + git fetch --prune --unshallow --tags + latest_tag=$(git describe --tags --abbrev=0 --match "v*") + echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT + changed_packages=$(lerna changed --json | jq -r 'length') + echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT + + + # Commit & Push to branch + commit-push: + name: Commit and push changes + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push the + # added or changed files to the repository. 
+ contents: write + pull-requests: write + needs: verify-packages + if: needs.verify-packages.outputs.changed_packages > 0 + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: ${{ secrets.SAI_PAT }} + + - name: Use node@16 + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 + with: + node-version: 16.20.0 + + - name: Update RC candidate version ( excluding deploy client ) + run: | + if [[ ${{ needs.verify-packages.outputs.latest_tag }} != *"rc"* ]]; then + yarn versionup:preminor && ./hack/cross-dependency.sh + else + yarn versionup:prerelease && ./hack/cross-dependency.sh + fi + + - name: get latest version + id: update_version + run: | + TAG_NAME=$(node -p "require('./lerna.json').version") + echo "rc_version=v$TAG_NAME" >> $GITHUB_OUTPUT + + - name: Verify version + id: verify_version + run: | + CURRENT_VERSION=$(echo "${{ needs.verify-packages.outputs.latest_tag }}" | sed 's/^v//') + NEW_VERSION=$(echo "${{ steps.update_version.outputs.rc_version }}" | sed 's/^v//') + + CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2) + NEW_MINOR=$(echo "$NEW_VERSION" | cut -d. 
-f2) + + if (( NEW_MINOR != CURRENT_MINOR + 1 )); then + echo "New version is not one minor version ahead of the current version" + exit 1 + fi + + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0 + with: + gpg_private_key: ${{ secrets.SVC_GPG_KEY }} + passphrase: ${{ secrets.SVC_GPG_PASSPHRASE }} + git_config_global: true + git_tag_gpgsign: true + git_user_signingkey: true + git_commit_gpgsign: true + + # Raise PR to the branch + - name: Raise PR to the branch + id: cpr + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 + with: + commit-message: "🤖 Update version to ${{ steps.update_version.outputs.rc_version }}" + branch: 'update-version/${{ steps.update_version.outputs.rc_version }}' + title: "🤖 [Automated Pr] Update version to ${{ steps.update_version.outputs.rc_version }}" + committer: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> + author: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> + delete-branch: true + body: | + This PR updates the version to ${{ steps.update_version.outputs.rc_version }}. + Please review and merge this PR if it looks good. + + + This is an automated PR created by github actions. diff --git a/.github/workflows/stable-publish.yml b/.github/workflows/stable-publish.yml index af259d4d..f8805088 100644 --- a/.github/workflows/stable-publish.yml +++ b/.github/workflows/stable-publish.yml @@ -1,7 +1,9 @@ -name: Publish The Stable Release +name: Publish stable on: - workflow_dispatch: {} + push: + branches: + - master # Declare default permissions as read only. permissions: read-all @@ -11,6 +13,7 @@ jobs: runs-on: ubuntu-22.04 outputs: latest_commit_author: ${{ steps.commit.outputs.author }} + get_version: ${{ steps.get_version.outputs.version }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 
@@ -34,10 +37,21 @@ jobs: COMMIT_DETAILS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ "https://api.github.com/repos/${{ github.repository }}/commits/$COMMIT_SHA") echo "author=$(echo $COMMIT_DETAILS | yq '.author.login')" >> $GITHUB_OUTPUT + + - name: Use node@16 + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 + with: + node-version: 16.20.0 + + - name: Get version + id: get_version + run: | + echo "version=$(node -p "require('./lerna.json').version")" >> $GITHUB_OUTPUT + prepare: needs: check_author runs-on: ubuntu-22.04 - if: ${{ needs.check_author.outputs.latest_commit_author != 'svc-gh-is-01' }} + if: ${{ needs.check_author.outputs.latest_commit_author == 'github-actions[bot]' && !contains(needs.check_author.outputs.get_version, 'rc') }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 @@ -72,8 +86,7 @@ jobs: runs-on: ubuntu-22.04 needs: provenance outputs: - next_stable_version: ${{ steps.update_version.outputs.next_stable_version }} - changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} + stable_version: ${{ steps.get_version.outputs.stable_version }} steps: - name: Harden Runner uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 
@@ -95,29 +108,13 @@ jobs: git_user_signingkey: true git_commit_gpgsign: true - - name: Get latest git tag and verify package changes - id: tag_check_changes - run: | - git fetch --prune --unshallow --tags - latest_tag=$(git describe --tags --abbrev=0 --match "v*") - echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT - changed_packages=$(lerna changed --json | jq -r 'length') - echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT - - - name: Update the tags - if: steps.tag_check_changes.outputs.changed_packages > 0 - run: | - yarn versionup:stableminor && ./hack/cross-dependency.sh - - name: Use node@16 - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 with: node-version: 16.20.0 - name: Create temp dir id: temp-dir - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | set -euo pipefail @@ -125,7 +122,6 @@ jobs: echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" - name: Download tarball - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main with: name: ${{ needs.provenance.outputs.package-download-name }} @@ -133,7 +129,6 @@ jobs: sha256: ${{ needs.provenance.outputs.package-download-sha256 }} - name: Download provenance - if: steps.tag_check_changes.outputs.changed_packages > 0 uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0 with: name: ${{ needs.provenance.outputs.provenance-download-name }} 
@@ -141,50 +136,37 @@ jobs: sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }} - name: Authenticate NPM - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc echo "@openzeppelin:registry https://registry.npmjs.org" >> ~/.npmrc - name: Enable NPM PROVENANCE - if: steps.tag_check_changes.outputs.changed_packages > 0 run: echo "NPM_CONFIG_PROVENANCE=true" >> $GITHUB_ENV - - name: Commit changes - if: steps.tag_check_changes.outputs.changed_packages > 0 - id: update_version + - name: Get version info + id: get_version run: | TAG_NAME=$(node -p "require('./lerna.json').version") - git config user.name github-actions - git config user.email github-actions@github.com - git add . - git commit -m "Update version to v$TAG_NAME" - echo "next_stable_version=v$TAG_NAME" >> $GITHUB_OUTPUT + echo "stable_version=v$TAG_NAME" >> $GITHUB_OUTPUT - name: Unpack the zipped artifact and publish - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | set -euo pipefail - cd "${{ steps.temp-dir.outputs.path }}" tar -xzvf "${{ needs.provenance.outputs.package-name }}" cd package/; git init - git config user.name github-actions - git config user.email github-actions@github.com git add . 
git commit -m "Add the untracked files" - tag_ref=${{ steps.update_version.outputs.next_stable_version }} + tag_ref=${{ steps.get_version.outputs.stable_version }} tag_version=${tag_ref#refs/tags/v} - lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog --force-publish" + lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog" lerna publish $tag_version $lerna_options cd ../../ - name: Create and push tag - if: steps.tag_check_changes.outputs.changed_packages > 0 run: | - git tag -a ${{ steps.update_version.outputs.next_stable_version }} -m "${{ steps.update_version.outputs.next_stable_version }}" - git push origin ${{ steps.update_version.outputs.next_stable_version }} - git push origin master + git tag -a ${{ steps.get_version.outputs.stable_version }} -m "${{ steps.get_version.outputs.stable_version }}" + git push origin ${{ steps.get_version.outputs.stable_version }} create-release: name: Create Release @@ -193,5 +175,5 @@ jobs: contents: write uses: ./.github/workflows/release.yml with: - tag: ${{ needs.tag.outputs.next_stable_version }} + tag: ${{ needs.tag.outputs.stable_version }} prerelease: false diff --git a/.github/workflows/stable-push.yml b/.github/workflows/stable-push.yml new file mode 100644 index 00000000..4ca6a9da --- /dev/null +++ b/.github/workflows/stable-push.yml 
@@ -0,0 +1,99 @@ +name: Push Stable + +on: + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + # check for changed packages + verify-packages: + name: Verify changed packages + permissions: + id-token: write + contents: write + actions: read + runs-on: ubuntu-22.04 + outputs: + changed_packages: ${{ steps.tag_check_changes.outputs.changed_packages }} + latest_tag: ${{ steps.tag_check_changes.outputs.latest_tag }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Prepare pre-requisites + uses: ./.github/actions/prepare + + - name: Install deps + run: yarn install-deps + + - name: Style + run: yarn style + + - name: Build + run: yarn nx-build-skip-cache + + - name: Test + run: yarn nx-test-skip-cache + + - name: Get latest git tag and verify package changes + id: tag_check_changes + run: | + git fetch --prune --unshallow --tags + latest_tag=$(git describe --tags --abbrev=0 --match "v*") + echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT + changed_packages=$(lerna changed --json | jq -r 'length') + echo "changed_packages=${changed_packages:-0}" >> $GITHUB_OUTPUT + + + # Commit & Push to branch + commit-push: + name: Commit and push changes + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push the + # added or changed files to the repository. 
+ contents: write + needs: verify-packages + if: needs.verify-packages.outputs.changed_packages > 0 + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Update stable version + run: | + yarn versionup:stableminor && ./hack/cross-dependency.sh + + - name: Commit changes + id: update_version + run: | + TAG_NAME=$(node -p "require('./lerna.json').version") + echo "stable_version=v$TAG_NAME" >> $GITHUB_OUTPUT + + - name: Raise PR to the branch + id: stable-pr + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 + with: + commit-message: "🤖 Update version to ${{ steps.update_version.outputs.stable_version }}" + branch: 'update-version/${{ steps.update_version.outputs.stable_version }}' + title: "🤖 [Automated Pr] Update version to ${{ steps.update_version.outputs.stable_version }}" + committer: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> + author: svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com> + delete-branch: true + body: | + This PR updates the version to ${{ steps.update_version.outputs.stable_version }}. + Please review and merge this PR if it looks good. + + + This is an automated PR created by github actions. diff --git a/.gitignore b/.gitignore index 57c96cc5..0a6d211f 100644 --- a/.gitignore +++ b/.gitignore @@ -8,5 +8,6 @@ lib coverage .env .vscode +.nx .DS_Store .nx diff --git a/README.md b/README.md index a54d194d..15c8c65d 100644 --- a/README.md +++ b/README.md 
@@ -3,8 +3,8 @@ [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/OpenZeppelin/defender-client/badge)](https://api.securityscorecards.dev/projects/github.com/OpenZeppelin/defender-client) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7395/badge)](https://bestpractices.coreinfrastructure.org/projects/7395) [![Scorecard supply-chain security](https://github.com/OpenZeppelin/defender-client/actions/workflows/scorecard.yml/badge.svg)](https://github.com/OpenZeppelin/defender-client/actions/workflows/scorecard.yml) -[![Stable Git Release](https://github.com/OpenZeppelin/defender-client/actions/workflows/stable.yml/badge.svg)](https://github.com/OpenZeppelin/defender/actions/workflows/stable.yml) -[![RC Git Release](https://github.com/OpenZeppelin/defender-client/actions/workflows/rc.yml/badge.svg)](https://github.com/OpenZeppelin/defender/actions/workflows/rc.yml) +[![Stable Git Release](https://github.com/OpenZeppelin/defender-client/actions/workflows/stable-push.yml/badge.svg)](https://github.com/OpenZeppelin/defender/actions/workflows/stable-push.yml) +[![RC Git Release](https://github.com/OpenZeppelin/defender-client/actions/workflows/rc-publish.yml/badge.svg)](https://github.com/OpenZeppelin/defender/actions/workflows/rc-publish.yml) [![CI](https://github.com/OpenZeppelin/defender-client/actions/workflows/ci.yml/badge.svg)](https://github.com/OpenZeppelin/defender-client/actions/workflows/ci.yml) [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) diff --git a/package.json b/package.json index 514120a2..ddf1e6ce 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "eslint-config-prettier": "^8.8.0", "eslint-plugin-prettier": "^4.2.1", "jest": "^29.1.1", - "lerna": "^7.1.3", + "lerna": "^7.4.2", "prettier": "^2.0.4", "ts-jest": "^29.1.1", "typescript": "^4.9.3", 
@@ -41,9 +41,9 @@ "style": "yarn lint && yarn format", "skip-lib-ignore": "./hack/skip-lib-ignore.sh", "versionup:rcminor": "lerna version --preid=rc --no-git-tag-version --yes --exact --no-changelog", - "versionup:preminor": "yarn versionup:rcminor preminor", - "versionup:prerelease": "yarn versionup:rcminor prerelease", - "versionup:stableminor": "lerna version patch --conventional-graduate --no-git-tag-version --yes --exact --no-changelog" + "versionup:preminor": "yarn versionup:rcminor preminor --force-publish", + "versionup:prerelease": "yarn versionup:rcminor prerelease --force-publish", + "versionup:stableminor": "lerna version minor --conventional-graduate --no-git-tag-version --yes --exact --no-changelog" }, "repository": { "type": "git", diff --git a/yarn.lock b/yarn.lock index b929d1b9..8ed0d1b5 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -1083,21 +1083,21 @@ "@jridgewell/resolve-uri" "3.1.0" "@jridgewell/sourcemap-codec" "1.4.14" -"@lerna/child-process@7.3.0": - version "7.3.0" - resolved "https://registry.yarnpkg.com/@lerna/child-process/-/child-process-7.3.0.tgz#c56488a8a881f22a64793bf9339c5a2450a18559" - integrity sha512-rA+fGUo2j/LEq6w1w8s6oVikLbJTWoIDVpYMc7bUCtwDOUuZKMQiRtjmpavY3fTm7ltu42f4AKflc2A70K4wvA== +"@lerna/child-process@7.4.2": + version "7.4.2" + resolved "https://registry.yarnpkg.com/@lerna/child-process/-/child-process-7.4.2.tgz#a2fd013ac2150dc288270d3e0d0b850c06bec511" + integrity sha512-je+kkrfcvPcwL5Tg8JRENRqlbzjdlZXyaR88UcnCdNW0AJ1jX9IfHRys1X7AwSroU2ug8ESNC+suoBw1vX833Q== dependencies: chalk "^4.1.0" execa "^5.0.0" strong-log-transformer "^2.1.0" -"@lerna/create@7.3.0": - version "7.3.0" - resolved "https://registry.yarnpkg.com/@lerna/create/-/create-7.3.0.tgz#5438c231f617b8e825731390d394f8684af471d5" - integrity sha512-fjgiKjg9VXwQ4ZKKsrXICEKRiC3yo6+FprR0mc55uz0s5e9xupoSGLobUTTBdE7ncNB3ibqml8dfaAn/+ESajQ== +"@lerna/create@7.4.2": + version "7.4.2" + resolved "https://registry.yarnpkg.com/@lerna/create/-/create-7.4.2.tgz#f845fad1480e46555af98bd39af29571605dddc9" + integrity sha512-1wplFbQ52K8E/unnqB0Tq39Z4e+NEoNrpovEnl6GpsTUrC6WDp8+w0Le2uCBV0hXyemxChduCkLz4/y1H1wTeg== dependencies: - "@lerna/child-process" "7.3.0" + "@lerna/child-process" "7.4.2" "@npmcli/run-script" "6.0.2" "@nx/devkit" ">=16.5.1 < 17" "@octokit/plugin-enterprise-rest" "6.0.1" 
@@ -2878,10 +2878,10 @@ content-type@~1.0.4, content-type@~1.0.5: resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.5.tgz#8b773162656d1d1086784c8f23a54ce6d73d7918" integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA== -conventional-changelog-angular@6.0.0: - version "6.0.0" - resolved "https://registry.yarnpkg.com/conventional-changelog-angular/-/conventional-changelog-angular-6.0.0.tgz#a9a9494c28b7165889144fd5b91573c4aa9ca541" - integrity sha512-6qLgrBF4gueoC7AFVHu51nHL9pF9FRjXrH+ceVf7WmAfH3gs+gEYOkvxhjMPjZu57I4AGUGoNTY8V7Hrgf1uqg== +conventional-changelog-angular@7.0.0: + version "7.0.0" + resolved "https://registry.yarnpkg.com/conventional-changelog-angular/-/conventional-changelog-angular-7.0.0.tgz#5eec8edbff15aa9b1680a8dcfbd53e2d7eb2ba7a" + integrity sha512-ROjNchA9LgfNMTTFSIWPzebCwOGFdgkEq45EnvvrmSLvCtAw0HSmrCs7/ty+wAeYUZyNay0YMUNYFTRL72PkBQ== dependencies: compare-func "^2.0.0" @@ -5457,13 +5457,13 @@ kleur@^3.0.3: resolved "https://registry.yarnpkg.com/kleur/-/kleur-3.0.3.tgz#a79c9ecc86ee1ce3fa6206d1216c501f147fc07e" integrity sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w== -lerna@^7.1.3: - version "7.3.0" - resolved "https://registry.yarnpkg.com/lerna/-/lerna-7.3.0.tgz#efecafbdce15694e2f6841256e073a3a2061053e" - integrity sha512-Dt8TH+J+c9+3MhTYcm5OxnNzXb87WG7GPNj3kidjYJjJY7KxIMDNU37qBTYRWA1h3wAeNKBplXVQYUPkGcYgkQ== +lerna@^7.4.2: + version "7.4.2" + resolved "https://registry.yarnpkg.com/lerna/-/lerna-7.4.2.tgz#03497125d7b7c8d463eebfe17a701b16bde2ad09" + integrity sha512-gxavfzHfJ4JL30OvMunmlm4Anw7d7Tq6tdVHzUukLdS9nWnxCN/QB21qR+VJYp5tcyXogHKbdUEGh6qmeyzxSA== dependencies: - "@lerna/child-process" "7.3.0" - "@lerna/create" "7.3.0" + "@lerna/child-process" "7.4.2" + "@lerna/create" "7.4.2" "@npmcli/run-script" "6.0.2" "@nx/devkit" ">=16.5.1 < 17" "@octokit/plugin-enterprise-rest" "6.0.1" 
@@ -5473,7 +5473,7 @@ lerna@^7.1.3: clone-deep "4.0.1" cmd-shim "6.0.1" columnify "1.6.0" - conventional-changelog-angular "6.0.0" + conventional-changelog-angular "7.0.0" conventional-changelog-core "5.0.1" conventional-recommended-bump "7.0.1" cosmiconfig "^8.2.0"
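Review bot: the `prepare` gate in rc-publish.yml now trusts `git show -s --format='%an'`, which is the free-form author name stored in the commit, so any commit that lands on master with `user.name` set to `github-actions[bot]` and an `rc` somewhere in its subject unlocks a publish with `NPM_TOKEN`. The replaced `curl .../commits/$COMMIT_SHA | yq '.author.login'` at least resolved to a GitHub account; if the API call was dropped for rate-limit or token reasons, check the signature instead, since the automation commits are signed with `SVC_GPG_KEY` (`git verify-commit HEAD` against that public key, or `git show -s --format='%G?'` and require `G`). `contains(needs.check_author.outputs.commit_message, 'rc')` is also only a substring test: subjects such as "Fix force publish" contain `rc` as well. stable-publish.yml already reads the version from `lerna.json` for its gate; match the version string there rather than the subject.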
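Review bot: in the renamed publish steps, `tag_ref=${{ steps.get_version.outputs.rc_version }}` is `v1.55.0-rc.0`, not `refs/tags/v1.55.0-rc.0`, so `tag_version=${tag_ref#refs/tags/v}` strips nothing and `lerna publish` receives the version with its leading `v`; `${tag_ref#v}` is what the new output needs, and the same line survives in stable-publish.yml with `stable_version`. The `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` added to `Create and push tag` is not read by `git push`; the push authenticates with the credential that `actions/checkout` persisted, so either drop the env block or make the identity used for the tag push explicit.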
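Review bot: `verify-packages` in rc-push.yml, and the identical job in stable-push.yml, requests `id-token: write` and `contents: write` but only checks out, builds, tests and runs `lerna changed`; nothing in the job signs, pushes or publishes. With `permissions: read-all` already declared at the workflow level, remove both grants so the build-and-test job stays read-only, and leave `contents: write` / `pull-requests: write` to `commit-push`, which is the job that needs them.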
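Review bot: `commit-push` in rc-push.yml interpolates `${{ needs.verify-packages.outputs.latest_tag }}` and `${{ steps.update_version.outputs.rc_version }}` straight into `run:` scripts (`if [[ ${{ ... }} != *"rc"* ]]` and `CURRENT_VERSION=$(echo "${{ ... }}" | sed 's/^v//')`). `latest_tag` is whatever `git describe --tags --match "v*"` returns, so anyone who can push a `v*` tag chooses that text, and the expression is substituted before bash parses the script. Map both values through `env:` (for example `LATEST_TAG: ${{ needs.verify-packages.outputs.latest_tag }}`) and reference `"$LATEST_TAG"` in the script. Separately, the comment above `permissions:` says the default `GITHUB_TOKEN` is being given write access to push, but the checkout uses `token: ${{ secrets.SAI_PAT }}`, so the branch push actually happens with the PAT; state why the PAT is needed (branch protection, or so the push triggers other workflows) or drop it so the comment is accurate.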
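Review bot: the `Verify version` step in rc-push.yml rejects the `prerelease` path the previous step deliberately takes. When `latest_tag` already contains `rc`, `yarn versionup:prerelease` moves `1.55.0-rc.0` to `1.55.0-rc.1`, so `NEW_MINOR == CURRENT_MINOR` and `(( NEW_MINOR != CURRENT_MINOR + 1 ))` exits 1; only the `preminor` branch can ever pass. Make the expected delta depend on the same `*"rc"*` test (minor +1 for preminor, minor unchanged and the rc counter +1 for prerelease), or compare the full versions with a semver tool instead of `cut -d. -f2`.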
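Review bot: the two publish gates read identity from different sources and neither obviously matches what the push workflows produce. stable-publish.yml keeps the REST lookup (`yq '.author.login'` is still in the context lines), rc-publish.yml switches to `git show -s --format='%an'`, both compare against `'github-actions[bot]'`, while the PRs raised by rc-push.yml (opened with `SAI_PAT`) and stable-push.yml (opened with `GITHUB_TOKEN`) commit as `svc-gh-is-01 <116854830+svc-gh-is-01@users.noreply.github.com>`. Which login the merged commit carries depends on the merge strategy and on which token opened the PR (a plain merge commit carries the human merger, not a bot), so confirm it for both workflows, use the same lookup in both files, and document the merge strategy the gate assumes. The `check_author` output named `get_version` would also read better as `version`.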
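Review bot: `commit-push` in stable-push.yml lacks the `Import GPG key` step and the `token: ${{ secrets.SAI_PAT }}` checkout that rc-push.yml has, so stable version-bump commits are unsigned and pushed with `GITHUB_TOKEN` even though `committer`/`author` declare `svc-gh-is-01`; if signed commits are enforced on the branch, that PR will not be mergeable. The step named `Commit changes` (`id: update_version`) only reads `lerna.json`, so name it like rc-push's `get latest version`, and add the same `Use node@16` setup step so both workflows compute the version with a pinned node rather than whatever the runner image ships.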
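Review bot: the `.gitignore` hunk adds `.nx` two lines above an existing `.nx` entry (visible in the trailing context after `.DS_Store`); drop the new line rather than carrying a duplicate.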
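Review bot: the README badge hunk pairs the Stable badge with `stable-push.yml` (the workflow that raises the version PR) but the RC badge with `rc-publish.yml` (the workflow that publishes to npm), so the two badges report different stages of the release; pick the same stage for both. The link targets still go to `github.com/OpenZeppelin/defender/actions/...` while the badge images come from `OpenZeppelin/defender-client`; since these lines are being rewritten anyway, point the links at the same repository as the images.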
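Review bot: in package.json `--force-publish` moves from the `lerna publish` options into `versionup:preminor` and `versionup:prerelease` but not into `versionup:stableminor`, which at the same time changes from `patch` to `minor`. The rc bumps therefore version every package regardless of `lerna changed`, while the stable bump versions only changed packages; if that asymmetry is intended, say so in a comment, otherwise add the flag to the stable script too. `yarn versionup:rcminor preminor --force-publish` also relies on yarn forwarding the trailing arguments to the wrapped `lerna version` command, which is yarn classic behaviour (consistent with the `yarn.lock` format here) and worth noting next to the script.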