From 93e67e5ba15ba43d7bf901b99b85c7669bcba92c Mon Sep 17 00:00:00 2001
From: avivkeller
Date: Tue, 3 Jun 2025 09:43:28 -0400
Subject: [PATCH] feat(cicd): release-please

---
 .github/workflows/lint-pr-title.yml | 26 +++++
 .github/workflows/publish-packages.yml | 141 -------------------------
 .github/workflows/release-please.yml | 72 +++++++++++++
 release-please-config.json | 8 ++
 4 files changed, 106 insertions(+), 141 deletions(-)
 create mode 100644 .github/workflows/lint-pr-title.yml
 delete mode 100644 .github/workflows/publish-packages.yml
 create mode 100644 .github/workflows/release-please.yml
 create mode 100644 release-please-config.json

diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
new file mode 100644
index 0000000000000..12774f8ea3e2c
--- /dev/null
+++ b/.github/workflows/lint-pr-title.yml
@@ -0,0 +1,26 @@
+name: 'Lint PR'
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
+
+permissions: {}
+
+jobs:
+  validate-pr:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Validate PR title
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml
deleted file mode 100644
index 57c766d89d909..0000000000000
--- a/.github/workflows/publish-packages.yml
+++ /dev/null
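Review bot: The `Validate PR title` step at the end of the lint-pr-title.yml hunk passes no token; as far as I recall, `amannn/action-semantic-pull-request` reads `env.GITHUB_TOKEN` to fetch the PR and fails without it. Add `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under that step — with `permissions: {}` at the top and only `pull-requests: read` / `contents: read` on the job, that token stays read-only, which is the right posture for a `pull_request_target` workflow. The trigger is safe here only because the job never checks out or executes PR code, so a comment above `pull_request_target:` such as `# pull_request_target runs with base-repo secrets: this job must never check out or run PR code` would stop a later edit from adding a checkout step.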
@@ -1,141 +0,0 @@
-name: Publish Packages
-
-# This workflow publishes packages to npm when changes are merged to main branch or when manually triggered.
-
-on:
-  push:
-    paths:
-      - 'packages/**'
-    # For security reasons, this should never be set to anything but `main`
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      package:
-        description: 'Specific package to publish (leave empty for all packages)'
-        required: false
-        type: string
-
-permissions:
-  contents: read
-
-env:
-  COMMIT_SHA: ${{ github.sha }}
-
-jobs:
-  prepare-packages:
-    runs-on: ubuntu-latest
-    outputs:
-      # Output the matrix of packages to publish for use in the publish job
-      matrix: ${{ steps.generate-matrix.outputs.matrix }}
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - name: Verify commit authenticity
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Get commit data from GitHub API to verify its authenticity
-          COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA)
-          # Check if commit signature is verified (GPG signed)
-          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
-          # Check if commit was made through GitHub's web interface (merge queue)
-          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
-
-          # Security checks to ensure we only publish from verified and trusted sources
-          if [[ "$VERIFIED" != "true" ]]; then
-            echo "❌ Unverified commit! Aborting."
-            exit 1
-          fi
-
-          if [[ "$COMMITTER" != "noreply@github.com" ]]; then
-            echo "❌ Not merged with the merge queue! Aborting."
-            exit 1
-          fi
-
-          echo "✅ Commit is verified and trusted."
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 2 # Need at least 2 commits to detect changes between commits
-
-      - name: Generate package matrix
-        id: generate-matrix
-        env:
-          PACKAGE: ${{ github.event.inputs.package }}
-          EVENT_NAME: ${{ github.event_name }}
-        run: |
-          if [ -n "$PACKAGE" ]; then
-            # If a specific package is requested via workflow_dispatch, just publish that one
-            echo "matrix={\"package\":[\"$PACKAGE\"]}" >> $GITHUB_OUTPUT
-          else
-            # Otherwise, identify all packages with changes since the last commit
-            CHANGED_PACKAGES=()
-            for pkg in $(ls -d packages/*); do
-              PKG_NAME=$(basename "$pkg")
-              # For manual runs, include all packages. For automatic runs, only include packages with changes
-              if [ "$EVENT_NAME" == "workflow_dispatch" ] || ! git diff --quiet $COMMIT_SHA~1 $COMMIT_SHA -- "$pkg/"; then
-                CHANGED_PACKAGES+=("$PKG_NAME")
-              fi
-            done
-
-            # Format the output for GitHub Actions matrix using jq
-            PACKAGES_JSON=$(jq -n '$ARGS.positional' --args "${CHANGED_PACKAGES[@]}" -c)
-            echo "matrix={\"package\":$PACKAGES_JSON}" >> $GITHUB_OUTPUT
-          fi
-
-  publish:
-    needs: prepare-packages
-    runs-on: ubuntu-latest
-    # Use the dynamic matrix from prepare-packages job to create parallel jobs for each package
-    strategy:
-      matrix: ${{ fromJson(needs.prepare-packages.outputs.matrix) }}
-      fail-fast: false # Continue publishing other packages even if one fails
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Set up pnpm
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
-        with:
-          cache: true
-
-      - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version-file: '.nvmrc'
-          registry-url: 'https://registry.npmjs.org'
-          cache: pnpm
-
-      - name: Publish
-        working-directory: packages/${{ matrix.package }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          # Create a unique version using the commit SHA as a prerelease identifier
-          # This ensures we can publish multiple times from the same codebase with unique versions
-          npm version --no-git-tag-version 1.0.1-$COMMIT_SHA
-          # Publish the package to the npm registry with public access flag
-          pnpm publish --access public --no-git-checks
-
-      - name: Notify on Manual Release
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
-        env:
-          SLACK_COLOR: '#43853D'
-          SLACK_ICON: https://github.com/nodejs.png?size=48
-          SLACK_TITLE: ':rocket: Package Published: ${{ matrix.package }}'
-          SLACK_MESSAGE: |
-            :package: *Package*: `${{ matrix.package }}` ()
-            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
-            :octocat: *Commit*:
-          SLACK_USERNAME: nodejs-bot
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000000000..4e43a7932bded
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,72 @@
+name: Release and Publish
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      paths_released: ${{ steps.create-release.outputs.paths_released }}
+      releases_created: ${{ steps.create-release.outputs.releases_created }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Create release with release-please
+        uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
+        id: create-release
+        with:
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+          release-type: node
+
+  publish:
+    name: Publish Packages
+    if: needs.release.outputs.releases_created == 'true'
+    runs-on: ubuntu-latest
+    needs: release
+    permissions:
+      contents: read
+      id-token: write # For provenance
+    strategy:
+      fail-fast: false
+      matrix:
+        path: ${{ fromJson(needs.release.outputs.paths_released) }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+
+      - name: Publish package with provenance
+        working-directory: ${{ matrix.path }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+        run: pnpm publish --access=public --provenance
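Review bot: `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` is a PAT that sidesteps the `permissions: {}` posture of this workflow, and nothing in the hunk says how narrow it is; add a comment such as `# fine-grained PAT scoped to this repo only: contents:write + pull-requests:write (needed so release PRs trigger CI)` so it is never minted broader than that. The same step also passes `release-type: node` while the commit adds `release-please-config.json`; as I recall, the v4 action switches to single-package mode whenever `release-type` is set and ignores the config, in which case `paths_released` would not list the three packages — dropping the `release-type: node` line and letting the config drive releases is worth verifying against the action's docs. The deleted workflow's signed-commit / merge-queue gate has no replacement here: the only gate is `if: needs.release.outputs.releases_created == 'true'`, which is true whenever a release PR is merged to `main`, so state that trust assumption in a comment on that line. Finally, `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` sits next to `id-token: write`; until the registry accepts the OIDC token directly, that secret should be a granular automation token limited to these packages, and the `harden-runner` v2.10.1 and `pnpm/action-setup` v4.0.0 pins are older than the v2.12.0 / v4.1.0 pins this commit deletes.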
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000000000..a555dab4c2fd2
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,8 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/refs/heads/main/schemas/config.json",
+  "packages": {
+    "packages/rehype-shiki": {},
+    "packages/i18n": {},
+    "packages/ui-components": {}
+  }
+}
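Review bot: This config enumerates three packages, but no `.release-please-manifest.json` appears in the diffstat; release-please's manifest mode reads the packages' current versions from that file, so either confirm the pinned action bootstraps cleanly without it or add one with the current versions before merging. The `$schema` URL points at `refs/heads/main` rather than a tagged release; that only affects editor validation, but a tag keeps the schema from changing under you.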