diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-lint-test.yml similarity index 96% rename from .github/workflows/build-test.yml rename to .github/workflows/build-lint-test.yml index 1ff5a85d..6a3c122d 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -1,9 +1,7 @@ name: Build, Lint, and Test on: - push: - branches: [main] - pull_request: + workflow_call: jobs: build-lint-test: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..21493f84 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,93 @@ +name: Main + +on: + push: + branches: [main] + pull_request: + +jobs: + check-workflows: + name: Check workflows + runs-on: ubuntu-latest + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: false + - name: Download actionlint + id: download-actionlint + run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23 + shell: bash + - name: Check workflow files + run: ${{ steps.download-actionlint.outputs.executable }} -color + shell: bash + + analyse-code: + name: Code scanner + needs: check-workflows + uses: ./.github/workflows/security-code-scanner.yml + permissions: + actions: read + contents: read + security-events: write + secrets: + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + + build-lint-test: + name: Build, lint, and test + uses: ./.github/workflows/build-lint-test.yml + + all-jobs-completed: + name: All jobs completed + runs-on: ubuntu-latest + needs: + - check-workflows + - analyse-code + - build-lint-test + outputs: + PASSED: ${{ steps.set-output.outputs.PASSED }} + steps: + - name: Set PASSED output + id: set-output + run: echo "PASSED=true" >> "$GITHUB_OUTPUT" + + all-jobs-pass: + name: All jobs pass + if: ${{ always() }} + runs-on: ubuntu-latest + needs: all-jobs-completed + steps: + - name: Check that all jobs have passed + run: | + passed="${{ needs.all-jobs-completed.outputs.PASSED }}" + if [[ $passed != "true" ]]; then + exit 1 + fi + + is-release: + # Filtering by `push` events ensures that we only release from the `main` branch, which is a + # requirement for our npm publishing environment. + # The commit author should always be 'github-actions' for releases created by the + # 'create-release-pr' workflow, so we filter by that as well to prevent accidentally + # triggering a release. + if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions') + needs: all-jobs-pass + outputs: + IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }} + runs-on: ubuntu-latest + steps: + - uses: MetaMask/action-is-release@v1 + id: is-release + + publish-release: + needs: is-release + if: needs.is-release.outputs.IS_RELEASE == 'true' + name: Publish release + permissions: + contents: write + uses: ./.github/workflows/publish-release.yml + secrets: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + PUBLISH_DOCS_TOKEN: ${{ secrets.PUBLISH_DOCS_TOKEN }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 06f24438..46587154 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -1,32 +1,80 @@ name: Publish Release on: - pull_request: - types: [closed] - + workflow_call: + secrets: + NPM_TOKEN: + required: true + SLACK_WEBHOOK_URL: + required: true + PUBLISH_DOCS_TOKEN: + required: true jobs: publish-release: permissions: contents: write - if: | - github.event.pull_request.merged == true && - startsWith(github.event.pull_request.head.ref, 'release/') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: 'yarn' - - uses: MetaMask/action-publish-release@v1 + - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - run: yarn build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 + with: + name: publish-release-artifacts-${{ github.sha }} + retention-days: 4 + include-hidden-files: true + path: | + ./dist + ./node_modules/.yarn-state.yml + + publish-npm-dry-run: + needs: publish-release + runs-on: ubuntu-latest + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: true + ref: ${{ github.sha }} + - name: Restore build artifacts + uses: actions/download-artifact@v4 + with: + name: publish-release-artifacts-${{ github.sha }} + - name: Dry Run Publish + # omit npm-token token to perform dry run publish + uses: MetaMask/action-npm-publish@v5 + with: + slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} + subteam: S042S7RE4AE # @metamask-npm-publishers + env: + SKIP_PREPACK: true + + publish-npm: + needs: publish-npm-dry-run + runs-on: ubuntu-latest + environment: npm-publish + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: true + ref: ${{ github.sha }} + - name: Restore build artifacts + uses: actions/download-artifact@v4 + with: + name: publish-release-artifacts-${{ github.sha }} + - name: Publish + uses: MetaMask/action-npm-publish@v5 + with: + # This `NPM_TOKEN` needs to be manually set per-repository. + # Look in the repository settings under "Environments", and set this token in the `npm-publish` environment. + npm-token: ${{ secrets.NPM_TOKEN }} + env: + SKIP_PREPACK: true diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 9a32836b..ababbbeb 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -1,23 +1,24 @@ name: MetaMask Security Code Scanner on: - push: - branches: - - main - pull_request: - branches: - - main + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false workflow_dispatch: jobs: run-security-scan: + name: Run security scan runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write steps: - - name: MetaMask Security Code Scanner + - name: Analyse code uses: MetaMask/action-security-code-scanner@v1 with: repo: ${{ github.repository }} diff --git a/scripts/get.sh b/scripts/get.sh new file mode 100755 index 00000000..9c988bb8 --- /dev/null +++ b/scripts/get.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +set -e +set -u +set -o pipefail + +if [[ ${RUNNER_DEBUG:-0} == 1 ]]; then + set -x +fi + +KEY="${1}" +OUTPUT="${2}" + +if [[ -z $KEY ]]; then + echo "Error: KEY not specified." + exit 1 +fi + +if [[ -z $OUTPUT ]]; then + echo "Error: OUTPUT not specified." + exit 1 +fi + +echo "$OUTPUT=$(jq --raw-output "$KEY" package.json)" >> "$GITHUB_OUTPUT"