From 60561e8ffe47975586169bb09a9adff8cbc84f05 Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Wed, 27 Nov 2024 14:16:07 +0100 Subject: [PATCH 1/2] chore(ci): use github app instead of bot user --- .github/workflows/bump-packages.yaml | 51 +++++++-------- .github/workflows/check-test.yaml | 10 +-- .github/workflows/publish-packages.yaml | 84 ++++++++++++------------- .github/workflows/update-cidrs.yaml | 39 +++++------- 4 files changed, 85 insertions(+), 99 deletions(-) diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml index f8297678..3ebccd5c 100644 --- a/.github/workflows/bump-packages.yaml +++ b/.github/workflows/bump-packages.yaml @@ -10,25 +10,39 @@ jobs: name: Bump packages runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} + private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} + + - name: Get GitHub App User ID + id: get-user-id + run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + shell: bash + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + + - name: Set up Git + run: | + git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]' + git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>' + shell: bash + + - uses: actions/checkout@v4 with: # don't checkout a detatched HEAD ref: ${{ github.head_ref }} # this is important so git log can pick up on # the whole history to generate the list of AUTHORS - fetch-depth: '0' - - - name: Setup git - run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + fetch-depth: "0" - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: 20.x - cache: 'npm' + cache: "npm" - name: Install npm run: npm install -g npm@8 @@ -46,21 +60,4 @@ jobs: npm run bump-packages git add . git commit --no-allow-empty -m "chore(ci): bump packages" || true - - - name: Create Pull Request - id: cpr - uses: peter-evans/create-pull-request@v6 - with: - commit-message: 'chore(ci): bump packages' - branch: ci/bump-packages - title: 'chore(ci): bump packages' - body: | - - Bump package versions - - - name: Merge PR - if: ${{steps.cpr.outputs.pull-request-operation == 'created'}} - env: - PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}} - GITHUB_TOKEN: ${{secrets.PAT}} - run: | - gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch + git push diff --git a/.github/workflows/check-test.yaml b/.github/workflows/check-test.yaml index dfad7792..f8c0291a 100644 --- a/.github/workflows/check-test.yaml +++ b/.github/workflows/check-test.yaml @@ -46,15 +46,15 @@ jobs: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: 20.x - cache: 'npm' + cache: "npm" - name: Install npm run: npm install -g npm@8 @@ -62,9 +62,9 @@ jobs: - name: Use python@3.11 # Default Python (3.12) doesn't have support for distutils # https://github.com/nodejs/node-gyp/issues/2869 - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: - python-version: '3.11' + python-version: "3.11" - name: Install Dependencies run: | diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml index 8ed48e64..cd8c21a4 100644 --- a/.github/workflows/publish-packages.yaml +++ b/.github/workflows/publish-packages.yaml @@ -18,45 +18,45 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - with: - # don't checkout a detatched HEAD - ref: ${{ github.head_ref }} - - # this is important so git log has the whole history - fetch-depth: '0' - - - name: Setup git - run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" - - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version: 20.x - cache: 'npm' - - - name: Install npm - run: npm install -g npm@8 - - - name: Install Dependencies - run: | - npm run bootstrap-ci - shell: bash - - - name: "Publish what is not already in NPM" - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc - git update-index --assume-unchanged .npmrc - npm run publish-packages - - - name: "Publish tags" - run: | - npx lerna list -a --json | \ - jq -r '.[] | .name + "@" + .version' | \ - xargs -i sh -c "git tag -a {} -m {} || true" - git push --follow-tags - + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} + private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} + + - uses: actions/checkout@v4 + with: + # don't checkout a detatched HEAD + ref: ${{ github.head_ref }} + + # this is important so git log has the whole history + fetch-depth: "0" + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20.x + cache: "npm" + + - name: Install npm + run: npm install -g npm@8 + + - name: Install Dependencies + run: | + npm run bootstrap-ci + shell: bash + + - name: "Publish what is not already in NPM" + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc + git update-index --assume-unchanged .npmrc + npm run publish-packages + + - name: "Publish tags" + run: | + npx lerna list -a --json | \ + jq -r '.[] | .name + "@" + .version' | \ + xargs -i sh -c "git tag -a {} -m {} || true" + git push --follow-tags diff --git a/.github/workflows/update-cidrs.yaml b/.github/workflows/update-cidrs.yaml index bf2fe12a..91b717d8 100644 --- a/.github/workflows/update-cidrs.yaml +++ b/.github/workflows/update-cidrs.yaml @@ -11,15 +11,18 @@ jobs: name: Update automatically generated files runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/create-github-app-token@v1 + id: app-token with: - node-version: ^18.x - cache: 'npm' + app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} + private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} - - name: Install npm@8 - run: | - npm install -g npm@8 + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: ^20.x + cache: "npm" - name: Install Dependencies run: | @@ -31,22 +34,8 @@ jobs: - name: Update cidrs.json run: npm run -w packages/mongodb-cloud-info update-cidrs - - name: Create Pull Request - id: cpr - uses: peter-evans/create-pull-request@v6 - with: - commit-message: Update report - branch: ci/update-cidrs - title: 'chore: update cidrs.json' - add-paths: | - resources/cidrs.json - body: | - - Update `cidrs.json` - - - name: Merge PR - env: - PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}} - # NOTE: we don't use a PAT so to not trigger further automation - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Commit and push run: | - gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch \ No newline at end of file + git add resources/cidrs.json + git commit --no-allow-empty -m "chore: update cidrs.json [skip ci]" || true + git push From c40bedd5e21101edf8747f8d61d8e96de301de7d Mon Sep 17 00:00:00 2001 From: Nikola Irinchev Date: Wed, 27 Nov 2024 14:25:28 +0100 Subject: [PATCH 2/2] Cleanup --- .github/workflows/bump-packages.yaml | 16 +---- .github/workflows/codeql.yml | 80 ++++++++++++------------- .github/workflows/publish-packages.yaml | 3 +- .github/workflows/update-cidrs.yaml | 6 +- 4 files changed, 49 insertions(+), 56 deletions(-) diff --git a/.github/workflows/bump-packages.yaml b/.github/workflows/bump-packages.yaml index 3ebccd5c..ef8b700b 100644 --- a/.github/workflows/bump-packages.yaml +++ b/.github/workflows/bump-packages.yaml @@ -10,29 +10,17 @@ jobs: name: Bump packages runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main id: app-token with: app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} - - name: Get GitHub App User ID - id: get-user-id - run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - shell: bash - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - - - name: Set up Git - run: | - git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]' - git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>' - shell: bash - - uses: actions/checkout@v4 with: # don't checkout a detatched HEAD ref: ${{ github.head_ref }} + token: ${{ steps.app-token.outputs.token }} # this is important so git log can pick up on # the whole history to generate the list of AUTHORS diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 613448b8..f701e457 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,12 +13,12 @@ name: "CodeQL" on: push: - branches: [ "main" ] + branches: ["main"] pull_request: # The branches below must be a subset of the branches above - branches: [ "main" ] + branches: ["main"] schedule: - - cron: '30 14 * * 4' + - cron: "30 14 * * 4" jobs: analyze: @@ -33,53 +33,53 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'javascript-typescript' ] + language: ["javascript-typescript"] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] # Use only 'java' to analyze code written in Java, Kotlin or both # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - config: | - paths-ignore: - - '**/*.test.js' - - '**/*.spec.js' - - '**/*.test.ts' - - '**/*.spec.ts' - - '**/*.test.tsx' - - '**/*.spec.tsx' - - 'scripts/**' + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + config: | + paths-ignore: + - '**/*.test.js' + - '**/*.spec.js' + - '**/*.test.ts' + - '**/*.spec.ts' + - '**/*.test.tsx' + - '**/*.spec.tsx' + - 'scripts/**' - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml index cd8c21a4..a3f70f74 100644 --- a/.github/workflows/publish-packages.yaml +++ b/.github/workflows/publish-packages.yaml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main id: app-token with: app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} @@ -28,6 +28,7 @@ jobs: with: # don't checkout a detatched HEAD ref: ${{ github.head_ref }} + token: ${{ steps.app-token.outputs.token }} # this is important so git log has the whole history fetch-depth: "0" diff --git a/.github/workflows/update-cidrs.yaml b/.github/workflows/update-cidrs.yaml index 91b717d8..0e463c83 100644 --- a/.github/workflows/update-cidrs.yaml +++ b/.github/workflows/update-cidrs.yaml @@ -18,6 +18,10 @@ jobs: private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} - uses: actions/checkout@v4 + with: + # don't checkout a detatched HEAD + ref: ${{ github.head_ref }} + token: ${{ steps.app-token.outputs.token }} - uses: actions/setup-node@v4 with: @@ -27,7 +31,7 @@ jobs: - name: Install Dependencies run: | npm -v - npm i + npm ci # make sure precommit.js is compiled npm run bootstrap-ci -- --scope @mongodb-js/monorepo-tools --stream --include-dependencies