From a25f937ba7ab3fd5a433b6c5555de022e06d148a Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 31 Mar 2025 12:58:54 +0200 Subject: [PATCH 1/2] Update workflows to use `MetaMask/action-checkout-and-setup` --- .github/workflows/build-lint-test.yml | 78 ++++++++++----------- .github/workflows/create-release-pr.yml | 21 +++--- .github/workflows/main.yml | 18 ++++- .github/workflows/publish-docs.yml | 11 +-- .github/workflows/publish-release.yml | 65 ++++++++--------- .github/workflows/security-code-scanner.yml | 15 ++-- 6 files changed, 107 insertions(+), 101 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index cf43ffeb..2334065a 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -7,29 +7,30 @@ jobs: prepare: name: Prepare runs-on: ubuntu-latest + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install Yarn dependencies - run: yarn --immutable + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} + cache-node-modules: ${{ matrix.node-version == '22.x' }} build: name: Build + needs: prepare runs-on: ubuntu-latest - needs: - - prepare + strategy: + matrix: + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} - run: yarn build - name: Require clean working directory shell: bash 
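Review bot: In the `prepare` job, `cache-node-modules: ${{ matrix.node-version == '22.x' }}` repeats one matrix entry as a literal, so the next bump of the `node-version` matrix silently turns caching off with no error from the workflow. A comment above that line, `# Keep in sync with the node-version matrix above`, would make the coupling visible to whoever edits the matrix next. Whether the `18.x` and `20.x` variants of `prepare` still do useful work when nothing is cached for them depends on what the action does without `cache-node-modules`, which is not visible in this hunk.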
@@ -41,17 +42,17 @@ jobs: lint: name: Lint + needs: prepare runs-on: ubuntu-latest - needs: - - prepare + strategy: + matrix: + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} - run: yarn lint - name: Validate RC changelog if: ${{ startsWith(github.head_ref, 'release/') }} @@ -69,20 +70,17 @@ jobs: test: name: Test + needs: prepare runs-on: ubuntu-latest - needs: - - prepare strategy: matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - - run: yarn --immutable --immutable-cache - run: yarn test - name: Require clean working directory shell: bash 
@@ -94,25 +92,25 @@ jobs: compatibility-test: name: Compatibility test + needs: prepare runs-on: ubuntu-latest - needs: - - prepare strategy: matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - - run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn + - name: Install dependencies via Yarn + run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn - run: yarn test + - name: Restore lockfile + run: git restore yarn.lock - name: Require clean working directory shell: bash run: | - git restore yarn.lock if ! git diff --exit-code; then echo "Working tree dirty at end of job" exit 1 diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 344014af..5197d088 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml 
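Review bot: The `compatibility-test` job deliberately removes `yarn.lock` and installs with `YARN_ENABLE_IMMUTABLE_INSTALLS=false`, so it executes whatever dependency versions the registry currently resolves, including their install scripts, and nothing in the hunk records that this is why the job is marked `is-high-risk-environment: false` and must stay free of secrets. A comment above the install step, `# Resolves the newest in-range dependencies on purpose; keep this job secret-free`, would stop a later edit from reusing the job for a privileged task. The new `Restore lockfile` step is skipped when `yarn test` fails, which is harmless because the job fails either way. The `Require clean working directory` script continues past the end of the hunk.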
@@ -21,21 +21,22 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - # This is to guarantee that the most recent tag is fetched. - # This can be configured to a more reasonable value by consumers. + is-high-risk-environment: true + + # This is to guarantee that the most recent tag is fetched. This can + # be configured to a more reasonable value by consumers. fetch-depth: 0 + # We check out the specified branch, which will be used as the base # branch for all git operations and the release PR. ref: ${{ github.event.inputs.base-branch }} - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - uses: MetaMask/action-create-release-pr@v3 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - uses: MetaMask/action-create-release-pr@v4 with: release-type: ${{ github.event.inputs.release-type }} release-version: ${{ github.event.inputs.release-version }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8382408d..21493f84 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,7 +10,10 @@ jobs: name: Check workflows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: false - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23 
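Review bot: `check-workflows` in main.yml only needs the repository contents to run the downloaded `actionlint` binary, yet it now runs `MetaMask/action-checkout-and-setup@v1` in place of `actions/checkout@v4`; if that action also installs Node and the project's dependencies, as the steps it replaces in the other workflows did, this lint job executes the dependency tree's install scripts for no benefit. Unless the action offers an input to skip installation, keeping plain `actions/checkout@v4` for this job is the smaller footprint. In the create-release-pr hunk, `fetch-depth: 0` and `ref` are now passed to the composite action rather than to `actions/checkout` directly; the comment about fetching the most recent tag only holds if the action forwards both to its underlying checkout, which is worth confirming. The same hunk bumps `MetaMask/action-create-release-pr` from `v3` to `v4` without touching the job's `permissions`, so it is worth checking that v4 needs nothing beyond `contents: write` and `pull-requests: write`.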
@@ -19,6 +22,18 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash + analyse-code: + name: Code scanner + needs: check-workflows + uses: ./.github/workflows/security-code-scanner.yml + permissions: + actions: read + contents: read + security-events: write + secrets: + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + build-lint-test: name: Build, lint, and test uses: ./.github/workflows/build-lint-test.yml @@ -28,6 +43,7 @@ jobs: runs-on: ubuntu-latest needs: - check-workflows + - analyse-code - build-lint-test outputs: PASSED: ${{ steps.set-output.outputs.PASSED }} diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index dd1c3fa5..5e66e52c 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -21,15 +21,10 @@ jobs: - name: Ensure `destination_dir` is not empty if: ${{ inputs.destination_dir == '' }} run: exit 1 - - name: Checkout the repository - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install npm dependencies - run: yarn --immutable + is-high-risk-environment: true - name: Run build script run: yarn build:docs - name: Deploy to `${{ inputs.destination_dir }}` directory of `gh-pages` branch diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 778b47cb..ce04df5d 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
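Review bot: The new `analyse-code` job declares `needs: check-workflows`, so a failing actionlint run suppresses the security scan entirely instead of merely failing the build; the scan consumes nothing from `check-workflows`, so that line can be dropped and both jobs still gate `all-jobs-pass` through its `needs` list in the following hunk. The two forwarded secrets are declared optional by the callee, so pull requests from forks, where they are empty, still run the scan; a comment above `secrets:`, `# Optional: empty on fork PRs, the scan still runs`, would save the next reader a lookup. In the publish-docs hunk the job moves to `is-high-risk-environment: true`, which is consistent with the other publishing jobs in this patch.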
@@ -9,52 +9,48 @@ on: required: true PUBLISH_DOCS_TOKEN: required: true - jobs: publish-release: permissions: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Install - run: | - yarn install - yarn build - - uses: actions/cache@v3 - id: restore-build + - run: yarn --immutable + - run: yarn build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 with: + name: publish-release-artifacts-${{ github.sha }} + retention-days: 4 + include-hidden-files: true path: | ./dist ./node_modules/.yarn-state.yml - key: ${{ github.sha }} publish-npm-dry-run: - runs-on: ubuntu-latest needs: publish-release + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - uses: actions/cache@v3 - id: restore-build + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - path: | - ./dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + name: publish-release-artifacts-${{ github.sha }} - name: Dry Run Publish # omit npm-token token to perform dry run publish - uses: MetaMask/action-npm-publish@v4 + uses: MetaMask/action-npm-publish@v5 with: slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} subteam: S042S7RE4AE # @metamask-npm-publishers 
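Review bot: The `Upload build artifacts` step sets `include-hidden-files: true` only because `./node_modules/.yarn-state.yml` is a dotfile, and nothing says so; a comment such as `# hidden files enabled only for node_modules/.yarn-state.yml; keep the path list narrow` would discourage a later widening of `path` to a directory that could sweep `.npmrc` or similar into a downloadable artifact. Replacing the `actions/cache@v3` entry keyed on `github.sha` with upload/download-artifact is a sounder hand-off of `dist` to the publish jobs, since `download-artifact@v4` is limited to the current run by default. The `publish-npm-dry-run` job now also runs `MetaMask/action-checkout-and-setup@v1` before downloading the artifact even though the publish step presumably only needs the downloaded `dist`; if the action installs dependencies, that work is redundant in this job. The dry-run step's remaining inputs continue past the end of the hunk.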
@@ -62,22 +58,21 @@ jobs: SKIP_PREPACK: true publish-npm: - environment: npm-publish - runs-on: ubuntu-latest needs: publish-npm-dry-run + runs-on: ubuntu-latest + environment: npm-publish steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - uses: actions/cache@v3 - id: restore-build + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - path: | - ./dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + name: publish-release-artifacts-${{ github.sha }} - name: Publish - uses: MetaMask/action-npm-publish@v2 + uses: MetaMask/action-npm-publish@v5 with: # This `NPM_TOKEN` needs to be manually set per-repository. # Look in the repository settings under "Environments", and set this token in the `npm-publish` environment. @@ -86,8 +81,8 @@ jobs: SKIP_PREPACK: true get-release-version: - runs-on: ubuntu-latest needs: publish-npm + runs-on: ubuntu-latest outputs: RELEASE_VERSION: ${{ steps.get-release-version.outputs.RELEASE_VERSION }} steps: @@ -99,8 +94,8 @@ jobs: run: ./scripts/get.sh ".version" "RELEASE_VERSION" publish-release-to-gh-pages: - needs: get-release-version name: Publish docs to `${{ needs.get-release-version.outputs.RELEASE_VERSION }}` directory of `gh-pages` branch + needs: get-release-version permissions: contents: write uses: ./.github/workflows/publish-docs.yml @@ -110,8 +105,8 @@ jobs: PUBLISH_DOCS_TOKEN: ${{ secrets.PUBLISH_DOCS_TOKEN }} publish-release-to-latest-gh-pages: - needs: publish-npm name: Publish docs to `latest` directory of `gh-pages` branch + needs: publish-npm permissions: contents: write uses: ./.github/workflows/publish-docs.yml diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 9a32836b..ababbbeb 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml 
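Review bot: The `publish-npm` job, which runs under `environment: npm-publish` with the real `NPM_TOKEN`, previously executed only `actions/checkout` and a cache restore before publishing; it now also runs `MetaMask/action-checkout-and-setup@v1`, and if that action installs dependencies as the steps it replaces elsewhere did, install-time scripts from the whole dependency tree now execute inside the job that publishes to npm. The publish step sets `SKIP_PREPACK: true` (context in the following hunk) and works from the downloaded `dist`, so an install here appears unnecessary; if the action cannot skip it, plain `actions/checkout@v4` for this job and for `publish-npm-dry-run` keeps the surface as it was, and pinning whichever action is used to a full commit SHA rather than `@v1` makes the code running next to the token immutable and reviewable. Aligning both publish jobs on `MetaMask/action-npm-publish@v5` (they were at `v2` and `v4`) is a clear improvement. The remaining three hunks on this line only reorder job keys.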
@@ -1,23 +1,24 @@ name: MetaMask Security Code Scanner on: - push: - branches: - - main - pull_request: - branches: - - main + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false workflow_dispatch: jobs: run-security-scan: + name: Run security scan runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write steps: - - name: MetaMask Security Code Scanner + - name: Analyse code uses: MetaMask/action-security-code-scanner@v1 with: repo: ${{ github.repository }} From a32a2e397fd37dfa0b791a19928d57fe1fa42dd8 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 31 Mar 2025 13:35:49 +0200 Subject: [PATCH 2/2] Update .github/workflows/publish-release.yml Co-authored-by: Frederik Bolding --- .github/workflows/publish-release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index ce04df5d..b4872262 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -23,7 +23,6 @@ jobs: - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - run: yarn --immutable - run: yarn build - name: Upload build artifacts uses: actions/upload-artifact@v4
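Review bot: security-code-scanner.yml loses its own `push`/`pull_request` triggers on `main`, so the scan now runs only when main.yml's `analyse-code` job or a manual dispatch invokes it; if main.yml is not triggered on pushes to the default branch, which is not visible here, the code-scanning baseline for `main` stops being refreshed. A header comment, `# Reusable workflow: invoked from main.yml (analyse-code); also runnable via workflow_dispatch`, would make the new entry points explicit, and main.yml's trigger set is worth checking against the removed `push: branches: [main]`. The scanner step's other inputs continue past the end of the hunk. The second patch on this line drops `yarn --immutable` from `publish-release`, relying on the setup action to have installed dependencies before `yarn build`, which cannot be verified from the hunk.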