Skip to content

Update workflows to use MetaMask/action-checkout-and-setup #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mrtenz merged 2 commits into from
Mar 31, 2025
Merged

Update workflows to use MetaMask/action-checkout-and-setup #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a25f937
Update workflows to use `MetaMask/action-checkout-and-setup`
Mrtenz Mar 31, 2025
a32a2e3
Update .github/workflows/publish-release.yml
Mrtenz Mar 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 38 additions & 40 deletions .github/workflows/build-lint-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,29 +7,30 @@ jobs:
prepare:
name: Prepare
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install Yarn dependencies
run: yarn --immutable
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
cache-node-modules: ${{ matrix.node-version == '22.x' }}

build:
name: Build
needs: prepare
runs-on: ubuntu-latest
needs:
- prepare
strategy:
matrix:
node-version: [22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- run: yarn --immutable --immutable-cache
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
- run: yarn build
- name: Require clean working directory
shell: bash
Expand All @@ -41,17 +42,17 @@ jobs:

lint:
name: Lint
needs: prepare
runs-on: ubuntu-latest
needs:
- prepare
strategy:
matrix:
node-version: [22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- run: yarn --immutable --immutable-cache
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
- run: yarn lint
- name: Validate RC changelog
if: ${{ startsWith(github.head_ref, 'release/') }}
Expand All @@ -69,20 +70,17 @@ jobs:

test:
name: Test
needs: prepare
runs-on: ubuntu-latest
needs:
- prepare
strategy:
matrix:
node-version: [18.x, 20.x]
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
cache: 'yarn'
- run: yarn --immutable --immutable-cache
- run: yarn test
- name: Require clean working directory
shell: bash
Expand All @@ -94,25 +92,25 @@ jobs:

compatibility-test:
name: Compatibility test
needs: prepare
runs-on: ubuntu-latest
needs:
- prepare
strategy:
matrix:
node-version: [18.x, 20.x]
node-version: [18.x, 20.x, 22.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: false
node-version: ${{ matrix.node-version }}
cache: 'yarn'
- run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn
- name: Install dependencies via Yarn
run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn
- run: yarn test
- name: Restore lockfile
run: git restore yarn.lock
- name: Require clean working directory
shell: bash
run: |
git restore yarn.lock
if ! git diff --exit-code; then
echo "Working tree dirty at end of job"
exit 1
Expand Down
21 changes: 11 additions & 10 deletions .github/workflows/create-release-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,21 +21,22 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
# This is to guarantee that the most recent tag is fetched.
# This can be configured to a more reasonable value by consumers.
is-high-risk-environment: true

# This is to guarantee that the most recent tag is fetched. This can
# be configured to a more reasonable value by consumers.
fetch-depth: 0

# We check out the specified branch, which will be used as the base
# branch for all git operations and the release PR.
ref: ${{ github.event.inputs.base-branch }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
- uses: MetaMask/action-create-release-pr@v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: MetaMask/action-create-release-pr@v4
with:
release-type: ${{ github.event.inputs.release-type }}
release-version: ${{ github.event.inputs.release-version }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
18 changes: 17 additions & 1 deletion .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,10 @@ jobs:
name: Check workflows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: false
- name: Download actionlint
id: download-actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23
Expand All @@ -19,6 +22,18 @@ jobs:
run: ${{ steps.download-actionlint.outputs.executable }} -color
shell: bash

analyse-code:
name: Code scanner
needs: check-workflows
uses: ./.github/workflows/security-code-scanner.yml
permissions:
actions: read
contents: read
security-events: write
secrets:
SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}

build-lint-test:
name: Build, lint, and test
uses: ./.github/workflows/build-lint-test.yml
Expand All @@ -28,6 +43,7 @@ jobs:
runs-on: ubuntu-latest
needs:
- check-workflows
- analyse-code
- build-lint-test
outputs:
PASSED: ${{ steps.set-output.outputs.PASSED }}
Expand Down
11 changes: 3 additions & 8 deletions .github/workflows/publish-docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,10 @@ jobs:
- name: Ensure `destination_dir` is not empty
if: ${{ inputs.destination_dir == '' }}
run: exit 1
- name: Checkout the repository
uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install npm dependencies
run: yarn --immutable
is-high-risk-environment: true
- name: Run build script
run: yarn build:docs
- name: Deploy to `${{ inputs.destination_dir }}` directory of `gh-pages` branch
Expand Down
64 changes: 29 additions & 35 deletions .github/workflows/publish-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,75 +9,69 @@ on:
required: true
PUBLISH_DOCS_TOKEN:
required: true

jobs:
publish-release:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
ref: ${{ github.sha }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
- uses: MetaMask/action-publish-release@v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install
run: |
yarn install
yarn build
- uses: actions/cache@v3
id: restore-build
- run: yarn build
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: publish-release-artifacts-${{ github.sha }}
retention-days: 4
include-hidden-files: true
path: |
./dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}

publish-npm-dry-run:
runs-on: ubuntu-latest
needs: publish-release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
ref: ${{ github.sha }}
- uses: actions/cache@v3
id: restore-build
- name: Restore build artifacts
uses: actions/download-artifact@v4
with:
path: |
./dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}
name: publish-release-artifacts-${{ github.sha }}
- name: Dry Run Publish
# omit npm-token token to perform dry run publish
uses: MetaMask/action-npm-publish@v4
uses: MetaMask/action-npm-publish@v5
with:
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
subteam: S042S7RE4AE # @metamask-npm-publishers
env:
SKIP_PREPACK: true

publish-npm:
environment: npm-publish
runs-on: ubuntu-latest
needs: publish-npm-dry-run
runs-on: ubuntu-latest
environment: npm-publish
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
ref: ${{ github.sha }}
- uses: actions/cache@v3
id: restore-build
- name: Restore build artifacts
uses: actions/download-artifact@v4
with:
path: |
./dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}
name: publish-release-artifacts-${{ github.sha }}
- name: Publish
uses: MetaMask/action-npm-publish@v2
uses: MetaMask/action-npm-publish@v5
with:
# This `NPM_TOKEN` needs to be manually set per-repository.
# Look in the repository settings under "Environments", and set this token in the `npm-publish` environment.
Expand All @@ -86,8 +80,8 @@ jobs:
SKIP_PREPACK: true

get-release-version:
runs-on: ubuntu-latest
needs: publish-npm
runs-on: ubuntu-latest
outputs:
RELEASE_VERSION: ${{ steps.get-release-version.outputs.RELEASE_VERSION }}
steps:
Expand All @@ -99,8 +93,8 @@ jobs:
run: ./scripts/get.sh ".version" "RELEASE_VERSION"

publish-release-to-gh-pages:
needs: get-release-version
name: Publish docs to `${{ needs.get-release-version.outputs.RELEASE_VERSION }}` directory of `gh-pages` branch
needs: get-release-version
permissions:
contents: write
uses: ./.github/workflows/publish-docs.yml
Expand All @@ -110,8 +104,8 @@ jobs:
PUBLISH_DOCS_TOKEN: ${{ secrets.PUBLISH_DOCS_TOKEN }}

publish-release-to-latest-gh-pages:
needs: publish-npm
name: Publish docs to `latest` directory of `gh-pages` branch
needs: publish-npm
permissions:
contents: write
uses: ./.github/workflows/publish-docs.yml
Expand Down
15 changes: 8 additions & 7 deletions .github/workflows/security-code-scanner.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,24 @@
name: MetaMask Security Code Scanner

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_call:
secrets:
SECURITY_SCAN_METRICS_TOKEN:
required: false
APPSEC_BOT_SLACK_WEBHOOK:
required: false
workflow_dispatch:

jobs:
run-security-scan:
name: Run security scan
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: MetaMask Security Code Scanner
- name: Analyse code
uses: MetaMask/action-security-code-scanner@v1
with:
repo: ${{ github.repository }}
Expand Down
Loading