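# Release pipeline: validate the tag, test it, publish the attached VSIX to
# two marketplaces, then open a main-to-dev pull request.
#
# Hardening applied throughout this file:
#   * Values a person can influence (the release tag, the workflow_dispatch
#     input, the package.json version) reach shell scripts only through
#     `env:` and are expanded as quoted shell variables. An inline
#     `${{ ... }}` in a `run:` script is pasted into the script text before
#     the shell parses it, so shell metacharacters in the value would be
#     executed as commands.
#   * Marketplace tokens are exposed only to the step that publishes, and are
#     read from the environment rather than passed as command-line arguments.
#
# NOTE(review): actions are referenced by mutable tag (`@v4`). Pinning each
# one to a full commit SHA would stop a moved tag from changing what runs in
# the jobs that hold publishing secrets.
# NOTE(review): there is no workflow-level `permissions:` key, so every job
# except the last one gets the repository's default GITHUB_TOKEN scope.
# Confirm what run-tests.yml needs before restricting it here.
name: Publish Extension
on:
  release:
    # This limits the workflow to releases that are not pre-releases.
    # From the docs: A release was published, or a pre-release was changed
    # to a release.
    types: [released]
  # Button for publishing main branch in case there's a failure on the release.
  workflow_dispatch:
    inputs:
      tag:
        description: Tag to be published
        type: string
        required: true
jobs:
  validate-release-environment:
    runs-on: ubuntu-latest
    # The `publish` environment is inherited from the org level, and means the
    # job can't proceed until someone with appropriate permissions approves it.
    # NOTE(review): only this job names the environment; the publish jobs are
    # gated by their `needs` chain, and their secrets are read from `secrets.*`
    # rather than being shown here as environment-scoped - confirm that is
    # intended.
    environment: publish
    steps:
      # Check out the main branch and get its head commit as output for later.
      - uses: actions/checkout@v4
        with:
          ref: 'main'
      - id: get-main-head
        run: echo "COMMIT_ID=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      # Check out the tag to be released and get its head commit as output
      # for later.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name || inputs.tag }}
      - id: get-tag-head
        run: echo "COMMIT_ID=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      # If the two commits aren't identical, the tag isn't eligible for release.
      - name: Fail non-matching commits
        if: ${{ steps.get-main-head.outputs.COMMIT_ID != steps.get-tag-head.outputs.COMMIT_ID }}
        env:
          MAIN_HEAD: ${{ steps.get-main-head.outputs.COMMIT_ID }}
          TAG_HEAD: ${{ steps.get-tag-head.outputs.COMMIT_ID }}
        run: |
          echo "Tag commit must match latest commit in main branch. Branch head is ${MAIN_HEAD}. Tag head is ${TAG_HEAD}."
          exit 1
      # Get the `version` property from `package.json` as output for later.
      - name: Get package.json version property
        id: get-package-version
        run: |
          echo "PACKAGE_VERSION=$(jq -r '.version' package.json)" >> "$GITHUB_OUTPUT"
      - env:
          PACKAGE_VERSION: ${{ steps.get-package-version.outputs.PACKAGE_VERSION }}
        run: echo "Package Version is ${PACKAGE_VERSION}"
      # Verify that the tag is of the format "vX.Y.Z", exactly matching the
      # corresponding values in the `package.json` version property.
      - name: Compare tag to package.json
        env:
          TAG: ${{ github.event.release.tag_name || inputs.tag }}
          PACKAGE_VERSION: v${{ steps.get-package-version.outputs.PACKAGE_VERSION }}
        # Both sides are quoted: an unquoted right-hand side of `==` inside
        # `[[ ]]` is a glob pattern, so a version containing `*` would have
        # matched any tag.
        run: |
          [[ "${TAG}" == "${PACKAGE_VERSION}" ]] || (echo "Tag name must match package.json version, prefixed by lowercase v" && exit 1)
      # NOTE(review): the original job ends with the comment "Set other
      # miscellaneous environment variables as outputs for later." but no
      # step follows it.
  run-tests:
    name: 'Test against production scanner'
    needs: ['validate-release-environment']
    uses: ./.github/workflows/run-tests.yml
    with:
      # Before publishing, we want to test the extension against whatever
      # version of the scanner is currently live.
      use-scanner-tarball: false
  publish-vscode:
    name: 'Publish to VSCode Marketplace'
    needs: ['run-tests']
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
    steps:
      - name: Checkout the release tag
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name || inputs.tag }}
          token: ${{ env.GITHUB_TOKEN }}
      # Set up node and install dependencies.
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'
      # Dependency install scripts run here; the marketplace token is
      # deliberately not in scope for this step.
      - run: yarn install --frozen-lockfile
      # Download the .vsix attached to the release.
      # NOTE(review): what gets published is whatever .vsix is attached to
      # the release; nothing visible here checks that it was built from the
      # commit validated above.
      - name: Download Extension From Release
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          mkdir ./extensions
          gh release download "$RELEASE_TAG" -D ./extensions
      - name: Display downloaded VSIX
        run: ls -R ./extensions
      - name: Publish the VSIX
        env:
          # vsce reads its token from VSCE_PAT, which keeps the secret out of
          # the script text and out of the process argument list.
          VSCE_PAT: ${{ secrets.VSCE_PERSONAL_ACCESS_TOKEN }}
        run: find ./extensions -type f -name "*.vsix" -exec npx vsce publish --packagePath {} \;
      - run: echo "SUCCESSFULLY PUBLISHED"
  publish-openvsx:
    name: 'Publish to OpenVSX marketplace'
    needs: ['run-tests']
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
    steps:
      - name: Checkout the release tag
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name || inputs.tag }}
          token: ${{ env.GITHUB_TOKEN }}
      # Set up node and install dependencies.
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'
      # Dependency install scripts run here; the marketplace token is
      # deliberately not in scope for this step.
      - run: yarn install --frozen-lockfile
      # Download the .vsix attached to the release.
      - name: Download Extension From Release
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          mkdir ./extensions
          gh release download "$RELEASE_TAG" -D ./extensions
      - name: Display downloaded VSIX
        run: ls -R ./extensions
      - name: Publish the VSIX
        env:
          # ovsx reads its token from OVSX_PAT, which keeps the secret out of
          # the script text and out of the process argument list.
          OVSX_PAT: ${{ secrets.IDEE_OVSX_PAT }}
        run: find ./extensions -type f -name "*.vsix" -exec npx ovsx publish {} \;
      - run: echo "SUCCESSFULLY PUBLISHED"
  create-main2dev-pull-request:
    needs: [publish-openvsx, publish-vscode]
    runs-on: macos-latest
    env:
      GH_TOKEN: ${{ secrets.SVC_CLI_BOT_GITHUB_TOKEN }}
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Check out `main`
      - uses: actions/checkout@v4
        with:
          ref: 'main'
      # Create a new branch based on `main`, so that merge conflicts can be
      # resolved manually if need be.
      - run: |
          NEW_VERSION=$(jq -r ".version" package.json)
          git checkout -b "m2d/v$NEW_VERSION"
          git push --set-upstream origin "m2d/v$NEW_VERSION"
      # Download the VSIX attached to the release, get its SHA sum, and update
      # the SHA file accordingly.
      # NOTE(review): the digest is computed from the release asset after it
      # has been published, so it records what was shipped rather than
      # verifying it against an independently known value.
      - name: Download Extension From Release
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          mkdir ./extensions
          gh release download "$RELEASE_TAG" -D ./extensions
          find . -type f -name "*.vsix" -exec shasum -a 256 {} \; >> SHA_INFO
          SHA_INFO=$(cat SHA_INFO)
          cat templates/SHA256.md > SHA256.md
          sed -i -e "s|<<SHA_VALUE>>|$SHA_INFO|g" SHA256.md
      # Use the GraphQL API to create a signed commit that updates SHA256.md
      # as appropriate
      - run: |
          # GraphQL needs to know what branch to push to.
          BRANCH=$(git rev-parse --abbrev-ref HEAD)
          # GraphQL needs a message for the commit.
          NEW_VERSION=$(jq -r ".version" package.json)
          MESSAGE="Updating SHA256.md after $NEW_VERSION release"
          # GraphQL needs the latest version of the file we changed, as a Base64 encoded string.
          NEW_SHA256="$(cat SHA256.md | base64)"
          # expectedHeadOid makes the commit fail if the branch moved since checkout.
          gh api graphql -F message="$MESSAGE" -F branch="$BRANCH" -F newSha="$NEW_SHA256" \
          -F oldOid="$(git rev-parse HEAD)" -f query='
          mutation ($message: String!, $branch: String!, $newSha: Base64String!, $oldOid: GitObjectID!) {
          createCommitOnBranch(input: {
          branch: {
          repositoryNameWithOwner: "forcedotcom/sfdx-code-analyzer-vscode",
          branchName: $branch
          },
          message: {
          headline: $message
          },
          fileChanges: {
          additions: [
          {
          path: "SHA256.md",
          contents: $newSha
          }
          ]
          },
          expectedHeadOid: $oldOid
          }) {
          commit {
          id
          }
          }
          }'
      # Create the pull request between branches
      - run: |
          NEW_VERSION=$(jq -r ".version" package.json)
          # The version of 'echo' on GHAs doesn't process backslash escapes by default.
          # The non-POSIX-standard -e flag causes it to do that.
          echo -e "This branch and PR were automatically created following the successful release of v$NEW_VERSION.\n\
          It must be MERGED into dev, NOT SQUASHED OR REBASED. Squashing or rebasing this branch onto dev can cause potentially irreconcilable merge conflicts later.\n\
          As an additional safeguard and reminder, the title of this PR MUST include the word 'merging' in the description portion of the PR title, e.g., 'Main2Dev @W-XXXXXX@ Merging main to dev after vX.Y.Z'.\n\
          If there are conflicts between dev and this branch, you should do the following locally:\n\
          - $ git checkout dev\n\
          - $ git pull\n\
          - $ git fetch --all\n\
          - $ git checkout m2d/v$NEW_VERSION\n\
          - $ git pull origin dev --no-rebase # You MUST include this flag, or someone's day will be ruined.\n\
          - Resolve the merge conflicts manually. When in doubt, ask the code's author for help.\n\
          - $ git commit\n\
          - $ git push" > body.txt
          # Create the pull request
          gh pr create -B dev -H "m2d/v$NEW_VERSION" --title "Filler title. Read description and rename." -F body.txt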