From 91447f8646ac085e09debd1279ab2dc89cdcc996 Mon Sep 17 00:00:00 2001 From: Michal Kinas <113341662+MichalKinas@users.noreply.github.com> Date: Thu, 27 Nov 2025 13:27:16 +0100 Subject: [PATCH] [ACS-10765] Switch to NPM trusted publishing (#11388) * [ACS-10765] Switch to NPM trusted publishing * [ACS-10765] CR fixes * [ACS-10765] Set NPM_TAG without github env usage * [ACS-10765] CR fixes * [ACS-10765] CR fix --- .github/actions/npm-check-bundle/action.yml | 3 + .github/actions/set-npm-tag/action.yml | 46 +++++---- .github/actions/setup/action.yml | 5 + .github/workflows/release-branch.yml | 108 -------------------- .github/workflows/release.yml | 26 +++-- .nvmrc | 2 +- lib/process-services-cloud/.nvmrc | 2 +- scripts/github/build/bumpversion.sh | 2 +- 8 files changed, 52 insertions(+), 142 deletions(-) delete mode 100644 .github/workflows/release-branch.yml diff --git a/.github/actions/npm-check-bundle/action.yml b/.github/actions/npm-check-bundle/action.yml index 131de31b0f..e3ab80bdcb 100644 --- a/.github/actions/npm-check-bundle/action.yml +++ b/.github/actions/npm-check-bundle/action.yml @@ -12,12 +12,15 @@ runs: steps: - name: load "NPM TAG" + id: set-npm-tag uses: ./.github/actions/set-npm-tag with: branch_name: ${{ inputs.branch_name }} - name: check npm bundle shell: bash id: sha_out + env: + TAG_NPM: ${{ steps.set-npm-tag.outputs.npm-tag }} run: | if [[ -z $TAG_NPM ]]; then echo "TAG_NPM not set, aborting" diff --git a/.github/actions/set-npm-tag/action.yml b/.github/actions/set-npm-tag/action.yml index fe6c5304ac..cbcc3a2195 100644 --- a/.github/actions/set-npm-tag/action.yml +++ b/.github/actions/set-npm-tag/action.yml 
@@ -2,38 +2,44 @@ name: "set npm tag" description: "se NPM tag" inputs: - event_name: - description: "override github.event_name" - required: false - default: ${{ github.event_name }} branch_name: description: "override GITHUB_REF_NAME" required: false default: ${{ github.ref_name }} +outputs: + npm-tag: + description: "NPM tag" + value: ${{ steps.set-npm-tag.outputs.npm-tag }} + runs: using: "composite" steps: - name: set TAG_NPM + id: set-npm-tag shell: bash env: BRANCH_NAME: ${{ inputs.branch_name }} run: | - TAG_NPM="alpha" - VERSION_IN_PACKAGE_JSON=$(node -p "require('./package.json')".version) - echo "version in package.json=${VERSION_IN_PACKAGE_JSON}" - if [[ $BRANCH_NAME =~ ^master(-patch.*)?$ ]]; then - # Pre-release versions - if [[ $VERSION_IN_PACKAGE_JSON =~ ^[0-9]*\.[0-9]*\.[0-9]*-A\.[0-9]*$ ]]; - then - TAG_NPM=next - # Stable major versions - else - TAG_NPM=latest - fi + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + TAG_NPM="branch" + else + TAG_NPM="alpha" + VERSION_IN_PACKAGE_JSON=$(node -p "require('./package.json')".version) + echo "version in package.json=${VERSION_IN_PACKAGE_JSON}" + if [[ $BRANCH_NAME =~ ^master(-patch.*)?$ ]]; then + # Pre-release versions + if [[ $VERSION_IN_PACKAGE_JSON =~ ^[0-9]*\.[0-9]*\.[0-9]*-A\.[0-9]*$ ]]; then + TAG_NPM=next + # Stable major versions + else + TAG_NPM=latest + fi + fi + if [[ $BRANCH_NAME =~ ^develop(-patch.*)?$ ]]; then + TAG_NPM=alpha + fi fi - if [[ $BRANCH_NAME =~ ^develop(-patch.*)?$ ]]; then - TAG_NPM=alpha - fi - echo "TAG_NPM=${TAG_NPM}" >> $GITHUB_ENV + echo "npm-tag=$TAG_NPM" >> $GITHUB_OUTPUT + echo "Computed tag: $TAG_NPM" diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 267b16d9fa..8233d155cc 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml 
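Review bot: The new `if [ "${{ github.event_name }}" == "workflow_dispatch" ]` line interpolates a workflow expression straight into the bash script, while the same step already passes `BRANCH_NAME` through `env:`; `github.event_name` is drawn from a fixed set of event names, so it is not an injection surface today, but the mixed style makes the script harder to audit for the cases that are. I would add `EVENT_NAME: ${{ github.event_name }}` under `env:` and test `if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then`, which also keeps the `[[ ]]` form used by the surrounding tests. The last new line should quote the output file, `echo "npm-tag=$TAG_NPM" >> "$GITHUB_OUTPUT"`, and the context line `description: "se NPM tag"` still carries its typo (`set NPM tag`).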
@@ -11,6 +11,10 @@ inputs: required: false type: boolean default: 'false' +outputs: + npm-tag: + description: 'NPM tag' + value: ${{ steps.set-npm-tag.outputs.npm-tag }} runs: using: "composite" steps: @@ -38,6 +42,7 @@ runs: node_modules-${{ runner.os }}-build- node_modules-${{ runner.os }}- - name: load "NPM TAG" + id: set-npm-tag uses: ./.github/actions/set-npm-tag - name: before install script uses: ./.github/actions/before-install diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml deleted file mode 100644 index 59f115fc4a..0000000000 --- a/.github/workflows/release-branch.yml +++ /dev/null 
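Review bot: The new `npm-tag` output in the first hunk is documented only as `'NPM tag'`, which tells a caller of `./.github/actions/setup` nothing about the values it can expect. Since the value is forwarded verbatim from the `set-npm-tag` step given an `id` in the second hunk, I would state the contract here: `description: 'npm dist-tag forwarded from set-npm-tag: alpha, next or latest derived from branch and version, or branch on workflow_dispatch'`. A consumer that builds a `--tag=` argument from it can then validate against that set without reading the nested action.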
@@ -1,108 +0,0 @@ -name: Release lib on branch -run-name: Release lib on branch ${{ github.ref_name }} - -on: - workflow_dispatch: - inputs: - dry-run-flag: - description: 'enable dry-run on artifact push' - required: false - type: boolean - default: true - -env: - BASE_REF: ${{ github.base_ref }} - HEAD_REF: ${{ github.head_ref }} - GH_COMMIT: ${{ github.sha }} - GH_BUILD_NUMBER: ${{ github.run_id }} - LOG_LEVEL: "ERROR" - NODE_OPTIONS: "--max-old-space-size=5120" - GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }} - -jobs: - setup: - timeout-minutes: 20 - name: "Setup" - runs-on: ubuntu-latest - steps: - - name: set TAG_NPM BRANCH - shell: bash - run: | - TAG_NPM="branch" - echo "Set TAG with name: ${TAG_NPM}" - echo "TAG_NPM=${TAG_NPM}" >> $GITHUB_ENV - - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - fetch-depth: 0 - - uses: ./.github/actions/setup - with: - enable-node-modules-cache: false - - name: install - run: | - npm ci - npm run bundle:js-api - npm run bundle:cli - - uses: ./.github/actions/upload-node-modules-and-artifacts - - release-npm: - needs: [setup] - timeout-minutes: 30 - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - fetch-depth: 0 - - uses: ./.github/actions/setup - with: - enable-node-modules-cache: false - - id: set-dryrun - uses: ./.github/actions/enable-dryrun - with: - dry-run-flag: ${{ inputs.dry-run-flag }} - - uses: ./.github/actions/download-node-modules-and-artifacts - - name: Set libraries versions - run: | - set -u; - ./scripts/update-version.sh -gnu || exit 1; - - name: Set migrations - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - script: | - const setMigrations = require('./scripts/github/release/set-migrations.js'); - setMigrations(); - - name: Build libraries - run: | - npm run 
build:libs - npm run build:schematics - - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - name: release libraries GH registry - with: - node-version-file: '.nvmrc' - registry-url: 'https://npm.pkg.github.com' - scope: '@alfresco' - - run: npm run publish -- --tag=branch || exit 1 - env: - NODE_AUTH_TOKEN: ${{ secrets.PAT_WRITE_PKG }} - - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - name: release libraries Npm registry - with: - node-version-file: '.nvmrc' - registry-url: 'https://${{ vars.NPM_REGISTRY_ADDRESS }}' - scope: '@alfresco' - - run: npm run publish -- --tag=branch || exit 1 - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_REGISTRY_TOKEN }} - - npm-check-bundle: - needs: [release-npm] - timeout-minutes: 15 - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - uses: ./.github/actions/npm-check-bundle diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7dc419a7a2..94a6683ab3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,6 +23,10 @@ on: - develop-patch* - master-patch* +permissions: + id-token: write # Required for OIDC + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false @@ -34,12 +38,11 @@ env: GH_BUILD_NUMBER: ${{ github.run_id }} LOG_LEVEL: "ERROR" NODE_OPTIONS: "--max-old-space-size=5120" - GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }} jobs: setup: timeout-minutes: 20 - if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' + if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' || github.event_name == 'workflow_dispatch' name: "Setup" runs-on: ubuntu-latest steps: 
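Review bot: The workflow-level `id-token: write` added in the `@@ -23` hunk of release.yml gives an OIDC-token-minting permission to every job that declares no `permissions:` block of its own, yet only `release-npm` publishes, and the later `@@ -62` hunk already grants `id-token: write` to that job directly. In this patch `setup` (below in this hunk) and `npm-check-bundle` (`@@ -152`) show no job-level `permissions:`, so they would inherit the broader grant, and any npm script running in those jobs could request a token in the repository's identity for no benefit. I would keep the workflow block to `contents: read` alone and drop `id-token: write # Required for OIDC` here; jobs with their own `permissions:` keep exactly what they declare, so `release-npm` is unaffected. If it stays, the comment should name the consumer, e.g. `# Required for npm trusted publishing (OIDC)`.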
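Review bot: `github.ref_name == 'master-patch-*'` on the new `if:` line is a plain string equality in the expression language, so the `*` is literal and this clause can never match a real `master-patch-…` branch; it is inherited from the old line, but the commit rewrites the same condition here and in the `@@ -62` and `@@ -152` hunks, and `startsWith(github.ref_name, 'master-patch-')` is what the intent reads as. This hunk also drops the workflow-level `GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}`; any step that still reads that variable (the `create-git-tag` job, whose body lies outside the hunks, is the likely candidate) now needs its own `env:` entry or will see it unset.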
@@ -62,9 +65,10 @@ jobs: outputs: release_version: ${{ steps.set-version.outputs.release_version }} timeout-minutes: 30 - if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' + if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: + id-token: write # Required for OIDC contents: read packages: write steps: @@ -72,7 +76,8 @@ jobs: uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 - - uses: ./.github/actions/setup + - id: setup + uses: ./.github/actions/setup with: enable-node-modules-cache: false - id: set-dryrun @@ -101,22 +106,21 @@ jobs: node-version-file: '.nvmrc' registry-url: 'https://npm.pkg.github.com' scope: '@alfresco' - - run: npm run publish -- --tag=$TAG_NPM || exit 1 + - run: npm run publish -- --tag=${{ steps.setup.outputs.npm-tag }} env: - NODE_AUTH_TOKEN: ${{ secrets.PAT_WRITE_PKG }} + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 name: release libraries Npm registry with: node-version-file: '.nvmrc' registry-url: 'https://${{ vars.NPM_REGISTRY_ADDRESS }}' scope: '@alfresco' - - run: npm run publish -- --tag=$TAG_NPM || exit 1 - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_REGISTRY_TOKEN }} + - run: npm run publish -- --tag=${{ steps.setup.outputs.npm-tag }} create-git-tag: runs-on: ubuntu-latest needs: [setup, release-npm] + if: github.event_name != 'workflow_dispatch' name: Create github tag permissions: contents: write 
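Review bot: The two new `run: npm run publish -- --tag=${{ steps.setup.outputs.npm-tag }}` lines in the `@@ -101` hunk splice a step output straight into the shell command; today the value comes from the fixed set computed in set-npm-tag, so it is not an injection surface, but routing it through `env:` (`NPM_TAG: ${{ steps.setup.outputs.npm-tag }}` and `--tag="$NPM_TAG"`) keeps this step safe if that action ever derives the tag from a branch name, and matches how npm-check-bundle consumes the same output. The second publish step now runs with no `NODE_AUTH_TOKEN` at all, which only works when `vars.NPM_REGISTRY_ADDRESS` resolves to a registry that honours the OIDC trusted-publishing flow and the npm CLI shipped with the bumped Node release supports it (presumably the reason for the `.nvmrc` change — worth confirming). A one-line comment above that step would spare the next reader the hunt: `# No NODE_AUTH_TOKEN: publishes via npm trusted publishing (OIDC, needs id-token: write on this job)`. `release-npm` starts in the `@@ -62` hunk and its remaining steps lie outside the `@@ -101` hunk.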
@@ -152,7 +156,7 @@ jobs: npm-check-bundle: needs: [release-npm] timeout-minutes: 15 - if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' + if: github.event.pull_request.merged == true || github.ref_name == 'master' || github.ref_name == 'master-patch-*' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest steps: - name: Checkout repository @@ -161,7 +165,7 @@ jobs: push-translation-keys-to-crowdin: name: Push translations keys to Crowdin - if: ${{ github.ref == 'refs/heads/develop' }} + if: github.ref_name == 'develop' && github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest needs: [setup] permissions: diff --git a/.nvmrc b/.nvmrc index 7d41c735d7..9e2934aa34 100644 --- a/.nvmrc +++ b/.nvmrc @@ -1 +1 @@ -22.14.0 +24.11.1 diff --git a/lib/process-services-cloud/.nvmrc b/lib/process-services-cloud/.nvmrc index 7d41c735d7..9e2934aa34 100644 --- a/lib/process-services-cloud/.nvmrc +++ b/lib/process-services-cloud/.nvmrc @@ -1 +1 @@ -22.14.0 +24.11.1 diff --git a/scripts/github/build/bumpversion.sh b/scripts/github/build/bumpversion.sh index 962c0a7a39..f419771563 100755 --- a/scripts/github/build/bumpversion.sh +++ b/scripts/github/build/bumpversion.sh @@ -4,7 +4,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $DIR/../../../ BRANCH=${GITHUB_REF##*/} -if [[ $BRANCH =~ ^develop(-patch.*)?$ ]] +if [[ ! $BRANCH =~ ^master(-patch.*)?$ ]] then echo "Replace NPM version with new Alpha tag" ./scripts/update-version.sh -gnu || exit 1;
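Review bot: The inverted test `if [[ ! $BRANCH =~ ^master(-patch.*)?$ ]]` in bumpversion.sh now decides the alpha bump for every branch, but `BRANCH=${GITHUB_REF##*/}` on the context line above keeps only the last `/`-separated segment of the ref, so a branch whose last segment is `master` (constructed example: `feature/master`) would be taken for the stable branch, whereas the set-npm-tag action in this same patch matches the full `github.ref_name`; before this change the positive `^develop…` match limited how far that truncation could reach. With the workflow now accepting `workflow_dispatch` from arbitrary branches, I would derive the name from the full branch name GitHub already exports so both scripts agree: `BRANCH=${GITHUB_REF_NAME:-${GITHUB_REF##*/}}`. The `if` block that starts here closes outside the hunk.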