Add release-please and renovate

2024-12-04 15:20:19 +00:00 · 2023-01-30 11:06:17 +02:00 · 2023-01-30 11:06:17 +02:00 · a37a4e2a59
commit a37a4e2a59
parent c717e4dc73
9 changed files with 278 additions and 149 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@ -0,0 +1,3 @@
+self-hosted-runner:
+  labels:
+    - builder
--- a/.github/download_marine.sh
+++ b/.github/download_marine.sh
@ -1,14 +0,0 @@
-#!/bin/bash
-set -o pipefail -o errexit -o nounset
-set -x
-
-MARINE_RELEASE="https://api.github.com/repos/fluencelabs/marine/releases/latest"
-OUT_DIR=~/.bin
-
-# get metadata about release
-curl -s -H "Accept: application/vnd.github.v3+json" $MARINE_RELEASE |
-    # extract url and name for asset with name "marine"
-    # also append $OUT_DIR to each name so file is saved to $OUT_DIR
-    jq -r ".assets | .[] | select(.name == \"marine\") | \"\(.browser_download_url) $OUT_DIR/\(.name)\"" |
-    # download assets
-    xargs -n2 bash -c 'curl -L $0 -o $1 && chmod +x $1'
--- a/.github/release-please/config.json
+++ b/.github/release-please/config.json
@ -0,0 +1,35 @@
+{
+  "release-type": "rust",
+  "bump-minor-pre-major": true,
+  "bump-patch-for-minor-pre-major": true,
+  "plugins": [
+    {
+      "type": "cargo-workspace",
+      "merge": false
+    },
+    {
+      "type": "linked-versions",
+      "groupName": "trust-graph, wasm and api",
+      "components": [
+        "trust-graph",
+        "trust-graph-api",
+        "trust-graph-wasm"
+      ]
+    }
+  ],
+  "packages": {
+    ".": {
+      "component": "trust-graph"
+    },
+    "aqua": {
+      "release-type": "node",
+      "component": "trust-graph-api"
+    },
+    "service": {
+      "component": "trust-graph-wasm"
+    },
+    "keypair": {
+      "component": "keypair"
+    }
+  }
+}
--- a/.github/release-please/manifest.json
+++ b/.github/release-please/manifest.json
@ -0,0 +1,6 @@
+{
+  ".": "0.3.2",
+  "aqua": "0.3.2",
+  "service": "0.3.2",
+  "keypair": "0.9.0"
+}
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -0,0 +1,38 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base",
+    ":semanticCommitTypeAll(chore)"
+  ],
+  "enabledManagers": ["cargo", "npm", "github-actions", "pip_requirements"],
+  "rangeStrategy": "pin",
+  "schedule": "every weekend",
+  "packageRules": [
+    {
+      "matchManagers": ["cargo", "npm"],
+      "matchPackagePatterns": [
+        "@fluencelabs/.*",
+        "fluence-.*",
+        "marine-.*"
+      ],
+      "semanticCommitType": "fix",
+      "semanticCommitScope": "deps",
+      "schedule": "at any time"
+    },
+    {
+      "matchDepTypes": ["devDependencies"],
+      "prPriority": -1,
+      "semanticCommitType": "chore",
+      "semanticCommitScope": "deps"
+    },
+    {
+      "matchUpdateTypes": ["major"],
+      "prConcurrentLimit": 1
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "groupName": "all github-actions",
+      "prPriority": -1
+    }
+  ]
+}
--- a/.github/workflows/changelog_config.json
+++ b/.github/workflows/changelog_config.json
@ -1,6 +0,0 @@
-{
-    "template": "## Changes since ${{FROM_TAG}}\n\n${{CHANGELOG}}\n\n${{UNCATEGORIZED}}",
-    "pr_template": "- #${{NUMBER}} ${{TITLE}}",
-    "empty_template": "## No changes since ${{FROM_TAG}}",
-    "sort": "DESC"
-}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -0,0 +1,35 @@
+name: lint
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  pr:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  reviewdog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Lint actions
+        uses: reviewdog/action-actionlint@v1
+        env:
+          SHELLCHECK_OPTS: "-e SC2086 -e SC2207 -e SC2128"
+        with:
+          reporter: github-pr-check
+          fail_on_error: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,134 +1,191 @@
-name: "publish-release"
+name: "release"

 on:
  push:
-    tags:
-      - "v*"
+    branches:
+      - "master"
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"

 jobs:
-  release:
-    name: "Publish"
-    runs-on: builder
+  release-please:
+    runs-on: ubuntu-latest
+
+    outputs:
+      releases-created: ${{ steps.release.outputs['releases_created'] }}
+      trust-graph-api-release-created: ${{ steps.release.outputs['aqua--release-created'] }}
+      trust-graph-release-created: ${{ steps.release.outputs['release-created'] }}
+      trust-graph-tag-name: ${{ steps.release.outputs['tag_name'] }}

    steps:
-### Setup
-      - name: Checkout repository
+      - name: Run release-please
+        id: release
+        uses: google-github-actions/release-please-action@v3
+        with:
+          token: ${{ secrets.FLUENCEBOT_RELEASE_PLEASE_PAT }}
+          command: manifest
+          config-file: .github/release-please/config.json
+          manifest-file: .github/release-please/manifest.json
+
+      - name: Show output from release-please
+        if: steps.release.outputs.releases_created
+        env:
+          RELEASE_PLEASE_OUTPUT: ${{ toJSON(steps.release.outputs) }}
+        run: echo "${RELEASE_PLEASE_OUTPUT}" | jq
+
+  publish:
+    runs-on: builder
+
+    needs: release-please
+    if: needs.release-please.outputs.releases-created
+
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout
        uses: actions/checkout@v3

-      - name: Set env
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
-
-      - uses: actions/setup-node@v3
+      - name: Import secrets
+        uses: hashicorp/vault-action@v2.4.3
        with:
-          node-version: "15"
-          registry-url: "https://registry.npmjs.org"
-          cache: npm
-          cache-dependency-path: "aqua/package-lock.json"
-
-      - run: mkdir -p ~/.bin
-      - run: echo "~/.bin" >> $GITHUB_PATH
+          url: https://vault.fluence.dev
+          path: jwt/github
+          role: ci
+          method: jwt
+          jwtGithubAudience: "https://github.com/fluencelabs"
+          jwtTtl: 300
+          exportToken: false
+          secrets: |
+            kv/npmjs/fluencebot token | NODE_AUTH_TOKEN ;
+            kv/crates.io/fluencebot token | CARGO_REGISTRY_TOKEN

      - name: Setup Rust toolchain
        uses: actions-rust-lang/setup-rust-toolchain@v1

-      - name: Download marine
-        run: bash $GITHUB_WORKSPACE/.github/download_marine.sh
-
-      - name: Build trust-graph
-        working-directory: ./service
-        run: ./build.sh
-
-      - name: Check Aqua compiles
-        working-directory: ./aqua
-        run: |
-          npm i
-          npm run build
-
-      - name: Create distribution package
-        run: |
-          ./builtin-package/package.sh
-
-      - name: Build Changelog
-        id: changelog
-        uses: mikepenz/release-changelog-builder-action@v1
+      - name: Install cargo-workspaces
+        uses: baptiste0928/cargo-install@v1.3.0
        with:
-          configuration: ".github/workflows/changelog_config.json"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          crate: cargo-workspaces

-### Publish
-      - name: Release to GitHub
-        id: release
+      - name: Publish to crates.io
+        run: |
+          cargo ws publish \
+            --no-git-commit \
+            --allow-dirty \
+            --from-git \
+            --skip-published \
+            --yes
+
+      - name: Install Marine
+        uses: baptiste0928/cargo-install@v1.3.0
+        with:
+          crate: marine
+
+      - name: Build service
+        run: ./build.sh
+        working-directory: service
+
+      - name: Setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          registry-url: "https://registry.npmjs.org"
+          cache-dependency-path: "aqua/package-lock.json"
+          cache: "npm"
+
+      - run: npm i
+        working-directory: aqua
+
+      - run: npm run build
+        working-directory: aqua
+
+      - name: Publish to NPM registry
+        if: needs.release-please.outputs.trust-graph-api-release-created
+        run: npm publish --access public
+        working-directory: aqua
+
+      - name: Create builtin distribution package
+        if: needs.release-please.outputs.trust-graph-release-created
+        run: ./builtin-package/package.sh
+
+      - name: Calculate SHA256
+        if: needs.release-please.outputs.trust-graph-release-created
+        id: sha
+        run: |
+          # Calculate sha256
+          du -hs trust-graph.tar.gz
+          sha256sum trust-graph.tar.gz
+          sha=($(sha256sum trust-graph.tar.gz))
+          echo "sha256=${sha}" >> $GITHUB_OUTPUT
+
+      - name: Upload trust-graph package
+        if: needs.release-please.outputs.trust-graph-release-created
        uses: softprops/action-gh-release@v1
        with:
-          name: trust-graph ${{ env.RELEASE_VERSION }}
-          tag_name: ${{ env.RELEASE_VERSION }}
-          files: |
-            ./trust-graph.tar.gz
-          body: ${{steps.changelog.outputs.changelog}}
-          draft: false
-          prerelease: false
-          fail_on_unmatched_files: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    ### Publish Aqua API
-      - name: Publish Aqua API to NPM
-        run: |
-          npm version ${{ env.RELEASE_VERSION }}
-          npm publish --access public
-        env:
-            NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        working-directory: ./aqua
-
-## Update node-distro repo
-      - name: Calculate SHA256
-        run: |
-            du -hs trust-graph.tar.gz
-            echo $(sha256sum trust-graph.tar.gz)
-            echo "SHA256=$(sha256sum trust-graph.tar.gz | awk '{ print $1 }')" >> $GITHUB_ENV
-
-      - name: Get tar.gz URL
-        id: package-url
-        uses: actions/github-script@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          result-encoding: string
-          script: |
-            try {
-                let assets = await github.repos.listReleaseAssets({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  release_id: "${{ steps.release.outputs.id }}",
-                });
-                console.dir(assets);
-                let package = assets.data.find((a) => a.name === 'trust-graph.tar.gz');
-                let url = package.browser_download_url;
-                console.log("URL: " + url);
-                return url;
-            } catch (e) {
-              console.log("Err: " + e);
-              throw e;
-            }
+          files: trust-graph.tar.gz
+          tag_name: ${{ needs.release-please.outputs.trust-graph-tag-name }}

      - name: Update version in node-distro repo
+        if: needs.release-please.outputs.trust-graph-release-created
        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: update_service
          repo: fluencelabs/node-distro
-          ref: 'main'
+          ref: "main"
          token: ${{ secrets.PERSONAL_TOKEN }}
          inputs: '{
            "name": "trust-graph",
-            "version": "${{ env.RELEASE_VERSION }}",
-            "url": "${{ steps.package-url.outputs.result }}",
-            "sha256": "${{ env.SHA256 }}"
+            "version": "${{ needs.release-please.outputs.version }}",
+            "url": "https://github.com/fluencelabs/aqua-ipfs/releases/download/${{ needs.release-please.outputs.trust-graph-tag-name }}/trust-graph.tar.gz",
+            "sha256": "${{ steps.sha.outputs.sha256 }}"
          }'

-      - name: Log notice
-        uses: actions/github-script@v4
+  slack:
+    if: always()
+    name: "Notify"
+    runs-on: ubuntu-latest
+
+    needs:
+      - release-please
+      - trust-graph
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: lwhiteley/dependent-jobs-result-check@v1
+        id: status
        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-              console.dir(core);
-              core.info("trust-graph was updated to ${{ env.RELEASE_VERSION }} in node-distro repo");
+          statuses: failure
+          dependencies: ${{ tojson(needs) }}
+
+      - name: log output
+        run: |
+          echo "statuses:" "${{ steps.status.outputs.statuses }}"
+          echo "jobs:" "${{ steps.status.outputs.jobs }}"
+          echo "found any?:" "${{ steps.status.outputs.found }}"
+
+      - name: import secrets
+        uses: hashicorp/vault-action@v2.4.3
+        with:
+          url: https://vault.fluence.dev
+          path: jwt/github
+          role: ci
+          method: jwt
+          jwtgithubaudience: "https://github.com/fluencelabs"
+          jwtttl: 300
+          exporttoken: false
+          secrets: |
+            kv/slack/release-please webhook | slack_webhook_url
+
+      - uses: ravsamhq/notify-slack-action@v2
+        if: steps.status.outputs.found == 'true'
+        with:
+          status: "failure"
+          notification_title: "*{workflow}* has {status_message}"
+          message_format: "${{ steps.status.outputs.jobs }} {status_message} in <{repo_url}|{repo}>"
+          footer: "<{run_url}>"
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -1,25 +0,0 @@
-name: "tag"
-
-on:
-  workflow_dispatch:
-
-jobs:
-  tag:
-    name: "Tag"
-    runs-on: "ubuntu-latest"
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Get branch
-        run: |
-          BRANCH=${GITHUB_REF#refs/*/}
-          SANITIZED=$(echo "$BRANCH" | sed -e 's/[^a-zA-Z0-9-]/-/g')
-          echo "BRANCH=$SANITIZED" >> $GITHUB_ENV
-
-      - name: Bump version and push tag
-        id: tag_version
-        uses: mathieudutour/github-tag-action@v5.5
-        with:
-          append_to_pre_release_tag: ${{ env.BRANCH }}
-          github_token: ${{ secrets.PERSONAL_TOKEN }}