From e5f4004d0e93ba03cdfcb5306234d5cb3badd7dc Mon Sep 17 00:00:00 2001
From: Taylor Smock
Date: Wed, 21 Aug 2024 08:25:58 -0600
Subject: [PATCH] Add an end-to-end workflow for scheduled updates * Use GH API when performing actions which could be signed Docs indicate that this might allow for signed tags in CI (as "github-actions[bot]") For details, see https://github.blog/engineering/commit-signing-support-for-bots-and-other-github-apps/ * Fix release.yaml (add -npmjs to publish-npm-registry for publish-webjar-test-echo) * Update package URLs
---
.github/workflows/release.yaml | 19 ++++--
.github/workflows/scheduled_update.yaml | 80 ++++++++++++++++++++++---
package.json | 4 +-
taginfo.json | 2 +-
4 files changed, 88 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4c6d79f..80d4633 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,11 +2,14 @@ name: NPM CI release
on: release: types: [created] + workflow_call: jobs: build: name: build runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5
@@ -26,8 +29,9 @@ jobs:
needs: build runs-on: ubuntu-latest permissions: - id-token: write attestations: write + contents: read + id-token: write steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4
@@ -41,8 +45,9 @@ jobs:
needs: build runs-on: ubuntu-latest permissions: - id-token: write attestations: write + contents: read + id-token: write packages: write steps: - uses: actions/checkout@v4 
@@ -50,14 +55,16 @@ jobs:
with: node-version: 20 registry-url: 'https://npm.pkg.github.com' - - run: npm publish --provenance + - run: npm publish env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - publish-webjar-test-echo: - needs: publish-npm-registry + publish-webjar: + needs: publish-npm-registry-npmjs runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - - run: echo curl "https://www.webjars.org/deploy?webJarType=npm&nameOrUrlish=tag2link&version=$(jq -r '.version' package.json)" + - run: curl "https://www.webjars.org/deploy?webJarType=npm&nameOrUrlish=tag2link&version=$(jq -r '.version' package.json)"
diff --git a/.github/workflows/scheduled_update.yaml b/.github/workflows/scheduled_update.yaml
index c39fca9..c68ac8c 100644
--- a/.github/workflows/scheduled_update.yaml
+++ b/.github/workflows/scheduled_update.yaml
@@ -9,6 +9,8 @@ jobs:
runs-on: ubuntu-latest permissions: contents: write + outputs: + sha: ${{ steps.git-push.outputs.sha }} steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 
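Review bot: Dropping `--provenance` from the `npm.pkg.github.com` publish step leaves that job holding `attestations: write` and `id-token: write` (kept in the preceding `@@ -41,8 +45,9 @@` hunk) that nothing in the job uses any more; if the flag was removed because the GitHub Packages registry does not accept provenance, trim that job to `contents: read` and `packages: write`, otherwise restore the flag so the package stays attested. The webjars step now really runs `curl`, but without `--fail` an HTTP error from the deploy endpoint still leaves the job green and the release looks published when it is not; `- run: curl --fail --silent --show-error "https://www.webjars.org/deploy?webJarType=npm&nameOrUrlish=tag2link&version=$(jq -r '.version' package.json)"` makes a rejected deploy fail the workflow.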
@@ -24,17 +26,79 @@ jobs: - run: python3 osm_wikidata.py - run: npm install - run: npm run build - - run: | - git config --global user.name 'Github tag2link Action' - git config --global user.email 'tsmock@users.noreply.github.com' - git commit -am "Automated update" - git push + - id: git-push + run: | + set -ex + git diff --name-only + if [ $(git diff --name-only | wc -l) -gt 0 ]; then + tag=$(jq -r '.version' package.json) + # The GH api only allows for single file commits right now + for file in $(git diff --name-only); do + gh api --method PUT -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/${{ github.repository }}/contents/$file" \ + --field "message=Automatic update for ${tag}: ${file}" \ + --field "encoding=base64" \ + --field "branch=${{ github.ref_name }}" \ + --field "content=$(base64 -i "${file}")" \ + --field "sha=$(git rev-parse "${{ github.ref_name }}:${file}")" | \ + jq -r '.commit.sha' | sed '1s@^@sha=@' >> "$GITHUB_OUTPUT" + done + fi + env: + GH_TOKEN: ${{ github.token }} tag: runs-on: ubuntu-latest permissions: contents: write + needs: update + env: + GH_TOKEN: ${{ github.token }} + outputs: + release_needed: ${{ steps.tag.outputs.release_needed }} steps: - uses: actions/checkout@v4 - - run: git tag $(jq -r '.version' package.json) -sm $(jq -r '.version' package.json) - - run: git push -u origin - - run: gh release create $(jq -r '.version' package.json) --generate-notes + with: + fetch-depth: 0 + - id: tag + run: | + gh repo sync + tag=$(git describe --tags --abbrev=0) || release_needed="true" + sha=${{ needs.update.outputs.sha }} + if [ -z "${sha}" ]; then sha="HEAD"; fi + for file in $(git diff ${tag}..${sha} --name-only); do + if [ $file == "taginfo.json" ] || [ $file == "index.json" ] || [ $file == "package.json"] ; then + release_needed="true" + break + fi + done + if [ $release_needed == "true" ]; then + tag=$(jq -r '.version' package.json) + object=$(git rev-parse --verify ${sha}) + gh api 
--method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/${{ github.repository }}/git/tags \ + --field "tag=${tag}" \ + --field "message=${tag}" \ + --field "object=${object}" \ + --field "type=commit" \ + --field "tagger[name]=github-actions[bot]" \ + --field "tagger[email]=41898282+github-actions[bot]@users.noreply.github.com" \ + --field "tagger[date]=$(date --iso-8601=seconds)" + gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/${{ github.repository }}/git/refs \ + --field "ref=refs/tags/${tag}" \ + --field "sha=${object}" + gh release create ${tag} --generate-notes + echo "release_needed=true" >> "$GITHUB_OUTPUT" + else + echo "release_needed=false" >> "$GITHUB_OUTPUT" + fi + publish: + needs: tag + if: needs.tag.outputs.release_needed + uses: ./.github/workflows/release.yaml + secrets: inherit + permissions: + attestations: write + contents: read + id-token: write + packages: write
diff --git a/package.json b/package.json
index bd7a346..9d63482 100644
--- a/package.json
+++ b/package.json
@@ -13,10 +13,10 @@
"scripts": { "build": "npx ts-node build.ts" }, - "homepage": "https://github.com/osmlab/tag2link", + "homepage": "https://github.com/JOSM/tag2link", "repository": { "type": "git", - "url": "git+https://github.com/osmlab/tag2link.git" + "url": "https://github.com/JOSM/tag2link" }, "author": "Simon Legner ", "license": "ISC",
diff --git a/taginfo.json b/taginfo.json
index 7aebada..4948cd7 100644
--- a/taginfo.json
+++ b/taginfo.json
@@ -1,6 +1,6 @@
{ "data_format": 1, - "data_updated": "20240821T080000Z", + "data_updated": "20240821T160000Z", "project": { "name": "tag2link", "description": "Formatter URLs for OpenStreetMap tags",
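Review bot: `if: needs.tag.outputs.release_needed` on the new `publish` job does not gate on the value: job outputs are strings, and GitHub's expression evaluation treats any non-empty string, including `false`, as true, so the reusable release workflow is invoked on every scheduled run even when the `tag` step wrote `release_needed=false`; it should read `if: needs.tag.outputs.release_needed == 'true'`. In the `tag` step, `[ $file == "package.json"]` is missing the space before `]`, so that test errors out instead of matching and a version bump that only touches `package.json` never sets `release_needed`; the same line should quote `"$file"`, and `if [ $release_needed == "true" ]` prints a shell error rather than a clean false when no relevant file changed, so write `if [ "${release_needed:-false}" = "true" ]; then`. In the `git-push` step, one `sha=` line is appended to `$GITHUB_OUTPUT` per file, so the `sha` output declared in the earlier `@@ -9,6 +9,8 @@` hunk silently depends on last-line-wins; capture the commit sha in a variable and write it once after the loop. The `tag` step also interpolates `${{ needs.update.outputs.sha }}` straight into the script text; passing it through `env:` keeps API-returned data out of the shell source.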