diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index b62e1b880..d33ea6761 100644 --- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml @@ -10,27 +10,14 @@ jobs: strategy: matrix: node-version: [20.x, 22.x] - outputs: - child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }} steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 yarn --immutable - - name: Fetch workspace package names - id: workspace-package-names - run: | - echo "child-workspace-package-names=$(yarn workspaces list --json | jq --slurp --raw-output 'map(.name) | @json')" >> "$GITHUB_OUTPUT" - shell: bash + is-high-risk-environment: false + cache-node-modules: ${{ matrix.node-version == '22.x' }} + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 lint: name: Lint @@ -40,19 +27,12 @@ jobs: matrix: node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 yarn --immutable + is-high-risk-environment: false + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - run: yarn lint - name: Require clean working directory shell: bash 
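Review bot: The `node-version` matrix in the prepare job (and in the lint, changelog, build, test, integration and e2e hunks of this file) is no longer consumed by any step: the `actions/setup-node@v4` steps that passed `node-version: ${{ matrix.node-version }}` are removed and `MetaMask/action-checkout-and-setup@v1` is given no Node version, so unless that action reads the matrix on its own, both matrix entries now install the same Node and the 20.x coverage is silently lost. Either forward the matrix value through whatever version input the action exposes, or shrink the matrix so it does not advertise coverage that no longer exists (the remaining use, `cache-node-modules: ${{ matrix.node-version == '22.x' }}`, would then simplify to a constant). Separately, this action is referenced by the mutable `@v1` tag in every hunk of this file and in publish-preview.yml and publish-release.yml, while the main.yml hunk pins `MetaMask/action-is-release` to a full commit SHA; pinning the checkout-and-setup action the same way, `uses: MetaMask/action-checkout-and-setup@<full-commit-sha>  # <version>`, keeps the supply-chain posture consistent for an action that runs first in every job, including the `is-high-risk-environment: true` publishing jobs. The removed `child-workspace-package-names` output should also be grepped for in the other workflows before merge, since any surviving `needs.prepare.outputs.child-workspace-package-names` reference would now evaluate to an empty string rather than fail. The enclosing `prepare` job starts outside the hunk.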
@@ -70,19 +50,12 @@ jobs: matrix: node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 yarn --immutable + is-high-risk-environment: false + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - run: yarn changelog:validate - name: Require clean working directory shell: bash @@ -100,19 +73,12 @@ jobs: matrix: node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 yarn --immutable + is-high-risk-environment: false + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - run: yarn build - name: Require clean working directory shell: bash 
@@ -130,19 +96,12 @@ jobs: matrix: node-version: [20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - name: Rebuild SQLite3 run: | cd node_modules/better-sqlite3 @@ -158,6 +117,29 @@ jobs: exit 1 fi + integration: + name: Integration Tests + runs-on: ubuntu-latest + needs: [prepare] + strategy: + matrix: + node-version: [20.x, 22.x] + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: false + env: + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 + - run: yarn test:integration + - name: Require clean working directory + shell: bash + run: | + if ! git diff --exit-code; then + echo "Working tree dirty at end of job" + exit 1 + fi + e2e: name: E2E Tests runs-on: ubuntu-latest @@ -166,19 +148,10 @@ jobs: matrix: node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - name: Rebuild SQLite3 run: | cd node_modules/better-sqlite3 
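Review bot: The test job's install step previously ran `yarn --immutable` without `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD`, whereas the replacement sets `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1` on the setup action, so this hunk changes behaviour rather than only swapping the setup steps; the e2e hunk further down keeps browser downloads, which suggests only e2e needs them, but that is inferred. If any suite run by this job launches a Playwright browser it will now fail on a missing binary; confirm and, if so, drop the `env:` block from this job only. The `Rebuild SQLite3` step and the rest of the job continue outside the hunk.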
@@ -201,33 +174,3 @@ jobs: echo "Working tree dirty at end of job" exit 1 fi - - integration: - name: Integration Tests - runs-on: ubuntu-latest - needs: [prepare] - strategy: - matrix: - node-version: [20.x, 22.x] - steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable - - run: yarn test:integration - - name: Require clean working directory - shell: bash - run: | - if ! git diff --exit-code; then - echo "Working tree dirty at end of job" - exit 1 - fi diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2cdf00de2..aa2deb3d9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -5,6 +5,10 @@ on: branches: [main] pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }} + jobs: check-workflows: name: Check workflows @@ -19,6 +23,18 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash + analyse-code: + name: Code scanner + needs: check-workflows + uses: ./.github/workflows/security-code-scanner.yml + permissions: + actions: read + contents: read + security-events: write + secrets: + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + lint-build-test: name: Lint, build, and test needs: check-workflows 
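Review bot: `cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }}` is a substring test, so any branch whose ref starts with `refs/heads/main` (e.g. `main-backup`) is also treated as protected and never cancelled; the effect is only a wasted run, but `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` states the intent exactly. A short comment above the block, `# Cancel superseded runs on branches and PRs; never cancel runs on main`, would document why `main` is excluded.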
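Review bot: `analyse-code` forwards `SECURITY_SCAN_METRICS_TOKEN` and `APPSEC_BOT_SLACK_WEBHOOK` to the reusable workflow, but the `on:` block a few lines up includes `pull_request`, where repository secrets are not available to runs from forks; unless `security-code-scanner.yml` tolerates empty secrets, those runs will fail, and the later hunk that adds `analyse-code` to the `needs` of `all-jobs-complete` turns that into a red check on every fork PR. Consider guarding the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or having the called workflow treat the secrets as optional. The explicit `permissions` block with `security-events: write` and read-only `actions`/`contents` is the right least-privilege shape for a scanner call. `./.github/workflows/security-code-scanner.yml` is not part of this diff, so its inputs and secret handling could not be checked here.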
@@ -27,18 +43,15 @@ jobs: is-release: name: Determine whether this is a release merge commit needs: lint-build-test + if: github.event_name == 'push' runs-on: ubuntu-latest - # Filtering by `push` events ensures that we only release from the `main` branch, which is a - # requirement for our npm publishing environment. - # The commit author should always be 'github-actions' for releases created by the - # 'create-release-pr' workflow, so we filter by that as well to prevent accidentally - # triggering a release. - if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions') outputs: IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }} steps: - id: is-release - uses: MetaMask/action-is-release@v1 + uses: MetaMask/action-is-release@dc4672b05e3b1d464cdaf783579b04a4e43f8b02 + with: + commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`' publish-release: name: Publish release @@ -54,7 +67,9 @@ jobs: all-jobs-complete: name: All jobs complete runs-on: ubuntu-latest - needs: lint-build-test + needs: + - analyse-code + - lint-build-test outputs: passed: ${{ steps.set-output.outputs.passed }} steps: diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 3dcce39e9..5a333edc4 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml 
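Review bot: The pinned `MetaMask/action-is-release@dc4672b05e3b1d464cdaf783579b04a4e43f8b02` carries no version comment, so readers and dependency-update tooling cannot tell which release the SHA corresponds to; append `# <version>` (the tag that resolves to this commit) after the `uses:` line, as is conventional for SHA-pinned actions. The removed five-line comment was the only explanation of why `if: github.event_name == 'push'` gates releasing (main.yml's `push` trigger is limited to `branches: [main]`, which the comment said the npm publishing environment requires) and of what replaced the author-name check; a two-line comment above the `if:` restoring that rationale and noting that the `commit-starts-with` patterns are now the release filter would keep the intent discoverable. With the `github-actions` author check gone, any push to `main` whose head commit message matches one of those patterns is treated as a release, so branch protection on `main` is the remaining safeguard; worth confirming it only admits merges via the release-PR flow.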
@@ -35,18 +35,10 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable + is-high-risk-environment: true - name: Get commit SHA id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 452a9fc40..fc85cc25c 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
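Review bot: The replaced step was `Install Node`, not a checkout, so the job (which starts outside the hunk and is driven by an issue comment, per `PR_NUMBER: ${{ github.event.issue.number }}`) presumably checks out the PR head in an earlier step; `MetaMask/action-checkout-and-setup@v1` now performs its own checkout with no `ref:` input, which may reset the workspace to the default ref and publish a preview of the wrong code. Confirm what the action checks out when `ref:` is omitted and, if an earlier step fetched the PR branch, pass that same ref here (the publish-release hunks show the `ref:` input is accepted). `is-high-risk-environment: true` is the right setting for a job that builds comment-triggered PR code; the removed `node-version-file: '.nvmrc'` means the Node version now comes from wherever the action reads it, so verify it still honours `.nvmrc`.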
@@ -14,85 +14,60 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: yarn - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + is-high-risk-environment: true - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - run: yarn --immutable - run: yarn build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 + with: + name: publish-release-artifacts-${{ github.sha }} + include-hidden-files: true + retention-days: 4 + path: | + ./packages/**/dist + ./node_modules/.yarn-state.yml publish-npm-dry-run: + name: Dry run publish to NPM runs-on: ubuntu-latest needs: publish-release steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} - fail-on-cache-miss: true - - name: Dry Run Publish - # omit npm-token token to perform dry run publish + name: publish-release-artifacts-${{ github.sha }} + - name: Dry run publish to NPM uses: MetaMask/action-npm-publish@v5 with: slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} subteam: S042S7RE4AE # @metamask-npm-publishers - env: - SKIP_PREPACK: true publish-npm: + name: 
Publish to NPM environment: npm-publish runs-on: ubuntu-latest needs: publish-npm-dry-run steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} - fail-on-cache-miss: true - - name: Publish + name: publish-release-artifacts-${{ github.sha }} + - name: Publish to NPM uses: MetaMask/action-npm-publish@v5 with: npm-token: ${{ secrets.NPM_TOKEN }} - env: - SKIP_PREPACK: true
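Review bot: The `publish-release` job's checkout no longer passes `ref: ${{ github.sha }}` while the `publish-npm-dry-run` and `publish-npm` jobs in the same hunk still do; a release workflow should build and publish the same commit in all three jobs, so add `ref: ${{ github.sha }}` under the first `with:` as well (or drop it everywhere if the action defaults to it, which cannot be seen here). Both publish steps also lose `SKIP_PREPACK: true`, so if any package's `prepack` script rebuilds, the publish will rebuild from source instead of using the artifacts restored by `actions/download-artifact@v4`; confirm that is intended. The removed `# omit npm-token token to perform dry run publish` comment was the only hint that the dry run works by leaving `npm-token` unset; restore it as `# No npm-token input: the action runs in dry-run mode` above the dry-run step. `include-hidden-files: true` is needed because `./node_modules/.yarn-state.yml` is a dot-file, and `retention-days: 4` means a re-run of `publish-npm` after that window fails on download; acceptable, but worth a one-line comment next to it.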