Create Github workflows for release process

Author: arr00

.github/workflows/release-cycle.yml

@@ -0,0 +1,226 @@
+#  D: Manual Dispatch
+#  M: Merge release PR
+#  C: Commit
+#  ┌───────────┐     ┌─────────────┐     ┌────────────────┐
+#  │Development├──D──►RC-Unreleased│  ┌──►Final-Unreleased│
+#  └───────────┘     └─┬─────────▲─┘  │  └─┬────────────▲─┘
+#                      │         │    │    │            │
+#                      M         C    D    M            C
+#                      │         │    │    │            │
+#                     ┌▼─────────┴┐   │   ┌▼────────────┴┐
+#                     │RC-Released├───┘   │Final-Released│
+#                     └───────────┘       └──────────────┘
+name: Release Cycle
+
+on:
+  push:
+    branches:
+      - release-v*
+  workflow_dispatch: {}
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  state:
+    name: Check state
+    permissions:
+      pull-requests: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - id: state
+        name: Get state
+        uses: actions/github-script@v7
+        env:
+          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
+        with:
+          result-encoding: string
+          script: await require('./scripts/release/workflow/state.js')({ github, context, core })
+    outputs:
+      # Job Flags
+      start: ${{ steps.state.outputs.start }}
+      changesets: ${{ steps.state.outputs.changesets }}
+      promote: ${{ steps.state.outputs.promote }}
+      publish: ${{ steps.state.outputs.publish }}
+      merge: ${{ steps.state.outputs.merge }}
+
+      # Global variables
+      is_prerelease: ${{ steps.state.outputs.is_prerelease }}
+
+  start:
+    needs: state
+    name: Start new release candidate
+    permissions:
+      contents: write
+      actions: write
+    if: needs.state.outputs.start == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - run: bash scripts/git-user-config.sh
+      - id: start
+        name: Create branch with release candidate
+        run: bash scripts/release/workflow/start.sh
+      - name: Re-run workflow
+        uses: actions/github-script@v7
+        env:
+          REF: ${{ steps.start.outputs.branch }}
+        with:
+          script: await require('./scripts/release/workflow/rerun.js')({ github, context })
+
+  promote:
+    needs: state
+    name: Promote to final release
+    permissions:
+      contents: write
+      actions: write
+    if: needs.state.outputs.promote == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - run: bash scripts/git-user-config.sh
+      - name: Exit prerelease state
+        if: needs.state.outputs.is_prerelease == 'true'
+        run: bash scripts/release/workflow/exit-prerelease.sh
+      - name: Re-run workflow
+        uses: actions/github-script@v7
+        with:
+          script: await require('./scripts/release/workflow/rerun.js')({ github, context })
+
+  changesets:
+    needs: state
+    name: Update PR to release
+    permissions:
+      contents: write
+      pull-requests: write
+    if: needs.state.outputs.changesets == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # To get all tags
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - name: Set release title
+        uses: actions/github-script@v7
+        with:
+          result-encoding: string
+          script: await require('./scripts/release/workflow/set-changesets-pr-title.js')({ core })
+      - name: Create PR
+        uses: changesets/action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+        with:
+          version: npm run version
+          title: ${{ env.TITLE }}
+          commit: ${{ env.TITLE }}
+          body: | # Wait for support on this https://github.com/changesets/action/pull/250
+            This is an automated PR for releasing ${{ github.repository }}
+            Check [CHANGELOG.md](${{ github.repository }}/CHANGELOG.md)
+
+  publish:
+    needs: state
+    name: Publish to npm
+    environment: npm
+    permissions:
+      contents: write
+      id-token: write
+    if: needs.state.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - id: pack
+        name: Pack
+        run: bash scripts/release/workflow/pack.sh
+        env:
+          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.ref_name }}
+          path: ${{ steps.pack.outputs.tarball }}
+      - name: Publish
+        run: bash scripts/release/workflow/publish.sh
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          TARBALL: ${{ steps.pack.outputs.tarball }}
+          TAG: ${{ steps.pack.outputs.tag }}
+          NPM_CONFIG_PROVENANCE: true
+      - name: Create Github Release
+        uses: actions/github-script@v7
+        env:
+          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+        with:
+          script: await require('./scripts/release/workflow/github-release.js')({ github, context })
+    outputs:
+      tarball_name: ${{ steps.pack.outputs.tarball_name }}
+
+  integrity_check:
+    needs: publish
+    name: Tarball Integrity Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Download tarball artifact
+        id: artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ github.ref_name }}
+      - name: Check integrity
+        run: bash scripts/release/workflow/integrity-check.sh
+        env:
+          TARBALL: ${{ steps.artifact.outputs.download-path }}/${{ needs.publish.outputs.tarball_name }}
+
+  merge:
+    needs: state
+    name: Create PR back to master
+    permissions:
+      contents: write
+      pull-requests: write
+    if: needs.state.outputs.merge == 'true'
+    runs-on: ubuntu-latest
+    env:
+      MERGE_BRANCH: merge/${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # All branches
+          submodules: recursive
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - run: bash scripts/git-user-config.sh
+      - name: Create branch to merge
+        run: |
+          git checkout -B "$MERGE_BRANCH" "$GITHUB_REF_NAME"
+          git push -f origin "$MERGE_BRANCH"
+      - name: Create PR back to master
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: process.env.MERGE_BRANCH,
+              base: 'master',
+              title: '${{ format('Merge {0} branch', github.ref_name) }}'
+            });

contracts/package.json

@@ -13,7 +13,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-confidential.git"
+    "url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts.git"
   },
   "keywords": [
     "solidity",
@@ -28,10 +28,11 @@
   "author": "OpenZeppelin Community <maintainers@openzeppelin.org>",
   "license": "MIT",
   "bugs": {
-    "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-confidential/issues"
+    "url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts/issues"
   },
   "homepage": "https://openzeppelin.com/contracts/",
   "peerDependencies": {
+    "@fhevm/solidity": "0.7.0",
     "@openzeppelin/contracts": "5.3.0"
   }
 }

package.json

@@ -19,8 +19,10 @@
     "lint:js:fix": "prettier --loglevel warn '**/*.{js,ts}' --write && eslint . --fix",
     "lint:sol": "prettier --loglevel warn '{contracts,test}/**/*.sol' --check && solhint '{contracts,test}/**/*.sol'",
     "lint:sol:fix": "prettier --loglevel warn '{contracts,test}/**/*.sol' --write",
+    "prepack": "scripts/prepack.sh",
     "prepare": "husky",
     "prepare-docs": "scripts/prepare-docs.sh",
+    "version": "scripts/release/version.sh",
     "test": "hardhat test",
     "test:gas": "REPORT_GAS=true hardhat test",
     "test:generation": "scripts/checks/generation.sh",

scripts/release/format-changelog.js

@@ -0,0 +1 @@
+../../lib/openzeppelin-contracts/scripts/release/format-changelog.js

scripts/release/synchronize-versions.js

@@ -0,0 +1 @@
+../../lib/openzeppelin-contracts/scripts/release/synchronize-versions.js

scripts/release/update-comment.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+const fs = require('fs');
+const proc = require('child_process');
+const semver = require('semver');
+const run = (cmd, ...args) => proc.execFileSync(cmd, args, { encoding: 'utf8' }).trim();
+
+const gitStatus = run('git', 'status', '--porcelain', '-uno', 'contracts/**/*.sol');
+if (gitStatus.length > 0) {
+  console.error('Contracts directory is not clean');
+  process.exit(1);
+}
+
+const { version } = require('../../package.json');
+
+// Get latest tag according to semver.
+const [tag] = run('git', 'tag')
+  .split(/\r?\n/)
+  .filter(semver.coerce) // check version can be processed
+  .filter(v => semver.satisfies(v, `< ${version}`)) // ignores prereleases unless currently a prerelease
+  .sort(semver.rcompare);
+
+// Ordering tag → HEAD is important here.
+const files = run('git', 'diff', tag, 'HEAD', '--name-only', 'contracts/**/*.sol')
+  .split(/\r?\n/)
+  .filter(file => file && !file.match(/mock/i) && fs.existsSync(file));
+
+for (const file of files) {
+  const current = fs.readFileSync(file, 'utf8');
+  const updated = current.replace(
+    /(\/\/ SPDX-License-Identifier:.*)$(\n\/\/ OpenZeppelin Confidential Contracts .*$)?/m,
+    `$1\n// OpenZeppelin Confidential Contracts (last updated v${version}) (${file.replace('contracts/', '')})`,
+  );
+  ``;
+  fs.writeFileSync(file, updated);
+}

scripts/release/version.sh

@@ -0,0 +1 @@
+../../lib/openzeppelin-contracts/scripts/release/version.sh

scripts/release/workflow/exit-prerelease.sh

@@ -0,0 +1 @@
+../../../lib/openzeppelin-contracts/scripts/release/workflow/exit-prerelease.sh

scripts/release/workflow/github-release.js

@@ -0,0 +1,48 @@
+const { readFileSync } = require('fs');
+const { join } = require('path');
+const { version } = require(join(__dirname, '../../../package.json'));
+
+module.exports = async ({ github, context }) => {
+  const changelog = readFileSync('CHANGELOG.md', 'utf8');
+
+  await github.rest.repos.createRelease({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    tag_name: `v${version}`,
+    target_commitish: github.ref_name,
+    body: extractSection(changelog, version),
+    prerelease: process.env.PRERELEASE === 'true',
+  });
+};
+
+// From https://github.com/frangio/extract-changelog/blob/master/src/utils/word-regexp.ts
+function makeWordRegExp(word) {
+  const start = word.length > 0 && /\b/.test(word[0]) ? '\\b' : '';
+  const end = word.length > 0 && /\b/.test(word[word.length - 1]) ? '\\b' : '';
+  return new RegExp(start + [...word].map(c => (/[a-z0-9]/i.test(c) ? c : '\\' + c)).join('') + end);
+}
+
+// From https://github.com/frangio/extract-changelog/blob/master/src/core.ts
+function extractSection(document, wantedHeading) {
+  // ATX Headings as defined in GitHub Flavored Markdown (https://github.github.com/gfm/#atx-headings)
+  const heading = /^ {0,3}(?<lead>#{1,6})(?: [ \t\v\f]*(?<text>.*?)[ \t\v\f]*)?(?:[\n\r]+|$)/gm;
+
+  const wantedHeadingRe = makeWordRegExp(wantedHeading);
+
+  let start, end;
+
+  for (const m of document.matchAll(heading)) {
+    if (!start) {
+      if (m.groups.text.search(wantedHeadingRe) === 0) {
+        start = m;
+      }
+    } else if (m.groups.lead.length <= start.groups.lead.length) {
+      end = m;
+      break;
+    }
+  }
+
+  if (start) {
+    return document.slice(start.index + start[0].length, end?.index);
+  }
+}

scripts/release/workflow/integrity-check.sh

@@ -0,0 +1 @@
+../../../lib/openzeppelin-contracts/scripts/release/workflow/integrity-check.sh