chore: use team scoped context instead of org scoped context (#4612)

.circleci/config.yml

@@ -429,6 +429,9 @@ jobs:
  - checkout
  - attach_workspace:
  at: .
+ - gh/setup:
+ token: HAMMERHEAD_GITHUB_PAT
+ version: << pipeline.parameters.gh_version >>
  - aws-cli/install:
  version: << pipeline.parameters.aws_version >>
  - run:
@@ -463,7 +466,7 @@ jobs:
  - attach_workspace:
  at: .
  - gh/setup:
- token: GH_TOKEN
+ token: HAMMERHEAD_GITHUB_PAT
  version: << pipeline.parameters.gh_version >>
  - aws-cli/install:
  version: << pipeline.parameters.aws_version >>
@@ -910,7 +913,7 @@ workflows:
  - master
  - pre-release:
  name: Pre-Release
- context: nodejs-app-release
+ context: team-hammerhead-common-deploy-tokens
  requires:
  - Release?
  filters:
@@ -930,7 +933,7 @@ workflows:
  - master
  - release:
  name: Release
- context: nodejs-app-release
+ context: team-hammerhead-common-deploy-tokens
  requires:
  - Test Release (docker-node)
  - Test Release (win/default)

Makefile

@@ -208,6 +208,8 @@ release-pre:
  @./release-scripts/validate-repository.sh
  @echo "-- Validating artifacts"
  @./release-scripts/validate-checksums.sh
+ @echo "-- Validating upload permissions"
+ @./release-scripts/upload-artifacts.sh --dry-run latest github npm
  @echo "-- Publishing to S3 /version"
  @./release-scripts/upload-artifacts.sh version
 

release-scripts/upload-artifacts.sh

@@ -22,40 +22,144 @@ declare -a StaticFiles=(
 )
 
 VERSION_TAG="v$(cat binary-releases/version)"
+DRY_RUN=false
 
 if [ ${#} == 0 ]; then
  echo "No upload target defined!"
  exit 1
 fi
 
+show_help() {
+ echo "Usage: upload-artifacts.sh [options] [arguments]"
+ echo "Upload artifacts to GitHub, npm, or S3"
+ echo ""
+ echo "Options:"
+ echo " -h --help: show this help message and exit"
+ echo " --dry-run: perform a dry run of the upload"
+ echo ""
+ echo "Arguments:"
+ echo " version version tag to upload artifacts to"
+ echo " github upload artifacts to GitHub"
+ echo " npm upload artifacts to npm"
+ echo " s3 upload artifacts to S3"
+ echo ""
+ echo "Example:"
+ echo " upload-artifacts.sh v1.0.0 github npm s3"
+ echo ""
+ echo " This will upload artifacts to GitHub, npm, and S3 for version v1.0.0"
+ echo ""
+ echo " upload-artifacts.sh --dry-run v1.0.0 github npm s3"
+ echo ""
+ echo " This will perform a dry run of uploading artifacts to GitHub, npm, and S3 for version v1.0.0"
+ echo ""
+}
+
+upload_github() {
+ if [ "${DRY_RUN}" == true ]; then
+ echo "DRY RUN: uploading draft to GitHub..."
+ gh release create "${VERSION_TAG}" "${StaticFiles[@]}" \
+ --draft \
+ --target "${CIRCLE_SHA1}" \
+ --title "${VERSION_TAG}" \
+ --notes-file binary-releases/RELEASE_NOTES.md
+
+ echo "DRY RUN: deleting draft from GitHub..."
+ gh release delete "${VERSION_TAG}" \
+ --yes
+ else
+ echo "Uploading to GitHub..."
+ gh release create "${VERSION_TAG}" "${StaticFiles[@]}" \
+ --target "${CIRCLE_SHA1}" \
+ --title "${VERSION_TAG}" \
+ --notes-file binary-releases/RELEASE_NOTES.md
+ fi
+}
+
+upload_npm() {
+ if [ "${DRY_RUN}" == true ]; then
+ echo "DRY RUN: uploading to npm..."
+ npm config set '//registry.npmjs.org/:_authToken' "${HAMMERHEAD_NPM_TOKEN}"
+ npm publish --dry-run ./binary-releases/snyk-fix.tgz
+ npm publish --dry-run ./binary-releases/snyk-protect.tgz
+ npm publish --dry-run ./binary-releases/snyk.tgz
+ else
+ echo "Uploading to npm..."
+ npm config set '//registry.npmjs.org/:_authToken' "${HAMMERHEAD_NPM_TOKEN}"
+ npm publish ./binary-releases/snyk-fix.tgz
+ npm publish ./binary-releases/snyk-protect.tgz
+ npm publish ./binary-releases/snyk.tgz
+ fi
+}
+
+upload_s3() {
+ if [ "${DRY_RUN}" == true ]; then
+ echo "DRY RUN: uploading to S3..."
+ for filename in "${StaticFiles[@]}"; do
+ aws s3 cp "${filename}" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/ --dryrun
+ done
+
+ aws s3 cp "binary-releases/release.json" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/ --dryrun
+ aws s3 cp "binary-releases/version" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/ --dryrun
+ else
+ echo "Uploading to S3..."
+ for filename in "${StaticFiles[@]}"; do
+ aws s3 cp "${filename}" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/
+ done
+
+ aws s3 cp "binary-releases/release.json" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/
+ aws s3 cp "binary-releases/version" s3://"${PUBLIC_S3_BUCKET}"/cli/"${VERSION_TAG}"/
+ fi
+}
+
+# Capture valid flags
+while getopts ":h:t:-:" opt; do
+ case ${opt} in
+ h)
+ show_help
+ exit 0
+ ;;
+ -)
+ case "${OPTARG}" in
+ help)
+ show_help
+ exit 0
+ ;;
+ dry-run)
+ DRY_RUN=true
+ ;;
+ *)
+ echo "Invalid option: --${OPTARG}" >&2
+ exit 1
+ ;;
+ esac
+ ;;
+ \?)
+ echo "Invalid option: ${OPTARG}" >&2
+ exit 1
+ ;;
+ esac
+done
+
+# Remove flags from arguments
+shift $((OPTIND-1))
+
+# Interpret arguments
 for arg in "${@}"; do
  target="${arg}"
  if [ "${arg}" == "version" ]; then
  target="${VERSION_TAG}"
  fi
- echo "Uploading to ${target}"
 
  # Upload files to the GitHub release
  if [ "${arg}" == "github" ]; then
- gh release create "${VERSION_TAG}" "${StaticFiles[@]}" \
- --target "${CIRCLE_SHA1}" \
- --title "${VERSION_TAG}" \
- --notes-file binary-releases/RELEASE_NOTES.md
+ upload_github
 
  # Upload files to npm
  elif [ "${arg}" == "npm" ]; then
- npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
- npm publish ./binary-releases/snyk-fix.tgz
- npm publish ./binary-releases/snyk-protect.tgz
- npm publish ./binary-releases/snyk.tgz
+ upload_npm
 
  # Upload files to S3 bucket
  else
- for filename in "${StaticFiles[@]}"; do
- aws s3 cp "${filename}" s3://"${PUBLIC_S3_BUCKET}"/cli/"${target}"/
- done
-
- aws s3 cp "binary-releases/release.json" s3://"${PUBLIC_S3_BUCKET}"/cli/"${target}"/
- aws s3 cp "binary-releases/version" s3://"${PUBLIC_S3_BUCKET}"/cli/"${target}"/
+ upload_s3
  fi 
 done