# Reusable workflow (workflow_call only): announces, signs, verifies and
# deploys src/registry.json, then triggers a republish of the directory site.
name: Publish Registry

on:
  workflow_call:
    inputs:
      # Slack channel name without the leading '#'; the announce job
      # prepends '#' when it builds the payload.
      slack-channel:
        type: string
        required: false
        default: 'metamask-snaps-deployments'
      # Sent as "icon_url" in the Slack payload.
      slack-icon-url:
        type: string
        required: false
        default: 'https://raw.githubusercontent.com/MetaMask/action-npm-publish/main/robo.png'
      # Used inside a `<!subteam^...>` mention. No default: when the caller
      # leaves it empty, every Slack step in the announce job is skipped.
      slack-subteam:
        type: string
        required: false
      # Sent as "username" in the Slack payload.
      slack-username:
        type: string
        required: false
        default: 'MetaMask bot'
    secrets:
      # Signing key; exposed only to the "Sign registry" step (`yarn sign`).
      REGISTRY_PRIVATE_KEY:
        required: true
      # Incoming-webhook URL handed to the Slack action.
      SLACK_WEBHOOK_URL:
        required: false
      # Token used to dispatch `republish-release.yml` in the
      # `snaps-directory` repository of the same owner.
      REPUBLISH_DIRECTORY_TOKEN:
        required: true
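# NOTE(review): no `permissions:` block is declared anywhere in this workflow,
# so every job runs with whatever GITHUB_TOKEN scopes the caller grants.
# Consider declaring least privilege per job; the role assumption in
# publish-registry presumably relies on OIDC (`id-token: write`) - confirm
# before tightening.
jobs:
  # Gate job: reports whether the last commit touched src/registry.json.
  # Every later job is conditional on this output, directly or via `needs`.
  check-updated:
    name: Check if registry file was updated
    runs-on: ubuntu-latest
    outputs:
      UPDATED: ${{ steps.updated.outputs.UPDATED }}
    steps:
      # NOTE(review): actions/checkout, actions/setup-node and
      # actions/github-script are referenced by mutable tag in this file,
      # while the Slack and AWS actions are pinned to a commit SHA. Pinning
      # all of them to a full commit SHA keeps a retagged release from
      # changing what runs in the job that holds the signing key.
      - uses: actions/checkout@v3
      - name: Check if registry file was updated
        id: updated
        run: |
          # The checkout is shallow; fetch history so HEAD^ exists.
          git fetch --prune --unshallow
          # -F -x: compare the whole line as a fixed string. A bare
          # `grep src/registry.json` is an unanchored regex ('.' matches any
          # character), so an unrelated path that merely contains that text
          # would also open the deploy gate.
          if git diff --name-only HEAD^ HEAD | grep -Fx 'src/registry.json'
          then
            echo "UPDATED=true" >> "$GITHUB_OUTPUT"
          else
            echo "UPDATED=false" >> "$GITHUB_OUTPUT"
          fi

  # Posts a "deployment awaiting review" message to Slack. All Slack steps
  # are skipped when the caller passes no slack-subteam.
  announce-publish-registry:
    name: Announce registry publish
    needs: check-updated
    if: ${{ needs.check-updated.outputs.UPDATED == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: name-hash
        name: Get Slack name and hash
        shell: bash
        if: inputs.slack-subteam != ''
        run: |
          # "<package name without leading @>@<7-char commit SHA>"
          NAME_TEXT=$(jq --raw-output '.name' package.json)
          NAME_TEXT_STRIPPED="${NAME_TEXT#@}"
          NAME_TEXT_WITH_HASH="$NAME_TEXT_STRIPPED@${GITHUB_SHA:0:7}"
          echo "NAME_HASH=$NAME_TEXT_WITH_HASH" >> "$GITHUB_OUTPUT"
      - id: final-text
        name: Get Slack final text
        shell: bash
        if: inputs.slack-subteam != ''
        # The caller input and the package.json-derived name are passed
        # through the environment instead of being expanded by `${{ }}`
        # inside the script: expression expansion happens before bash parses
        # the text, so a quote or `$(...)` in either value would otherwise
        # be interpreted as shell syntax.
        env:
          NAME_HASH: ${{ steps.name-hash.outputs.NAME_HASH }}
          SUBTEAM_TEXT: ${{ inputs.slack-subteam }}
        run: |
          DEFAULT_TEXT="\`${NAME_HASH}\` is awaiting \`registry.json\` deployment :rocket: \n <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/|→ Click here to review deployment>"
          FINAL_TEXT="$DEFAULT_TEXT"
          if [[ ! "$SUBTEAM_TEXT" == "" ]]; then
            FINAL_TEXT="<!subteam^$SUBTEAM_TEXT> $DEFAULT_TEXT"
          fi
          echo "FINAL_TEXT=$FINAL_TEXT" >> "$GITHUB_OUTPUT"
      # NOTE(review): the values below are pasted into the JSON document
      # without JSON escaping, so a `"` or `\` in an input or in the package
      # name yields a malformed or altered payload. Callers should pass
      # plain text only.
      - name: Post to a Slack channel
        if: inputs.slack-subteam != ''
        uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
        with:
          payload: |
            {
              "text": "${{ steps.final-text.outputs.FINAL_TEXT }}",
              "icon_url": "${{ inputs.slack-icon-url }}",
              "username": "${{ inputs.slack-username }}",
              "channel": "#${{ inputs.slack-channel }}"
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  # Signs the registry, verifies the signature against the committed public
  # key, then uploads both files and invalidates the CDN caches.
  publish-registry:
    name: Deploy registry to remote storage
    # It's not possible to set the env using input variables - https://github.com/actions/runner/issues/998
    # Hardcoded for now
    environment: deploy-prod
    needs:
      - announce-publish-registry
      - check-updated
    if: ${{ needs.check-updated.outputs.UPDATED == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      # --immutable: fail instead of rewriting the lockfile.
      - name: Install Yarn dependencies
        run: yarn --immutable
      # The private key is exposed to this step only, not to the job.
      - name: Sign registry
        run: yarn sign
        env:
          REGISTRY_PRIVATE_KEY: ${{ secrets.REGISTRY_PRIVATE_KEY }}
      # Check the fresh signature before anything is uploaded.
      - name: Verify registry
        run: yarn verify
        env:
          PUBLIC_KEY_PATH: ./secp256k1-key.pub
          REGISTRY_PATH: ./src/registry.json
          SIGNATURE_PATH: ./src/signature.json
      # Stage only the two published artefacts.
      - run: |
          mkdir -p dist
          cp src/registry.json dist/registry.json
          cp src/signature.json dist/signature.json
      - name: configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          role-session-name: ghactionssession
          aws-region: ${{ vars.AWS_REGION }}
      - name: Deploy registry
        # Configuration variables reach the script as quoted environment
        # variables, so their content is never parsed as shell syntax.
        env:
          BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
          CF_DISTRIBUTION_ID: ${{ vars.AWS_CF_DISTRIBUTION_ID }}
          CF_SECONDARY_DISTRIBUTION_ID: ${{ vars.AWS_CF_SECONDARY_DISTRIBUTION_ID }}
        run: |
          aws s3 cp ./dist "s3://${BUCKET_NAME}/latest" --recursive --acl private
          aws cloudfront create-invalidation --distribution-id "${CF_DISTRIBUTION_ID}" --paths "/latest/*"
          aws cloudfront create-invalidation --distribution-id "${CF_SECONDARY_DISTRIBUTION_ID}" --paths "/latest/*"

  # Dispatches the republish workflow in the snaps-directory repository once
  # the registry has been deployed.
  # NOTE(review): REPUBLISH_DIRECTORY_TOKEN only needs to dispatch that one
  # workflow; confirm it is scoped no wider than that.
  republish-directory:
    name: Republish directory
    needs:
      - publish-registry
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.REPUBLISH_DIRECTORY_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'snaps-directory',
              workflow_id: 'republish-release.yml',
              ref: 'main',
            });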