From 68df2854a01c406562956d4ed574c3c7768fb76a Mon Sep 17 00:00:00 2001 From: Ze Date: Fri, 5 Jan 2024 13:21:36 -0800 Subject: [PATCH 1/4] Add back CI workflows (#11) (#12) * Add back CI workflows * Use environment to separate secrets * Update syntax * Add runs-on * Fix --- .github/workflows/build-and-test.yaml | 118 ++++++++++++++++++++++++++ .github/workflows/external-pr.yaml | 43 ++++++++++ .github/workflows/internal-pr.yaml | 41 +++++++++ 3 files changed, 202 insertions(+) create mode 100644 .github/workflows/build-and-test.yaml create mode 100644 .github/workflows/external-pr.yaml create mode 100644 .github/workflows/internal-pr.yaml diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml new file mode 100644 index 00000000..261005be --- /dev/null +++ b/.github/workflows/build-and-test.yaml 
@@ -0,0 +1,118 @@ +name: Build and Test + +on: + workflow_call: + inputs: + sha: + required: true + type: string + ENVIRONMENT: + required: true + type: string + secrets: + API_BASE_URL: + required: true + STORY_PROTOCOL_CONTRACT: + required: true + IP_ASSET_REGISTRY_CONTRACT: + required: true + IP_ORG_CONTROLLER_CONTRACT: + required: true + RELATIONSHIP_MODULE_CONTRACT: + required: true + REGISTRATION_MODULE_CONTRACT: + required: true + LICENSE_REGISTRY_CONTRACT: + required: true + MODULE_REGISTRY_CONTRACT: + required: true + LICENSE_MODULE_CONTRACT: + required: true + RPC_PROVIDER_URL: + required: true + WALLET_PRIVATE_KEY: + required: true + TEST_WALLET_ADDRESS: + required: true + TEST_IPORG_ID: + required: true + TEST_IPORG_ID_WITH_HOOK: + required: true + TEST_IPASSET_ID1: + required: true + TEST_IPASSET_ID2: + required: true + TEST_RELATIONSHIP_ID: + required: true + TEST_RELATIONSHIP_TYPE: + required: true + TEST_LICENSE_ID: + required: true + TEST_HOOK_ID: + required: true + TEST_MODULE_ID: + required: true + TEST_TRANSACTION_ID: + required: true + +jobs: + build: + name: Build and Test + timeout-minutes: 15 + runs-on: ubuntu-latest + ## Example to fix envrionment secret not passing in: https://github.com/AllanOricil/workflow-template-bug/blob/master/.github/workflows/workflow-template-fix-without-required-secret.yml + environment: ${{ inputs.ENVIRONMENT }} + env: + ## To use Remote Caching, uncomment the next lines and follow the steps below. 
+ # TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} + # TURBO_TEAM: ${{ vars.TURBO_TEAM }} + NEXT_PUBLIC_API_BASE_URL: ${{ secrets.API_BASE_URL }} + NEXT_PUBLIC_STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }} + NEXT_PUBLIC_IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }} + NEXT_PUBLIC_IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }} + NEXT_PUBLIC_RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }} + NEXT_PUBLIC_REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }} + NEXT_PUBLIC_LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }} + NEXT_PUBLIC_MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }} + NEXT_PUBLIC_LICENSE_MODULE_CONTRACT: ${{secrets.LICENSE_MODULE_CONTRACT}} + RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }} + WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }} + TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }} + TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }} + TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }} + TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }} + TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }} + TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }} + TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }} + TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }} + TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }} + TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }} + TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }} + + steps: + - name: Check out code + uses: actions/checkout@v3 + with: + ref: ${{ inputs.sha }} + + - uses: pnpm/action-setup@v2.0.1 + with: + version: 8.8.0 + + - name: Setup Node.js environment + uses: actions/setup-node@v3 + with: + node-version: 20.0.0 + cache: pnpm + + - name: Install dependencies + run: pnpm install + + - name: Fix + run: pnpm fix + + - name: Test + run: pnpm test + + - name: Build + run: pnpm build \ No newline at end of file 
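Review bot: The job-level `env:` block hands `WALLET_PRIVATE_KEY` and `RPC_PROVIDER_URL` to every step, including `pnpm install` and `pnpm build`, which can run dependency lifecycle scripts that have no need for a signing key; moving those two entries under an `env:` on the `Test` step alone (presumably the only consumer — confirm against the test suite) limits what a compromised package could read. The third-party actions `actions/checkout@v3`, `pnpm/action-setup@v2.0.1` and `actions/setup-node@v3` are pinned to mutable tags, unlike the commit-SHA pins used in the scorecard workflow later in this series; pinning to a full SHA with the version in a trailing comment protects the build against a moved tag. The `build` job has no `permissions:` block, so the GITHUB_TOKEN keeps the repository default; `permissions:` / `contents: read` on the job is enough for the steps shown (a called workflow can only narrow what the caller grants). Minor: `${{secrets.LICENSE_MODULE_CONTRACT}}` lacks the spaces the neighbouring expressions use, and the comment typo `envrionment` should read `environment`.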
diff --git a/.github/workflows/external-pr.yaml b/.github/workflows/external-pr.yaml new file mode 100644 index 00000000..757983d8 --- /dev/null +++ b/.github/workflows/external-pr.yaml @@ -0,0 +1,43 @@ +name: External PR + +on: + pull_request_target: + types: [opened, synchronize] + +jobs: + authorize: + if: github.event.pull_request.head.repo.full_name != github.repository + environment: 'external' + runs-on: ubuntu-latest + steps: + - run: true + build_and_test: + needs: authorize + uses: ./.github/workflows/build-and-test.yaml + with: + sha: ${{ github.event.pull_request.head.sha }} + ENVIRONMENT: 'alpha-sepolia' + secrets: + API_BASE_URL: ${{ secrets.API_BASE_URL }} + STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }} + IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }} + IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }} + RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }} + REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }} + LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }} + MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }} + LICENSE_MODULE_CONTRACT: ${{ secrets.LICENSE_MODULE_CONTRACT }} + RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }} + WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }} + TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }} + TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }} + TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }} + TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }} + TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }} + TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }} + TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }} + TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }} + TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }} + TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }} + TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }} + \ No newline at end of file 
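Review bot: This workflow runs on `pull_request_target` and calls `build-and-test.yaml` with `sha: ${{ github.event.pull_request.head.sha }}`, so the fork's own commit is checked out and `pnpm install` / `pnpm test` execute it with the full secret set, including `WALLET_PRIVATE_KEY` and `RPC_PROVIDER_URL`; that is the classic pattern by which a fork pull request gains access to repository secrets. The only gate is the `authorize` job's `environment: 'external'`, which blocks nothing unless that environment has required reviewers configured in repository settings — the file cannot show that, and because `synchronize` is listed, every new push needs a fresh approval by a reviewer who has inspected the exact `head.sha`. If fork pull requests must be built at all, build them on `pull_request` with no secrets passed; the later patch in this series deletes this file, which is the right outcome. Until then, a comment above `authorize:` such as `# gate: relies on required-reviewer protection rules on the 'external' environment` would make the assumed control explicit.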
diff --git a/.github/workflows/internal-pr.yaml b/.github/workflows/internal-pr.yaml new file mode 100644 index 00000000..bc93d2f1 --- /dev/null +++ b/.github/workflows/internal-pr.yaml @@ -0,0 +1,41 @@ +name: Internal PR + +on: + push: + branches: + - main + - dev + pull_request: + branches: + - main + - dev + +jobs: + build_and_test: + uses: ./.github/workflows/build-and-test.yaml + with: + sha: ${{ github.event.pull_request.head.sha }} + ENVIRONMENT: 'alpha-sepolia' + secrets: + API_BASE_URL: ${{ secrets.API_BASE_URL }} + STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }} + IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }} + IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }} + RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }} + REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }} + LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }} + MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }} + LICENSE_MODULE_CONTRACT: ${{ secrets.LICENSE_MODULE_CONTRACT }} + RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }} + WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }} + TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }} + TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }} + TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }} + TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }} + TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }} + TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }} + TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }} + TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }} + TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }} + TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }} + TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }} From 85c4de85bb6766e0e822a19a9fdb125773496f3a Mon Sep 17 00:00:00 2001 
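Review bot: `sha: ${{ github.event.pull_request.head.sha }}` is only populated for `pull_request` events; on the `push` triggers declared at the top of this file it expands to an empty string, and whether the called workflow's `actions/checkout` then falls back to the pushed commit depends on how it treats an empty `ref`. Passing `sha: ${{ github.event.pull_request.head.sha || github.sha }}` makes the intent explicit for both triggers. Pull requests opened from forks receive no repository secrets on `pull_request`, so every secret in the `secrets:` mapping would be passed empty and the tests would run without credentials; that fails safe, but a comment such as `# fork PRs have no secrets; only same-repo PRs and pushes can run the tests` would stop the resulting failures being read as test bugs.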
From: Andy Wu Date: Tue, 9 Jan 2024 15:45:26 -0800 Subject: [PATCH 2/4] Create scorecard.yml (#13) --- .github/workflows/scorecard.yml | 72 +++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..50502975 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,72 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '25 1 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif From c84d715292cc43d44d6981060d3310f8558a683f Mon Sep 17 00:00:00 2001 From: Andy Wu Date: Tue, 16 Jan 2024 12:54:10 -0800 Subject: [PATCH 3/4] [security] delete the insecure workflow (#21) [feat] add CODEOWNERS [fix] pr triggered only from internal repo --- .github/CODEOWNERS | 1 + .github/workflows/external-pr.yaml | 43 ------------------------------ .github/workflows/internal-pr.yaml | 1 + 3 files changed, 2 insertions(+), 43 deletions(-) create mode 100644 .github/CODEOWNERS delete mode 100644 .github/workflows/external-pr.yaml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..33529d61 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @DonFungible @edisonz0718 diff --git a/.github/workflows/external-pr.yaml b/.github/workflows/external-pr.yaml deleted file mode 100644 index 757983d8..00000000 --- a/.github/workflows/external-pr.yaml +++ /dev/null 
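Review bot: Every action in `steps` is pinned to a commit SHA with the tag in a trailing comment, which is the right shape, but SHA pins only stay useful if something bumps them; unless the repository already has a Dependabot or Renovate config covering the `github-actions` ecosystem (not visible here), these pins will silently age. The job-level `permissions` grant `security-events: write` and `id-token: write` to `ossf/scorecard-action`; the comments in the hunk document why each is needed, and the top-level `permissions: read-all` correctly keeps everything else read-only. A one-line comment above `steps:` such as `# action SHAs are kept current by the github-actions dependabot config` (or a note that such a config is still needed) would tell the next maintainer where the pins come from.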
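Review bot: `* @DonFungible @edisonz0718` only results in mandatory review if the protected branches enable "Require review from Code Owners"; without that setting the file is advisory, and this patch cannot show whether it is set. Since the same series adds workflows that receive `WALLET_PRIVATE_KEY` and, later, `NPM_TOKEN`, a dedicated `/.github/workflows/ @DonFungible @edisonz0718` line would make it explicit that workflow changes are the reviews that matter most, even though the `*` rule already covers them.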
@@ -1,43 +0,0 @@ -name: External PR - -on: - pull_request_target: - types: [opened, synchronize] - -jobs: - authorize: - if: github.event.pull_request.head.repo.full_name != github.repository - environment: 'external' - runs-on: ubuntu-latest - steps: - - run: true - build_and_test: - needs: authorize - uses: ./.github/workflows/build-and-test.yaml - with: - sha: ${{ github.event.pull_request.head.sha }} - ENVIRONMENT: 'alpha-sepolia' - secrets: - API_BASE_URL: ${{ secrets.API_BASE_URL }} - STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }} - IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }} - IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }} - RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }} - REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }} - LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }} - MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }} - LICENSE_MODULE_CONTRACT: ${{ secrets.LICENSE_MODULE_CONTRACT }} - RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }} - WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }} - TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }} - TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }} - TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }} - TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }} - TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }} - TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }} - TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }} - TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }} - TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }} - TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }} - TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }} - \ No newline at end of file diff --git a/.github/workflows/internal-pr.yaml b/.github/workflows/internal-pr.yaml index bc93d2f1..491a6f9a 100644 --- a/.github/workflows/internal-pr.yaml +++ b/.github/workflows/internal-pr.yaml 
@@ -12,6 +12,7 @@ on: jobs: build_and_test: + if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} uses: ./.github/workflows/build-and-test.yaml with: sha: ${{ github.event.pull_request.head.sha }} From 3380fd42f5eaf10cd2e15b32d1bd8553bbb7e3e4 Mon Sep 17 00:00:00 2001 From: Andy Wu Date: Tue, 16 Jan 2024 18:11:54 -0800 Subject: [PATCH 4/4] [feat] add ci workflow to publish package to npm registry (#22) --- .github/workflows/ci-publish.yaml | 107 ++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 .github/workflows/ci-publish.yaml diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml new file mode 100644 index 00000000..3015fc14 --- /dev/null +++ b/.github/workflows/ci-publish.yaml 
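Review bot: The new `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}` also suppresses the `push` runs for `main` and `dev` declared in the `on:` block above this hunk, because `github.event.pull_request` does not exist on a push event and the comparison evaluates false. `if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}` keeps the fork guard while still building pushes. A comment above the line, `# fork PRs get no secrets; build only same-repo PRs and pushes`, would record why the guard exists.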
@@ -0,0 +1,107 @@ +name: CI workflow to publish to npm + +on: + pull_request: + # PR is targeting main branch + branches: + - main2 + # Triggered only when package.json is modified + paths: + - 'package.json' + # Triggered only the PR is merged + # types: [closed] + +jobs: + # Add timestamp + timestamp: + runs-on: ubuntu-latest + # Trigger the workflow only if the PR is from dev branch + if: github.event.pull_request.head.repo.full_name == 'dev2' + steps: + - name: Generate timestamp + run: | + echo "TIMESTAMP=$(TZ='America/Los_Angeles' date +'%Y-%m-%d %H:%M:%S')" >> $GITHUB_ENV + + - name: Print timestamp + run: | + echo "Execution time (Pacific Time Zone): $TIMESTAMP" + + # Parse version from main branch + parse-package-version-main: + runs-on: ubuntu-latest + needs: timestamp + # Trigger the workflow only if the PR is from dev branch + if: github.event.pull_request.head.repo.full_name == 'dev2' + outputs: + MAIN_VERSION: ${{ steps.parse_package_json.outputs.MAIN_VERSION }} + steps: + # checkout the main branch + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: main2 + + - name: Parse package.json + id: parse_package_json + run: | + content=$(cat package.json) + echo "MAIN_VERSION=$(echo $content | jq -r '.version')" >> $GITHUB_OUTPUT + echo "MAIN_VERSION=$MAIN_VERSION" + + # Parse version from dev branch + parse-package-version-dev: + runs-on: ubuntu-latest + needs: timestamp + # Trigger the workflow only if the PR is from dev branch + if: github.event.pull_request.head.repo.full_name == 'dev2' + outputs: + DEV_VERSION: ${{ steps.parse_package_json.outputs.DEV_VERSION }} + steps: + # checkout the dev branch + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: dev2 + + - name: Parse package.json + id: parse_package_json + run: | + content=$(cat package.json) + echo "DEV_VERSION=$(echo $content | jq -r '.version')" >> $GITHUB_OUTPUT + echo 
"DEV_VERSION=$DEV_VERSION" + + build-test-publish: + runs-on: ubuntu-latest + needs: [parse-package-version-main, parse-package-version-dev] + # Trigger the workflow only if the PR is from dev branch, and DEV_VERSION is different from MAIN_VERSION + if: github.event.pull_request.head.repo.full_name == 'dev2' && needs.parse-package-version-main.outputs.MAIN_VERSION != needs.parse-package-version-dev.outputs.DEV_VERSION + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0 + with: + version: 8.8.0 + + - name: Setup Node.js environment + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + with: + node-version: 20.0.0 + cache: pnpm + registry-url: https://registry.npmjs.org/ + + - name: Install dependencies + run: pnpm install + + - name: Build + run: pnpm build + + # Disabled test for now for later validation + # - name: Test + # run: pnpm test + + - name: Publish to npm + run: | + npm publish + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file