From df97bb559ddbe6491a9c31a93631bfba4833e561 Mon Sep 17 00:00:00 2001
From: Andy Wu
Date: Thu, 18 Jan 2024 12:41:25 -0800
Subject: [PATCH] [test] bump up package version
---
.github/workflows/ci-publish.yaml | 120 +++++++++++++++++++++++++++++
.github/workflows/external-pr.yaml | 43 -----------
.github/workflows/internal-pr.yaml | 1 +
.github/workflows/scorecard.yml | 72 +++++++++++++++++
package.json | 2 +-
5 files changed, 194 insertions(+), 44 deletions(-)
create mode 100644 .github/workflows/ci-publish.yaml
delete mode 100644 .github/workflows/external-pr.yaml
create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
new file mode 100644
index 00000000..b676f051
--- /dev/null
+++ b/.github/workflows/ci-publish.yaml
@@ -0,0 +1,120 @@
+name: CI workflow to publish to npm
+
+on:
+ pull_request:
+ # PR is targeting main branch
+ branches:
+ - main
+ # Triggered only when package.json is modified
+ paths:
+ - 'package.json'
+ # Triggered only the PR is merged
+ types: [opened, synchronize, reopened, closed]
+
+jobs:
+ # Add timestamp
+ timestamp:
+ runs-on: ubuntu-latest
+ outputs:
+ PR_BRANCH_NAME: ${{ steps.get_pr_branch_name.outputs.PR_BRANCH_NAME }}
+ steps:
+ - name: Generate timestamp
+ run: |
+ echo "TIMESTAMP=$(TZ='America/Los_Angeles' date +'%Y-%m-%d %H:%M:%S')" >> $GITHUB_ENV
+ echo ${{ github.head_ref }}
+
+ - name: Print timestamp
+ run: |
+ echo "Execution time (Pacific Time Zone): $TIMESTAMP"
+
+ - name: Get PR branch name
+ id: get_pr_branch_name
+ run: |
+ echo "PR_BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_OUTPUT
+
+ # Parse version from main branch
+ parse-package-version-main:
+ runs-on: ubuntu-latest
+ needs: timestamp
+ # Trigger the workflow only if the PR is from dev branch
+ if: ${{ needs.timestamp.outputs.PR_BRANCH_NAME == 'dev' }}
+ outputs:
+ MAIN_VERSION: ${{ steps.parse_package_json.outputs.MAIN_VERSION }}
+ steps:
+ # checkout the main branch
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: main
+
+ - name: Parse package.json
+ id: parse_package_json
+ run: |
+ content=$(cat package.json)
+ echo "MAIN_VERSION=$(echo $content | jq -r '.version')" >> $GITHUB_OUTPUT
+
+ # Parse version from dev branch
+ parse-package-version-dev:
+ runs-on: ubuntu-latest
+ needs: timestamp
+ # Trigger the workflow only if the PR is from dev branch
+ if: ${{ needs.timestamp.outputs.PR_BRANCH_NAME == 'dev' }}
+ outputs:
+ DEV_VERSION: ${{ steps.parse_package_json.outputs.DEV_VERSION }}
+ steps:
+ # checkout the dev branch
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: dev2
+
+ - name: Parse package.json
+ id: parse_package_json
+ run: |
+ content=$(cat package.json)
+ echo "DEV_VERSION=$(echo $content | jq -r '.version')" >> $GITHUB_OUTPUT
+
+ build-test-publish:
+ runs-on: ubuntu-latest
+ needs: [timestamp, parse-package-version-main, parse-package-version-dev]
+ # Trigger the workflow only if the PR is from dev branch, and DEV_VERSION is different from MAIN_VERSION
+ if: ${{ needs.timestamp.outputs.PR_BRANCH_NAME == 'dev' }} && needs.parse-package-version-main.outputs.MAIN_VERSION != needs.parse-package-version-dev.outputs.DEV_VERSION
+ steps:
+ - name: QA Check
+ run: |
+ echo "MAIN_VERSION=${{ needs.parse-package-version-main.outputs.MAIN_VERSION }}"
+ echo "DEV_VERSION=${{ needs.parse-package-version-dev.outputs.DEV_VERSION }}"
+ if [ "${{ needs.parse-package-version-main.outputs.MAIN_VERSION }}" == "${{ needs.parse-package-version-dev.outputs.DEV_VERSION }}" ]; then
+ echo "QA Check failed: MAIN_VERSION and DEV_VERSION are the same"
+ exit 1
+ fi
+
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
+ with:
+ version: 8.8.0
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+ with:
+ node-version: 20.0.0
+ cache: pnpm
+ registry-url: https://registry.npmjs.org/
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build
+ run: pnpm build
+
+ # Disabled test for now for later validation
+ # - name: Test
+ # run: pnpm test
+
+ - name: Publish to npm
+ run: |
+ npm publish
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/external-pr.yaml b/.github/workflows/external-pr.yaml
deleted file mode 100644
index 757983d8..00000000
--- a/.github/workflows/external-pr.yaml
+++ /dev/null
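Review bot: `build-test-publish` runs `npm publish` on every `opened`/`synchronize`/`reopened` event of a dev→main PR, not only after the merge that the `# Triggered only the PR is merged` comment describes — nothing in the hunk tests `github.event.pull_request.merged`, and the job's `if:` closes the `${{ }}` before `&& needs.parse-package-version-main.outputs.MAIN_VERSION != …`, so that comparison is most likely appended as literal text rather than evaluated, leaving the `QA Check` step as the only version guard. The `Generate timestamp` and `Get PR branch name` steps also expand `${{ github.head_ref }}` directly inside the shell script; since `pull_request` fires for fork PRs too and the head branch name is chosen by the PR author, pass it through `env:` and quote it. Two inconsistencies worth settling: the dev job checks out `ref: dev2` while every condition tests `== 'dev'`, and the `package.json` in this same commit keeps `"private": true`, which `npm publish` refuses unless something rewrites it before that step. Once the job is gated on the merge, the `ref: main` checkout already contains the bumped version, so the main-side comparison would have to read the pre-merge base (`github.event.pull_request.base.sha`) instead.
```yaml
# … unchanged: name, on, timestamp job header …
      - name: Generate timestamp
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "TIMESTAMP=$(TZ='America/Los_Angeles' date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_ENV"
          echo "$HEAD_REF"
# … unchanged: Print timestamp, Get PR branch name, parse-package-version-* jobs …
  build-test-publish:
    runs-on: ubuntu-latest
    needs: [timestamp, parse-package-version-main, parse-package-version-dev]
    # Publish only once the dev -> main PR is merged and the version actually changed
    if: ${{ github.event.pull_request.merged == true && needs.timestamp.outputs.PR_BRANCH_NAME == 'dev' && needs.parse-package-version-main.outputs.MAIN_VERSION != needs.parse-package-version-dev.outputs.DEV_VERSION }}
# … unchanged: QA Check, Checkout, pnpm/Node setup, install, build, publish …
```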
@@ -1,43 +0,0 @@
-name: External PR
-
-on:
- pull_request_target:
- types: [opened, synchronize]
-
-jobs:
- authorize:
- if: github.event.pull_request.head.repo.full_name != github.repository
- environment: 'external'
- runs-on: ubuntu-latest
- steps:
- - run: true
- build_and_test:
- needs: authorize
- uses: ./.github/workflows/build-and-test.yaml
- with:
- sha: ${{ github.event.pull_request.head.sha }}
- ENVIRONMENT: 'alpha-sepolia'
- secrets:
- API_BASE_URL: ${{ secrets.API_BASE_URL }}
- STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }}
- IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }}
- IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }}
- RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }}
- REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }}
- LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }}
- MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }}
- LICENSE_MODULE_CONTRACT: ${{ secrets.LICENSE_MODULE_CONTRACT }}
- RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }}
- WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }}
- TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }}
- TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }}
- TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }}
- TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }}
- TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }}
- TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }}
- TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }}
- TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }}
- TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }}
- TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }}
- TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }}
-
\ No newline at end of file
diff --git a/.github/workflows/internal-pr.yaml b/.github/workflows/internal-pr.yaml
index bc93d2f1..491a6f9a 100644
--- a/.github/workflows/internal-pr.yaml
+++ b/.github/workflows/internal-pr.yaml
@@ -12,6 +12,7 @@ on:
 jobs:
 build_and_test:
+ if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
 uses: ./.github/workflows/build-and-test.yaml
 with:
 sha: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..50502975
--- /dev/null
+++ b/.github/workflows/scorecard.yml
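Review bot: The added `if:` carries no comment explaining why fork PRs are skipped, which matters because this same commit deletes `external-pr.yaml`, the only workflow that previously handled PRs whose head repo differs from `github.repository`; a line such as `# Run only for head branches in this repository; fork PRs no longer get a CI run now that external-pr.yaml is gone` would record that decision next to the guard. The workflow's `on:` block, which determines the event this expression is evaluated under, lies outside the hunk.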
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '25 1 * * 2'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/package.json b/package.json
index 3eaf1593..685850cc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "typescript-sdk",
- "version": "0.0.0",
+ "version": "0.0.3",
 "private": true,
 "repository": "https://github.com/storyprotocol/typescript-sdk",
 "author": "storyprotocol engineering ",
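Review bot: The `Checkout code` step pins `actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0` while `ci-publish.yaml` in this same commit pins `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; settling on one pin across the repository makes audits and pin updates a single change, and `persist-credentials: false` set here is worth carrying over to the `ci-publish.yaml` checkouts, which omit it. Two smaller style points: this file is named `scorecard.yml` while every other workflow in the diffstat uses `.yaml`, and `branches: [ "main" ]` pads the flow brackets with spaces that the other workflows do not. The remaining action pins (`upload-artifact` v3.1.0, `scorecard-action` v2.1.2, `upload-sarif` v2.2.4) look like what the OpenSSF template shipped, so they are presumably intentional.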