From 4a94b8ecf99db6f4629d6c68206e4d425d4a2822 Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 13:26:41 +0100 Subject: [PATCH 1/8] Create tags on GitHub using API To allow for signed tags to be created, rather than use the git CLI to push tags, manually push each tag using the GitHub API, which will sign the tag using the built-in GitHub GPG key. --- src/gitUtils.ts | 4 ---- src/run.ts | 34 ++++++++++++++++++++++------------ 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/src/gitUtils.ts b/src/gitUtils.ts index b15151ab..b7ed3256 100644 --- a/src/gitUtils.ts +++ b/src/gitUtils.ts @@ -29,10 +29,6 @@ export const push = async ( ); }; -export const pushTags = async () => { - await exec("git", ["push", "origin", "--tags"]); -}; - export const switchToMaybeExistingBranch = async (branch: string) => { let { stderr } = await getExecOutput("git", ["checkout", branch], { ignoreReturnCode: true, diff --git a/src/run.ts b/src/run.ts index 326b9618..f8ab931e 100644 --- a/src/run.ts +++ b/src/run.ts @@ -130,8 +130,6 @@ export async function runPublish({ { cwd } ); - await gitUtils.pushTags(); - let { packages, tool } = await getPackages(cwd); let releasedPackages: Package[] = []; @@ -157,12 +155,19 @@ export async function runPublish({ if (createGithubReleases) { await Promise.all( - releasedPackages.map((pkg) => - createRelease(octokit, { - pkg, - tagName: `${pkg.packageJson.name}@${pkg.packageJson.version}`, - }) - ) + releasedPackages.map(async (pkg) => { + const tagName = `${pkg.packageJson.name}@${pkg.packageJson.version}`; + // Tag will only be created locally, + // Create it using the GitHub API so it's signed. + await octokit.rest.git.createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }); + if (createGithubReleases) { + await createRelease(octokit, { pkg, tagName }); + } + }) ); } } else { @@ -180,11 +185,16 @@ export async function runPublish({ if (match) { releasedPackages.push(pkg); + const tagName = `v${pkg.packageJson.version}`; + // Tag will only be created locally, + // Create it using the GitHub API so it's signed. + await octokit.rest.git.createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }); if (createGithubReleases) { - await createRelease(octokit, { - pkg, - tagName: `v${pkg.packageJson.version}`, - }); + await createRelease(octokit, { pkg, tagName }); } break; } From 9ae1eeaf52dbc3a71b7795af35312ec98d7df559 Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 14:25:50 +0100 Subject: [PATCH 2/8] Use ghcommit to push changes To allow for all commits to be signed, use the GitHub API to push changes. --- package.json | 17 ++++--- src/gitUtils.ts | 47 +----------------- src/run.test.ts | 1 + src/run.ts | 33 ++++++++----- tsconfig.json | 2 +- yarn.lock | 128 +++++++++++++++++++++++++++++++++++++++++++++++- 6 files changed, 159 insertions(+), 69 deletions(-) diff --git a/package.json b/package.json index 44c5af07..8b829387 100644 --- a/package.json +++ b/package.json @@ -4,23 +4,23 @@ "main": "dist/index.js", "license": "MIT", "devDependencies": { - "@changesets/changelog-github": "^0.4.2", - "@changesets/cli": "^2.20.0", - "@changesets/write": "^0.1.6", - "@vercel/ncc": "^0.36.1", - "fixturez": "^1.1.0", - "prettier": "^2.0.5", - "typescript": "^5.0.4", "@babel/core": "^7.13.10", "@babel/preset-env": "^7.13.10", "@babel/preset-typescript": "^7.13.0", + "@changesets/changelog-github": "^0.4.2", + "@changesets/cli": "^2.20.0", + "@changesets/write": "^0.1.6", "@types/fs-extra": "^8.0.0", "@types/jest": "^29.5.1", "@types/node": "^20.11.17", "@types/semver": "^7.5.0", + "@vercel/ncc": "^0.36.1", "babel-jest": "^29.5.0", + "fixturez": "^1.1.0", "husky": "^3.0.3", - "jest": "^29.5.0" + "jest": "^29.5.0", + "prettier": "^2.0.5", + "typescript": "^5.0.4" }, "scripts": { "build": "ncc build src/index.ts -o dist --transpile-only --minify", @@ -41,6 +41,7 @@ "@changesets/read": "^0.5.3", "@manypkg/get-packages": "^1.1.3", "@octokit/plugin-throttling": "^5.2.1", + "@s0/ghcommit": "^1.1.0", "fs-extra": "^8.1.0", "mdast-util-to-string": "^1.0.6", "remark-parse": "^7.0.1", diff --git a/src/gitUtils.ts b/src/gitUtils.ts index b7ed3256..16d9bf21 100644 --- a/src/gitUtils.ts +++ b/src/gitUtils.ts @@ -11,49 +11,4 @@ export const setupUser = async () => { "user.email", `"github-actions[bot]@users.noreply.github.com"`, ]); -}; - -export const pullBranch = async (branch: string) => { - await exec("git", ["pull", "origin", branch]); -}; - -export const push = async ( - branch: string, - { force }: { force?: boolean } = {} -) => { - await exec( - "git", - ["push", "origin", `HEAD:${branch}`, force && "--force"].filter( - Boolean as any - ) - ); -}; - -export const switchToMaybeExistingBranch = async (branch: string) => { - let { stderr } = await getExecOutput("git", ["checkout", branch], { - ignoreReturnCode: true, - }); - let isCreatingBranch = !stderr - .toString() - .includes(`Switched to a new branch '${branch}'`); - if (isCreatingBranch) { - await exec("git", ["checkout", "-b", branch]); - } -}; - -export const reset = async ( - pathSpec: string, - mode: "hard" | "soft" | "mixed" = "hard" -) => { - await exec("git", ["reset", `--${mode}`, pathSpec]); -}; - -export const commitAll = async (message: string) => { - await exec("git", ["add", "."]); - await exec("git", ["commit", "-m", message]); -}; - -export const checkIfClean = async (): Promise => { - const { stdout } = await getExecOutput("git", ["status", "--porcelain"]); - return !stdout.length; -}; +}; \ No newline at end of file diff --git a/src/run.test.ts b/src/run.test.ts index 15d2e096..7b06a4ce 100644 --- a/src/run.test.ts +++ b/src/run.test.ts @@ -31,6 +31,7 @@ jest.mock("@actions/github/lib/utils", () => ({ getOctokitOptions: jest.fn(), })); jest.mock("./gitUtils"); +jest.mock("@s0/ghcommit/git"); let mockedGithubMethods = { pulls: { diff --git a/src/run.ts b/src/run.ts index f8ab931e..46baf92f 100644 --- a/src/run.ts +++ b/src/run.ts @@ -17,6 +17,7 @@ import * as gitUtils from "./gitUtils"; import readChangesetState from "./readChangesetState"; import resolveFrom from "resolve-from"; import { throttling } from "@octokit/plugin-throttling"; +import { commitChangesFromRepo } from "@s0/ghcommit/git"; // GitHub Issues/PRs messages have a max size limit on the // message body payload. @@ -334,9 +335,6 @@ export async function runVersion({ let { preState } = await readChangesetState(cwd); - await gitUtils.switchToMaybeExistingBranch(versionBranch); - await gitUtils.reset(github.context.sha); - let versionsByDirectory = await getVersionsByDirectory(cwd); if (script) { @@ -377,16 +375,25 @@ export async function runVersion({ ); const finalPrTitle = `${prTitle}${!!preState ? ` (${preState.tag})` : ""}`; - - // project with `commit: true` setting could have already committed files - if (!(await gitUtils.checkIfClean())) { - const finalCommitMessage = `${commitMessage}${ - !!preState ? ` (${preState.tag})` : "" - }`; - await gitUtils.commitAll(finalCommitMessage); - } - - await gitUtils.push(versionBranch, { force: true }); + const finalCommitMessage = `${commitMessage}${ + !!preState ? ` (${preState.tag})` : "" + }`; + + await commitChangesFromRepo({ + octokit, + owner: github.context.repo.owner, + repository: github.context.repo.repo, + branch: versionBranch, + // TODO: switch this to use direct string input when supported + message: { + headline: finalCommitMessage.split("\n", 2)[0].trim(), + body: finalCommitMessage.split("\n", 2)[1]?.trim(), + }, + base: { + commit: github.context.sha, + }, + force: true, + }); let existingPullRequests = await existingPullRequestsPromise; core.info(JSON.stringify(existingPullRequests.data, null, 2)); diff --git a/tsconfig.json b/tsconfig.json index b4669823..fbffb3e1 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -39,7 +39,7 @@ // "noFallthroughCasesInSwitch": true, /* Report errors for fallthrough cases in switch statement. */ /* Module Resolution Options */ - // "moduleResolution": "node", /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */ + "moduleResolution": "nodenext", /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */ // "baseUrl": "./", /* Base directory to resolve non-absolute module names. */ // "paths": {}, /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */ // "rootDirs": [], /* List of root folders whose combined content represents the structure of the project at runtime. */ diff --git a/yarn.lock b/yarn.lock index 06c45b9a..b84975a8 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1618,6 +1618,13 @@ dependencies: "@octokit/openapi-types" "^17.2.0" +"@s0/ghcommit@^1.1.0": + version "1.1.0" + resolved "https://registry.yarnpkg.com/@s0/ghcommit/-/ghcommit-1.1.0.tgz#789858feb3a9e9a799a6ce7abada988cd925c21f" + integrity sha512-1jEUzrfa9QvEdCaFicv2oc5ep9zFG4HE60vU48dIp+W1JzeOmPHOxNt9y5rE5TvXzTGAdLpoCvPnRrR6jCwFyw== + dependencies: + isomorphic-git "^1.27.1" + "@sinclair/typebox@^0.25.16": version "0.25.24" resolved "https://registry.yarnpkg.com/@sinclair/typebox/-/typebox-0.25.24.tgz#8c7688559979f7079aacaf31aa881c3aa410b718" @@ -1878,6 +1885,11 @@ arrify@^1.0.1: resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d" integrity sha512-3CYzex9M9FGQjCGMGyi6/31c8GJbgb0qGyrx5HWxPd0aCwh4cB2YjMb2Xf9UuoogrMrlO9cTqnB5rI5GHZTcUA== +async-lock@^1.4.1: + version "1.4.1" + resolved "https://registry.yarnpkg.com/async-lock/-/async-lock-1.4.1.tgz#56b8718915a9b68b10fce2f2a9a3dddf765ef53f" + integrity sha512-Az2ZTpuytrtqENulXwO3GGv1Bztugx6TT37NIo7imr/Qo0gsYiGtSdBa2B6fsXhTpVZDNfu1Qn3pk531e3q+nQ== + available-typed-arrays@^1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7" @@ -2161,6 +2173,11 @@ cjs-module-lexer@^1.0.0: resolved "https://registry.yarnpkg.com/cjs-module-lexer/-/cjs-module-lexer-1.2.2.tgz#9f84ba3244a512f3a54e5277e8eef4c489864e40" integrity sha512-cOU9usZw8/dXIXKtwa8pM0OTJQuJkxMN6w30csNRUerHfeQ5R6U3kkU/FtJeIf3M202OHfY2U8ccInBG7/xogA== +clean-git-ref@^2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/clean-git-ref/-/clean-git-ref-2.0.1.tgz#dcc0ca093b90e527e67adb5a5e55b1af6816dcd9" + integrity sha512-bLSptAy2P0s6hU4PzuIMKmMJJSE6gLXGH1cntDu7bWJUksvuM+7ReOK61mozULErYvP6a15rnYl0zFDef+pyPw== + cliui@^6.0.0: version "6.0.0" resolved "https://registry.yarnpkg.com/cliui/-/cliui-6.0.0.tgz#511d702c0c4e41ca156d7d0e96021f23e13225b1" @@ -2255,6 +2272,11 @@ cosmiconfig@^5.2.1: js-yaml "^3.13.1" parse-json "^4.0.0" +crc-32@^1.2.0: + version "1.2.2" + resolved "https://registry.yarnpkg.com/crc-32/-/crc-32-1.2.2.tgz#3cad35a934b8bf71f25ca524b6da51fb7eace2ff" + integrity sha512-ROmzCKrTnOwybPcJApAA6WBWij23HVfGVNKqqrZpuyZOHqK2CwHSvpGuyt/UNNvaIjEd8X5IFGp4Mh+Ie1IHJQ== + cross-spawn@^5.1.0: version "5.1.0" resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-5.1.0.tgz#e8bd0efee58fcff6f8f94510a0a554bbfa235449" @@ -2339,6 +2361,13 @@ decamelize@^1.1.0, decamelize@^1.2.0: resolved "https://registry.yarnpkg.com/decamelize/-/decamelize-1.2.0.tgz#f6534d15148269b20352e7bee26f501f9a191290" integrity sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA== +decompress-response@^6.0.0: + version "6.0.0" + resolved "https://registry.yarnpkg.com/decompress-response/-/decompress-response-6.0.0.tgz#ca387612ddb7e104bd16d85aab00d5ecf09c66fc" + integrity sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ== + dependencies: + mimic-response "^3.1.0" + dedent@^0.7.0: version "0.7.0" resolved "https://registry.yarnpkg.com/dedent/-/dedent-0.7.0.tgz#2495ddbaf6eb874abb0e1be9df22d2e5a544326c" @@ -2384,6 +2413,11 @@ diff-sequences@^29.4.3: resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-29.4.3.tgz#9314bc1fabe09267ffeca9cbafc457d8499a13f2" integrity sha512-ofrBgwpPhCD85kMKtE9RYFFq6OC1A89oW2vvgWZNCwxrUpRUILopY7lsYyMDSjc8g6U6aiO0Qubg6r4Wgt5ZnA== +diff3@0.0.3: + version "0.0.3" + resolved "https://registry.yarnpkg.com/diff3/-/diff3-0.0.3.tgz#d4e5c3a4cdf4e5fe1211ab42e693fcb4321580fc" + integrity sha512-iSq8ngPOt0K53A6eVr4d5Kn6GNrM2nQZtC740pzIriHtn4pOQ2lyzEXQMBeVcWERN0ye7fhBsk9PbLLQOnUx/g== + dir-glob@^2.0.0: version "2.2.2" resolved "https://registry.yarnpkg.com/dir-glob/-/dir-glob-2.2.2.tgz#fa09f0694153c8918b18ba0deafae94769fc50c4" @@ -2949,6 +2983,11 @@ ignore@^3.3.5: resolved "https://registry.yarnpkg.com/ignore/-/ignore-3.3.10.tgz#0a97fb876986e8081c631160f8f9f389157f0043" integrity sha512-Pgs951kaMm5GXP7MOvxERINe3gsaVjUWFm+UZPSq9xYriQAksyhg0csnS0KXSNRD5NmNdapXEpjxG49+AKh/ug== +ignore@^5.1.4: + version "5.3.2" + resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.3.2.tgz#3cd40e729f3643fd87cb04e50bf0eb722bc596f5" + integrity sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g== + ignore@^5.2.0: version "5.2.4" resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.2.4.tgz#a291c0c6178ff1b960befe47fcdec301674a6324" @@ -2988,7 +3027,7 @@ inflight@^1.0.4: once "^1.3.0" wrappy "1" -inherits@2, inherits@^2.0.0: +inherits@2, inherits@^2.0.0, inherits@^2.0.1, inherits@^2.0.3: version "2.0.4" resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== @@ -3233,6 +3272,23 @@ isexe@^2.0.0: resolved "https://registry.yarnpkg.com/isexe/-/isexe-2.0.0.tgz#e8fbf374dc556ff8947a10dcb0572d633f2cfa10" integrity sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw== +isomorphic-git@^1.27.1: + version "1.27.1" + resolved "https://registry.yarnpkg.com/isomorphic-git/-/isomorphic-git-1.27.1.tgz#a2752fce23a09f04baa590c41cfaf61e973405b3" + integrity sha512-X32ph5zIWfT75QAqW2l3JCIqnx9/GWd17bRRehmn3qmWc34OYbSXY6Cxv0o9bIIY+CWugoN4nQFHNA+2uYf2nA== + dependencies: + async-lock "^1.4.1" + clean-git-ref "^2.0.1" + crc-32 "^1.2.0" + diff3 "0.0.3" + ignore "^5.1.4" + minimisted "^2.0.0" + pako "^1.0.10" + pify "^4.0.1" + readable-stream "^3.4.0" + sha.js "^2.4.9" + simple-get "^4.0.1" + istanbul-lib-coverage@^3.0.0, istanbul-lib-coverage@^3.2.0: version "3.2.0" resolved "https://registry.yarnpkg.com/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.0.tgz#189e7909d0a39fa5a3dfad5b03f71947770191d3" @@ -3853,6 +3909,11 @@ mimic-fn@^2.1.0: resolved "https://registry.yarnpkg.com/mimic-fn/-/mimic-fn-2.1.0.tgz#7ed2c2ccccaf84d3ffcb7a69b57711fc2083401b" integrity sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg== +mimic-response@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/mimic-response/-/mimic-response-3.1.0.tgz#2d1d59af9c1b129815accc2c46a022a5ce1fa3c9" + integrity sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ== + min-indent@^1.0.0: version "1.0.1" resolved "https://registry.yarnpkg.com/min-indent/-/min-indent-1.0.1.tgz#a63f681673b30571fbe8bc25686ae746eefa9869" @@ -3874,6 +3935,18 @@ minimist-options@^4.0.2: is-plain-obj "^1.1.0" kind-of "^6.0.3" +minimist@^1.2.5: + version "1.2.8" + resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c" + integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA== + +minimisted@^2.0.0: + version "2.0.1" + resolved "https://registry.yarnpkg.com/minimisted/-/minimisted-2.0.1.tgz#d059fb905beecf0774bc3b308468699709805cb1" + integrity sha512-1oPjfuLQa2caorJUM8HV8lGgWCc0qqAO1MNv/k05G4qslmsndV/5WdNZrqCiyqiz3wohia2Ij2B7w2Dr7/IyrA== + dependencies: + minimist "^1.2.5" + mixme@^0.5.1: version "0.5.9" resolved "https://registry.yarnpkg.com/mixme/-/mixme-0.5.9.tgz#a5a58e17354632179ff3ce5b0fc130899c8ba81c" @@ -4039,6 +4112,11 @@ p-try@^2.0.0: resolved "https://registry.yarnpkg.com/p-try/-/p-try-2.2.0.tgz#cb2868540e313d61de58fafbe35ce9004d5540e6" integrity sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ== +pako@^1.0.10: + version "1.0.11" + resolved "https://registry.yarnpkg.com/pako/-/pako-1.0.11.tgz#6c9599d340d54dfd3946380252a35705a6b992bf" + integrity sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw== + parse-entities@^1.0.2, parse-entities@^1.1.0: version "1.2.2" resolved "https://registry.yarnpkg.com/parse-entities/-/parse-entities-1.2.2.tgz#c31bf0f653b6661354f8973559cb86dd1d5edf50" @@ -4244,6 +4322,15 @@ read-yaml-file@^1.1.0: pify "^4.0.1" strip-bom "^3.0.0" +readable-stream@^3.4.0: + version "3.6.2" + resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-3.6.2.tgz#56a9b36ea965c00c5a93ef31eb111a0f11056967" + integrity sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA== + dependencies: + inherits "^2.0.3" + string_decoder "^1.1.1" + util-deprecate "^1.0.1" + redent@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/redent/-/redent-3.0.0.tgz#e557b7998316bb53c9f1f56fa626352c6963059f" @@ -4408,6 +4495,11 @@ run-parallel@^1.1.9: dependencies: queue-microtask "^1.2.2" +safe-buffer@^5.0.1, safe-buffer@~5.2.0: + version "5.2.1" + resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6" + integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ== + safe-regex-test@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/safe-regex-test/-/safe-regex-test-1.0.0.tgz#793b874d524eb3640d1873aad03596db2d4f2295" @@ -4456,6 +4548,14 @@ set-blocking@^2.0.0: resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7" integrity sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw== +sha.js@^2.4.9: + version "2.4.11" + resolved "https://registry.yarnpkg.com/sha.js/-/sha.js-2.4.11.tgz#37a5cf0b81ecbc6943de109ba2960d1b26584ae7" + integrity sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ== + dependencies: + inherits "^2.0.1" + safe-buffer "^5.0.1" + shebang-command@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/shebang-command/-/shebang-command-1.2.0.tgz#44aac65b695b03398968c39f363fee5deafdf1ea" @@ -4494,6 +4594,20 @@ signal-exit@^3.0.0, signal-exit@^3.0.2, signal-exit@^3.0.3, signal-exit@^3.0.7: resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9" integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ== +simple-concat@^1.0.0: + version "1.0.1" + resolved "https://registry.yarnpkg.com/simple-concat/-/simple-concat-1.0.1.tgz#f46976082ba35c2263f1c8ab5edfe26c41c9552f" + integrity sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q== + +simple-get@^4.0.1: + version "4.0.1" + resolved "https://registry.yarnpkg.com/simple-get/-/simple-get-4.0.1.tgz#4a39db549287c979d352112fa03fd99fd6bc3543" + integrity sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA== + dependencies: + decompress-response "^6.0.0" + once "^1.3.1" + simple-concat "^1.0.0" + sisteransi@^1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/sisteransi/-/sisteransi-1.0.5.tgz#134d681297756437cc05ca01370d3a7a571075ed" @@ -4636,6 +4750,13 @@ string.prototype.trimstart@^1.0.6: define-properties "^1.1.4" es-abstract "^1.20.4" +string_decoder@^1.1.1: + version "1.3.0" + resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.3.0.tgz#42f114594a46cf1a8e30b0a84f56c78c3edac21e" + integrity sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA== + dependencies: + safe-buffer "~5.2.0" + stringify-entities@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/stringify-entities/-/stringify-entities-2.0.0.tgz#fa7ca6614b355fb6c28448140a20c4ede7462827" @@ -4960,6 +5081,11 @@ update-browserslist-db@^1.0.10: escalade "^3.1.1" picocolors "^1.0.0" +util-deprecate@^1.0.1: + version "1.0.2" + resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf" + integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw== + uuid@^8.3.2: version "8.3.2" resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2" From 35f08a8ee945816fcf550977183616a72fa8b2af Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 14:30:55 +0100 Subject: [PATCH 3/8] Add changeset version --- .changeset/green-dogs-change.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .changeset/green-dogs-change.md diff --git a/.changeset/green-dogs-change.md b/.changeset/green-dogs-change.md new file mode 100644 index 00000000..05a0e5d6 --- /dev/null +++ b/.changeset/green-dogs-change.md @@ -0,0 +1,10 @@ +--- +"@changesets/action": major +--- + +Start using GitHub API to push tags and commits to repos + +Rather than use local git commands to push changes to GitHub, +this action now uses the GitHub API directly, +which means that all tags and commits will be attributed to the user whose +GITHUB_TOKEN is used, and signed. From 72e31f001810a7fc085493975e42e6abc2276b73 Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 14:55:50 +0100 Subject: [PATCH 4/8] Allow tag publish to fail, assume it was manually published --- src/run.ts | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/src/run.ts b/src/run.ts index 46baf92f..66afe6b3 100644 --- a/src/run.ts +++ b/src/run.ts @@ -160,11 +160,16 @@ export async function runPublish({ const tagName = `${pkg.packageJson.name}@${pkg.packageJson.version}`; // Tag will only be created locally, // Create it using the GitHub API so it's signed. - await octokit.rest.git.createRef({ - ...github.context.repo, - ref: `refs/tags/${tagName}`, - sha: github.context.sha, - }); + await octokit.rest.git + .createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }) + .catch((err) => { + // Assuming tag was manually pushed in custom publish script + core.warning(`Failed to create tag ${tagName}: ${err.message}`); + }); if (createGithubReleases) { await createRelease(octokit, { pkg, tagName }); } @@ -189,11 +194,16 @@ export async function runPublish({ const tagName = `v${pkg.packageJson.version}`; // Tag will only be created locally, // Create it using the GitHub API so it's signed. - await octokit.rest.git.createRef({ - ...github.context.repo, - ref: `refs/tags/${tagName}`, - sha: github.context.sha, - }); + await octokit.rest.git + .createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }) + .catch((err) => { + // Assuming tag was manually pushed in custom publish script + core.warning(`Failed to create tag ${tagName}: ${err.message}`); + }); if (createGithubReleases) { await createRelease(octokit, { pkg, tagName }); } From a8a756b58cf174afb4cd3265b9e02bb858d768ef Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 14:57:41 +0100 Subject: [PATCH 5/8] Add to changeset --- .changeset/thick-jars-chew.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/thick-jars-chew.md diff --git a/.changeset/thick-jars-chew.md b/.changeset/thick-jars-chew.md new file mode 100644 index 00000000..f5a3f095 --- /dev/null +++ b/.changeset/thick-jars-chew.md @@ -0,0 +1,5 @@ +--- +"@changesets/action": minor +--- + +Handle custom publish commands more gracefully From 50b4be2b5ce5350adb360d0ab15da3324e9976f5 Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sun, 25 Aug 2024 18:16:01 +0100 Subject: [PATCH 6/8] Update @s0/ghcommit --- .changeset/ninety-poems-explode.md | 5 +++++ package.json | 2 +- src/run.ts | 9 ++------- yarn.lock | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) create mode 100644 .changeset/ninety-poems-explode.md diff --git a/.changeset/ninety-poems-explode.md b/.changeset/ninety-poems-explode.md new file mode 100644 index 00000000..b5d592ff --- /dev/null +++ b/.changeset/ninety-poems-explode.md @@ -0,0 +1,5 @@ +--- +"@changesets/action": patch +--- + +Update to latest version of ghcommit diff --git a/package.json b/package.json index 8b829387..79716a3a 100644 --- a/package.json +++ b/package.json @@ -41,7 +41,7 @@ "@changesets/read": "^0.5.3", "@manypkg/get-packages": "^1.1.3", "@octokit/plugin-throttling": "^5.2.1", - "@s0/ghcommit": "^1.1.0", + "@s0/ghcommit": "^1.2.0", "fs-extra": "^8.1.0", "mdast-util-to-string": "^1.0.6", "remark-parse": "^7.0.1", diff --git a/src/run.ts b/src/run.ts index 66afe6b3..25b35c93 100644 --- a/src/run.ts +++ b/src/run.ts @@ -391,14 +391,9 @@ export async function runVersion({ await commitChangesFromRepo({ octokit, - owner: github.context.repo.owner, - repository: github.context.repo.repo, + ...github.context.repo, branch: versionBranch, - // TODO: switch this to use direct string input when supported - message: { - headline: finalCommitMessage.split("\n", 2)[0].trim(), - body: finalCommitMessage.split("\n", 2)[1]?.trim(), - }, + message: finalCommitMessage, base: { commit: github.context.sha, }, diff --git a/yarn.lock b/yarn.lock index b84975a8..33800a11 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1618,10 +1618,10 @@ dependencies: "@octokit/openapi-types" "^17.2.0" -"@s0/ghcommit@^1.1.0": - version "1.1.0" - resolved "https://registry.yarnpkg.com/@s0/ghcommit/-/ghcommit-1.1.0.tgz#789858feb3a9e9a799a6ce7abada988cd925c21f" - integrity sha512-1jEUzrfa9QvEdCaFicv2oc5ep9zFG4HE60vU48dIp+W1JzeOmPHOxNt9y5rE5TvXzTGAdLpoCvPnRrR6jCwFyw== +"@s0/ghcommit@^1.2.0": + version "1.2.0" + resolved "https://registry.yarnpkg.com/@s0/ghcommit/-/ghcommit-1.2.0.tgz#27b7e474653f98fb8126e249db929180b025082c" + integrity sha512-v3HlIX/OYWG32mT97JLPJQ2iCFI7hWtC2OONFoEAeiySAnbLhiToC1xlbT7fdlUcXTT2FktEJosfNbEbS9LniQ== dependencies: isomorphic-git "^1.27.1" From 67a10a13a7dd20a47115c415473f7c7dd8dc937c Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sat, 2 Nov 2024 11:05:38 +0000 Subject: [PATCH 7/8] Update ghcommit to fix missing ref bug --- package.json | 2 +- yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 79716a3a..fc3a84f1 100644 --- a/package.json +++ b/package.json @@ -41,7 +41,7 @@ "@changesets/read": "^0.5.3", "@manypkg/get-packages": "^1.1.3", "@octokit/plugin-throttling": "^5.2.1", - "@s0/ghcommit": "^1.2.0", + "@s0/ghcommit": "^1.2.1", "fs-extra": "^8.1.0", "mdast-util-to-string": "^1.0.6", "remark-parse": "^7.0.1", diff --git a/yarn.lock b/yarn.lock index 33800a11..007d3dcb 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1618,10 +1618,10 @@ dependencies: "@octokit/openapi-types" "^17.2.0" -"@s0/ghcommit@^1.2.0": - version "1.2.0" - resolved "https://registry.yarnpkg.com/@s0/ghcommit/-/ghcommit-1.2.0.tgz#27b7e474653f98fb8126e249db929180b025082c" - integrity sha512-v3HlIX/OYWG32mT97JLPJQ2iCFI7hWtC2OONFoEAeiySAnbLhiToC1xlbT7fdlUcXTT2FktEJosfNbEbS9LniQ== +"@s0/ghcommit@^1.2.1": + version "1.2.1" + resolved "https://registry.yarnpkg.com/@s0/ghcommit/-/ghcommit-1.2.1.tgz#b906c164c453de5deb776f265f0f591f6f299bce" + integrity sha512-bsW81c87V5P6Prn4lqxCoMlO4dot1RpcnyT1er4gE8ytFxY1cEMZUkTd4HGk+8wTS4hpYB4f/42WIYXP4gHPXg== dependencies: isomorphic-git "^1.27.1" From 893ba16eb15f436c0f29fa125b17858767f08f4e Mon Sep 17 00:00:00 2001 From: Sam Lanning Date: Sat, 2 Nov 2024 11:27:25 +0000 Subject: [PATCH 8/8] Make using GitHub API Optional Change this to a minor version bump, with a new feature that allows for using the GitHub API to create tags and commits. --- .changeset/green-dogs-change.md | 12 ++-- .changeset/ninety-poems-explode.md | 5 -- .changeset/thick-jars-chew.md | 5 -- README.md | 1 + action.yml | 7 ++ src/gitUtils.ts | 51 ++++++++++++++- src/index.ts | 4 ++ src/run.ts | 100 ++++++++++++++++++----------- 8 files changed, 131 insertions(+), 54 deletions(-) delete mode 100644 .changeset/ninety-poems-explode.md delete mode 100644 .changeset/thick-jars-chew.md diff --git a/.changeset/green-dogs-change.md b/.changeset/green-dogs-change.md index 05a0e5d6..4820bebb 100644 --- a/.changeset/green-dogs-change.md +++ b/.changeset/green-dogs-change.md @@ -1,10 +1,10 @@ --- -"@changesets/action": major +"@changesets/action": minor --- -Start using GitHub API to push tags and commits to repos +Introduce a new input commitUsingApi that allows pushing tags and commits +using the GitHub API instead of the git CLI. -Rather than use local git commands to push changes to GitHub, -this action now uses the GitHub API directly, -which means that all tags and commits will be attributed to the user whose -GITHUB_TOKEN is used, and signed. +When used, this means means that all tags and commits will be attributed +to the user whose GITHUB_TOKEN is used, +and also signed using GitHub's internal GPG key. diff --git a/.changeset/ninety-poems-explode.md b/.changeset/ninety-poems-explode.md deleted file mode 100644 index b5d592ff..00000000 --- a/.changeset/ninety-poems-explode.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@changesets/action": patch ---- - -Update to latest version of ghcommit diff --git a/.changeset/thick-jars-chew.md b/.changeset/thick-jars-chew.md deleted file mode 100644 index f5a3f095..00000000 --- a/.changeset/thick-jars-chew.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@changesets/action": minor ---- - -Handle custom publish commands more gracefully diff --git a/README.md b/README.md index cc7f703b..c531e98d 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This action for [Changesets](https://github.com/atlassian/changesets) creates a - title - The pull request title. Default to `Version Packages` - setupGitUser - Sets up the git user for commits as `"github-actions[bot]"`. Default to `true` - createGithubReleases - A boolean value to indicate whether to create Github releases after `publish` or not. Default to `true` +- commitUsingApi - A boolean value to indicate whether to use the GitHub API to push changes or not, so changes are GPG-signed. Default to `false` - cwd - Changes node's `process.cwd()` if the project is not located on the root. Default to `process.cwd()` ### Outputs diff --git a/action.yml b/action.yml index 86b97909..d067082e 100644 --- a/action.yml +++ b/action.yml @@ -28,6 +28,13 @@ inputs: description: "A boolean value to indicate whether to create Github releases after `publish` or not" required: false default: true + commitUsingApi: + description: > + A boolean value to indicate whether to push changes via Github API or not, + this will mean all commits and tags are signed using GitHub's GPG key, + and attributed to the user or app who owns the GITHUB_TOKEN + required: false + default: false branch: description: Sets the branch in which the action will run. Default to `github.ref_name` if not provided required: false diff --git a/src/gitUtils.ts b/src/gitUtils.ts index 16d9bf21..b15151ab 100644 --- a/src/gitUtils.ts +++ b/src/gitUtils.ts @@ -11,4 +11,53 @@ export const setupUser = async () => { "user.email", `"github-actions[bot]@users.noreply.github.com"`, ]); -}; \ No newline at end of file +}; + +export const pullBranch = async (branch: string) => { + await exec("git", ["pull", "origin", branch]); +}; + +export const push = async ( + branch: string, + { force }: { force?: boolean } = {} +) => { + await exec( + "git", + ["push", "origin", `HEAD:${branch}`, force && "--force"].filter( + Boolean as any + ) + ); +}; + +export const pushTags = async () => { + await exec("git", ["push", "origin", "--tags"]); +}; + +export const switchToMaybeExistingBranch = async (branch: string) => { + let { stderr } = await getExecOutput("git", ["checkout", branch], { + ignoreReturnCode: true, + }); + let isCreatingBranch = !stderr + .toString() + .includes(`Switched to a new branch '${branch}'`); + if (isCreatingBranch) { + await exec("git", ["checkout", "-b", branch]); + } +}; + +export const reset = async ( + pathSpec: string, + mode: "hard" | "soft" | "mixed" = "hard" +) => { + await exec("git", ["reset", `--${mode}`, pathSpec]); +}; + +export const commitAll = async (message: string) => { + await exec("git", ["add", "."]); + await exec("git", ["commit", "-m", message]); +}; + +export const checkIfClean = async (): Promise => { + const { stdout } = await getExecOutput("git", ["status", "--porcelain"]); + return !stdout.length; +}; diff --git a/src/index.ts b/src/index.ts index 194204dc..8b85e450 100644 --- a/src/index.ts +++ b/src/index.ts @@ -27,6 +27,8 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined; await gitUtils.setupUser(); } + const commitUsingApi = core.getBooleanInput("commitUsingApi"); + core.info("setting GitHub credentials"); await fs.writeFile( `${process.env.HOME}/.netrc`, @@ -88,6 +90,7 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined; script: publishScript, githubToken, createGithubReleases: core.getBooleanInput("createGithubReleases"), + commitUsingApi }); if (result.published) { @@ -109,6 +112,7 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined; prTitle: getOptionalInput("title"), commitMessage: getOptionalInput("commit"), hasPublishScript, + commitUsingApi, branch: getOptionalInput("branch"), }); diff --git a/src/run.ts b/src/run.ts index 25b35c93..c1ea9efd 100644 --- a/src/run.ts +++ b/src/run.ts @@ -101,6 +101,7 @@ type PublishOptions = { script: string; githubToken: string; createGithubReleases: boolean; + commitUsingApi: boolean; cwd?: string; }; @@ -119,6 +120,7 @@ export async function runPublish({ script, githubToken, createGithubReleases, + commitUsingApi, cwd = process.cwd(), }: PublishOptions): Promise { const octokit = setupOctokit(githubToken); @@ -131,6 +133,10 @@ export async function runPublish({ { cwd } ); + if (!commitUsingApi) { + await gitUtils.pushTags(); + } + let { packages, tool } = await getPackages(cwd); let releasedPackages: Package[] = []; @@ -158,21 +164,21 @@ export async function runPublish({ await Promise.all( releasedPackages.map(async (pkg) => { const tagName = `${pkg.packageJson.name}@${pkg.packageJson.version}`; - // Tag will only be created locally, - // Create it using the GitHub API so it's signed. - await octokit.rest.git - .createRef({ - ...github.context.repo, - ref: `refs/tags/${tagName}`, - sha: github.context.sha, - }) - .catch((err) => { - // Assuming tag was manually pushed in custom publish script - core.warning(`Failed to create tag ${tagName}: ${err.message}`); - }); - if (createGithubReleases) { - await createRelease(octokit, { pkg, tagName }); + if (commitUsingApi) { + // Tag will usually only be created locally, + // Create it using the GitHub API so it's signed. + await octokit.rest.git + .createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }) + .catch((err) => { + // Assuming tag was manually pushed in custom publish script + core.warning(`Failed to create tag ${tagName}: ${err.message}`); + }); } + await createRelease(octokit, { pkg, tagName }); }) ); } @@ -191,20 +197,22 @@ export async function runPublish({ if (match) { releasedPackages.push(pkg); - const tagName = `v${pkg.packageJson.version}`; - // Tag will only be created locally, - // Create it using the GitHub API so it's signed. - await octokit.rest.git - .createRef({ - ...github.context.repo, - ref: `refs/tags/${tagName}`, - sha: github.context.sha, - }) - .catch((err) => { - // Assuming tag was manually pushed in custom publish script - core.warning(`Failed to create tag ${tagName}: ${err.message}`); - }); if (createGithubReleases) { + const tagName = `v${pkg.packageJson.version}`; + if (commitUsingApi) { + // Tag will only be created locally, + // Create it using the GitHub API so it's signed. + await octokit.rest.git + .createRef({ + ...github.context.repo, + ref: `refs/tags/${tagName}`, + sha: github.context.sha, + }) + .catch((err) => { + // Assuming tag was manually pushed in custom publish script + core.warning(`Failed to create tag ${tagName}: ${err.message}`); + }); + } await createRelease(octokit, { pkg, tagName }); } break; @@ -320,6 +328,7 @@ type VersionOptions = { commitMessage?: string; hasPublishScript?: boolean; prBodyMaxCharacters?: number; + commitUsingApi: boolean; branch?: string; }; @@ -335,6 +344,7 @@ export async function runVersion({ commitMessage = "Version Packages", hasPublishScript = false, prBodyMaxCharacters = MAX_CHARACTERS_PER_MESSAGE, + commitUsingApi, branch, }: VersionOptions): Promise { const octokit = setupOctokit(githubToken); @@ -345,6 +355,11 @@ export async function runVersion({ let { preState } = await readChangesetState(cwd); + if (!commitUsingApi) { + await gitUtils.switchToMaybeExistingBranch(versionBranch); + await gitUtils.reset(github.context.sha); + } + let versionsByDirectory = await getVersionsByDirectory(cwd); if (script) { @@ -389,16 +404,27 @@ export async function runVersion({ !!preState ? ` (${preState.tag})` : "" }`; - await commitChangesFromRepo({ - octokit, - ...github.context.repo, - branch: versionBranch, - message: finalCommitMessage, - base: { - commit: github.context.sha, - }, - force: true, - }); + if (commitUsingApi) { + await commitChangesFromRepo({ + octokit, + ...github.context.repo, + branch: versionBranch, + message: finalCommitMessage, + base: { + commit: github.context.sha, + }, + force: true, + }); + } else { + // project with `commit: true` setting could have already committed files + if (!(await gitUtils.checkIfClean())) { + await gitUtils.commitAll(finalCommitMessage); + } + } + + if (!commitUsingApi) { + await gitUtils.push(versionBranch, { force: true }); + } let existingPullRequests = await existingPullRequestsPromise; core.info(JSON.stringify(existingPullRequests.data, null, 2));