From 62d3184f4ba93cd697663a3ae69bc79afe4fbdbe Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Mon, 17 Nov 2025 13:09:23 +0100
Subject: [PATCH 1/3] chore: refactor workflows
Signed-off-by: Ruben Romero Montes
---
 .github/workflows/integration.yml | 13 ++-
 .github/workflows/publish-prerelease.yml | 81 --------------
 .github/workflows/publish-release.yml | 112 -------------------
 .github/workflows/publish-switch.yml | 34 ------
 .github/workflows/publish.yml | 130 +++++++++++++++++++++++
 .github/workflows/release.yml | 112 +++++++++++++++++--
 .github/workflows/stage.yml | 128 ----------------------
 .github/workflows/{pr.yml => test.yml} | 12 ++-
 8 files changed, 254 insertions(+), 368 deletions(-)
 delete mode 100644 .github/workflows/publish-prerelease.yml
 delete mode 100644 .github/workflows/publish-release.yml
 delete mode 100644 .github/workflows/publish-switch.yml
 create mode 100644 .github/workflows/publish.yml
 delete mode 100644 .github/workflows/stage.yml
 rename .github/workflows/{pr.yml => test.yml} (94%)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index e8462a3..4a5841a 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -1,8 +1,12 @@
 # yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 ---
-name: Integration
+name: Integration Tests
 on:
+ workflow_run:
+ workflows: ["Test"]
+ types:
+ - completed
 workflow_dispatch:
 pull_request:
 branches:
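Review bot: The `workflow_run` trigger added under `on:` has no `branches:` filter, so this workflow starts after every completed Test run, and Test runs on `pull_request` as well as on pushes to `main` (see the test.yml hunk in this patch); since the `pull_request:` trigger is kept here too, a pull request now runs the integration suite twice, once directly and once after Test completes. The `workflow_run` path also runs in the base repository's context with its secrets for a Test run that came from a fork pull request. If the chained trigger is only meant for post-merge runs, add `branches: [main]` under `workflow_run:` as publish.yml does, so pull requests keep the direct path only.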
@@ -14,8 +18,13 @@ concurrency:
 jobs:
 call-shared:
+ # Only run if the test workflow succeeded, or if triggered directly
+ if: |
+ (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
+ github.event_name == 'workflow_dispatch' ||
+ github.event_name == 'pull_request'
 uses: trustification/exhort-integration-tests/.github/workflows/integration.yml@main
 with:
 language: javascript
 repo-url: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
- commit-sha: ${{ github.event.pull_request.head.sha || github.sha }}
+ commit-sha: ${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}
diff --git a/.github/workflows/publish-prerelease.yml b/.github/workflows/publish-prerelease.yml
deleted file mode 100644
index bd0091d..0000000
--- a/.github/workflows/publish-prerelease.yml
+++ /dev/null
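Review bot: `repo-url` was not updated alongside `commit-sha`: for the new `workflow_run` case it falls back to `github.repository`, while `commit-sha` now takes `github.event.workflow_run.head_sha`, so a Test run triggered from a fork pull request hands the reusable workflow the fork's commit paired with the upstream repository name. Whether that SHA can be fetched from the upstream repository depends on how the called workflow checks it out, which is outside this patch. The matching expression is `repo-url: ${{ github.event.workflow_run.head_repository.full_name || github.event.pull_request.head.repo.full_name || github.repository }}`.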
@@ -1,81 +0,0 @@ -# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json ---- -name: Publish Prerelease - -on: - workflow_call: - inputs: - ref: - description: 'Git ref to publish' - required: true - type: string - -jobs: - publish: - runs-on: ubuntu-latest - environment: staging - name: Publish prerelease to NPM - permissions: - contents: write - id-token: write - steps: - - name: Checkout sources - uses: actions/checkout@v4 - with: - ref: ${{ inputs.ref }} - fetch-depth: 0 - - - name: Install node 24 - uses: actions/setup-node@v5 - with: - node-version: 24 - cache: npm - - - name: Update npm - run: npm install -g npm@latest - - - name: Configure git - run: | - git config user.name "${{ github.actor }}" - git config user.email "${{ github.actor }}@users.noreply.github.com" - - - name: Update package with new version - id: bump - run: | - echo "version=$(npm version prerelease --no-git-tag-version --preid ea)" >> "$GITHUB_OUTPUT" - - - name: Install project modules - run: npm ci - - - name: Compile project - run: npm run compile - - - name: Publish package - env: - NPM_CONFIG_PROVENANCE: true - run: npm publish --verbose --tag prerelease - - - name: Commit and push package modifications - run: | - git add package.json - git add package-lock.json - git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]" - git push - - - name: Create and push new tag - run: | - git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}" - git push origin ${{ steps.bump.outputs.version }} - - - name: Create a release - uses: actions/github-script@v6.4.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const repo_name = context.payload.repository.full_name - const response = await github.request('POST /repos/' + repo_name + '/releases', { - tag_name: '${{ steps.bump.outputs.version }}', - name: '${{ steps.bump.outputs.version }}', - prerelease: true, - generate_release_notes: true - }) 
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
deleted file mode 100644
index 0e86c4a..0000000
--- a/.github/workflows/publish-release.yml
+++ /dev/null
@@ -1,112 +0,0 @@ -# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json ---- -name: Publish Release - -on: - workflow_call: - inputs: - ref: - description: 'Git ref to publish' - required: true - type: string - version_type: - description: 'Type of version bump' - required: true - type: string - -jobs: - publish: - runs-on: ubuntu-latest - environment: staging - name: Publish release to NPM - permissions: - contents: write - id-token: write - steps: - - name: Checkout sources - uses: actions/checkout@v4 - with: - ref: ${{ inputs.ref }} - fetch-depth: 0 - - - name: Install node 24 - uses: actions/setup-node@v5 - with: - node-version: 24 - cache: npm - - - name: Update npm - run: npm install -g npm@latest - - - name: Configure git - run: | - git config user.name "${{ github.actor }}" - git config user.email "${{ github.actor }}@users.noreply.github.com" - - - name: Get previous released annotated tag - id: last-release - run: | - echo "base-tag=$(git describe | awk -F '-' '{print $1}')" >> "$GITHUB_OUTPUT" - echo "full-tag=$(git describe)" >> "$GITHUB_OUTPUT" - - - name: Get first tag in current development iteration - id: fetch-tag - if: contains(steps.last-release.outputs.full-tag , '-ea.') - run: | - echo "oldest-tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ${{ steps.last-release.outputs.base-tag }} | head -n 1)" >> "$GITHUB_OUTPUT" - - - name: Update package with new version - id: bump - run: | - echo "version=$(npm version ${{ inputs.version_type }} --no-git-tag-version )" >> "$GITHUB_OUTPUT" - - - name: Install project modules - run: npm ci - - - name: Compile project - run: npm run compile - - - name: Publish package - env: - NPM_CONFIG_PROVENANCE: true - run: npm publish --verbose - - - name: Commit and push package modifications - run: | - git add package.json - git add package-lock.json - git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]" - git push 
- - - name: Create and push new tag - run: | - git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}" - git push origin ${{ steps.bump.outputs.version }} - - - name: Create release notes - uses: actions/github-script@v6 - id: release-notes - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const repo_name = context.payload.repository.full_name - const response = await github.request('POST /repos/' + repo_name + '/releases/generate-notes', { - tag_name: '${{ steps.bump.outputs.version }}', - previous_tag_name: '${{ steps.fetch-tag.outputs.oldest-tag != '' && steps.fetch-tag.outputs.oldest-tag || steps.last-release.outputs.base-tag }}' - }) - return response.data.body - - - name: Create a release - uses: actions/github-script@v6.4.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const repo_name = context.payload.repository.full_name - const response = await github.request('POST /repos/' + repo_name + '/releases', { - tag_name: '${{ steps.bump.outputs.version }}', - name: '${{ steps.bump.outputs.version }}', - draft: false, - body: ${{ steps.release-notes.outputs.result }}, - prerelease: false, - make_latest: 'true' - })
diff --git a/.github/workflows/publish-switch.yml b/.github/workflows/publish-switch.yml
deleted file mode 100644
index 24dc215..0000000
--- a/.github/workflows/publish-switch.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json ---- -name: Publish Switch - -on: - workflow_call: - inputs: - ref: - description: 'Git ref to publish' - required: true - type: string - is_prerelease: - description: 'Whether to publish as prerelease' - required: true - type: boolean - version_type: - description: 'Type of version bump (patch/minor/major/prerelease)' - required: false - type: string - default: 'prerelease' - -jobs: - prerelease: - if: inputs.is_prerelease == true || inputs.is_prerelease == 'true' - uses: ./.github/workflows/publish-prerelease.yml - with: - ref: ${{ inputs.ref || github.ref }} - - release: - if: inputs.is_prerelease == false || inputs.is_prerelease == 'false' - uses: ./.github/workflows/publish-release.yml - with: - ref: ${{ inputs.ref || github.ref }} - version_type: ${{ inputs.version_type || 'patch' }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..6fc551f
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,130 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
+name: Publish
+
+on:
+ workflow_run:
+ workflows: ["Integration Tests"]
+ types:
+ - completed
+ branches:
+ - main
+ push:
+ tags:
+ - 'v*.*.*'
+ - '*.*.*'
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ publish-ea:
+ if: |
+ github.event_name == 'workflow_run' &&
+ github.event.workflow_run.head_branch == 'main'
+ runs-on: ubuntu-latest
+ name: Publish EA release to NPM
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+ fetch-depth: 0
+
+ - name: Install node 24
+ uses: actions/setup-node@v5
+ with:
+ node-version: 24
+ cache: npm
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Update npm
+ run: npm install -g npm@latest
+
+ - name: Configure git
+ run: |
+ git config user.name "${{ github.actor }}"
+ git config user.email "${{ github.actor }}@users.noreply.github.com"
+
+ - name: Get current version
+ id: current-version
+ run: |
+ VERSION=$(node -p "require('./package.json').version")
+ # Remove both -ea.
and -ea- formats for compatibility
+ BASE_VERSION=$(echo "$VERSION" | sed -E 's/-ea[.-][0-9]+$//')
+ echo "base-version=$BASE_VERSION" >> "$GITHUB_OUTPUT"
+ echo "current-version=$VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Update package with EA version
+ id: bump
+ run: |
+ EA_VERSION="${{ steps.current-version.outputs.base-version }}-ea-${{ github.run_number }}"
+ npm version "$EA_VERSION" --no-git-tag-version
+ echo "version=$EA_VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Install project modules
+ run: npm ci
+
+ - name: Compile project
+ run: npm run compile
+
+ - name: Publish package
+ run: npm publish --verbose --tag ea --access public --provenance
+
+ - name: Commit and push package modifications
+ run: |
+ git add package.json
+ git add package-lock.json
+ git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]"
+ git push
+
+ - name: Create and push new tag
+ run: |
+ git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}"
+ git push origin ${{ steps.bump.outputs.version }}
+
+ publish-release:
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ runs-on: ubuntu-latest
+ name: Publish release to NPM
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref }}
+ fetch-depth: 0
+
+ - name: Install node 24
+ uses: actions/setup-node@v5
+ with:
+ node-version: 24
+ cache: npm
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Update npm
+ run: npm install -g npm@latest
+
+ - name: Get tag name
+ id: tag
+ run: |
+ TAG_NAME=${GITHUB_REF#refs/tags/}
+ echo "name=$TAG_NAME" >> "$GITHUB_OUTPUT"
+
+ - name: Update package.json with tag version
+ id: update-version
+ run: |
+ TAG_NAME="${{ steps.tag.outputs.name }}"
+ # Remove 'v' prefix if present
+ VERSION=${TAG_NAME#v}
+ npm version "$VERSION" --no-git-tag-version
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Install project modules
+ run: npm ci
+
+ - name: Compile project
+ run: npm
run compile
+
+ - name: Publish package
+ run: npm publish --verbose --access public --provenance
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d74886e..903bf42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
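Review bot: The `if:` on `publish-ea` gates only on the event name and `head_branch == 'main'`; unlike the integration.yml hunk it never checks `github.event.workflow_run.conclusion == 'success'`, so an Integration Tests run that failed on `main` still publishes an EA package to npm. `head_branch` is also the pull-request head branch for runs that Integration Tests started from a `pull_request` event, so a fork branch named `main` would, as far as I can tell, pass both the `branches: [main]` filter and this condition; checking `workflow_run.event == 'push'` and `head_repository.full_name == github.repository` closes that. Separately, the checkout uses `ref: ${{ github.event.workflow_run.head_sha }}`, which leaves a detached HEAD, so the bare `git push` in "Commit and push package modifications" has no branch to push to and fails; push an explicit refspec. The `publish-release` job pushes nothing yet inherits the workflow-level `contents: write`; a job-level `permissions:` block with `id-token: write` and `contents: read` would be the least-privilege form.

```yaml
  publish-ea:
    if: |
      github.event_name == 'workflow_run' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    # … unchanged: runs-on, name, checkout, node setup, version bump, npm publish …
      - name: Commit and push package modifications
        run: |
          git add package.json
          git add package-lock.json
          git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]"
          git push origin HEAD:main
```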
@@ -15,10 +15,110 @@ on:
 - minor
 - major
+permissions:
+ contents: write
+
 jobs:
-publish-release:
- uses: ./.github/workflows/publish-switch.yml
- with:
- ref: ${{ github.ref }}
- is_prerelease: false
- version_type: ${{ inputs.version_type }}
+ create-release:
+ runs-on: ubuntu-latest
+ name: Create release
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install node 24
+ uses: actions/setup-node@v5
+ with:
+ node-version: 24
+ cache: npm
+
+ - name: Configure git
+ run: |
+ git config user.name "${{ github.actor }}"
+ git config user.email "${{ github.actor }}@users.noreply.github.com"
+
+ - name: Get previous released annotated tag
+ id: last-release
+ run: |
+ # Get the latest tag that doesn't have -ea suffix (handles both -ea. and -ea- formats)
+ TAG=$(git tag -l --sort=-version:refname | grep -vE -- '-ea[.-]' | head -n 1)
+ if [ -z "$TAG" ]; then
+ # If no release tag exists, use the base version from package.json
+ BASE_VERSION=$(node -p "require('./package.json').version" | sed -E 's/-ea[.-][0-9]+$//')
+ echo "base-tag=$BASE_VERSION" >> "$GITHUB_OUTPUT"
+ echo "full-tag=$BASE_VERSION" >> "$GITHUB_OUTPUT"
+ else
+ echo "base-tag=$TAG" >> "$GITHUB_OUTPUT"
+ echo "full-tag=$TAG" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Get first tag in current development iteration
+ id: fetch-tag
+ run: |
+ BASE_TAG="${{ steps.last-release.outputs.base-tag }}"
+ # Find the oldest EA tag for this base version (handles both -ea. and -ea- formats)
+ OLDEST_EA_TAG=$(git tag -l --sort=creatordate | grep -E "^${BASE_TAG}-ea[.-]" | head -n 1)
+ if [ -n "$OLDEST_EA_TAG" ]; then
+ echo "oldest-tag=$OLDEST_EA_TAG" >> "$GITHUB_OUTPUT"
+ else
+ echo "oldest-tag=$BASE_TAG" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Update package with new version
+ id: bump
+ run: |
+ # Get base version (remove -ea suffix if present, handles both -ea.
and -ea- formats)
+ BASE_VERSION=$(node -p "require('./package.json').version" | sed -E 's/-ea[.-][0-9]+$//')
+ # Bump the version
+ NEW_VERSION=$(npm version ${{ inputs.version_type }} --no-git-tag-version | sed 's/v//')
+ echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Install project modules
+ run: npm ci
+
+ - name: Commit and push package modifications
+ run: |
+ git add package.json
+ git add package-lock.json
+ git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]"
+ git push
+
+ - name: Create and push new tag
+ run: |
+ git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}"
+ git push origin ${{ steps.bump.outputs.version }}
+
+ - name: Create release notes
+ uses: actions/github-script@v6
+ id: release-notes
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const repo_name = context.payload.repository.full_name
+ const previousTag = '${{ steps.fetch-tag.outputs.oldest-tag }}'
+ const currentTag = '${{ steps.bump.outputs.version }}'
+
+ const response = await github.request('POST /repos/' + repo_name + '/releases/generate-notes', {
+ tag_name: currentTag,
+ previous_tag_name: previousTag || undefined
+ })
+ return response.data.body
+
+ - name: Create a release
+ uses: actions/github-script@v6
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const repo_name = context.payload.repository.full_name
+ const response = await github.request('POST /repos/' + repo_name + '/releases', {
+ tag_name: '${{ steps.bump.outputs.version }}',
+ name: '${{ steps.bump.outputs.version }}',
+ draft: false,
+ body: ${{ steps.release-notes.outputs.result }},
+ prerelease: false,
+ make_latest: 'true'
+ })
+
diff --git a/.github/workflows/stage.yml b/.github/workflows/stage.yml
deleted file mode 100644
index 70f8b7f..0000000
--- a/.github/workflows/stage.yml
+++ /dev/null
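Review bot: The tag pushed by "Create and push new tag" uses the credential stored by checkout, which is explicitly `token: ${{ secrets.GITHUB_TOKEN }}`, and GitHub does not start workflow runs for events produced with that token, so the `push: tags:` trigger in publish.yml will not fire for this tag and `publish-release` never runs from this workflow. Either check out with an App or deploy-key credential (`token: ${{ secrets.<RELEASE_PUSH_TOKEN> }}`, placeholder name) or have this job call the publish workflow directly through `workflow_call`. In the bump step `BASE_VERSION` is computed and never read, and `sed 's/v//'` deletes the first `v` anywhere in the output rather than a leading one; `NEW_VERSION=$(npm version ${{ inputs.version_type }} --no-git-tag-version)` followed by `NEW_VERSION=${NEW_VERSION#v}` is the exact form. When no release tag exists yet, `last-release` emits the package.json version as `base-tag` and `fetch-tag` forwards it as `previous_tag_name` although it is not a tag; I would expect the generate-notes call to reject it, so that first-release path needs verifying.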
@@ -1,128 +0,0 @@ -# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json ---- -name: Stage - -on: - pull_request_target: - types: - - closed - - branches: - - main - - 'release/*' - - paths: - - "src/**" - - "test/**" - - "package-lock.json" - - "package.json" - - "tsconfig.json" - - ".github/workflows/stage.yml" - - ".github/workflows/publish-prerelease.yml" - - ".github/workflows/publish-switch.yml" - - "docker-image/**" - -permissions: - contents: write - id-token: write - -jobs: - test: - runs-on: ubuntu-latest - if: github.repository_owner == 'guacsec' && github.event.pull_request.merged == true && !startsWith(github.head_ref, 'release/') - name: Test before staging - steps: - - name: Checkout sources - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install node 24 - uses: actions/setup-node@v5 - with: - node-version: 24 - cache: npm - - - name: Update npm - run: npm install -g npm@latest - - - name: Enable Corepack - run: corepack enable - - - name: Prepare Yarn - run: corepack prepare yarn@4.9.1 --activate - - - name: Prepare PNPM - run: corepack prepare pnpm@latest --activate - - - name: Setup Java 17 - uses: actions/setup-java@v4 - with: - distribution: temurin - java-version: 17 - cache: maven - - - name: setup go - uses: actions/setup-go@v5 - with: - go-version: '1.20.1' - - - name: Setup Gradle - uses: gradle/gradle-build-action@v3 - - - name: Setup syft - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: anchore/syft - platform: linux - arch: amd64 - - - name: Setup skopeo - run: sudo apt update && sudo apt-get -y install skopeo - - - name: Install project modules - run: npm ci - - - name: Compile project - run: npm run compile - - - name: Check if re-test is needed - id: test-check - uses: zvigrinberg/git-retest-checkup-action@v1.1 - with: - base-ref: ${{ github.base_ref }} - pr-ref: ${{ github.head_ref }} - file-pattern-regex: "^src/.*|^test/.*" - - - name: setup Python - uses: 
actions/setup-python@v4 - if: steps.test-check.outputs.retest-is-needed == 'true' - with: - python-version: '3.9' - cache: 'pip' - - - name: get Python location - id: python-location - run: | - echo "python-bin-location=$(echo $pythonLocation)/bin" >> $GITHUB_OUTPUT - - - name: re-test Unit-Tests + Integration Tests - if: steps.test-check.outputs.retest-is-needed == 'true' - env: - TRIGGERING_FILE: ${{ steps.test-check.outputs.triggering-file}} - TRUSTIFY_DA_DEV_MODE: 'true' - DEV_TRUSTIFY_DA_BACKEND_URL: 'https://exhort.stage.devshift.net' - run: | - echo "Re-test was triggered!!, triggering changed file - $TRIGGERING_FILE" - echo "Running Again Unit-tests =>" - npm run test - echo "Running Again Integration tests =>" - npm run integration-tests - - publish-prerelease: - needs: test - uses: ./.github/workflows/publish-switch.yml - with: - ref: ${{ github.sha }} - is_prerelease: true - version_type: prerelease
diff --git a/.github/workflows/pr.yml b/.github/workflows/test.yml
similarity index 94%
rename from .github/workflows/pr.yml
rename to .github/workflows/test.yml
index da740af..afc48de 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/test.yml
@@ -1,12 +1,14 @@
 # yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 ---
-name: Pull request build
+name: Test
 on:
 pull_request:
 branches:
 - main
- - 'release/*'
+ push:
+ branches:
+ - main
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,9 +20,9 @@ jobs:
 name: Lint and test project
 strategy:
 matrix:
- node: ['18', 'latest']
+ node: ['24', 'latest']
 env:
- MAIN_NODE_VER: '18'
+ MAIN_NODE_VER: '24'
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
@@ -72,7 +74,6 @@ jobs:
 repo: anchore/syft
 platform: linux
 arch: amd64
- # tag: the latest one, so we can catch changes
 - name: Setup skopeo
 run: sudo apt update && sudo apt-get -y install skopeo
@@ -113,3 +114,4 @@ jobs:
 with:
 name: coverage
 path: ./coverage/coverage-final.json
+
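Review bot: The first test.yml hunk drops `- 'release/*'` from the `pull_request` branch filter, so pull requests against release branches no longer run lint and tests, and since Integration Tests is now chained from this workflow through `workflow_run` (integration.yml hunk) they lose that coverage as well; if release branches are still in use, keep `- 'release/*'` under `pull_request:` (and under `push:` if merges to them should be tested too). The last hunk adds an empty line after `path: ./coverage/coverage-final.json`, which leaves a trailing blank line at end of file that yamllint's `empty-lines` rule reports; drop it.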
From 94273adfb828b4babf5b024b54bbeb6c2629136e Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Mon, 17 Nov 2025 13:25:05 +0100
Subject: [PATCH 2/3] fix: only the release should create the tag
Signed-off-by: Ruben Romero Montes
---
 .github/workflows/publish.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6fc551f..a4fc8d7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -79,11 +79,6 @@ jobs:
 git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]"
 git push
- - name: Create and push new tag
- run: |
- git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}"
- git push origin ${{ steps.bump.outputs.version }}
-
 publish-release:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
From 38519b1d58e358f6d47efbcadfed3117f7dd4c1c Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Mon, 17 Nov 2025 13:51:30 +0100
Subject: [PATCH 3/3] fix: add more node versions to the matrix
Signed-off-by: Ruben Romero Montes
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index afc48de..d8b4eb6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,7 +20,7 @@ jobs:
 name: Lint and test project
 strategy:
 matrix:
- node: ['24', 'latest']
+ node: ['18', '20', '24', 'latest']
 env:
 MAIN_NODE_VER: '24'
 steps:
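Review bot: `'18'` re-enters the `node` matrix in the PATCH 3/3 hunk although Node.js 18 reached end-of-life in April 2025 and no longer receives security fixes, while `MAIN_NODE_VER` stays at `'24'`. If the package still supports Node 18 this is deliberate and deserves an inline comment on that line saying so; otherwise `node: ['20', '22', '24', 'latest']` covers the maintained lines. `'latest'` remains a floating target, so a failure on it may reflect a new Node release rather than a regression in this change.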