diff --git a/.github/workflows/analyze-commits.yml b/.github/workflows/analyze-commits.yml
index 2407b59..79b327b 100644
--- a/.github/workflows/analyze-commits.yml
+++ b/.github/workflows/analyze-commits.yml
@@ -38,7 +38,7 @@ jobs:
 fi
 - if: ${{ env.PACKAGE_MANAGER == 'pnpm' }}
 name: 'Install pnpm'
- uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0
+ uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371
 with:
 version: 8
 - name: 'Install latest node version'
@@ -61,7 +61,7 @@ jobs:
 echo "EOF" >> $GITHUB_OUTPUT
 shell: bash
 - if: ${{ failure() && steps.commitlint.outcome == 'failure' }}
- uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
 with:
 header: Commitlint
 recreate: true
@@ -81,7 +81,7 @@ jobs:
 ### Commitlint Errors
 ${{ steps.commitlint_formatted_results.outputs.formatted }}
 - if: ${{ success() }}
- uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
 with:
 header: Commitlint
 hide: true
@@ -104,7 +104,7 @@ jobs:
 uses: fingerprintjs/action-semantic-release-info@v1
 - if: ${{ steps.semantic_release_info.outputs.no_release == 'false' }}
 name: Add comment to the PR
- uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
 with:
 header: ReleasePreview
 recreate: true
@@ -114,7 +114,7 @@ jobs:
 ${{steps.semantic_release_info.outputs.notes}}
 - if: ${{ steps.semantic_release_info.outputs.no_release == 'true' }}
 name: Add comment to the PR
- uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
 with:
 header: ReleasePreview
 recreate: true
diff --git a/.github/workflows/build-typescript-project.yml b/.github/workflows/build-typescript-project.yml index 8b7b3c4..2df9495 100644 --- a/.github/workflows/build-typescript-project.yml +++ b/.github/workflows/build-typescript-project.yml @@ -52,7 +52,7 @@ jobs: - if: ${{ env.PACKAGE_MANAGER == 'pnpm' }} name: 'Install pnpm' - uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0 + uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371 with: version: 8 diff --git a/.github/workflows/coverage-diff.yml b/.github/workflows/coverage-diff.yml index ab21f0a..bb599a5 100644 --- a/.github/workflows/coverage-diff.yml +++ b/.github/workflows/coverage-diff.yml @@ -37,7 +37,7 @@ jobs: - if: ${{ env.PACKAGE_MANAGER == 'pnpm' }} name: 'Install pnpm' - uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0 + uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371 with: version: 8 @@ -66,14 +66,14 @@ jobs: - name: Jest coverage comment id: coverage - uses: ArtiomTr/jest-coverage-report-action@df2b025553c31d68f84be6337843e277e2576844 + uses: ArtiomTr/jest-coverage-report-action@c026e98ae079f4b0b027252c8e957f5ebd420610 with: package-manager: ${{ env.PACKAGE_MANAGER }} output: report-markdown test-script: ${{ inputs.testScript }} - name: Add comment with coverage report - uses: marocchino/sticky-pull-request-comment@adca94abcaf73c10466a71cc83ae561fd66d1a56 + uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 with: message: | ${{ steps.coverage.outputs.report }} diff --git a/.github/workflows/docs-and-coverage.yml b/.github/workflows/docs-and-coverage.yml index aaca4fa..1200718 100644 --- a/.github/workflows/docs-and-coverage.yml +++ b/.github/workflows/docs-and-coverage.yml 
@@ -45,7 +45,7 @@ jobs: - if: ${{ env.PACKAGE_MANAGER == 'pnpm' }} name: 'Install pnpm' - uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0 + uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371 with: version: 8 @@ -73,7 +73,7 @@ jobs: run: $PACKAGE_MANAGER test:coverage - name: Create Coverage Badges - uses: jaywcjlove/coverage-badges-cli@e07f25709cd25486855c1ba1b26da53576ff3620 + uses: jaywcjlove/coverage-badges-cli@df58615045079f1c827de7867044bbab3ec22b43 with: source: coverage/coverage-summary.json output: coverage/lcov-report/badges.svg @@ -84,7 +84,7 @@ jobs: ${{ inputs.prepare-gh-pages-commands }} - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@8817a56e5bfec6e2b08345c81f4d422db53a2cdc + uses: JamesIves/github-pages-deploy-action@65b5dfd4f5bcd3a7403bbc2959c144256167464e with: branch: gh-pages folder: gh-pages diff --git a/.github/workflows/release-dx-packages.yml b/.github/workflows/release-dx-packages.yml index b1b8659..8f30713 100644 --- a/.github/workflows/release-dx-packages.yml +++ b/.github/workflows/release-dx-packages.yml @@ -17,7 +17,7 @@ jobs: uses: actions/checkout@v4 - name: Install pnpm - uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0 + uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371 with: version: 8 diff --git a/.github/workflows/release-server-sdk.yml b/.github/workflows/release-server-sdk.yml index a3edf7a..16eb709 100644 --- a/.github/workflows/release-server-sdk.yml +++ b/.github/workflows/release-server-sdk.yml 
@@ -23,10 +23,17 @@ on: description: 'Additional plugins to install for the semantic-release action.' required: false type: string + appId: + type: string + required: false + description: 'GitHub app id for release process.' secrets: GH_RELEASE_TOKEN: description: 'GitHub token with permissions to create releases and perform other necessary operations.' required: true + APP_PRIVATE_KEY: + description: 'GitHub App token to request GitHub token.' + required: false PYPI_TOKEN: description: 'PyPI token used for publishing Python packages. Required only for Python projects.' required: false @@ -89,7 +96,7 @@ jobs: run: ${{ inputs.prepare-command }} - name: 'Semantic Release' - uses: cycjimmy/semantic-release-action@91ab76a4a393a8d0c4739e9aea1818b56bc953ea + uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 with: extra_plugins: | @semantic-release/exec@6.0.3 diff --git a/.github/workflows/release-typescript-project.yml b/.github/workflows/release-typescript-project.yml index c9ad734..a2cdc8e 100644 --- a/.github/workflows/release-typescript-project.yml +++ b/.github/workflows/release-typescript-project.yml 
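Review bot: The new `appId` input and `APP_PRIVATE_KEY` secret are declared in release-server-sdk.yml but nothing in this file consumes them: its only other hunk bumps the semantic-release pin, and `GH_RELEASE_TOKEN` stays `required: true`. A caller following the updated README example, which passes `APP_PRIVATE_KEY` and drops `GH_RELEASE_TOKEN`, would therefore be missing a required secret, and a caller passing both would still release with the static token. Either add the 'Get token for the GitHub App' step and the conditional `GITHUB_TOKEN` expression used in release-typescript-project.yml and set `GH_RELEASE_TOKEN` to `required: false`, or hold the README change back until the workflow supports it. The description `'GitHub App token to request GitHub token.'` also mislabels the secret, here and in release-typescript-project.yml; `description: 'GitHub App private key (PEM) used to mint a short-lived release token.'` states what is actually stored. The `inputs` and `secrets` maps start outside this hunk.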
@@ -10,15 +10,24 @@ on: runAfterInstall: type: string required: false - description: Commands to run after installing dependencies. + description: 'Commands to run after installing dependencies' distFolderNeedForRelease: type: boolean required: false - description: Flag that we need `dist` folder to start release process + description: 'Flag that we need `dist` folder to start release process' + appId: + type: string + required: false + description: 'GitHub app id for release process' secrets: GH_RELEASE_TOKEN: - required: true + description: 'GitHub token with permissions to create releases and perform other necessary operations' + required: false + APP_PRIVATE_KEY: + description: 'GitHub App token to request GitHub token' + required: false NPM_AUTH_TOKEN: + description: 'NPM authentication token for publishing packages' required: false jobs: @@ -54,7 +63,7 @@ jobs: - if: ${{ env.PACKAGE_MANAGER == 'pnpm' }} name: 'Install pnpm' - uses: pnpm/action-setup@ebcfd6995dade4b0104ac774445cef8b3b4635b0 + uses: pnpm/action-setup@129abb77bf5884e578fcaf1f37628e41622cc371 with: version: 8 @@ -80,14 +89,22 @@ jobs: run: ${{ inputs.runAfterInstall }} if: ${{ inputs.runAfterInstall != '' }} + - name: 'Get token for the GitHub App' + if: ${{ inputs.appId != '' }} + uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c + id: app-token + with: + app-id: ${{ inputs.appId }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: 'Semantic Release' - uses: cycjimmy/semantic-release-action@91ab76a4a393a8d0c4739e9aea1818b56bc953ea + uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 with: extra_plugins: | @semantic-release/exec@6.0.3 conventional-changelog-conventionalcommits@5.0.0 env: - GITHUB_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }} + GITHUB_TOKEN: ${{ inputs.appId != '' && steps.app-token.outputs.token || secrets.GH_RELEASE_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} HUSKY: 0 
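Review bot: With `GH_RELEASE_TOKEN` relaxed to `required: false` in the first hunk and `APP_PRIVATE_KEY` optional, nothing verifies that a usable credential was supplied before the `GITHUB_TOKEN` expression in the 'Semantic Release' step (third hunk) is evaluated. A caller that passes neither hands semantic-release an empty `GITHUB_TOKEN`, and a caller that sets `appId` without the key only learns of it from the token action's own error. A guard step ahead of 'Get token for the GitHub App' can fail fast with a clear message; it compares the secrets with the empty string in `env`, so only booleans reach the shell, never the secret values. The minted token presumably carries every permission the App installation holds, so the App should be granted only what the release needs. The job's step list begins and ends outside these hunks.

```yaml
      - name: 'Check release credentials'
        env:
          APP_ID: ${{ inputs.appId }}
          HAS_APP_KEY: ${{ secrets.APP_PRIVATE_KEY != '' }}
          HAS_RELEASE_TOKEN: ${{ secrets.GH_RELEASE_TOKEN != '' }}
        shell: bash
        run: |
          if [ -n "$APP_ID" ] && [ "$HAS_APP_KEY" != 'true' ]; then
            echo '::error::appId is set but APP_PRIVATE_KEY was not provided'
            exit 1
          fi
          if [ -z "$APP_ID" ] && [ "$HAS_RELEASE_TOKEN" != 'true' ]; then
            echo '::error::Provide either appId with APP_PRIVATE_KEY, or GH_RELEASE_TOKEN'
            exit 1
          fi

      - name: 'Get token for the GitHub App'
        # … unchanged: app-token step and 'Semantic Release' step …
```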
diff --git a/README.md b/README.md index df7d4c6..140f6f8 100644 --- a/README.md +++ b/README.md @@ -248,10 +248,11 @@ a semantic release. The workflow expects the following secrets to be provided: -| Secret Name | Description | -|--------------------|--------------------------------------------------| -| `GH_RELEASE_TOKEN` | GitHub token for creating releases | -| `NPM_AUTH_TOKEN` | NPM authentication token for publishing packages | +| Secret Name | Description | +|--------------------|------------------------------------------------------------------| +| `GH_RELEASE_TOKEN` | GitHub token for creating releases | +| `APP_PRIVATE_KEY` | GitHub App private key for creating GitHub token for the release | +| `NPM_AUTH_TOKEN` | NPM authentication token for publishing packages | #### Inputs @@ -260,6 +261,7 @@ The workflow expects the following secrets to be provided: | `runAfterInstall` | No | String | `""` | Commands to run after installing dependencies. | | `distFolderNeedForRelease` | No | Boolean | `false` | Flag that we need `dist` folder to start release process. | | `nodeVersion` | No | String | `lts/*` | Node version to use | +| `appId` | No | String | `""` | GitHub App Id for creating GitHub token for the release | #### Usage @@ -273,8 +275,10 @@ on: jobs: release-workflow: uses: fingerprintjs/dx-team-toolkit/.github/workflows/release-typescript-project.yml@v1 + with: + appId: ${{ vars.APP_ID }} secrets: - GH_RELEASE_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }} + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} ``` 
@@ -301,23 +305,24 @@ determine the next version number and generate release notes based on commit mes The workflow accepts the following input parameters: -| Input Parameter | Required | Type | Default | Description | -|----------------------------------|----------|--------|---------|----------------------------------------------------------------------------------------------------------------| -| `language` | Yes | String | - | Programming language for the project. Supported are `java`, `dotnet`, `python`, `golang`, `flutter` and `php`. | -| `language-version` | Yes | String | - | Version of the programming language to set up. | -| `prepare-command` | No | String | - | Command(s) to run for project preparation, such as installing dependencies. | -| `java-version` | No | String | `11` | Version of Java to set up. | -| `semantic-release-extra-plugins` | No | String | - | Additional plugins to install for the semantic-release action. | - +| Input Parameter | Required | Type | Default | Description | +|----------------------------------|----------|---------|------|----------------------------------------------------------------------------------------------------------------| +| `language` | Yes | String | - | Programming language for the project. Supported are `java`, `dotnet`, `python`, `golang`, `flutter` and `php`. | +| `language-version` | Yes | String | - | Version of the programming language to set up. | +| `prepare-command` | No | String | - | Command(s) to run for project preparation, such as installing dependencies. | +| `java-version` | No | String | `11` | Version of Java to set up. | +| `semantic-release-extra-plugins` | No | String | - | Additional plugins to install for the semantic-release action. 
| +| `appId` | No | String | - | GitHub App Id for creating GitHub token for the release | #### Workflow Secrets The workflow expects the following secrets to be provided: -| Secret Name | Description | Required For | -|--------------------|-------------------------------------------------------------|-----------------| -| `GH_RELEASE_TOKEN` | GitHub token used for making releases and other operations. | All projects | -| `PYPI_TOKEN` | PyPI token used for publishing Python packages. | Python projects | -| `NUGET_API_KEY` | NuGet API key for publishing .NET packages. | DotNET projects | +| Secret Name | Description | Required For | +|--------------------|------------------------------------------------------------------|-----------------| +| `APP_PRIVATE_KEY` | GitHub App private key for creating GitHub token for the release | All projects | +| `GH_RELEASE_TOKEN` | GitHub token used for making releases and other operations. | All projects | +| `PYPI_TOKEN` | PyPI token used for publishing Python packages. | Python projects | +| `NUGET_API_KEY` | NuGet API key for publishing .NET packages. | DotNET projects | #### Example of usage: @@ -333,6 +338,7 @@ jobs: name: 'Publish new version' uses: fingerprintjs/dx-team-toolkit/.github/workflows/release-server-sdk.yml@v1 with: + appId: ${{ vars.APP_ID }} language: python language-version: '3.9' prepare-command: | @@ -341,7 +347,7 @@ jobs: pip install wheel pip install twine secrets: - GH_RELEASE_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }} + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} ```