chore: dependency pinning and auditing #8938
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate Changesets | |
on: | |
pull_request: | |
types: | |
- opened | |
- edited | |
- synchronize | |
permissions: | |
contents: write | |
jobs: | |
create-changeset: | |
name: Create Changeset | |
runs-on: ubuntu-latest | |
if: github.actor == 'dependabot[bot]' | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.client_payload.ref }} | |
# workaround to ensure changeset file is pushed with REPO_TOKEN owner's account | |
# see https://github.com/changesets/action/issues/70 | |
persist-credentials: false | |
- name: Get PR's changeset file | |
run: | | |
echo "CHANGESET_FILE=$(git diff --diff-filter=A --name-only origin/${{ github.base_ref }} .changeset/*.md)" >> $GITHUB_ENV | |
- name: Setup PNPM | |
if: env.CHANGESET_FILE == '' | |
uses: pnpm/action-setup@v4 | |
with: | |
version: 9.4.0 | |
run_install: true | |
- name: Install jq | |
if: env.CHANGESET_FILE == '' | |
run: sudo apt-get install -y jq | |
- name: Run dependabot changeset script | |
if: env.CHANGESET_FILE == '' | |
run: pnpm changeset:dependabot | |
env: | |
PR_TITLE: ${{ github.event.pull_request.title }} | |
- name: Set up .netrc file | |
if: env.CHANGESET_FILE == '' | |
run: | | |
echo "machine github.com" > $HOME/.netrc | |
echo "login github-actions[bot]" >> $HOME/.netrc | |
echo "password ${{ secrets.REPO_TOKEN }}" >> $HOME/.netrc | |
chmod 600 $HOME/.netrc | |
- name: Commit Changeset | |
if: env.CHANGESET_FILE == '' | |
run: | | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
git config user.name "github-actions[bot]" | |
git add . | |
git commit -m "build: update dependency changeset" | |
git push origin HEAD:${{ github.event.pull_request.head.ref }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }} | |
validate-changeset: | |
name: Validate PR Changeset | |
if: startsWith(github.head_ref, 'changeset-release') != true | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: CI Setup | |
uses: ./.github/actions/ci-setup | |
- name: Validate Changeset | |
run: pnpm changeset status --since=origin/${{ github.base_ref }} | |
- name: Validate Changeset Content | |
run: | | |
CHANGESET_FILE=$(git diff --diff-filter=A --name-only origin/${{ github.base_ref }} .changeset/*.md) | |
if [ -z "$CHANGESET_FILE" ]; then | |
# A PR doesn't have to have a changeset when packages aren't affected | |
# e.g. when a script is added in the scripts folder | |
exit 0 | |
fi | |
echo "CHANGESET_FILE=$(echo "$CHANGESET_FILE")" >> $GITHUB_ENV | |
AFFECTED_PACKAGES=$(sed -n '/---/,/---/p' "$CHANGESET_FILE" | sed '/---/d') | |
if [ -z "$AFFECTED_PACKAGES" ]; then | |
# The changelog logic ignores changesets that don't affect any packages so we can ignore them here as well, | |
# because this changeset linting logic is only for changesets who's PRs will be referenced in the changelog. | |
# The relevant changelog logic is here: | |
# https://github.com/FuelLabs/fuels-ts/blob/155b6f2fe28e988b277dac231af6d6a0cff1df0c/scripts/changeset/get-full-changelog.mts#L77 | |
exit 0 | |
fi | |
# TODO: Remove once v1.0.0 is released. | |
# Minor changes are treated as breaking until v1.0.0 is released. | |
if echo "$AFFECTED_PACKAGES" | grep -q 'minor'; then | |
if ! echo "$PR_TITLE" | grep -q '!'; then | |
echo "Changeset has `minor` changes. Please mark the PR as breaking by adding an exclamation mark to its title (e.g. fix!: xxx) or use a `patch` instead." | |
exit 1 | |
fi | |
fi | |
# Check if the PR title contains an exclamation mark (breaking) | |
if echo "$PR_TITLE" | grep -q '!'; then | |
# If the PR is breaking, ensure that the changeset contains minor changes | |
if ! echo "$AFFECTED_PACKAGES" | grep -q 'minor'; then | |
echo "PR is marked as breaking but changeset does not contain minor changes." | |
echo "Changeset file: $CHANGESET_FILE" | |
echo "Changeset content:" | |
cat "$CHANGESET_FILE" | |
exit 1 | |
fi | |
fi | |
CHANGESET_DESCRIPTION=$(sed 's/^\s*\|\s*$//g' "$CHANGESET_FILE" | tail -n1) | |
if [ "$CHANGESET_DESCRIPTION" != "$PR_TITLE" ]; then | |
echo "Changeset content does not match PR title. Please update the changeset to match the PR title." | |
echo "Changeset file: $CHANGESET_FILE" | |
echo "Changeset content:" | |
cat "$CHANGESET_FILE" | |
exit 1 | |
fi | |
env: | |
PR_TITLE: ${{ github.event.pull_request.title }} | |
- name: Validate added changeset will be deleted | |
if: ${{ env.CHANGESET_FILE != '' }} | |
run: | | |
pnpm changeset version | |
if git status --porcelain .changeset | grep -q "D $CHANGESET_FILE"; then | |
git reset --hard | |
exit 0 | |
fi | |
# Throw if changeset not in deleted changesets | |
echo "Changeset file $CHANGESET_FILE will not get deleted in the changesets PR. Check its affected packages." | |
exit 1 | |
env: | |
CHANGESET_FILE: ${{ env.CHANGESET_FILE }} | |
- name: Validate release/* branch changesets | |
if: startsWith(github.base_ref, 'release/') | |
run: | | |
LATEST_RELEASE=$(pnpm run --silent changeset:get-latest-release) | |
pnpm changeset version | |
RELEASE_VERSION=v$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json) | |
git reset --hard | |
pnpm add --global semver | |
RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false) | |
CHANGES=$(sed -n '/---/,/---/p' .changeset/*.md) | |
if [ "$RELEASE_VERSION_HIGHER_THAN_LATEST" = "true" ]; then | |
echo $CHANGES | grep -E 'patch|minor' --silent && echo "Patch or minor changes found." || (echo "No patch nor minor changes found." && exit 1) | |
echo $CHANGES | grep -E 'major' --silent && echo "The latest release can have a patch or minor version update; no major version updates allowed." && exit 1 || echo "No major changes." | |
else | |
echo $CHANGES | grep -E 'patch' --silent && echo "Patch changes found." || (echo "No patch changes found." && exit 1) | |
echo $CHANGES | grep -E 'minor|major' --silent && echo "Old releases can only be patched; no minor and major version updates allowed." && exit 1 || echo "No minor nor major changes." | |
fi | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Validate that there was no release for the next version | |
run: | | |
OLD_VERSION=$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json) | |
pnpm changeset version | |
NEW_VERSION=$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json) | |
git reset --hard | |
if [ "$OLD_VERSION" = "$NEW_VERSION" ]; then | |
# the versions didn't change so we won't be releasing it anyways | |
exit 0 | |
fi | |
STATUS_CODE=$(curl -s -w '%{http_code}\n' "https://www.npmjs.com/package/fuels/v/$NEW_VERSION" | tail -n1) | |
if [[ $STATUS_CODE != 404 ]]; then | |
echo "Release for version $NEW_VERSION already exists or curl received an unexpected result (result is $STATUS_CODE). Exiting." | |
exit 1 | |
else | |
exit 0 | |
fi | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |