Skip to content

chore: dependency pinning and auditing #8938

chore: dependency pinning and auditing

chore: dependency pinning and auditing #8938

name: Validate Changesets
on:
pull_request:
types:
- opened
- edited
- synchronize
permissions:
contents: write
jobs:
create-changeset:
name: Create Changeset
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.client_payload.ref }}
# workaround to ensure changeset file is pushed with REPO_TOKEN owner's account
# see https://github.com/changesets/action/issues/70
persist-credentials: false
- name: Get PR's changeset file
run: |
echo "CHANGESET_FILE=$(git diff --diff-filter=A --name-only origin/${{ github.base_ref }} .changeset/*.md)" >> $GITHUB_ENV
- name: Setup PNPM
if: env.CHANGESET_FILE == ''
uses: pnpm/action-setup@v4
with:
version: 9.4.0
run_install: true
- name: Install jq
if: env.CHANGESET_FILE == ''
run: sudo apt-get install -y jq
- name: Run dependabot changeset script
if: env.CHANGESET_FILE == ''
run: pnpm changeset:dependabot
env:
PR_TITLE: ${{ github.event.pull_request.title }}
- name: Set up .netrc file
if: env.CHANGESET_FILE == ''
run: |
echo "machine github.com" > $HOME/.netrc
echo "login github-actions[bot]" >> $HOME/.netrc
echo "password ${{ secrets.REPO_TOKEN }}" >> $HOME/.netrc
chmod 600 $HOME/.netrc
- name: Commit Changeset
if: env.CHANGESET_FILE == ''
run: |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
git add .
git commit -m "build: update dependency changeset"
git push origin HEAD:${{ github.event.pull_request.head.ref }}
env:
GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }}
validate-changeset:
name: Validate PR Changeset
if: startsWith(github.head_ref, 'changeset-release') != true
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: CI Setup
uses: ./.github/actions/ci-setup
- name: Validate Changeset
run: pnpm changeset status --since=origin/${{ github.base_ref }}
- name: Validate Changeset Content
run: |
CHANGESET_FILE=$(git diff --diff-filter=A --name-only origin/${{ github.base_ref }} .changeset/*.md)
if [ -z "$CHANGESET_FILE" ]; then
# A PR doesn't have to have a changeset when packages aren't affected
# e.g. when a script is added in the scripts folder
exit 0
fi
echo "CHANGESET_FILE=$(echo "$CHANGESET_FILE")" >> $GITHUB_ENV
AFFECTED_PACKAGES=$(sed -n '/---/,/---/p' "$CHANGESET_FILE" | sed '/---/d')
if [ -z "$AFFECTED_PACKAGES" ]; then
# The changelog logic ignores changesets that don't affect any packages so we can ignore them here as well,
# because this changeset linting logic is only for changesets who's PRs will be referenced in the changelog.
# The relevant changelog logic is here:
# https://github.com/FuelLabs/fuels-ts/blob/155b6f2fe28e988b277dac231af6d6a0cff1df0c/scripts/changeset/get-full-changelog.mts#L77
exit 0
fi
# TODO: Remove once v1.0.0 is released.
# Minor changes are treated as breaking until v1.0.0 is released.
if echo "$AFFECTED_PACKAGES" | grep -q 'minor'; then
if ! echo "$PR_TITLE" | grep -q '!'; then
echo "Changeset has `minor` changes. Please mark the PR as breaking by adding an exclamation mark to its title (e.g. fix!: xxx) or use a `patch` instead."
exit 1
fi
fi
# Check if the PR title contains an exclamation mark (breaking)
if echo "$PR_TITLE" | grep -q '!'; then
# If the PR is breaking, ensure that the changeset contains minor changes
if ! echo "$AFFECTED_PACKAGES" | grep -q 'minor'; then
echo "PR is marked as breaking but changeset does not contain minor changes."
echo "Changeset file: $CHANGESET_FILE"
echo "Changeset content:"
cat "$CHANGESET_FILE"
exit 1
fi
fi
CHANGESET_DESCRIPTION=$(sed 's/^\s*\|\s*$//g' "$CHANGESET_FILE" | tail -n1)
if [ "$CHANGESET_DESCRIPTION" != "$PR_TITLE" ]; then
echo "Changeset content does not match PR title. Please update the changeset to match the PR title."
echo "Changeset file: $CHANGESET_FILE"
echo "Changeset content:"
cat "$CHANGESET_FILE"
exit 1
fi
env:
PR_TITLE: ${{ github.event.pull_request.title }}
- name: Validate added changeset will be deleted
if: ${{ env.CHANGESET_FILE != '' }}
run: |
pnpm changeset version
if git status --porcelain .changeset | grep -q "D $CHANGESET_FILE"; then
git reset --hard
exit 0
fi
# Throw if changeset not in deleted changesets
echo "Changeset file $CHANGESET_FILE will not get deleted in the changesets PR. Check its affected packages."
exit 1
env:
CHANGESET_FILE: ${{ env.CHANGESET_FILE }}
- name: Validate release/* branch changesets
if: startsWith(github.base_ref, 'release/')
run: |
LATEST_RELEASE=$(pnpm run --silent changeset:get-latest-release)
pnpm changeset version
RELEASE_VERSION=v$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json)
git reset --hard
pnpm add --global semver
RELEASE_VERSION_HIGHER_THAN_LATEST=$(semver $LATEST_RELEASE $RELEASE_VERSION | tail -n1 | grep ${RELEASE_VERSION#v} --silent && echo true || echo false)
CHANGES=$(sed -n '/---/,/---/p' .changeset/*.md)
if [ "$RELEASE_VERSION_HIGHER_THAN_LATEST" = "true" ]; then
echo $CHANGES | grep -E 'patch|minor' --silent && echo "Patch or minor changes found." || (echo "No patch nor minor changes found." && exit 1)
echo $CHANGES | grep -E 'major' --silent && echo "The latest release can have a patch or minor version update; no major version updates allowed." && exit 1 || echo "No major changes."
else
echo $CHANGES | grep -E 'patch' --silent && echo "Patch changes found." || (echo "No patch changes found." && exit 1)
echo $CHANGES | grep -E 'minor|major' --silent && echo "Old releases can only be patched; no minor and major version updates allowed." && exit 1 || echo "No minor nor major changes."
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Validate that there was no release for the next version
run: |
OLD_VERSION=$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json)
pnpm changeset version
NEW_VERSION=$(sed -nE 's/^\s*"version": "(.*?)",$/\1/p' packages/fuels/package.json)
git reset --hard
if [ "$OLD_VERSION" = "$NEW_VERSION" ]; then
# the versions didn't change so we won't be releasing it anyways
exit 0
fi
STATUS_CODE=$(curl -s -w '%{http_code}\n' "https://www.npmjs.com/package/fuels/v/$NEW_VERSION" | tail -n1)
if [[ $STATUS_CODE != 404 ]]; then
echo "Release for version $NEW_VERSION already exists or curl received an unexpected result (result is $STATUS_CODE). Exiting."
exit 1
else
exit 0
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}