m/metamask-extension
1
0
Fork 0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-11-22 18:00:18 +01:00
Code
acf386c609
metamask-extension/.github/workflows/update-lavamoat-policies.yml

260 lines
9.5 KiB
YAML
Raw Normal View History

Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
name: Update LavaMoat policies
on:
issue_comment:
types: created
jobs:
is-fork-pull-request:
name: Determine whether this issue comment was on a pull request from a fork
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-policies') }}
runs-on: ubuntu-latest
outputs:
IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
steps:
- uses: actions/checkout@v3
- name: Determine whether this PR is from a fork
id: is-fork
run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Add reaction when a policy update is requested (#19776) This lets the commenter know that the process has started.
2023-06-28 18:35:54 +02:00
react-to-comment:
name: React to the comment
runs-on: ubuntu-latest
needs: is-fork-pull-request
# Early exit if this is a fork, since later steps are skipped for forks
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: React to the comment
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \
-f content='+1'
env:
COMMENT_ID: ${{ github.event.comment.id }}
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
REPO: ${{ github.repository }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
prepare:
name: Prepare dependencies
runs-on: ubuntu-latest
needs: is-fork-pull-request
# Early exit if this is a fork, since later steps are skipped for forks
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
outputs:
COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
steps:
Fix update lavamoat policies workflow (#19774) The update lavamoat policies workflow was installing dependencies from the `develop` branch rather than the PR. This resulted in invalid policy updates. It has been updated to use the PR branch in each step instead.
2023-06-27 12:19:48 +02:00
- name: Checkout repository
uses: actions/checkout@v3
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install Yarn dependencies
run: yarn --immutable
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
- name: Get commit SHA
id: commit-sha
run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
update-lavamoat-build-policy:
name: Update LavaMoat build policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
Fix update lavamoat policies workflow (#19774) The update lavamoat policies workflow was installing dependencies from the `develop` branch rather than the PR. This resulted in invalid policy updates. It has been updated to use the PR branch in each step instead.
2023-06-27 12:19:48 +02:00
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat build policy
run: yarn lavamoat:build:auto
- name: Cache build policy
uses: actions/cache/save@v3
with:
path: lavamoat/build-system
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-build-${{ needs.prepare.outputs.COMMIT_SHA }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
update-lavamoat-webapp-policy:
strategy:
matrix:
# Ensure this is synchronized with the list below in the "commit-updated-policies" job
# and with the build type list in `builds.yml`
build-type: [main, beta, flask, mmi, desktop]
name: Update LavaMoat ${{ matrix.build-type }} application policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
Fix update lavamoat policies workflow (#19774) The update lavamoat policies workflow was installing dependencies from the `develop` branch rather than the PR. This resulted in invalid policy updates. It has been updated to use the PR branch in each step instead.
2023-06-27 12:19:48 +02:00
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat ${{ matrix.build-type }} policy
run: yarn lavamoat:webapp:auto:ci '--build-types=${{ matrix.build-type }}'
env:
INFURA_PROJECT_ID: 00000000000
- name: Cache ${{ matrix.build-type }} application policy
uses: actions/cache/save@v3
with:
path: lavamoat/browserify/${{ matrix.build-type }}
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-${{ matrix.build-type }}-${{ needs.prepare.outputs.COMMIT_SHA }}
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
commit-updated-policies:
name: Commit the updated LavaMoat policies
runs-on: ubuntu-latest
needs:
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
- prepare
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- is-fork-pull-request
- update-lavamoat-build-policy
- update-lavamoat-webapp-policy
# Ensure forks don't get access to the LavaMoat update token
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
Fix update lavamoat policies workflow (#19774) The update lavamoat policies workflow was installing dependencies from the `develop` branch rather than the PR. This resulted in invalid policy updates. It has been updated to use the PR branch in each step instead.
2023-06-27 12:19:48 +02:00
- name: Checkout repository
uses: actions/checkout@v3
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
with:
# Use PAT to ensure that the commit later can trigger status check workflows
token: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
- name: Get commit SHA
id: commit-sha
run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Restore build policy
uses: actions/cache/restore@v3
with:
path: lavamoat/build-system
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-build-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
# One restore step per build type: [main, beta, flask, mmi, desktop]
# Ensure this is synchronized with the list above in the "update-lavamoat-webapp-policy" job
# and with the build type list in `builds.yml`
- name: Restore main application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/main
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-main-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Restore beta application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/beta
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-beta-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Restore flask application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/flask
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-flask-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Restore mmi application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/mmi
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-mmi-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Restore desktop application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/desktop
Allow partially re-running a policy update (#19773) Today if you try to re-run failed jobs in a policy update, it will fail to restore caches from jobs that were successful. This could result in a partial update, or a misleading "No policy changes" message when there are policy changes to make. It's only safe to re- run the entire workflow. The cache key has been updated to reference the commit hash instead of the run ID, making it safe to re-run just the failed jobs.
2023-06-30 17:31:17 +02:00
key: cache-desktop-${{ needs.prepare.outputs.COMMIT_SHA }}
Fail policy update on cache miss (#19775) If there is a cache miss during the policy update workflow, the result would be invalid (either a partial update or a misleading "no policy changes" message). To prevent this, the cache step will now fail if it is not able to restore the cache.
2023-06-27 13:55:50 +02:00
fail-on-cache-miss: true
Add bot command to update LavaMoat policies (#19675) A bot command has been added that can update LavaMoat policies automatically. This helps contributors without a Linux machine to produce policy files that match exactly what CI expects. The README has been updated with instructions for this new workflow.
2023-06-21 13:47:30 +02:00
- name: Check whether there are policy changes
id: policy-changes
run: |
if git diff --exit-code
then
echo "HAS_CHANGES=false" >> "$GITHUB_OUTPUT"
else
echo "HAS_CHANGES=true" >> "$GITHUB_OUTPUT"
fi
- name: Commit the updated policies
if: steps.policy-changes.outputs.HAS_CHANGES == 'true'
run: |
git config --global user.name 'MetaMask Bot'
git config --global user.email 'metamaskbot@users.noreply.github.com'
git commit -am "Update LavaMoat policies"
git push
- name: Post comment
run: |
if [[ $HAS_CHANGES == 'true' ]]
then
gh pr comment "${PR_NUMBER}" --body 'Policies updated'
else
gh pr comment "${PR_NUMBER}" --body 'No policy changes'
fi
env:
HAS_CHANGES: ${{ steps.policy-changes.outputs.HAS_CHANGES }}
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
Add metamaskbot comment when policy update fails (#19772) The `metamaskbot` account now comments with a failure message when the policy update fails. This comment also includes a link to the specific run that failed, so that the PR author can review the log and/or retry the policy update.
2023-07-01 01:58:19 +02:00
check-status:
name: Check whether the policy update succeeded
runs-on: ubuntu-latest
needs:
- commit-updated-policies
outputs:
PASSED: ${{ steps.set-output.outputs.PASSED }}
steps:
- name: Set PASSED output
id: set-output
run: echo "PASSED=true" >> "$GITHUB_OUTPUT"
failure-comment:
name: Comment about the policy update failure
if: ${{ always() && needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
runs-on: ubuntu-latest
needs:
- is-fork-pull-request
- check-status
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
- name: Post comment if the update failed
run: |
passed="${{ needs.check-status.outputs.PASSED }}"
if [[ $passed != "true" ]]; then
gh pr comment "${PR_NUMBER}" --body "Policy update failed. You can [review the logs or retry the policy update here](${ACTION_RUN_URL})"
fi
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
ACTION_RUN_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
Copy Permalink