1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-22 09:23:21 +01:00

Add bot command to update LavaMoat policies (#19675)

A bot command has been added that can update LavaMoat policies
automatically. This helps contributors without a Linux machine to
produce policy files that match exactly what CI expects.

The README has been updated with instructions for this new workflow.
This commit is contained in:
Mark Stacey 2023-06-21 09:17:30 -02:30 committed by GitHub
parent e58e5e166b
commit 20d79cf46e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 189 additions and 13 deletions

View File

@ -0,0 +1,172 @@
name: Update LavaMoat policies
on:
issue_comment:
types: created
jobs:
is-fork-pull-request:
name: Determine whether this issue comment was on a pull request from a fork
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-policies') }}
runs-on: ubuntu-latest
outputs:
IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
steps:
- uses: actions/checkout@v3
- name: Determine whether this PR is from a fork
id: is-fork
run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
prepare:
name: Prepare dependencies
runs-on: ubuntu-latest
needs: is-fork-pull-request
# Early exit if this is a fork, since later steps are skipped for forks
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
- uses: actions/checkout@v3
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install Yarn dependencies
run: yarn --immutable
update-lavamoat-build-policy:
name: Update LavaMoat build policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat build policy
run: yarn lavamoat:build:auto
- name: Cache build policy
uses: actions/cache/save@v3
with:
path: lavamoat/build-system
key: cache-build-${{ github.run_id }}-${{ github.run_attempt }}
update-lavamoat-webapp-policy:
strategy:
matrix:
# Ensure this is synchronized with the list below in the "commit-updated-policies" job
# and with the build type list in `builds.yml`
build-type: [main, beta, flask, mmi, desktop]
name: Update LavaMoat ${{ matrix.build-type }} application policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat ${{ matrix.build-type }} policy
run: yarn lavamoat:webapp:auto:ci '--build-types=${{ matrix.build-type }}'
env:
INFURA_PROJECT_ID: 00000000000
- name: Cache ${{ matrix.build-type }} application policy
uses: actions/cache/save@v3
with:
path: lavamoat/browserify/${{ matrix.build-type }}
key: cache-${{ matrix.build-type }}-${{ github.run_id }}-${{ github.run_attempt }}
commit-updated-policies:
name: Commit the updated LavaMoat policies
runs-on: ubuntu-latest
needs:
- is-fork-pull-request
- update-lavamoat-build-policy
- update-lavamoat-webapp-policy
# Ensure forks don't get access to the LavaMoat update token
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
- uses: actions/checkout@v3
with:
# Use PAT to ensure that the commit later can trigger status check workflows
token: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
- name: Restore build policy
uses: actions/cache/restore@v3
with:
path: lavamoat/build-system
key: cache-build-${{ github.run_id }}-${{ github.run_attempt }}
# One restore step per build type: [main, beta, flask, mmi, desktop]
# Ensure this is synchronized with the list above in the "update-lavamoat-webapp-policy" job
# and with the build type list in `builds.yml`
- name: Restore main application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/main
key: cache-main-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore beta application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/beta
key: cache-beta-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore flask application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/flask
key: cache-flask-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore mmi application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/mmi
key: cache-mmi-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore desktop application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/desktop
key: cache-desktop-${{ github.run_id }}-${{ github.run_attempt }}
- name: Check whether there are policy changes
id: policy-changes
run: |
if git diff --exit-code
then
echo "HAS_CHANGES=false" >> "$GITHUB_OUTPUT"
else
echo "HAS_CHANGES=true" >> "$GITHUB_OUTPUT"
fi
- name: Commit the updated policies
if: steps.policy-changes.outputs.HAS_CHANGES == 'true'
run: |
git config --global user.name 'MetaMask Bot'
git config --global user.email 'metamaskbot@users.noreply.github.com'
git commit -am "Update LavaMoat policies"
git push
- name: Post comment
run: |
if [[ $HAS_CHANGES == 'true' ]]
then
gh pr comment "${PR_NUMBER}" --body 'Policies updated'
else
gh pr comment "${PR_NUMBER}" --body 'No policy changes'
fi
env:
HAS_CHANGES: ${{ steps.policy-changes.outputs.HAS_CHANGES }}
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}

View File

@ -112,19 +112,22 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
- The `allow-scripts` configuration in `package.json`
- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
- Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
- The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details:
- There are two sets of LavaMoat policy files:
- The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`. Add `--help` for usage.
- These should be regenerated whenever the production dependencies for the background change.
- The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
- This should be regenerated whenever the dependencies used by the build system itself change.
- Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
- Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
macOS and Windows users may see extraneous changes relating to optional dependencies.
- If you keep getting policy failures even after regenerating the policy files, try regenerating the policies after a clean install by doing:
- `rm -rf node_modules/ && yarn && yarn lavamoat:auto`
- Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
Refer to the LavaMoat documentation or ask for help if you run into any issues.
- The LavaMoat policy files
- If you are a MetaMask team member and your PR is on a repository branch, you can use the bot command `@metamaskbot update-policies` to ask the MetaMask bot to automatically update the policies for you.
- If your PR is from a fork, you can ask a MetaMask team member to help with updating the policy files.
- Manual update instructions: The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details:
- There are two sets of LavaMoat policy files:
- The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`. Add `--help` for usage.
- These should be regenerated whenever the production dependencies for the background change.
- The build system LavaMoat policy file (`lavamoat/build-system/policy.json`), which is re-generated using `yarn lavamoat:build:auto`.
- This should be regenerated whenever the dependencies used by the build system itself change.
- Whenever you regenerate a policy file, review the changes to determine whether the access granted to each package seems appropriate.
- Unfortunately, `yarn lavamoat:auto` will behave inconsistently on different platforms.
macOS and Windows users may see extraneous changes relating to optional dependencies.
- If you keep getting policy failures even after regenerating the policy files, try regenerating the policies after a clean install by doing:
- `rm -rf node_modules/ && yarn && yarn lavamoat:auto`
- Keep in mind that any kind of dynamic import or dynamic use of globals may elude LavaMoat's static analysis.
Refer to the LavaMoat documentation or ask for help if you run into any issues.
## Architecture

View File

@ -11,6 +11,7 @@ default: &default main
# Declaration of build types
# Each build type is composed of features, env variables and assets.
# Also known as productFlavors in Android lingo
# Note: These build types should be kept in sync with the list in `.github/workflows/update-lavamoat-policies.yml`
buildTypes:
main:
features: