1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-11-22 01:47:00 +01:00

Add bot command to update LavaMoat policies (#19675)

A bot command has been added that can update LavaMoat policies
automatically. This helps contributors without a Linux machine to
produce policy files that match exactly what CI expects.

The README has been updated with instructions for this new workflow.
This commit is contained in:
Mark Stacey 2023-06-21 09:17:30 -02:30 committed by GitHub
parent e58e5e166b
commit 20d79cf46e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 189 additions and 13 deletions

View File

@ -0,0 +1,172 @@
name: Update LavaMoat policies
on:
issue_comment:
types: created
jobs:
is-fork-pull-request:
name: Determine whether this issue comment was on a pull request from a fork
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-policies') }}
runs-on: ubuntu-latest
outputs:
IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
steps:
- uses: actions/checkout@v3
- name: Determine whether this PR is from a fork
id: is-fork
run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
prepare:
name: Prepare dependencies
runs-on: ubuntu-latest
needs: is-fork-pull-request
# Early exit if this is a fork, since later steps are skipped for forks
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
- uses: actions/checkout@v3
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install Yarn dependencies
run: yarn --immutable
update-lavamoat-build-policy:
name: Update LavaMoat build policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat build policy
run: yarn lavamoat:build:auto
- name: Cache build policy
uses: actions/cache/save@v3
with:
path: lavamoat/build-system
key: cache-build-${{ github.run_id }}-${{ github.run_attempt }}
update-lavamoat-webapp-policy:
strategy:
matrix:
# Ensure this is synchronized with the list below in the "commit-updated-policies" job
# and with the build type list in `builds.yml`
build-type: [main, beta, flask, mmi, desktop]
name: Update LavaMoat ${{ matrix.build-type }} application policy
runs-on: ubuntu-latest
needs:
- prepare
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- name: Install dependencies from cache
run: yarn --immutable --immutable-cache
- name: Update LavaMoat ${{ matrix.build-type }} policy
run: yarn lavamoat:webapp:auto:ci '--build-types=${{ matrix.build-type }}'
env:
INFURA_PROJECT_ID: 00000000000
- name: Cache ${{ matrix.build-type }} application policy
uses: actions/cache/save@v3
with:
path: lavamoat/browserify/${{ matrix.build-type }}
key: cache-${{ matrix.build-type }}-${{ github.run_id }}-${{ github.run_attempt }}
commit-updated-policies:
name: Commit the updated LavaMoat policies
runs-on: ubuntu-latest
needs:
- is-fork-pull-request
- update-lavamoat-build-policy
- update-lavamoat-webapp-policy
# Ensure forks don't get access to the LavaMoat update token
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
steps:
- uses: actions/checkout@v3
with:
# Use PAT to ensure that the commit later can trigger status check workflows
token: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
- name: Checkout pull request
run: gh pr checkout "${PR_NUMBER}"
env:
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
- name: Restore build policy
uses: actions/cache/restore@v3
with:
path: lavamoat/build-system
key: cache-build-${{ github.run_id }}-${{ github.run_attempt }}
# One restore step per build type: [main, beta, flask, mmi, desktop]
# Ensure this is synchronized with the list above in the "update-lavamoat-webapp-policy" job
# and with the build type list in `builds.yml`
- name: Restore main application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/main
key: cache-main-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore beta application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/beta
key: cache-beta-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore flask application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/flask
key: cache-flask-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore mmi application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/mmi
key: cache-mmi-${{ github.run_id }}-${{ github.run_attempt }}
- name: Restore desktop application policy
uses: actions/cache/restore@v3
with:
path: lavamoat/browserify/desktop
key: cache-desktop-${{ github.run_id }}-${{ github.run_attempt }}
- name: Check whether there are policy changes
id: policy-changes
run: |
if git diff --exit-code
then
echo "HAS_CHANGES=false" >> "$GITHUB_OUTPUT"
else
echo "HAS_CHANGES=true" >> "$GITHUB_OUTPUT"
fi
- name: Commit the updated policies
if: steps.policy-changes.outputs.HAS_CHANGES == 'true'
run: |
git config --global user.name 'MetaMask Bot'
git config --global user.email 'metamaskbot@users.noreply.github.com'
git commit -am "Update LavaMoat policies"
git push
- name: Post comment
run: |
if [[ $HAS_CHANGES == 'true' ]]
then
gh pr comment "${PR_NUMBER}" --body 'Policies updated'
else
gh pr comment "${PR_NUMBER}" --body 'No policy changes'
fi
env:
HAS_CHANGES: ${{ steps.policy-changes.outputs.HAS_CHANGES }}
GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}

View File

@ -112,7 +112,10 @@ Whenever you change dependencies (adding, removing, or updating, either in `pack
- The `allow-scripts` configuration in `package.json`
- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run. Review each new package to determine whether the install script needs to run or not, testing if necessary.
- Unfortunately, `yarn allow-scripts auto` will behave inconsistently on different platforms. macOS and Windows users may see extraneous changes relating to optional dependencies.
- The LavaMoat policy files. The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details:
- The LavaMoat policy files
- If you are a MetaMask team member and your PR is on a repository branch, you can use the bot command `@metamaskbot update-policies` to ask the MetaMask bot to automatically update the policies for you.
- If your PR is from a fork, you can ask a MetaMask team member to help with updating the policy files.
- Manual update instructions: The _tl;dr_ is to run `yarn lavamoat:auto` to update these files, but there can be devils in the details:
- There are two sets of LavaMoat policy files:
- The production LavaMoat policy files (`lavamoat/browserify/*/policy.json`), which are re-generated using `yarn lavamoat:background:auto`. Add `--help` for usage.
- These should be regenerated whenever the production dependencies for the background change.

View File

@ -11,6 +11,7 @@ default: &default main
# Declaration of build types
# Each build type is composed of features, env variables and assets.
# Also known as productFlavors in Android lingo
# Note: These build types should be kept in sync with the list in `.github/workflows/update-lavamoat-policies.yml`
buildTypes:
main:
features: