diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 1ab024e77..87c15dd02 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -10,27 +10,8 @@ permissions: contents: write # Required for the draft release jobs: - pre-release-checks: - runs-on: ubuntu-latest - permissions: - pull-requests: write - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Install node - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 - with: - node-version: 22.19.0 - - name: Install project dependencies - run: yarn install --immutable --mode=skip-build - - name: Check NPM packages - run: yarn check-npm-packages - env: - # Used to post comments on the PR - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - create-draft-release: runs-on: ubuntu-latest - needs: pre-release-checks outputs: release-id: ${{ steps.draft-release.outputs.result }} steps: 
@@ -268,11 +249,34 @@ jobs: data: await fs.readFile('./datadog-ci_darwin-arm64'), }) + pre-approval-checks: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Install node + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + with: + node-version: 22.19.0 + - run: yarn install --immutable --mode=skip-build + - name: Check NPM packages + run: yarn check-npm-packages + env: + # Used to post comments on the PR + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Requires an approval npm-publish: runs-on: ubuntu-latest environment: npm - needs: [build-binary-ubuntu, build-binary-windows, build-binary-macos] + needs: + - pre-approval-checks + - build-binary-ubuntu + - build-binary-ubuntu-arm + - build-binary-windows + - build-binary-macos + - build-binary-macos-arm steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 @@ -281,7 +285,9 @@ jobs: registry-url: 'https://registry.npmjs.org' - run: yarn install --immutable - run: yarn build - - run: yarn publish:all --provenance + # Given every package is version X.X.X (enforced by `yarn lint:packages`), we can skip + # already published packages with `--tolerate-republish` (for example when OIDC was not yet enabled) + - run: yarn publish:all --provenance --tolerate-republish bump-ci-integrations: name: Bump datadog-ci in integration diff --git a/bin/check-npm-packages.sh b/bin/check-npm-packages.sh index 61ab49c20..afdda6310 100755 --- a/bin/check-npm-packages.sh +++ b/bin/check-npm-packages.sh @@ -12,6 +12,7 @@ set -euo pipefail MODE="check" DRY_RUN=false +GITHUB_REPOSITORY=DataDog/datadog-ci while [[ $# -gt 0 ]]; do case $1 in 
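Review bot: `pre-approval-checks` gates only `npm-publish` through the new `needs` list, and the first hunk also dropped `needs: pre-release-checks` from `create-draft-release`, so a release whose PR carries `Do Not Merge` or a pending `oidc-setup-required ⚠️` label still gets a draft GitHub release and uploaded binaries before the publish job is stopped. If that ordering is intentional (the checks depend on a PR label that may arrive late), a comment on the job saying so would help; otherwise `needs: pre-approval-checks` on `create-draft-release` restores the previous gating. The `needs` list newly names `build-binary-ubuntu-arm` and `build-binary-macos-arm`, whose jobs are outside this diff, so their existence cannot be confirmed here. The `- run: yarn install --immutable --mode=skip-build` step lost the `name: Install project dependencies` its predecessor had; restoring it keeps the job log readable.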
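Review bot: `--tolerate-republish` also turns a release that was cut without a version bump into a green `npm-publish` job: every package is already on the registry, nothing is published, and `bump-ci-integrations` then runs as if a new version had shipped. The comment above the line covers the OIDC migration case but not this one; either extend it, e.g. `# NOTE: this also hides a release whose version is already published — check the publish log`, or add a step before `yarn publish:all` that fails when the version being released is already present for every package. The `bump-ci-integrations` job begins after this hunk, so what it consumes is not visible here.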
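Review bot: `GITHUB_REPOSITORY=DataDog/datadog-ci` unconditionally overwrites the `GITHUB_REPOSITORY` variable that GitHub Actions provides for every run, so a fork running this workflow would look up PR labels, post comments and add labels against the upstream repository instead of its own, and the later hunk that removed the `-n "${GITHUB_REPOSITORY:-}"` guard means nothing checks the value came from the environment any more. Keep the constant only as a fallback for local runs: `GITHUB_REPOSITORY="${GITHUB_REPOSITORY:-DataDog/datadog-ci}"`.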
@@ -63,7 +64,42 @@ while IFS= read -r pkg; do fi done <<< "$local_packages" -# Exit early if everything is good +# Fetch PR information +PR_RESPONSE="" +PR_LABELS="" +if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then + PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ + "https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls") + PR_LABELS=$(echo "$PR_RESPONSE" | jq '[.[0].labels[].name]' 2>/dev/null || true) + + echo -e "${BLUE}PR labels:${NC} $PR_LABELS" + echo +fi + +# Check the labels on the PR if any +# Required labels are checked by `.github/workflows/pr-required-labels.yml` +if [ -n "$PR_LABELS" ]; then + # Fail if `Do Not Merge` is set + if echo "$PR_LABELS" | grep -q "Do Not Merge"; then + echo -e "${RED}This PR is marked as \"Do Not Merge\" ❌${NC}" + exit 1 + fi + + # Fail if the PR has `oidc-setup-required ⚠️` WITHOUT `oidc-setup-done ✅` + if echo "$PR_LABELS" | grep -q "oidc-setup-required ⚠️"; then + if ! echo "$PR_LABELS" | grep -q "oidc-setup-done ✅"; then + echo -e "${RED}This PR requires OIDC setup on some packages. Please ask an admin to follow the instructions at https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC}" + exit 1 + else + echo 'Continuing... No need to remove the `oidc-setup-required ⚠️` label.' + fi + else + echo 'Continuing... for the `oidc-setup-required ⚠️` label to possibly be added.' + fi + echo +fi + +# Everything is good. if [ ${#missing_packages[@]} -eq 0 ]; then echo -e "${GREEN}All local packages exist on NPM ✅${NC}" exit 0 
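Review bot: The label gate fails open when the API call does not return a PR list: `curl -s` without `--fail` swallows HTTP errors, `jq ... 2>/dev/null || true` turns the resulting `{"message": ...}` object (bad token, rate limit, 404) into an empty `PR_LABELS`, and the `if [ -n "$PR_LABELS" ]` block is skipped, so a `Do Not Merge` or `oidc-setup-required ⚠️` PR passes `pre-approval-checks` precisely when the check could not run. The script already runs under `set -euo pipefail`, so letting curl fail and verifying the response is a JSON array is enough to fail closed; the same `PR_RESPONSE` is reused by the comment-posting hunk below, which inherits the stricter value. Separately, the `grep -q` tests are substring matches over the JSON text, so a label such as `oidc-setup-done ✅ (partial)` satisfies the check; `echo "$PR_LABELS" | jq -e 'any(. == "oidc-setup-done ✅")' > /dev/null` matches exactly.
```shell
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
  # --fail makes HTTP errors abort the script (set -e) instead of leaving PR_LABELS empty
  PR_RESPONSE=$(curl -sSf -H "Authorization: token $GITHUB_TOKEN" \
    "https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")
  if ! echo "$PR_RESPONSE" | jq -e 'type == "array"' > /dev/null; then
    echo -e "${RED}Unexpected GitHub API response, cannot verify PR labels${NC}"
    exit 1
  fi
  # … unchanged: PR_LABELS extraction and echo …
fi
```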
@@ -74,13 +110,10 @@ echo -e "${RED}The following packages are not published to NPM yet:${NC}" for pkg in "${missing_packages[@]}"; do echo " - $pkg" done +echo # In CI environment, post a comment on the PR -if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then - # Get the PR number and author associated with this commit - PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ - "https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls") - +if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty') PR_AUTHOR=$(echo "$PR_RESPONSE" | jq -r '.[0].user.login // empty') 
@@ -99,29 +132,35 @@ Hi @$PR_AUTHOR, please **ask an admin** to follow the instructions at https://da # Post comment on the PR curl -s -X POST \ -H "Authorization: token $GITHUB_TOKEN" \ - -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \ -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')" > /dev/null echo -e "${BLUE}Posted comment on PR #$PR_NUMBER (author: @$PR_AUTHOR)${NC}" + + # Add the 'oidc-setup-required ⚠️' label to the PR + curl -s -X POST \ + -H "Authorization: token $GITHUB_TOKEN" \ + "https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/labels" \ + -d '{"labels":["oidc-setup-required ⚠️"]}' > /dev/null + + echo -e "${BLUE}Added 'oidc-setup-required ⚠️' label to PR #$PR_NUMBER${NC}" else # Fallback when PR is not found echo -e "${RED}No PR found for commit $GITHUB_SHA${NC}" echo -e "${BLUE}This would be the comment body:${NC}" echo "$COMMENT_BODY" fi + echo fi # Do not continue if we are in check mode if [ "$MODE" = "check" ]; then - echo echo -e "${BOLD}Run with --fix to publish these packages${NC}" echo -e "See instructions at ${BLUE}https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC}" exit 1 fi # Fix mode - publish missing packages -echo echo -e "${BOLD}Publishing missing packages to NPM...${NC}" echo echo -e "${BOLD}Please read the instructions${NC} at ${BLUE}https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC} before proceeding." 
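Review bot: The new label POST discards both its output and its exit status (`curl -s ... > /dev/null`, no `--fail`) and then prints `Added 'oidc-setup-required ⚠️' label` regardless, yet the gate added earlier in this script only fires when that label is actually on the PR; if the request fails (token lacking `pull-requests: write`, transient error) a package later published by hand without OIDC setup would not be caught, and nothing in the log says why. `curl -sSf -X POST \` makes the failure abort under `set -euo pipefail`; alternatively capture the response and check it. Dropping the `Accept: application/vnd.github.v3+json` header from the comment POST works but leaves the response shape to the server default; sending `Accept` (and `X-GitHub-Api-Version`) on both requests pins it.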
@@ -174,10 +213,20 @@ done echo -e "${BOLD}Cleaning up...${NC}" yarn config unset npmAuthToken - echo + if [ "$DRY_RUN" = true ]; then echo -e "${GREEN}[DRY-RUN] Would have published ${#missing_packages[@]} package(s)${NC}" else echo -e "${GREEN}Successfully published ${#missing_packages[@]} package(s)${NC}" fi +echo + +echo -e "${RED}${BOLD}⚠️ You are not done!${NC} Please setup OIDC on each package at the links below." +echo + +for pkg in "${missing_packages[@]}"; do + echo -e " - Opening ${BLUE}https://www.npmjs.com/package/$pkg/access${NC}" + open "https://www.npmjs.com/package/$pkg/access" +done +echo \ No newline at end of file
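Review bot: `open "https://www.npmjs.com/package/$pkg/access"` is macOS-specific; on Linux `open` is usually absent (on some Debian-based systems it resolves to `openvt`), and because the script runs under `set -euo pipefail` the first failure aborts the loop before the remaining links are printed, right after the packages were published. Guard it, e.g. `if command -v open > /dev/null 2>&1; then open "https://www.npmjs.com/package/$pkg/access"; fi`, or fall back to `xdg-open` when present; the printed link already covers the non-interactive case. The file now also ends without a trailing newline (`\ No newline at end of file`).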