Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 27 additions & 21 deletions .github/workflows/publish-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,27 +10,8 @@ permissions:
contents: write # Required for the draft release

jobs:
pre-release-checks:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 22.19.0
- name: Install project dependencies
run: yarn install --immutable --mode=skip-build
- name: Check NPM packages
run: yarn check-npm-packages
env:
# Used to post comments on the PR
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

create-draft-release:
runs-on: ubuntu-latest
needs: pre-release-checks
outputs:
release-id: ${{ steps.draft-release.outputs.result }}
steps:
Expand Down Expand Up @@ -268,11 +249,34 @@ jobs:
data: await fs.readFile('./datadog-ci_darwin-arm64'),
})

pre-approval-checks:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version: 22.19.0
- run: yarn install --immutable --mode=skip-build
- name: Check NPM packages
run: yarn check-npm-packages
env:
# Used to post comments on the PR
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Requires an approval
npm-publish:
runs-on: ubuntu-latest
environment: npm
needs: [build-binary-ubuntu, build-binary-windows, build-binary-macos]
needs:
- pre-approval-checks
- build-binary-ubuntu
- build-binary-ubuntu-arm
- build-binary-windows
- build-binary-macos
- build-binary-macos-arm
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
Expand All @@ -281,7 +285,9 @@ jobs:
registry-url: 'https://registry.npmjs.org'
- run: yarn install --immutable
- run: yarn build
- run: yarn publish:all --provenance
# Given every package is version X.X.X (enforced by `yarn lint:packages`), we can skip
# already published packages with `--tolerate-republish` (for example when OIDC was not yet enabled)
- run: yarn publish:all --provenance --tolerate-republish

bump-ci-integrations:
name: Bump datadog-ci in integration
Expand Down
69 changes: 59 additions & 10 deletions bin/check-npm-packages.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ set -euo pipefail

MODE="check"
DRY_RUN=false
GITHUB_REPOSITORY=DataDog/datadog-ci

while [[ $# -gt 0 ]]; do
case $1 in
Expand Down Expand Up @@ -63,7 +64,42 @@ while IFS= read -r pkg; do
fi
done <<< "$local_packages"

# Exit early if everything is good
# Fetch PR information
PR_RESPONSE=""
PR_LABELS=""
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")
PR_LABELS=$(echo "$PR_RESPONSE" | jq '[.[0].labels[].name]' 2>/dev/null || true)

echo -e "${BLUE}PR labels:${NC} $PR_LABELS"
echo
fi

# Check the labels on the PR if any
# Required labels are checked by `.github/workflows/pr-required-labels.yml`
if [ -n "$PR_LABELS" ]; then
# Fail if `Do Not Merge` is set
if echo "$PR_LABELS" | grep -q "Do Not Merge"; then
echo -e "${RED}This PR is marked as \"Do Not Merge\" ❌${NC}"
exit 1
fi

# Fail if the PR has `oidc-setup-required ⚠️` WITHOUT `oidc-setup-done ✅`
if echo "$PR_LABELS" | grep -q "oidc-setup-required ⚠️"; then
if ! echo "$PR_LABELS" | grep -q "oidc-setup-done ✅"; then
echo -e "${RED}This PR requires OIDC setup on some packages. Please ask an admin to follow the instructions at https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC}"
exit 1
else
echo 'Continuing... No need to remove the `oidc-setup-required ⚠️` label.'
fi
else
echo 'Continuing... for the `oidc-setup-required ⚠️` label to possibly be added.'
fi
echo
fi

# Everything is good.
if [ ${#missing_packages[@]} -eq 0 ]; then
echo -e "${GREEN}All local packages exist on NPM ✅${NC}"
exit 0
Expand All @@ -74,13 +110,10 @@ echo -e "${RED}The following packages are not published to NPM yet:${NC}"
for pkg in "${missing_packages[@]}"; do
echo " - $pkg"
done
echo

# In CI environment, post a comment on the PR
if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
# Get the PR number and author associated with this commit
PR_RESPONSE=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/pulls")

if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.[0].number // empty')
PR_AUTHOR=$(echo "$PR_RESPONSE" | jq -r '.[0].user.login // empty')

Expand All @@ -99,29 +132,35 @@ Hi @$PR_AUTHOR, please **ask an admin** to follow the instructions at https://da
# Post comment on the PR
curl -s -X POST \
-H "Authorization: token $GITHUB_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
-d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')" > /dev/null

echo -e "${BLUE}Posted comment on PR #$PR_NUMBER (author: @$PR_AUTHOR)${NC}"

# Add the 'oidc-setup-required ⚠️' label to the PR
curl -s -X POST \
-H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/labels" \
-d '{"labels":["oidc-setup-required ⚠️"]}' > /dev/null

echo -e "${BLUE}Added 'oidc-setup-required ⚠️' label to PR #$PR_NUMBER${NC}"
else
# Fallback when PR is not found
echo -e "${RED}No PR found for commit $GITHUB_SHA${NC}"
echo -e "${BLUE}This would be the comment body:${NC}"
echo "$COMMENT_BODY"
fi
echo
fi

# Do not continue if we are in check mode
if [ "$MODE" = "check" ]; then
echo
echo -e "${BOLD}Run with --fix to publish these packages${NC}"
echo -e "See instructions at ${BLUE}https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC}"
exit 1
fi

# Fix mode - publish missing packages
echo
echo -e "${BOLD}Publishing missing packages to NPM...${NC}"
echo
echo -e "${BOLD}Please read the instructions${NC} at ${BLUE}https://datadoghq.atlassian.net/wiki/x/QYDRaQE${NC} before proceeding."
Expand Down Expand Up @@ -174,10 +213,20 @@ done

echo -e "${BOLD}Cleaning up...${NC}"
yarn config unset npmAuthToken

echo

if [ "$DRY_RUN" = true ]; then
echo -e "${GREEN}[DRY-RUN] Would have published ${#missing_packages[@]} package(s)${NC}"
else
echo -e "${GREEN}Successfully published ${#missing_packages[@]} package(s)${NC}"
fi
echo

echo -e "${RED}${BOLD}⚠️ You are not done!${NC} Please setup OIDC on each package at the links below."
echo

for pkg in "${missing_packages[@]}"; do
echo -e " - Opening ${BLUE}https://www.npmjs.com/package/$pkg/access${NC}"
open "https://www.npmjs.com/package/$pkg/access"
done
echo
Comment on lines +223 to +232
Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image