BitGoJS/.github/workflows/npmjs-release.yml at master · BitGo/BitGoJS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
---
name: BitGoJS Release

on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: |
          If true, only runs checks without performing the actual release
        type: boolean
        required: false
        default: false

permissions:
  contents: write
  id-token: write
  pull-requests: read

env:
  NX_NO_CLOUD: true
  NX_SKIP_NX_CACHE: true

jobs:
  get-release-context:
    name: Get release context
    runs-on: ${{ vars.BASE_RUNNER_TYPE || 'ubuntu-latest' }}
    timeout-minutes: 10
    outputs:
      last-release-tag: ${{ steps.get-release-info.outputs.last-release-tag }}
      last-release-sha: ${{ steps.get-release-info.outputs.last-release-sha }}
      current-master-sha: ${{ steps.get-release-info.outputs.current-master-sha }}
      commits-since-release: ${{ steps.get-release-info.outputs.commits-since-release }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: master
          fetch-depth: 0
          fetch-tags: true

      - name: Get release information
        id: get-release-info
        run: |
          # Get the latest stable release tag
          LAST_RELEASE_TAG=$(git tag --sort=-version:refname | grep -E 'bitgo@[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1)

          # Get the commit SHA for that release
          LAST_RELEASE_SHA=$(git rev-parse "$LAST_RELEASE_TAG^{}")

          # Get the current master HEAD commit
          CURRENT_MASTER_SHA=$(git rev-parse HEAD)

          # Count commits since last release
          COMMITS_SINCE_RELEASE=$(git log --oneline "${LAST_RELEASE_TAG}..HEAD" | wc -l)

          # Verify we have commits to process
          if [ "$COMMITS_SINCE_RELEASE" -eq 0 ]; then
            echo "::error::No commits found since last release $LAST_RELEASE_TAG. Nothing to process."
            exit 1
          fi

          # Output the information
          echo "Last release tag: $LAST_RELEASE_TAG"
          echo "Last release SHA: $LAST_RELEASE_SHA"
          echo "Current master SHA: $CURRENT_MASTER_SHA"
          echo "Commits since release: $COMMITS_SINCE_RELEASE"

          # Set outputs
          {
            echo "last-release-tag=$LAST_RELEASE_TAG"
            echo "last-release-sha=$LAST_RELEASE_SHA"
            echo "current-master-sha=$CURRENT_MASTER_SHA"
            echo "commits-since-release=$COMMITS_SINCE_RELEASE"
          } >> "$GITHUB_OUTPUT"

          echo "Commits to process:"
          git log --oneline "${LAST_RELEASE_TAG}..HEAD"

      - name: Generate release commit summary
        run: |
          {
            echo "## Commits to be Released"
            echo ""
            echo "From ${{ steps.get-release-info.outputs.last-release-sha }} to ${{ steps.get-release-info.outputs.current-master-sha }}"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          # Get commits excluding merge commits
          git log --oneline --no-merges "${{ steps.get-release-info.outputs.last-release-sha }}..${{ steps.get-release-info.outputs.current-master-sha }}" | while read -r line; do
            commit_hash=$(echo "$line" | cut -d' ' -f1)
            commit_msg=$(echo "$line" | cut -d' ' -f2-)

            # Get full commit message to check for TICKET: pattern
            full_commit_msg=$(git log -1 --pretty=format:"%B" "$commit_hash")

            # Extract Jira ticket from commit message (handles multiple patterns, case insensitive)
            # 1. Direct pattern in subject: VL-1234, CORE-567, etc.
            # 2. TICKET: VL-1234 pattern in body
            jira_ticket=$(echo "$full_commit_msg" | grep -oiE '(ticket:\s*)?[A-Z]+-[0-9]+' | sed 's/[Tt][Ii][Cc][Kk][Ee][Tt]:\s*//' | head -1)

            if [[ -n "$jira_ticket" ]]; then
              jira_link="[$jira_ticket](https://bitgoinc.atlassian.net/browse/${jira_ticket})"
              echo "- \`$commit_hash\` $commit_msg - $jira_link" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "- \`$commit_hash\` $commit_msg" >> "$GITHUB_STEP_SUMMARY"
            fi
          done

          echo "" >> "$GITHUB_STEP_SUMMARY"

  release-bitgojs:
    name: Release BitGoJS
    needs:
      - get-release-context
    runs-on: ${{ vars.BASE_RUNNER_TYPE || 'ubuntu-latest' }}
    timeout-minutes: 60
    environment: npmjs-release
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ needs.get-release-context.outputs.current-master-sha }}
          token: ${{ secrets.BITGOBOT_PAT_TOKEN || github.token }}
          fetch-depth: 0

      - name: Configure GPG
        if: inputs.dry-run == false
        run: |
          echo "${{ secrets.BITGOBOT_GPG_PRIVATE_KEY }}" | gpg --batch --import
          git config --global user.signingkey 67A9A0B77F0BD445E45CC8B719828A304678A92F
          git config --global commit.gpgsign true
          git config --global user.email "bitgobot@bitgo.com"
          git config --global user.name "bitgobot"

      - name: Configure npmrc
        if: inputs.dry-run == false
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          echo "engine-strict=true" > ~/.npmrc
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc

      - name: Setup Node.js with nvm
        uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"

      - name: Test NPM authentication
        if: inputs.dry-run == false
        run: |
          npm whoami --registry https://registry.npmjs.org/

      - name: Switch to rel/latest branch
        run: |
          git checkout rel/latest
          git pull origin rel/latest

      - name: Merge master into rel/latest
        run: |
          echo "Merging master commit ${{ needs.get-release-context.outputs.current-master-sha }} into rel/latest"
          git merge ${{ needs.get-release-context.outputs.current-master-sha }} --no-edit

      - name: Install dependencies
        run: |
          yarn install --frozen-lockfile

      - name: Run yarn audit
        run: |
          yarn run audit-high

      - name: Run dependency check
        run: |
          yarn check-deps

      - name: Publish new version
        if: inputs.dry-run == false
        run: |
          yarn lerna publish --sign-git-tag --sign-git-commit --include-merged-tags --conventional-commits --conventional-graduate --verify-access --yes

      - name: Generate version bump summary
        id: version-bump-summary
        if: inputs.dry-run == false
        continue-on-error: true
        uses: ./.github/actions/version-bump-summary

      - name: Extract published version
        if: inputs.dry-run == false
        id: extract-version
        run: |
          NEW_VERSION=$(jq -r '.version' ./modules/bitgo/package.json)
          echo "New version: $NEW_VERSION"
          echo "new-version=$NEW_VERSION" >> "$GITHUB_OUTPUT"

      - name: Create GitHub release
        if: inputs.dry-run == false && steps.version-bump-summary.outcome == 'success'
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.BITGOBOT_PAT_TOKEN || github.token }}
        run: |
          gh release create "v${{ steps.extract-version.outputs.new-version }}" \
            --latest \
            --title "v${{ steps.extract-version.outputs.new-version }}" \
            --notes-file "${{ steps.version-bump-summary.outputs.text-file }}"