ci: use GHA for CFA releases (#149)

dsanders11 · web-flow · commit c2099bf3481f · 2024-09-04T10:36:12.000-07:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -0,0 +1,62 @@
+name: Publish npm Release
+
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+    with:
+      electron-version: ${{ github.ref_name }}
+  release:
+    runs-on: ubuntu-latest
+    needs: test
+    environment: npm
+    permissions:
+      contents: write # for creating new release
+      id-token: write # for CFA
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: "Use Node.js ${{ matrix.node-version }}"
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: "20.16.0"
+      - name: Update Version
+        run: node script/update-version.js ${{ github.ref_name }}
+      - name: Confirm Version Updated
+        run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)"
+      - name: Install Dependencies
+        run: npm ci
+      - name: Obtain OIDC token
+        id: oidc
+        run: |
+          token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=continuousauth.dev" | jq -r '.value')
+          echo "::add-mask::${token}"
+          echo "token=${token}" >> $GITHUB_OUTPUT
+      - name: Obtain GitHub credentials
+        id: github_creds
+        run: |
+          token=$(curl --fail "https://continuousauth.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
+            --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
+          echo "::add-mask::${token}"
+          echo "token=${token}" >> $GITHUB_OUTPUT
+      - name: Set NPM Credentials
+        run: echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} > ~/.npmrc
+      - name: Check NPM Credentials
+        run: npm whoami
+      - name: CFA Publish
+        env:
+          CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }}
+          CFA_SECRET: ${{ secrets.CFA_SECRET }}
+          GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
+        run: node script/publish.js
+      - name: Create Release
+        env:
+          GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
+        run: gh release create ${{ github.ref_name }} -t ${{ github.ref_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,36 +7,26 @@ on:
           description: Electron version to use with "v" prefix (e.g. v30.0.0)
           required: true
 
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
-  smoke_test:
+  test:
+    uses: ./.github/workflows/test.yml
+    with:
+      electron-version: ${{ github.event.inputs.version }}
+  tag_new_version:
     runs-on: ubuntu-latest
+    environment: deps-releaser
+    needs: test
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup Node.js
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+      - name: Generate GitHub App token
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        id: generate-token
         with:
-          node-version: "20.10.0"
-      - name: Update Version
-        run: node script/update-version.js ${{ github.event.inputs.version }}
-      - name: Install Dependencies
-        run: npm i
-      - name: Run Tests
-        run: npm test
-  create_new_version:
-    runs-on: ubuntu-latest
-    needs: smoke_test
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      # Tag here, the CircleCI workflow will trigger on the new tag and do the CFA publish
+          creds: ${{ secrets.DEPS_RELEASER_GH_APP_CREDS }}
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+      # Tag here, the publish-npm.yml workflow will trigger on the new tag and do the CFA publish
       - name: Push New Tag
         run: |
           git tag ${{ github.event.inputs.version }}
           git push origin ${{ github.event.inputs.version }}
-      - name: Create Release
-        run: |
-          gh release create ${{ github.event.inputs.version }} -t ${{ github.event.inputs.version }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,60 @@
+name: Test
+
+on:
+  workflow_call:
+    inputs:
+      electron-version:
+        required: true
+        type: string
+  workflow_dispatch:
+  schedule:
+    - cron: '0 19 * * 1-5'
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    defaults:
+      run:
+        shell: bash
+    strategy:
+      matrix:
+        node-version:
+          - '20.16.0'
+          - '18.20.4'
+          - '16.20.2'
+          - '14.21.3'
+        os:
+          - macos-latest
+          - ubuntu-latest
+          - windows-latest
+        exclude:
+          - os: macos-latest
+            node-version: 14.21.3
+    runs-on: "${{ matrix.os }}"
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: "Use Node.js ${{ matrix.node-version }}"
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: "${{ matrix.node-version }}"
+      - name: Update Version
+        if: ${{ inputs.electron-version != '' }}
+        run: node script/update-version.js ${{ inputs.electron-version }}
+      - name: Use Latest Electron Version
+        if: ${{ inputs.electron-version == '' }}
+        run: echo "ELECTRON_CHROMEDRIVER_STABLE_FALLBACK=1" >> $GITHUB_ENV
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run Tests
+        run: |
+          node --version
+          npm --version
+          npm test
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Electron ChromeDriver
 
-[![CircleCI Status](https://circleci.com/gh/electron/chromedriver/tree/main.svg?style=shield)](https://circleci.com/gh/electron/chromedriver/tree/main)
+[![Test](https://github.com/electron/chromedriver/actions/workflows/test.yml/badge.svg)](https://github.com/electron/chromedriver/actions/workflows/test.yml)
 [![npm:](https://img.shields.io/npm/v/electron-chromedriver.svg)](https://www.npmjs.com/package/electron-chromedriver)
 <br>
 [![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](https://standardjs.com/)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -25,7 +25,7 @@
     "extract-zip": "^2.0.0"
   },
   "devDependencies": {
-    "@continuous-auth/client": "^2.2.2",
+    "@continuous-auth/client": "^2.3.0",
     "@electron/fiddle-core": "^1.3.3",
     "mocha": "^10.1.0",
     "standard": "^13.1.0"
