Create release #242
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#TODO: Split into smaller chunks/actions/reusable workflows | |
name: Create release | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: '⚠ be sure of yourself ⚠' | |
required: false | |
default: '' | |
debug: | |
description: 'Add DEBUG=* to the env if true' | |
type: boolean | |
default: false | |
required: false | |
env: | |
# Platform environment to log into for the e2e tests. | |
PLATFORM_ENV: 'stg' | |
# Username used to log into the organization whose ID is stored in the ORG_ID variable | |
PLATFORM_USER_NAME: ${{ secrets.PLATFORM_USER_NAME }} | |
# Password used to log into the organization whose ID is stored in the ORG_ID variable | |
PLATFORM_USER_PASSWORD: ${{ secrets.PLATFORM_USER_PASSWORD }} | |
# API key to delete all the API keys created by the e2e tests | |
PLATFORM_API_KEY: ${{ secrets.PLATFORM_API_KEY }} | |
# ID of the organization to log into for the e2e tests | |
ORG_ID: ${{ secrets.ORG_ID }} | |
# Passphrase use to encode/decode cliConfig | |
E2E_TOKEN_PASSPHRASE: ${{ secrets.E2E_TOKEN_PASSPHRASE }} | |
jobs: | |
e2e-setup-login: | |
name: End-to-end login | |
runs-on: 'ubuntu-20.04' | |
timeout-minutes: 30 | |
outputs: | |
cliConfigJson: ${{ steps.setup.outputs.cliConfigJson}} | |
env: | |
# ID of the test run to identify resources to teardown. | |
TEST_RUN_ID: 'idubuntu-20.04-${{ github.sha }}-${{ github.run_attempt }}-releaseg' | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Install Coveo CLI | |
run: npm i -g @coveo/cli@latest | |
- uses: ./.github/actions/e2e-login | |
id: setup | |
release-npm: | |
environment: 'Release' | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master | |
outputs: | |
shouldReleaseCli: $${{steps.release.outputs.shouldReleaseCli}} | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
registry-url: 'https://registry.npmjs.org' | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Install dependencies | |
run: npm ci | |
- name: Release NPM | |
run: npm run release:npm | |
id: release | |
env: | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
VERSION: ${{ inputs.version }} | |
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} | |
DEBUG: ${{ inputs.debug && '*' || '' }} | |
- name: Prepare artifacts | |
run: | | |
git add . | |
git commit -m "patch" | |
git format-patch HEAD^1 --output=release.patch | |
- name: Upload artifacts | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3 | |
with: | |
name: npm-release | |
path: | | |
release.patch | |
.git-message | |
# RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }} | |
# RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }} | |
# RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }} | |
# RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }} | |
# RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }} | |
# DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} | |
e2e: | |
name: End-to-end tests | |
runs-on: ubuntu-20.04 | |
needs: [release-npm, e2e-setup-login] | |
timeout-minutes: 60 | |
env: | |
TEST_RUN_ID: 'idubuntu-20.04-${{ github.sha }}-${{ github.run_attempt }}-releaseg' # ID of the test run to identify resources to teardown. | |
COVEO_DISABLE_AUTOUPDATE: true | |
CLI_CONFIG_JSON: ${{needs.e2e-setup-login.outputs.cliConfigJson}} | |
strategy: | |
fail-fast: false | |
matrix: | |
spec: | |
[ | |
'angular.specs.ts', | |
'atomic.specs.ts', | |
'auth.specs.ci.ts', | |
'orgList.specs.ts', | |
'orgResources.specs.ts', | |
'react.specs.ts', | |
'vue.specs.ts', | |
] | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
registry-url: 'https://registry.npmjs.org' | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Download artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: npm-release | |
- name: Apply & delete the patch | |
run: | | |
git apply release.patch | |
rm release.patch | |
- name: Install dependencies | |
run: npm ci | |
- name: Install Coveo CLI | |
run: npm i -g @coveo/cli@latest | |
- uses: ./.github/actions/e2e-run | |
with: | |
os: 'ubuntu-20.04' | |
node: 18 | |
spec: ${{ matrix.spec }} | |
cliConfigJson: ${{ env.CLI_CONFIG_JSON }} | |
jestFlags: '-u' | |
- name: Find modified Snapshots | |
id: snapshots-path | |
run: | | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "snapshotsPath<<$EOF" >> "$GITHUB_ENV" | |
git diff --name-only *.yml >> "$GITHUB_ENV" | |
echo "$EOF" >> "$GITHUB_ENV" | |
- name: Upload Jest Snapshots | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3 | |
with: | |
name: release-e2e-snaps | |
path: ${{ env.snapshotsPath }} | |
e2e-teardown: | |
name: End-to-end teardown | |
if: ${{ always() }} | |
needs: [e2e, e2e-setup-login] | |
runs-on: ubuntu-20.04 | |
env: | |
# ID of the test run to identify resources to teardown. | |
TEST_RUN_ID: '${{ github.sha }}-${{ github.run_attempt }}-releaseg' | |
CLI_CONFIG_JSON: ${{needs.e2e-setup-login.outputs.cliConfigJson}} | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
# pulls all tags (needed for computing the next version) | |
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* | |
- name: Checkout last tag | |
run: git checkout $(git describe --abbrev=0 --tags) | |
- uses: ./.github/actions/e2e-clean | |
with: | |
cliConfigJson: ${{ env.CLI_CONFIG_JSON }} | |
release-git: | |
needs: [release-npm] | |
environment: 'Release' | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
registry-url: 'https://registry.npmjs.org' | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Download NPM artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: npm-release | |
- name: Apply & delete the patch | |
run: | | |
git apply release.patch | |
rm release.patch | |
- name: Download E2E artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: release-e2e-snaps | |
- name: Install dependencies | |
run: npm ci | |
- name: Release Git | |
run: npm run release:git | |
env: | |
VERSION: ${{ inputs.version }} | |
DEBUG: ${{ inputs.debug && '*' || '' }} | |
RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }} | |
RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }} | |
RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }} | |
RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }} | |
RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }} | |
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} | |
build-binaries: | |
needs: [release-npm] | |
if: ${{needs.release-npm.outputs.shouldReleaseCli}} | |
environment: 'Release' | |
env: | |
GITHUB_CREDENTIALS: ${{ secrets.GITHUB_TOKEN }} | |
# Base64 of the certificat | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
# Certificat password | |
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | |
# Keychain password | |
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }} | |
# Apple developer email, the same used for the Apple Developer subscription | |
MACOS_APP_USERNAME: ${{ secrets.MACOS_APP_USERNAME }} | |
# App-specific password generated in apple.com for the notarization step | |
MACOS_APP_SPECIFIC_PWD: ${{ secrets.MACOS_APP_SPECIFIC_PWD }} | |
# Team ID from the Apple Developer subscription | |
MACOS_WWDR_TEAM_ID: ${{ secrets.MACOS_WWDR_TEAM_ID }} | |
name: Package for ${{ matrix.for }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: macos-latest | |
pack-command: ' macos' | |
for: 'macos install kit' | |
- os: windows-latest | |
pack-command: ' win' | |
for: 'windows install kit' | |
- os: ubuntu-20.04 | |
pack-command: ' deb' | |
for: 'linux install kit' | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for finding the @coveo/cli version to release) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
registry-url: 'https://registry.npmjs.org' | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Download artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: npm-release | |
- name: Apply & delete the patch | |
run: | | |
git apply release.patch | |
rm release.patch | |
- name: Install dependencies | |
run: npm ci | |
- name: Get CLI version | |
run: | | |
echo "cliVersion=" >> "$GITHUB_ENV" | |
cat packages/cli/core/package.json | jq '.version' >> "$GITHUB_ENV" | |
- name: Build | |
run: npm run build | |
- name: Setup Temporary Keychain | |
if: ${{matrix.os == 'macos-latest'}} | |
run: | | |
echo "Decoding base64 certificate" | |
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12 | |
echo "Creating temporary keychain" | |
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | |
echo "Adding certificate to keychain" | |
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign -T /usr/bin/productsign | |
echo "Enabling productsign from a non user interactive shell" | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain | |
- name: Create install kits | |
working-directory: ./packages/cli/core | |
run: ../../../node_modules/oclif/bin/run pack${{ matrix.pack-command }} | |
- name: Create packages | |
working-directory: ./packages/cli/core | |
if: ${{matrix.os == 'ubuntu-20.04'}} | |
run: ../../../node_modules/oclif/bin/run pack tarballs | |
- name: Get commit hash of binaries | |
run: node ../../../scripts/get-commit-short-hash.mjs | |
working-directory: ./packages/cli/core | |
- name: Sign Executable (Windows) | |
working-directory: ./packages/cli/core | |
if: ${{matrix.os == 'windows-latest'}} | |
run: | | |
New-Item -Force -ItemType directory -Path tmp | |
echo "${{ secrets.COVEO_PFX }}" > ./tmp/cert.txt | |
certutil -decode ./tmp/cert.txt ./tmp/cert.pfx | |
Start-Process -FilePath "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" -ArgumentList "sign /f ./tmp/cert.pfx /p ${{ secrets.COVEO_PFX_PWD }} /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ./dist/win32/coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64.exe" -PassThru | Wait-Process | |
Start-Process -FilePath "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" -ArgumentList "sign /f ./tmp/cert.pfx /p ${{ secrets.COVEO_PFX_PWD }} /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ./dist/win32/coveo-${{env.cliversion}}-${{env.commitSHA1}}-x86.exe" -PassThru | Wait-Process | |
- name: Sign Executable (macOS) | |
working-directory: ./packages/cli/core/dist/macos | |
if: ${{matrix.os == 'macos-latest'}} | |
run: | | |
echo "Signing for ARM64 architecture" | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | |
productsign --sign $MACOS_WWDR_TEAM_ID coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64.pkg coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64-signed.pkg --keychain build.keychain | |
echo "Signing for X64 architecture" | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | |
productsign --sign $MACOS_WWDR_TEAM_ID coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64.pkg coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64-signed.pkg --keychain build.keychain | |
- name: Notarize Executable (macOS) | |
working-directory: ./packages/cli/core/dist/macos | |
if: ${{matrix.os == 'macos-latest'}} | |
run: | | |
echo "Unlocking the keychain" | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain | |
echo "Creating keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.MACOS_APP_USERNAME }}" --team-id "${{ secrets.MACOS_WWDR_TEAM_ID }}" --password "${{ secrets.MACOS_APP_SPECIFIC_PWD }}" | |
echo "Creating temp notarization archive" | |
ditto -c -k --keepParent "coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64-signed.pkg" "notarization-arm64.zip" | |
ditto -c -k --keepParent "coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64-signed.pkg" "notarization-x64.zip" | |
echo "Notarizing app" | |
xcrun notarytool submit "notarization-arm64.zip" --keychain-profile "notarytool-profile" --wait | |
xcrun notarytool submit "notarization-x64.zip" --keychain-profile "notarytool-profile" --wait | |
echo "Attaching staple" | |
xcrun stapler staple "coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64-signed.pkg" | |
xcrun stapler staple "coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64-signed.pkg" | |
echo "Deleting unsigned packages" | |
mv "coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64-signed.pkg" "coveo-${{env.cliversion}}-${{env.commitSHA1}}-x64.pkg" | |
mv "coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64-signed.pkg" "coveo-${{env.cliversion}}-${{env.commitSHA1}}-arm64.pkg" | |
rm notarization-arm64.zip notarization-x64.zip | |
- name: Upload binaries | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3 | |
with: | |
name: release-binaries | |
path: ./packages/cli/core/dist/**/* | |
release-github: | |
needs: [release-git, release-npm, build-binaries] | |
if: ${{needs.release-npm.outputs.shouldReleaseCli}} | |
environment: 'Release' | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master | |
steps: | |
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3 | |
with: | |
# pulls all commits (needed for computing the next version) | |
fetch-depth: 0 | |
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 | |
with: | |
registry-url: 'https://registry.npmjs.org' | |
cache: 'npm' | |
node-version-file: '.nvmrc' | |
- name: Download NPM artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: npm-release | |
- name: Download binaries artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 | |
with: | |
name: release-binaries | |
- name: Apply & delete the patch | |
run: | | |
git apply release.patch | |
rm release.patch | |
- name: Install dependencies | |
run: npm ci | |
- name: Release GitHub | |
run: npm run release:github | |
env: | |
VERSION: ${{ inputs.version }} | |
DEBUG: ${{ inputs.debug && '*' || '' }} | |
RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }} | |
RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }} | |
RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }} | |
RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }} | |
RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }} | |
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} | |
- name: Upload binaries | |
uses: svenstaro/upload-release-action@7319e4733ec7a184d739a6f412c40ffc339b69c7 # 2.5.0 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: ./packages/cli/core/dist/**/* | |
file_glob: true | |
tag: ${{ env.tag }} |