From 8e86338cfdb37c3ae28dc5beb4ce3a7364400018 Mon Sep 17 00:00:00 2001
From: Daniel Graham
Date: Thu, 4 Dec 2025 14:27:36 -0800
Subject: [PATCH 1/9] chore: merge prerelease into publish-v2 job
---
.../workflows/feature-branch-prerelease.yml | 134 ------------------
.github/workflows/publish-v2.yml | 104 +++++++++++++-
2 files changed, 103 insertions(+), 135 deletions(-)
delete mode 100644 .github/workflows/feature-branch-prerelease.yml
diff --git a/.github/workflows/feature-branch-prerelease.yml b/.github/workflows/feature-branch-prerelease.yml
deleted file mode 100644
index b9f30c97a..000000000
--- a/.github/workflows/feature-branch-prerelease.yml
+++ /dev/null
@@ -1,134 +0,0 @@ -name: Prerelease feature branch - -on: - workflow_dispatch: - inputs: - releaseType: - type: choice - description: Select dry-run for testing before real prerelease - required: true - options: - - dry-run - - prerelease - - -jobs: - check-npm-token: - name: Check NPM Token - runs-on: ubuntu-latest - steps: - - name: Check NPM token validity - run: | - RESPONSE=$(curl -s -H "Authorization: Bearer ${{ secrets.NPM_PUBLISH_TOKEN }}" https://registry.npmjs.org/-/whoami) - USERNAME=$(echo "$RESPONSE" | jq -r '.username') - if [ "$USERNAME" != "sdk.dev" ]; then - echo "❌ NPM token validation failed!" - echo "Expected username: sdk.dev" - echo "Got username: $USERNAME" - echo "Full response: $RESPONSE" - echo "" - echo "The token may have expired or been revoked." - echo "📖 Token rotation guide: https://amplitude.atlassian.net/wiki/spaces/DBS/pages/3425271816/Migration+plan+Trusted+publisher+OIDC#Granular-access-token" - exit 1 - fi - echo "✅ NPM token is valid (username: $USERNAME)" - - authorize: - name: Authorize - runs-on: ubuntu-latest - needs: [check-npm-token] - steps: - - name: ${{ github.actor }} permission check to do a release - uses: 'lannonbr/repo-permission-check-action@2.0.2' - with: - permission: 'write' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - deploy: - name: Deploy - runs-on: ubuntu-latest - needs: [authorize] - permissions: - id-token: write - contents: write - strategy: - matrix: - node-version: [20.x] - - steps: - - name: Get branch name - id: branch-name - uses: tj-actions/branch-name@v7 - - - name: Check out git repository - uses: actions/checkout@v3 - with: - ref: ${{ steps.branch-name.outputs.ref_branch }} - fetch-depth: 0 - - - name: Cache dependencies - uses: actions/cache@v3 - with: - path: '**/node_modules' - key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - - 
name: Install project dependencies - run: | - yarn install --frozen-lockfile - - - name: Build all packages - run: | - yarn build - - - name: Test all packages - run: | - yarn test - - - name: Lint all packages - run: | - yarn lint - - - name: Configure Git User - run: | - git config --global user.name amplitude-sdk-bot - git config --global user.email amplitude-sdk-bot@users.noreply.github.com - - - name: Configure NPM User - run: | - echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" > ~/.npmrc - npm whoami - - # Keep alphanumeric characters and hyphens, remove other invalid characters - # Examples: - # - SR-1858 -> SR-1858 - # - feature/my-branch -> featuremy-branch - # - fix_bug_123 -> fixbug123 - # - user@company.com -> usercompanycom - - name: Transform feature branch name - run: | - echo "PREID=$(echo '${{ steps.branch-name.outputs.current_branch }}' | tr -cd '[:alnum:]-')" >> $GITHUB_ENV - - # Use --no-push to prevent pushing to remote - # Version example: 1.0.0 -> 1.1.0-{preid}.0 - - name: Dry run pre-release version - if: ${{ github.event.inputs.releaseType == 'dry-run' }} - run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --no-changelog --no-push - - - name: Pre-release version - if: ${{ github.event.inputs.releaseType == 'prerelease' }} - run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --create-release github - - # Use 'from git' option if `lerna version` has already been run - - name: Publish Release to NPM - if: ${{ github.event.inputs.releaseType == 'prerelease' }} - run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:publish -- from-git -y --ignore-scripts --pre-dist-tag ${{ env.PREID }} - 
diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index 600d23439..0c145bce7 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml @@ -3,9 +3,18 @@ name: Publish v2.x on: workflow_dispatch: inputs: + releaseType: + type: choice + description: Release type (release for main branch, prerelease for feature branches) + required: true + default: release + options: + - release + - prerelease + - dry-run publishFrom: type: string - description: Publish source (leave empty for from-git, or enter "from-package") + description: Publish source (leave empty for from-git, or enter "from-package"). Only applies to 'release' type. required: false jobs: @@ -24,6 +33,7 @@ jobs: name: Deploy runs-on: ubuntu-latest needs: [authorize] + if: ${{ github.event.inputs.releaseType == 'release' }} permissions: id-token: write # Required for OIDC contents: write 
@@ -119,3 +129,95 @@ jobs: GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:publish -- ${{ env.PUBLISH_FROM }} -y --pre-dist-tag beta --loglevel silly env: S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }} + + prerelease: + name: Prerelease feature branch + runs-on: ubuntu-latest + needs: [authorize] + if: ${{ github.event.inputs.releaseType != 'release' }} + permissions: + id-token: write # Required for OIDC + contents: write + strategy: + matrix: + node-version: [24.x] # Ensure npm 11.5.1 or later is installed for OIDC, node 24.6 is minimal + + steps: + - name: Get branch name + id: branch-name + uses: tj-actions/branch-name@v7 + + - name: Check out git repository + uses: actions/checkout@v3 + with: + ref: ${{ steps.branch-name.outputs.ref_branch }} + fetch-depth: 0 + + - name: Cache dependencies + uses: actions/cache@v3 + with: + path: '**/node_modules' + key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} + + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node-version }} + registry-url: 'https://registry.npmjs.org' + + - name: Install project dependencies + run: | + yarn install --frozen-lockfile + + - name: Build all packages + run: | + yarn build + + - name: Test all packages + run: | + yarn test + + - name: Lint all packages + run: | + yarn lint + + - name: Configure Git User + run: | + git config --global user.name amplitude-sdk-bot + git config --global user.email amplitude-sdk-bot@users.noreply.github.com + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: arn:aws:iam::358203115967:role/github-actions-role + aws-region: us-west-2 + + # Keep alphanumeric characters and hyphens, remove other invalid characters + # Examples: + # - SR-1858 -> SR-1858 + # - feature/my-branch -> featuremy-branch + # - fix_bug_123 -> fixbug123 + # - user@company.com -> usercompanycom + - name: Transform feature branch name + run: | + echo 
"PREID=$(echo '${{ steps.branch-name.outputs.current_branch }}' | tr -cd '[:alnum:]-')" >> $GITHUB_ENV + + # Use --no-push to prevent pushing to remote + # Version example: 1.0.0 -> 1.1.0-{preid}.0 + - name: Dry run pre-release version + if: ${{ github.event.inputs.releaseType == 'dry-run' }} + run: | + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --no-changelog --no-push + + - name: Pre-release version + if: ${{ github.event.inputs.releaseType == 'prerelease' }} + run: | + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --create-release github + + # Use 'from git' option if `lerna version` has already been run + - name: Publish Release to NPM + if: ${{ github.event.inputs.releaseType == 'prerelease' }} + run: | + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:publish -- from-git -y --ignore-scripts --pre-dist-tag ${{ env.PREID }} + env: + S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }} From 8f4a2811b9928e84ba71870aa59c05613768a653 Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 05:16:30 -0800 Subject: [PATCH 2/9] again --- .github/workflows/publish-v2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index 0c145bce7..3359eda2d 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml 
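Review bot: The new `prerelease` job pastes `${{ steps.branch-name.outputs.current_branch }}` straight into `run:` scripts, inside single quotes in `Transform feature branch name` and unquoted after `--allow-branch` in the three deploy steps. A branch name containing shell metacharacters is therefore parsed as script text in a job that holds `id-token: write`, `contents: write` and `GH_PUBLISH_TOKEN`. Pass the branch and the token through `env:` and reference them as quoted shell variables, as sketched below. The same pattern recurs with the free-text `branch` input in the `@@ -109,14 +122,19 @@` and `@@ -132,19 +150,19 @@` hunks of PATCH 6/9. `tj-actions/branch-name@v7` and the other `uses:` lines in this job are also mutable tags rather than commit SHAs.

```yaml
# … unchanged: checkout, cache, setup-node, install/build/test/lint, git and AWS setup …
      - name: Transform feature branch name
        env:
          BRANCH: ${{ steps.branch-name.outputs.current_branch }}
        run: |
          echo "PREID=$(printf '%s' "$BRANCH" | tr -cd '[:alnum:]-')" >> "$GITHUB_ENV"

      - name: Pre-release version
        if: ${{ github.event.inputs.releaseType == 'prerelease' }}
        env:
          GH_TOKEN: ${{ secrets.GH_PUBLISH_TOKEN }}
          BRANCH: ${{ steps.branch-name.outputs.current_branch }}
        run: |
          npm run deploy:version -- -y --no-private --conventional-prerelease --preid "$PREID" --allow-branch "$BRANCH" --create-release github
# … the dry-run and publish steps take the same env: treatment …
```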
@@ -207,7 +207,7 @@ jobs: - name: Dry run pre-release version if: ${{ github.event.inputs.releaseType == 'dry-run' }} run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --no-changelog --no-push + echo "Dry run pre-release" - name: Pre-release version if: ${{ github.event.inputs.releaseType == 'prerelease' }} From 774d03a734c4ab06e2c2e9d984f19b698c364d02 Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 08:23:21 -0800 Subject: [PATCH 3/9] Update .github/workflows/publish-v2.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/publish-v2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index 3359eda2d..cacac947b 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml @@ -207,7 +207,7 @@ jobs: - name: Dry run pre-release version if: ${{ github.event.inputs.releaseType == 'dry-run' }} run: | - echo "Dry run pre-release" + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --no-changelog --no-push --no-git-tag-version - name: Pre-release version if: ${{ github.event.inputs.releaseType == 'prerelease' }} From bc7f1bc3beda5c58a436f24bdeaa12eaf186c909 Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 09:37:28 -0800 Subject: [PATCH 4/9] move build and test steps into a helper --- .github/workflows/publish-v2.yml | 76 ++------------------------------ 1 file changed, 4 insertions(+), 72 deletions(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index cacac947b..a8ca15ee1 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml 
@@ -49,44 +49,10 @@ jobs: with: fetch-depth: 0 - - name: Cache dependencies - uses: actions/cache@v3 - with: - path: '**/node_modules' - key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + - name: Build and Test + uses: ./.github/actions/build-and-test with: node-version: ${{ matrix.node-version }} - registry-url: 'https://registry.npmjs.org' - - - name: Install project dependencies - run: | - yarn install --frozen-lockfile - - - name: Build all packages - run: | - yarn build - - - name: Test all packages - run: | - yarn test - - - name: Lint all packages - run: | - yarn lint - - - name: Configure Git User - run: | - git config --global user.name amplitude-sdk-bot - git config --global user.email amplitude-sdk-bot@users.noreply.github.com - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::358203115967:role/github-actions-role - aws-region: us-west-2 # Only create release version when using from-git (default behavior) # from-package mode uses existing package.json versions and doesn't need git tags 
@@ -153,44 +119,10 @@ jobs: ref: ${{ steps.branch-name.outputs.ref_branch }} fetch-depth: 0 - - name: Cache dependencies - uses: actions/cache@v3 - with: - path: '**/node_modules' - key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 + - name: Build and Test + uses: ./.github/actions/build-and-test with: node-version: ${{ matrix.node-version }} - registry-url: 'https://registry.npmjs.org' - - - name: Install project dependencies - run: | - yarn install --frozen-lockfile - - - name: Build all packages - run: | - yarn build - - - name: Test all packages - run: | - yarn test - - - name: Lint all packages - run: | - yarn lint - - - name: Configure Git User - run: | - git config --global user.name amplitude-sdk-bot - git config --global user.email amplitude-sdk-bot@users.noreply.github.com - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::358203115967:role/github-actions-role - aws-region: us-west-2 # Keep alphanumeric characters and hyphens, remove other invalid characters # Examples: From ddc04c10c15835d81b35e59c92920ed2c56f8a8a Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 09:38:11 -0800 Subject: [PATCH 5/9] again --- .github/workflows/publish-v2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index a8ca15ee1..f87aad445 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml @@ -100,7 +100,7 @@ jobs: name: Prerelease feature branch runs-on: ubuntu-latest needs: [authorize] - if: ${{ github.event.inputs.releaseType != 'release' }} + if: ${{ github.event.inputs.releaseType == 'prerelease' || github.event.inputs.releaseType == 'dry-run' }} permissions: id-token: write # Required for OIDC contents: write 
From b900e683d3d0dbe5604d05aee97141898f2f2917 Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 09:46:06 -0800 Subject: [PATCH 6/9] again --- .github/workflows/publish-v2.yml | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index f87aad445..6d5995764 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml @@ -16,12 +16,25 @@ on: type: string description: Publish source (leave empty for from-git, or enter "from-package"). Only applies to 'release' type. required: false + branch: + type: string + description: Branch to create pre-release from (only applies to prerelease/dry-run). Leave empty to use current branch. + required: false jobs: authorize: name: Authorize runs-on: ubuntu-latest steps: + # - name: Check branch protection + # run: | + # if [ "${{ github.ref_name }}" != "main" ]; then + # echo "❌ This workflow can only be triggered from the main branch." + # echo "Current branch: ${{ github.ref_name }}" + # exit 1 + # fi + # echo "✅ Branch check passed: running from main" + - name: ${{ github.actor }} permission check to do a release uses: 'lannonbr/repo-permission-check-action@2.0.2' with: @@ -109,14 +122,19 @@ jobs: node-version: [24.x] # Ensure npm 11.5.1 or later is installed for OIDC, node 24.6 is minimal steps: - - name: Get branch name - id: branch-name - uses: tj-actions/branch-name@v7 + - name: Determine branch to use + id: determine-branch + run: | + if [ -n "${{ github.event.inputs.branch }}" ]; then + echo "branch=${{ github.event.inputs.branch }}" >> $GITHUB_OUTPUT + else + echo "branch=${{ github.ref_name }}" >> $GITHUB_OUTPUT + fi - name: Check out git repository uses: actions/checkout@v3 with: - ref: ${{ steps.branch-name.outputs.ref_branch }} + ref: ${{ steps.determine-branch.outputs.branch }} fetch-depth: 0 - name: Build and Test 
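Review bot: Taking the checkout `ref:` from the `branch` input in the `@@ -109,14 +122,19 @@` hunk means the local action in the following step is loaded from that branch's tree. The `uses: ./.github/actions/build-and-test` line sits just past the end of this hunk (it is visible in PATCH 4/9) and resolves against the workspace this checkout fills. The selected branch can therefore change the steps that run in a job holding `id-token: write` and `contents: write`, and a branch cut before the action existed would presumably fail at that step. One option is a second `actions/checkout` step without `ref:` and with `path: trusted`, then `uses: ./trusted/.github/actions/build-and-test`, so the action definition always comes from the dispatched ref.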
@@ -132,19 +150,19 @@ jobs: # - user@company.com -> usercompanycom - name: Transform feature branch name run: | - echo "PREID=$(echo '${{ steps.branch-name.outputs.current_branch }}' | tr -cd '[:alnum:]-')" >> $GITHUB_ENV + echo "PREID=$(echo '${{ steps.determine-branch.outputs.branch }}' | tr -cd '[:alnum:]-')" >> $GITHUB_ENV # Use --no-push to prevent pushing to remote # Version example: 1.0.0 -> 1.1.0-{preid}.0 - name: Dry run pre-release version if: ${{ github.event.inputs.releaseType == 'dry-run' }} run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --no-changelog --no-push --no-git-tag-version + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.determine-branch.outputs.branch }} --no-changelog --no-push --no-git-tag-version - name: Pre-release version if: ${{ github.event.inputs.releaseType == 'prerelease' }} run: | - GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.branch-name.outputs.current_branch }} --create-release github + GH_TOKEN=${{ secrets.GH_PUBLISH_TOKEN }} npm run deploy:version -- -y --no-private --conventional-prerelease --preid ${{ env.PREID }} --allow-branch ${{ steps.determine-branch.outputs.branch }} --create-release github # Use 'from git' option if `lerna version` has already been run - name: Publish Release to NPM From 8add761978eacdf3facde4fcc117e684c3bbd4db Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 09:48:12 -0800 Subject: [PATCH 7/9] again --- .github/actions/build-and-test/action.yml | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/actions/build-and-test/action.yml 
diff --git a/.github/actions/build-and-test/action.yml b/.github/actions/build-and-test/action.yml new file mode 100644 index 000000000..d56a386f5 --- /dev/null +++ b/.github/actions/build-and-test/action.yml @@ -0,0 +1,54 @@ +name: 'Build and Test' +description: 'Install dependencies, build, test, and lint packages' +inputs: + node-version: + description: 'Node.js version to use' + required: true + +runs: + using: "composite" + steps: + - name: Cache dependencies + uses: actions/cache@v3 + with: + path: '**/node_modules' + key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} + + - name: Setup Node.js ${{ inputs.node-version }} + uses: actions/setup-node@v3 + with: + node-version: ${{ inputs.node-version }} + registry-url: 'https://registry.npmjs.org' + + - name: Install project dependencies + shell: bash + run: | + yarn install --frozen-lockfile + + - name: Build all packages + shell: bash + run: | + yarn build + + - name: Test all packages + shell: bash + run: | + yarn test + + - name: Lint all packages + shell: bash + run: | + yarn lint + + - name: Configure Git User + shell: bash + run: | + git config --global user.name amplitude-sdk-bot + git config --global user.email amplitude-sdk-bot@users.noreply.github.com + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: arn:aws:iam::358203115967:role/github-actions-role + aws-region: us-west-2 + From 2580d7e603fdd5be8e992194a77d5b34edd6de93 Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Mon, 8 Dec 2025 10:00:44 -0800 Subject: [PATCH 8/9] again --- .github/workflows/publish-v2.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish-v2.yml b/.github/workflows/publish-v2.yml index 6d5995764..89ff0fcc9 100644 --- a/.github/workflows/publish-v2.yml +++ b/.github/workflows/publish-v2.yml 
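Review bot: This composite action runs `yarn install`, `yarn build`, `yarn test` and `yarn lint`, all of which execute repository and dependency scripts, inside caller jobs that publish-v2.yml declares with `id-token: write` and `contents: write`. Those scripts therefore run in a job that may request an OIDC token, even before `Configure AWS Credentials` is reached. Consider moving install/build/test/lint to a job without `id-token: write` and keeping only credential setup and publish in the privileged job. The name `Build and Test` also hides that the action sets the git identity and assumes an AWS role, which deserves a line in `description:`. Separately, `actions/cache@v3`, `actions/setup-node@v3` and `aws-actions/configure-aws-credentials@v2` are mutable tags; pinning each as `uses: actions/cache@<full-commit-sha> # v3` keeps a retagged release from changing what runs here.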
@@ -26,14 +26,14 @@ jobs: name: Authorize runs-on: ubuntu-latest steps: - # - name: Check branch protection - # run: | - # if [ "${{ github.ref_name }}" != "main" ]; then - # echo "❌ This workflow can only be triggered from the main branch." - # echo "Current branch: ${{ github.ref_name }}" - # exit 1 - # fi - # echo "✅ Branch check passed: running from main" + - name: Check branch protection + run: | + if [ "${{ github.ref_name }}" != "main" ]; then + echo "❌ This workflow can only be triggered from the main branch." + echo "Current branch: ${{ github.ref_name }}" + exit 1 + fi + echo "✅ Branch check passed: running from main" - name: ${{ github.actor }} permission check to do a release uses: 'lannonbr/repo-permission-check-action@2.0.2' From 14e94427df8ed0fbab94decb38a3116457b1d2ff Mon Sep 17 00:00:00 2001 From: Daniel Graham Date: Fri, 12 Dec 2025 15:00:48 -0800 Subject: [PATCH 9/9] again --- .github/actions/build-and-test/action.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/actions/build-and-test/action.yml b/.github/actions/build-and-test/action.yml index d56a386f5..ebad37549 100644 --- a/.github/actions/build-and-test/action.yml +++ b/.github/actions/build-and-test/action.yml @@ -21,30 +21,25 @@ runs: registry-url: 'https://registry.npmjs.org' - name: Install project dependencies - shell: bash run: | yarn install --frozen-lockfile - name: Build all packages - shell: bash run: | yarn build - name: Test all packages - shell: bash run: | yarn test - name: Lint all packages - shell: bash run: | yarn lint - name: Configure Git User - shell: bash run: | - git config --global user.name amplitude-sdk-bot - git config --global user.email amplitude-sdk-bot@users.noreply.github.com + git config --global user.name amplitude-sdk-dev + git config --global user.email 249154226+amplitude-sdk-dev@users.noreply.github.com - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2
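Review bot: Enabling this check in the `@@ -26,14 +26,14 @@` hunk makes the fallback in `Determine branch to use` (added in PATCH 6/9) resolve only to `main`, because every run that passes it has `github.ref_name` equal to `main`. A `prerelease` or `dry-run` dispatched with `branch` left empty would then, as far as the visible steps show, version from `main` with `--preid main`, while the input description still says "Leave empty to use current branch". Consider failing early in that case, e.g. `if [ -z "$BRANCH" ]; then echo "branch is required for prerelease/dry-run"; exit 1; fi` with `BRANCH: ${{ github.event.inputs.branch }}` supplied through `env:`, and update the description to match.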
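Review bot: Dropping `shell: bash` from the `run:` steps in the `@@ -21,30 +21,25 @@` hunk of PATCH 9/9 leaves the composite action invalid. In an action declared with `using: "composite"`, every step that sets `run` must also set `shell`, and the runner rejects the action metadata otherwise. Keep `shell: bash` on the five `run:` steps (install, build, test, lint, Configure Git User) and limit this commit to the git identity change to `amplitude-sdk-dev`. Both callers in publish-v2.yml go through this action, so the failure would block the release and prerelease paths alike.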