From 6c71f61ff3a0a02e451dc3655299fb52dc187c8f Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 12:16:20 -0800 Subject: [PATCH 01/18] m --- .github/workflows/daily_ci.yaml | 2 +- .github/workflows/prod-release.yml | 91 ++++++++++++++++++++++++++++++ .github/workflows/pull.yaml | 2 +- .github/workflows/push.yaml | 2 +- .github/workflows/shared-ci.yml | 59 +++++++++++++++++++ 5 files changed, 153 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/prod-release.yml create mode 100644 .github/workflows/shared-ci.yml diff --git a/.github/workflows/daily_ci.yaml b/.github/workflows/daily_ci.yaml index c52f16de..8b249860 100644 --- a/.github/workflows/daily_ci.yaml +++ b/.github/workflows/daily_ci.yaml @@ -7,4 +7,4 @@ on: jobs: daily-ci-js-helpers: - uses: ./.github/workflows/ci-unit-tests.yaml \ No newline at end of file + uses: ./.github/workflows/shared-ci.yml diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml new file mode 100644 index 00000000..1742e36c --- /dev/null +++ b/.github/workflows/prod-release.yml 
@@ -0,0 +1,91 @@
+name: Release
+permissions:
+ contents: read
+ id-token: write
+
+on:
+ workflow_dispatch:
+ inputs:
+ version_bump:
+ required: false
+ description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
+ default: ''
+ dist_tag:
+ description: 'NPM distribution tag'
+ required: false
+ default: 'latest'
+ branch:
+ description: 'The branch to release from'
+ required: false
+ default: 'master'
+
+env:
+ NODE_OPTIONS: "--max-old-space-size=4096"
+ NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+ pre-release-ci:
+ uses: ./.github/workflows/shared-ci.yml
+
+ # Once all tests have passed, run semantic versioning
+ version:
+ runs-on: ubuntu-latest
+ needs: [pre-release-ci]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup Node.js 20
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Configure git
+ env:
+ BRANCH: ${{ github.event.inputs.branch }}
+ run: |
+ git config --global user.name "aws-crypto-tools-ci-bot"
+ git config --global user.email "no-reply@noemail.local"
+ git checkout $BRANCH
+
+ - name: Version packages and push
+ env:
+ VERSION_BUMP: ${{ github.event.inputs.version_bump }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ # Generate new version and CHANGELOG entry and push it
+ npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
+ # Log the commit for posterity
+ git log -n 1
+
+ publish:
+ runs-on: ubuntu-latest
+ needs: [pre-release-ci, version]
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ registry-url: 'https://registry.npmjs.org'
+
+ # Ensure npm 11.5.1 or later is installed
+ - name: Update npm
+ run: npm install -g npm@latest
+ - run: npm ci --unsafe-perm
+ - run: npm run build --if-present + - run: npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }} + + # Once publishing is complete, validate that the published packages are useable + validate: + uses: ./.github/workflows/shared-ci.yml + needs: [publish] + with: + test-published-packages: true diff --git a/.github/workflows/pull.yaml b/.github/workflows/pull.yaml index 266509cb..124fb918 100644 --- a/.github/workflows/pull.yaml +++ b/.github/workflows/pull.yaml @@ -6,4 +6,4 @@ on: jobs: pr-ci-js-helpers-test: - uses: ./.github/workflows/ci-unit-tests.yaml \ No newline at end of file + uses: ./.github/workflows/shared-ci.yml diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index ed7d8b55..3056c217 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -8,4 +8,4 @@ on: jobs: push-ci-js-helpers-test: - uses: ./.github/workflows/ci-unit-tests.yaml \ No newline at end of file + uses: ./.github/workflows/shared-ci.yml diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml new file mode 100644 index 00000000..c6c9db61 --- /dev/null +++ b/.github/workflows/shared-ci.yml 
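Review bot: In `.github/workflows/prod-release.yml` the publish step expands `${{ github.event.inputs.dist_tag }}` directly inside the `run:` script, so the dispatch input becomes shell text in the job that publishes to npm under `id-token: write`; pass it through the environment as the `branch` input already is, `env: DIST_TAG: ${{ github.event.inputs.dist_tag }}` with `--dist-tag "$DIST_TAG"`, and quote `"$BRANCH"` in `git checkout $BRANCH`. The workflow-level `id-token: write` also reaches `pre-release-ci` and `validate`, which only run tests; a job-level `permissions:` block on `publish` keeps the OIDC token where it is needed. With `contents: read` at workflow level, the push that `lerna version` performs in the `version` job presumably fails unless that job is given `contents: write`. The `publish` job's checkout has no `ref:`, so it likely builds the commit the run was dispatched on rather than the version commit just pushed; this is worth confirming before the first release.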
@@ -0,0 +1,59 @@
+name: Shared CI Tests
+
+on:
+ workflow_call:
+ inputs:
+ test-published-packages:
+ description: 'Test against published packages instead of checked out code'
+ required: false
+ type: boolean
+ default: false
+
+env:
+ NODE_OPTIONS: "--max-old-space-size=4096"
+ NPM_CONFIG_UNSAFE_PERM: true
+
+jobs:
+ test:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, windows-latest, macos-latest]
+ node-version: ['16.x', '18.x', '20.x', 'latest']
+ # Determine test categories based on whether testing published packages or source code:
+ # - Testing published packages: only run vector tests (don't have build artifacts to test coverage)
+ # - Testing source code: run unit tests and vector tests
+ test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["unit", "vectors"]') }}
+ name: test-${{ matrix.test-category }}-${{ matrix.os }}-${{ matrix.node-version }}
+ steps:
+ - name: Checkout code
+ # Always need repo for test scripts and configuration, even when testing published packages
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node-version }}
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci --unsafe-perm
+
+ - name: Build (for source code testing)
+ if: ${{ !inputs.test-published-packages }}
+ run: npm run build
+
+ - name: Run unit tests
+ if: ${{ matrix.test-category == 'unit' }}
+ run: npm test
+
+ - name: Publish locally for vector tests
+ if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
+ run: npm run verdaccio-publish
+
+ - name: Run vector tests
+ if: ${{ matrix.test-category == 'vectors' }}
+ run: npm run verdaccio-verify-publish -- ${{ inputs.test-published-packages && 'public' || 'ci' }}
From 131fdedcf195fa97d288582b7b5591dcadf65f83 Mon Sep 17 00:00:00 2001
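Review bot: The new reusable workflow `.github/workflows/shared-ci.yml` declares no `permissions:` block, so its jobs run with whatever the caller grants; when `prod-release.yml` calls it, the test matrix, which runs `npm ci` and the repository's own scripts, inherits `id-token: write`. Adding a top-level `permissions:` with `contents: read` to this file caps the token for every caller, since a called workflow can only lower what it is given. The later hunks in this series that rewrite `shared-ci.yml` leave the block absent as well, so the same addition applies to the final version of the file.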
From: Lucas McDonald Date: Fri, 21 Nov 2025 12:17:37 -0800 Subject: [PATCH 02/18] m --- .github/workflows/ci-unit-tests.yaml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/workflows/ci-unit-tests.yaml diff --git a/.github/workflows/ci-unit-tests.yaml b/.github/workflows/ci-unit-tests.yaml deleted file mode 100644 index 8f0d7581..00000000 --- a/.github/workflows/ci-unit-tests.yaml +++ /dev/null @@ -1,25 +0,0 @@ -name: Unit tests - -on: workflow_call - -jobs: - ci-unit-tests: - runs-on: ${{ matrix.os }} - strategy: - fail-fast: true - matrix: - os: - - ubuntu-latest - - windows-latest - - macos-latest - node: - - 16 - - 18 - - 20 - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node }} - - uses: bahmutov/npm-install@v1 - - run: npm test From fc95c8edf55c247ae3518408693074824cdc1d07 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 13:34:00 -0800 Subject: [PATCH 03/18] m --- .github/workflows/pull.yaml | 10 ++++++ .github/workflows/shared-ci.yml | 55 ++++++++++++--------------------- 2 files changed, 30 insertions(+), 35 deletions(-) diff --git a/.github/workflows/pull.yaml b/.github/workflows/pull.yaml index 124fb918..a954e9fd 100644 --- a/.github/workflows/pull.yaml +++ b/.github/workflows/pull.yaml @@ -7,3 +7,13 @@ on: jobs: pr-ci-js-helpers-test: uses: ./.github/workflows/shared-ci.yml + pr-ci-all-required: + if: always() + needs: + - pr-ci-js-helpers-test + runs-on: ubuntu-22.04 + steps: + - name: Verify all required jobs passed + uses: re-actors/alls-green@release/v1 + with: + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index c6c9db61..50de32d2 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml 
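Review bot: The new `pr-ci-all-required` job in `pull.yaml` runs `re-actors/alls-green@release/v1`, a third-party action referenced by a branch name, so whatever that branch points to at run time executes inside the PR gate. Pin it to a full commit SHA and keep the version in a trailing comment, `uses: re-actors/alls-green@<full-commit-sha> # release/v1`, so that an update is a reviewed change. The `if: always()` is what lets the gate report after a failed dependency; a one-line comment saying so, such as `# always(): run even when a needed job failed, so the gate can report it`, would keep someone from removing it.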
@@ -14,46 +14,31 @@ env: NPM_CONFIG_UNSAFE_PERM: true jobs: - test: + ci-unit-tests: runs-on: ${{ matrix.os }} strategy: - fail-fast: false + fail-fast: true matrix: os: [ubuntu-latest, windows-latest, macos-latest] - node-version: ['16.x', '18.x', '20.x', 'latest'] - # Determine test categories based on whether testing published packages or source code: - # - Testing published packages: only run vector tests (don't have build artifacts to test coverage) - # - Testing source code: run unit tests and vector tests - test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["unit", "vectors"]') }} - name: test-${{ matrix.test-category }}-${{ matrix.os }}-${{ matrix.node-version }} + node: [16, 18, 20] steps: - - name: Checkout code - # Always need repo for test scripts and configuration, even when testing published packages - uses: actions/checkout@v4 + - uses: actions/checkout@v2 + - uses: actions/setup-node@v1 with: - fetch-depth: 0 - - - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: 'npm' - - - name: Install dependencies - run: npm ci --unsafe-perm - - - name: Build (for source code testing) - if: ${{ !inputs.test-published-packages }} - run: npm run build - - - name: Run unit tests - if: ${{ matrix.test-category == 'unit' }} - run: npm test - + node-version: ${{ matrix.node }} + - uses: bahmutov/npm-install@v1 + - run: npm test + + # Run vector tests for all CI runs - name: Publish locally for vector tests - if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }} + if: ${{ !inputs.test-published-packages }} run: npm run verdaccio-publish - - - name: Run vector tests - if: ${{ matrix.test-category == 'vectors' }} - run: npm run verdaccio-verify-publish -- ${{ inputs.test-published-packages && 'public' || 'ci' }} + + - name: Run local test (local packages) + if: ${{ !inputs.test-published-packages }} + run: npm run 
verdaccio-verify-publish -- ci + + # Run vector tests against published packages (release workflow validation) + - name: Run vector tests (published packages) + if: ${{ inputs.test-published-packages }} + run: npm run verdaccio-verify-publish -- public From 88d6359888e7e9a60c7de52316ae5e4c7e66e02a Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 13:37:52 -0800 Subject: [PATCH 04/18] m --- .github/workflows/shared-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 50de32d2..fc28fc6e 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -29,16 +29,16 @@ jobs: - uses: bahmutov/npm-install@v1 - run: npm test - # Run vector tests for all CI runs + # Run vector tests for all CI runs (Ubuntu only) - name: Publish locally for vector tests - if: ${{ !inputs.test-published-packages }} + if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} run: npm run verdaccio-publish - - name: Run local test (local packages) - if: ${{ !inputs.test-published-packages }} + - name: Run vector tests (local packages) + if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} run: npm run verdaccio-verify-publish -- ci - # Run vector tests against published packages (release workflow validation) + # Run vector tests against published packages (release workflow validation, Ubuntu only) - name: Run vector tests (published packages) - if: ${{ inputs.test-published-packages }} + if: ${{ inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} run: npm run verdaccio-verify-publish -- public From 1b99627a25418b46681a2d7eac93c6c31d553abe Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 13:49:36 -0800 Subject: [PATCH 05/18] m --- .github/workflows/shared-ci.yml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index fc28fc6e..e62bb42d 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -22,11 +22,28 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] node: [16, 18, 20] steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/checkout@v4 + + - name: Setup Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node }} - - uses: bahmutov/npm-install@v1 + node-version: ${{ matrix.node-version }} + cache: 'npm' + + # - name: Configure AWS Credentials for Tests + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # aws-region: us-west-2 + # role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 + # role-session-name: JavaScriptTests + + - name: Install dependencies + run: npm ci --unsafe-perm + + - name: Build (for source code testing) + if: ${{ !inputs.test-published-packages }} + run: npm run build + - run: npm test # Run vector tests for all CI runs (Ubuntu only) From 80016a0a39e354b8b5e9407a7c915ab0a3e5cae1 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 13:52:26 -0800 Subject: [PATCH 06/18] m --- .github/workflows/shared-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index e62bb42d..e29b0986 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -24,10 +24,10 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Setup Node.js ${{ matrix.node-version }} + - name: Setup Node.js ${{ matrix.node }} uses: actions/setup-node@v4 with: - node-version: ${{ matrix.node-version }} + node-version: ${{ matrix.node }} cache: 'npm' # - name: Configure AWS Credentials for Tests 
@@ -43,13 +43,13 @@ jobs: - name: Build (for source code testing) if: ${{ !inputs.test-published-packages }} run: npm run build - - - run: npm test # Run vector tests for all CI runs (Ubuntu only) - name: Publish locally for vector tests if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} run: npm run verdaccio-publish + + - run: npm test - name: Run vector tests (local packages) if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} From c23f1bd70c14c572798c12746bdf9a21aa6df3ce Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 13:58:00 -0800 Subject: [PATCH 07/18] m --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index e29b0986..6b66c957 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -20,7 +20,7 @@ jobs: fail-fast: true matrix: os: [ubuntu-latest, windows-latest, macos-latest] - node: [16, 18, 20] + node: ["18.x", "20.x", "22.x", "latest"] steps: - uses: actions/checkout@v4 From d9f322cc216094db936e7a0d666c5e24f710b9bf Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:02:27 -0800 Subject: [PATCH 08/18] m --- util/local_verdaccio_publish | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/util/local_verdaccio_publish b/util/local_verdaccio_publish index 6a423871..a5a56fc7 100755 --- a/util/local_verdaccio_publish +++ b/util/local_verdaccio_publish @@ -10,9 +10,7 @@ // but now the portability problems loom large. const { spawn, execSync } = require('child_process') -const { readFileSync } = require('fs') const pipeStdIo = { stdio: [process.stdin, process.stdout, process.stderr] } -const { workspaces } = JSON.parse(readFileSync("package.json", 'utf8')) // Always clear storage so the latest versions are published // I am not worried about _what_ version number is published 
@@ -24,6 +22,12 @@ const verdaccio = spawn('npx', ['verdaccio', '-c', 'verdaccio/config.yaml'], pip .on('error', e => { throw e }) + .on('close', (code, signal) => { + console.log(`verdaccio process closed with code ${code} or signal ${signal}`); + }) + .on('exit', (code, signal) => { + console.log(`verdaccio process exited with code ${code} or signal ${signal}`); + }) // Publish all changed packages the local verdaccio server. // Anything that has not been changed will match what is in npm @@ -37,21 +41,33 @@ const args = [ '--no-git-reset', '--preid', 'ci', '--no-verify-access', - '--force-publish' + '--force-publish', + '--loglevel', 'warn', + '--no-progress' ] -spawn('npx', args, pipeStdIo) - .on('close', (code) => { - // Kill the background verdaccio server - verdaccio.kill() - +timeout = 60000 * 2 +console.log(`Starting lerna publish with timeout of ${timeout}`); +spawn('npx', args, { + stdio: [process.stdin, process.stdout, process.stderr], + timeout: timeout +}).on('close', (code, signal) => { + console.log(`lerna terminated due to receipt of signal ${signal} or code ${code}`); // The above command will make some modifications, // Roll them back // Ideally, we would find a way to not have to do this - workspaces.forEach(workspace => execSync(`git checkout -- ${workspace}/package.json`)) + execSync('git checkout -- modules/**/package.json') execSync('git checkout -- lerna.json') + execSync('git restore package-lock.json') + // Kill the background verdaccio server + verdaccioKilledStatus = verdaccio.kill() + console.log(`killing Verdaccio returned ${verdaccioKilledStatus}`); + // If this command had an error, // we need to forward this. // Otherwise the entire CI build may think that things succeeded. if (code !== 0) throw Error(`Exit code: ${code}`) - }) \ No newline at end of file + + process.exit() + }) + From 4b1d15aeffc9348d5164ddfbf1bccc37cdf206c5 Mon Sep 17 00:00:00 2001 
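Review bot: In the last hunk of `util/local_verdaccio_publish`, `verdaccio.kill()` now runs after the three `execSync` git calls, so if any of them throws, the background registry is never stopped and the failure surfaces as an uncaught exception rather than the forwarded exit code. Wrapping the rollback in `try { … } finally { verdaccio.kill() }` keeps the cleanup unconditional. `timeout = 60000 * 2` and `verdaccioKilledStatus = verdaccio.kill()` assign to undeclared names and so create implicit globals; declare both with `const`. When the spawn timeout fires, `code` is presumably `null`, so the thrown message reads `Exit code: null`; adding `signal` to that message would make a timeout recognisable in the CI log.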
From: Lucas McDonald Date: Fri, 21 Nov 2025 14:04:29 -0800 Subject: [PATCH 09/18] m --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 6b66c957..8e6ad659 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -17,7 +17,7 @@ jobs: ci-unit-tests: runs-on: ${{ matrix.os }} strategy: - fail-fast: true + fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] node: ["18.x", "20.x", "22.x", "latest"] From b8fa035c869230a65f3b5f8e8be061327d366bc1 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:35:51 -0800 Subject: [PATCH 10/18] m --- .github/workflows/shared-ci.yml | 2 +- util/local_verdaccio_publish | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 8e6ad659..2d9f23d8 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -20,7 +20,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, windows-latest, macos-latest] - node: ["18.x", "20.x", "22.x", "latest"] + node: ["16.x", "18.x", "20.x"] steps: - uses: actions/checkout@v4 diff --git a/util/local_verdaccio_publish b/util/local_verdaccio_publish index a5a56fc7..388ca7a0 100755 --- a/util/local_verdaccio_publish +++ b/util/local_verdaccio_publish @@ -55,7 +55,6 @@ spawn('npx', args, { // The above command will make some modifications, // Roll them back // Ideally, we would find a way to not have to do this - execSync('git checkout -- modules/**/package.json') execSync('git checkout -- lerna.json') execSync('git restore package-lock.json') From b2db65368e62eafa61d06517561c220359439232 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:41:27 -0800 Subject: [PATCH 11/18] m --- .github/workflows/shared-ci.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 2d9f23d8..bd4fd1d1 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -43,19 +43,20 @@ jobs: - name: Build (for source code testing) if: ${{ !inputs.test-published-packages }} run: npm run build + + - run: npm test # Run vector tests for all CI runs (Ubuntu only) - - name: Publish locally for vector tests - if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} + # Verdaccio is only supported on Node.js v18 and higher + - name: Publish locally for vector tests (except Node.js 16) + if: ${{ !inputs.test-published-packages && matrix.node != '16.x' }} run: npm run verdaccio-publish - - - run: npm test - name: Run vector tests (local packages) - if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} + if: ${{ !inputs.test-published-packages && matrix.node != '16.x' }} run: npm run verdaccio-verify-publish -- ci # Run vector tests against published packages (release workflow validation, Ubuntu only) - name: Run vector tests (published packages) - if: ${{ inputs.test-published-packages && matrix.os == 'ubuntu-latest' }} + if: ${{ inputs.test-published-packages && matrix.node != '16.x' }} run: npm run verdaccio-verify-publish -- public From e8c6d92861fb7a224523cb28e00fc6b49bb03b7e Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:45:32 -0800 Subject: [PATCH 12/18] m --- .github/workflows/shared-ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index bd4fd1d1..76b097ac 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml 
@@ -48,15 +48,16 @@ jobs: # Run vector tests for all CI runs (Ubuntu only) # Verdaccio is only supported on Node.js v18 and higher + # Weird syntax issues on Windows prevent us from running these tests there - name: Publish locally for vector tests (except Node.js 16) - if: ${{ !inputs.test-published-packages && matrix.node != '16.x' }} + if: ${{ !inputs.test-published-packages && matrix.node != '16.x' && matrix.os != 'windows-latest' }} run: npm run verdaccio-publish - name: Run vector tests (local packages) - if: ${{ !inputs.test-published-packages && matrix.node != '16.x' }} + if: ${{ !inputs.test-published-packages && matrix.node != '16.x' && matrix.os != 'windows-latest' }} run: npm run verdaccio-verify-publish -- ci # Run vector tests against published packages (release workflow validation, Ubuntu only) - name: Run vector tests (published packages) - if: ${{ inputs.test-published-packages && matrix.node != '16.x' }} + if: ${{ inputs.test-published-packages && matrix.node != '16.x' && matrix.os != 'windows-latest' }} run: npm run verdaccio-verify-publish -- public From 6f7ace12e21bc7b9835e027f8b126854ba5d215a Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:54:09 -0800 Subject: [PATCH 13/18] test published --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 76b097ac..683a3792 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -7,7 +7,7 @@ on: description: 'Test against published packages instead of checked out code' required: false type: boolean - default: false + default: true env: NODE_OPTIONS: "--max-old-space-size=4096" From 43fb081f32d4aeb53b083d579c3b7d91357e11da Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 14:59:19 -0800 Subject: [PATCH 14/18] m --- .github/workflows/shared-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
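Review bot: The two comments that still say "(Ubuntu only)" in `shared-ci.yml` no longer match the `if:` conditions, which now exclude only `16.x` and `windows-latest`, so the vector tests also run on macOS. Something like `# Vector tests run on Ubuntu and macOS, Node.js 18+ (Verdaccio needs Node.js 18; Windows excluded, see below)` would describe what the conditions do. "Weird syntax issues on Windows" gives the next maintainer nothing to act on; naming the failing command or linking an issue would. The same conditions mean the published-package validation in the release workflow is skipped on Windows and Node.js 16, which should be stated next to that step if it is intended.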
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 683a3792..44f0978f 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -40,11 +40,11 @@ jobs: - name: Install dependencies run: npm ci --unsafe-perm + - run: npm test + - name: Build (for source code testing) if: ${{ !inputs.test-published-packages }} run: npm run build - - - run: npm test # Run vector tests for all CI runs (Ubuntu only) # Verdaccio is only supported on Node.js v18 and higher From 468d9289d1dc2951fd796a96635d6146777013c5 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 15:05:00 -0800 Subject: [PATCH 15/18] m --- .github/workflows/shared-ci.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 44f0978f..a3dedbec 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -30,17 +30,14 @@ jobs: node-version: ${{ matrix.node }} cache: 'npm' - # - name: Configure AWS Credentials for Tests - # uses: aws-actions/configure-aws-credentials@v4 - # with: - # aws-region: us-west-2 - # role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2 - # role-session-name: JavaScriptTests - - - name: Install dependencies + - name: Install local dependencies + if: ${{ !inputs.test-published-packages }} run: npm ci --unsafe-perm - - run: npm test + # This only works for local code, testing published packages requires setup + - name: Test local code + if: ${{ !inputs.test-published-packages }} + run: npm test - name: Build (for source code testing) if: ${{ !inputs.test-published-packages }} From e980b4c16e83f4d7ea33cd841912d965d5f0f1b0 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 15:06:52 -0800 Subject: [PATCH 16/18] m --- .github/workflows/shared-ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index a3dedbec..27853e9f 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -30,11 +30,10 @@ jobs: node-version: ${{ matrix.node }} cache: 'npm' - - name: Install local dependencies - if: ${{ !inputs.test-published-packages }} + - name: Install dependencies run: npm ci --unsafe-perm - # This only works for local code, testing published packages requires setup + # `npm test` only works for local code, testing published packages requires setup - name: Test local code if: ${{ !inputs.test-published-packages }} run: npm test From d2f1c05d19f4ebbaf3d86d9823b98ed9be452d62 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 15:10:15 -0800 Subject: [PATCH 17/18] m --- .github/workflows/shared-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml index 27853e9f..b4e2bc49 100644 --- a/.github/workflows/shared-ci.yml +++ b/.github/workflows/shared-ci.yml @@ -7,7 +7,7 @@ on: description: 'Test against published packages instead of checked out code' required: false type: boolean - default: true + default: false env: NODE_OPTIONS: "--max-old-space-size=4096" From 10d46e4800ad93ff7e550ca0cdf735f149295d59 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Fri, 21 Nov 2025 15:10:39 -0800 Subject: [PATCH 18/18] Potential fix for code scanning alert no. 11: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/pull.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pull.yaml b/.github/workflows/pull.yaml index a954e9fd..47ada50b 100644 --- a/.github/workflows/pull.yaml +++ b/.github/workflows/pull.yaml @@ -1,5 +1,7 @@ # This workflow runs for every pull request name: PR CI +permissions: + contents: read on: pull_request: