Skip to content

chore: Migrate publishing to GHA, consolidate CI workflows #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lucasmcdonald3 wants to merge 18 commits into
base: master
Choose a base branch
from
Open

chore: Migrate publishing to GHA, consolidate CI workflows #879

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
6c71f61
m
Nov 21, 2025
131fded
m
Nov 21, 2025
fc95c8e
m
Nov 21, 2025
88d6359
m
Nov 21, 2025
1b99627
m
Nov 21, 2025
80016a0
m
Nov 21, 2025
c23f1bd
m
Nov 21, 2025
d9f322c
m
Nov 21, 2025
4b1d15a
m
Nov 21, 2025
b8fa035
m
Nov 21, 2025
b2db653
m
Nov 21, 2025
e8c6d92
m
Nov 21, 2025
6f7ace1
test published
Nov 21, 2025
43fb081
m
Nov 21, 2025
468d928
m
Nov 21, 2025
e980b4c
m
Nov 21, 2025
d2f1c05
m
Nov 21, 2025
10d46e4
Potential fix for code scanning alert no. 11: Workflow does not conta…
lucasmcdonald3 Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 0 additions & 25 deletions .github/workflows/ci-unit-tests.yaml
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/daily_ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,4 @@

jobs:
daily-ci-js-helpers:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

To fix the problem, you should add an explicit permissions block to the workflow. Ideally, place it at the top/root level (directly under the name: and above the on: key) so it applies to all jobs not specifying their own permissions. If only read access to repository contents and metadata is required, set it as:

permissions:
  contents: read

If your jobs require more privileges, you can expand this as needed. In this case, since jobs are not detailed and just call another workflow, it's safest to start with a minimal read permission as suggested. You should edit the .github/workflows/daily_ci.yaml file, after the name: key and before on:, to include this block.

Suggested changeset 1
.github/workflows/daily_ci.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/daily_ci.yaml b/.github/workflows/daily_ci.yaml
--- a/.github/workflows/daily_ci.yaml
+++ b/.github/workflows/daily_ci.yaml
@@ -1,5 +1,7 @@
 # This workflow runs every weekday at 15:00 UTC (8AM PDT)
 name: Daily CI
+permissions:
+  contents: read
 
 on:
   schedule:
EOF
@@ -1,5 +1,7 @@
# This workflow runs every weekday at 15:00 UTC (8AM PDT)
name: Daily CI
permissions:
contents: read

on:
schedule:
Copilot is powered by AI and may make mistakes. Always verify output.
91 changes: 91 additions & 0 deletions .github/workflows/prod-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: Release
permissions:
contents: read
id-token: write

on:
workflow_dispatch:
inputs:
version_bump:
required: false
description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
default: ''
dist_tag:
description: 'NPM distribution tag'
required: false
default: 'latest'
branch:
description: 'The branch to release from'
required: false
default: 'master'

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
pre-release-ci:
uses: ./.github/workflows/shared-ci.yml

# Once all tests have passed, run semantic versioning
version:
runs-on: ubuntu-latest
needs: [pre-release-ci]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Node.js 20
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Configure git
env:
BRANCH: ${{ github.event.inputs.branch }}
run: |
git config --global user.name "aws-crypto-tools-ci-bot"
git config --global user.email "[email protected]"
git checkout $BRANCH

- name: Version packages and push
env:
VERSION_BUMP: ${{ github.event.inputs.version_bump }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Generate new version and CHANGELOG entry and push it
npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
# Log the commit for posterity
git log -n 1

publish:
runs-on: ubuntu-latest
needs: [pre-release-ci, version]
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'

# Ensure npm 11.5.1 or later is installed
- name: Update npm
run: npm install -g npm@latest
- run: npm ci --unsafe-perm
- run: npm run build --if-present
- run: npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }}

# Once publishing is complete, validate that the published packages are useable
validate:
uses: ./.github/workflows/shared-ci.yml
needs: [publish]
with:
test-published-packages: true
2 changes: 1 addition & 1 deletion .github/workflows/pull.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,4 @@

jobs:
pr-ci-js-helpers-test:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml
2 changes: 1 addition & 1 deletion .github/workflows/push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@

jobs:
push-ci-js-helpers-test:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

To fix this, add a permissions: block at the workflow root (before on:) in .github/workflows/push.yaml to grant only the minimum permissions required for the jobs in this workflow. Since the workflow simply uses a reusable workflow, unless more granular permissions are needed, a starting point is to set contents: read, which is the most restrictive typical value for read-only operations. If more permissions are required by the reused workflow, those can be added (but based only on what is shown, start with contents: read). This is accomplished by editing .github/workflows/push.yaml and inserting the permissions block after the workflow name.

Suggested changeset 1
.github/workflows/push.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -1,5 +1,7 @@
 # This workflow runs for every push to master
 name: Push CI
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,5 +1,7 @@
# This workflow runs for every push to master
name: Push CI
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
59 changes: 59 additions & 0 deletions .github/workflows/shared-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
name: Shared CI Tests

on:
workflow_call:
inputs:
test-published-packages:
description: 'Test against published packages instead of checked out code'
required: false
type: boolean
default: false

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
test:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
node-version: ['16.x', '18.x', '20.x', 'latest']
# Determine test categories based on whether testing published packages or source code:
# - Testing published packages: only run vector tests (don't have build artifacts to test coverage)
# - Testing source code: run unit tests and vector tests
test-category: ${{ fromJSON(inputs['test-published-packages'] && '["vectors"]' || '["unit", "vectors"]') }}
name: test-${{ matrix.test-category }}-${{ matrix.os }}-${{ matrix.node-version }}
steps:
- name: Checkout code
# Always need repo for test scripts and configuration, even when testing published packages
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Build (for source code testing)
if: ${{ !inputs.test-published-packages }}
run: npm run build

- name: Run unit tests
if: ${{ matrix.test-category == 'unit' }}
run: npm test

- name: Publish locally for vector tests
if: ${{ matrix.test-category == 'vectors' && !inputs.test-published-packages }}
run: npm run verdaccio-publish

- name: Run vector tests
if: ${{ matrix.test-category == 'vectors' }}
run: npm run verdaccio-verify-publish -- ${{ inputs.test-published-packages && 'public' || 'ci' }}
Loading