diff --git a/.github/workflows/get-nocobase-app-token.yml b/.github/workflows/get-nocobase-app-token.yml
new file mode 100644
index 0000000000..abfc2b1b2c
--- /dev/null
+++ b/.github/workflows/get-nocobase-app-token.yml
@@ -0,0 +1,40 @@
+name: Get nocobase app github token
+
+on:
+ workflow_call:
+ outputs:
+ token:
+ value: ${{ jobs.get-app-token.outputs.token }}
+ user-id:
+ value: ${{ jobs.get-app-token.outputs.user-id }}
+ app-slug:
+ value: ${{ jobs.get-app-token.outputs.app-slug }}
+
+jobs:
+ get-app-token:
+ runs-on: ubuntu-latest
+ outputs:
+ token: ${{ steps.encrypt-token.outputs.token }}
+ app-slug: ${{ steps.app-token.outputs.app-slug }}
+ user-id: ${{ steps.get-user-id.outputs.user-id }}
+ steps:
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.NOCOBASE_APP_ID }}
+ private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+ repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+ skip-token-revoke: true
+ - name: Encrypt token
+ id: encrypt-token
+ shell: bash
+ run: |
+ APP_TOKEN=${{ steps.app-token.outputs.token }};
+ BINARY_ENCRYPTED_SECRET=$(echo -n "$APP_TOKEN" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+ ENCRYPTED_SECRET=$(echo -n "$BINARY_ENCRYPTED_SECRET" | base64 -w 0);
+ echo "token=$ENCRYPTED_SECRET" >> $GITHUB_OUTPUT
+ - name: Get GitHub App User ID
+ id: get-user-id
+ run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml
index 2c5378b214..f7565d4ce1 100644
--- a/.github/workflows/manual-release.yml
+++ b/.github/workflows/manual-release.yml
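Review bot: In the `Encrypt token` step of get-nocobase-app-token.yml the raw openssl ciphertext is held in a shell variable (`BINARY_ENCRYPTED_SECRET=$(...)`) before it is base64-encoded, and bash command substitution drops NUL bytes and trailing newlines, so some ciphertexts will not decrypt in the consuming jobs. The same step pastes `${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}` and the token into the script text and hands the password to `-k`, where quoting characters in the value alter the command and the password sits in the process arguments. I would pass both through the step's `env:` (for example as `APP_TOKEN` and `ENC_PASSWORD`, names chosen here for illustration) and pipe straight through: `ENCRYPTED_SECRET=$(printf '%s' "$APP_TOKEN" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:ENC_PASSWORD | base64 -w 0)`. The matching `Decrypt app token` steps in manual-release.yml, release-next.yml and release.yml hold the decoded ciphertext in a variable in the same way.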
@@ -12,14 +12,62 @@ on: type: boolean jobs: - push-commit: + app-token: + uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main + secrets: inherit + pre-merge-main-into-next: + runs-on: ubuntu-latest + needs: app-token + strategy: + matrix: + repo: + - 'nocobase' + - 'pro-plugins' + - ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }} + steps: + - name: Decrypt app token + id: app-token + shell: bash + run: | + ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }}; + BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode); + APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}"); + echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT + - name: Checkout + uses: actions/checkout@v4 + with: + # ref: 'main' + repository: nocobase/${{ matrix.repo }} + fetch-depth: 0 + token: ${{ steps.app-token.outputs.token }} + - name: main -> next (nocobase/${{ matrix.repo }}) + run: | + git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]' + git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>' + git checkout main + git pull origin main + git checkout next + git merge main + git push origin next --tags --atomic + update-version: + needs: + - app-token + - pre-merge-main-into-next runs-on: ubuntu-latest steps: + - name: Decrypt app token + id: app-token + shell: bash + run: | + ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }}; + BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode); + APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}"); + echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT - name: Checkout uses: actions/checkout@v4 with: repository: nocobase/nocobase - ssh-key: ${{ secrets.NOCOBASE_DEPLOY_KEY }} + token: ${{ steps.app-token.outputs.token }} 
persist-credentials: true fetch-depth: 0 - name: Checkout pro-plugins @@ -28,43 +76,15 @@ jobs: repository: nocobase/pro-plugins path: packages/pro-plugins fetch-depth: 0 - ssh-key: ${{ secrets.PRO_PLUGINS_DEPLOY_KEY }} + token: ${{ steps.app-token.outputs.token }} persist-credentials: true - - name: main -> next(nocobase) + - name: Clone pro repos + shell: bash run: | - git config --global user.email "actions@github.com" - git config --global user.name "GitHub Actions Bot" - git checkout main - git pull origin main - git checkout next - git merge main - git push origin next - - name: main -> next(pro-plugins) - run: | - cd ./packages/pro-plugins - git checkout main - git pull origin main - git checkout next - git merge main - git push origin next - - name: push pro plugins(next) - continue-on-error: true - uses: ad-m/github-push-action@master - with: - ssh: true - branch: next - directory: packages/pro-plugins - repository: nocobase/pro-plugins - tags: true - atomic: true - - name: push nocobase(next) - uses: ad-m/github-push-action@master - with: - branch: next - ssh: true - repository: nocobase/nocobase - tags: true - atomic: true + for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }} + do + git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo + done - name: Set Node.js 18 uses: actions/setup-node@v3 with: 
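Review bot: The `Decrypt app token` step in `pre-merge-main-into-next` writes the plaintext installation token to `$GITHUB_OUTPUT` without registering it as a secret in this job; as far as I know the mask set by `actions/create-github-app-token` applies only to the job that minted the token, so here the value can appear unredacted if any later command prints it. Adding `echo "::add-mask::$APP_TOKEN"` immediately before `echo "token=$APP_TOKEN" >> "$GITHUB_OUTPUT"` closes that. The same applies to the identical step in `update-version` and `post-merge-main-into-next`, and to the steps added to `publish-npm` in release-next.yml and release.yml. A short comment on the step saying why the token is encrypted between jobs, and that `skip-token-revoke: true` leaves it valid until it expires, would help the next reader.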
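Review bot: The `Clone pro repos` step puts the installation token in the clone URL (`https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/...`), so it is stored as the `origin` URL in each clone's `.git/config` and appears in the git process arguments, readable by every later step in the job, including the globally installed npm tools and `release.sh`. Because the later `push pro repos` step depends on that stored URL, I would feed the credential from the environment instead, for example `GH_TOKEN: ${{ steps.app-token.outputs.token }}` under `env:` on the clone and push steps, `gh auth setup-git`, and a clone of `https://github.com/nocobase/$repo.git`. The same URL form is added in release-next.yml and release.yml, where no push follows and `Build Pro plugins` runs afterwards; there the remote could be reset to the token-free URL right after cloning. `vars.PRO_PLUGIN_REPOS` is also expanded into the script text by the expression, and reading it from an `env:` variable with `jq -r '.[]'` would keep it as data.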
@@ -72,17 +92,33 @@ jobs: - name: Install Lerna run: npm install -g lerna@4 auto-changelog@2 - name: Run release.sh + shell: bash run: | cd ./packages/pro-plugins git checkout main + git rm -rf --cached . + for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }} + do + echo "@nocobase/$repo" >> .git/info/exclude + done + echo "$(<.git/info/exclude )" cd ./../.. git checkout main - git config --global user.email "actions@github.com" - git config --global user.name "GitHub Actions Bot" - echo "packages/pro-plugins/" >> .git/info/exclude + git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]' + git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>' + echo "packages/pro-plugins" >> .git/info/exclude bash release.sh $IS_FEAT env: IS_FEAT: ${{ inputs.is_feat && '--is-feat' || '' }} + PRO_PLUGIN_REPOS: ${{ vars.PRO_PLUGIN_REPOS }} + - name: push pro repos + run: | + for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }} + do + cd ./packages/pro-plugins/@nocobase/$repo + git push origin main --atomic --tags + cd ../../../../ + done - name: push pro plugins continue-on-error: true uses: ad-m/github-push-action@master 
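Review bot: The `git config --global user.email` line added to `Run release.sh` ends in a stray `>` (`...[bot]@users.noreply.github.com>'`), which looks like a leftover from the `Name <email>` form; it should read `'${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'`. The same line appears in `pre-merge-main-into-next` and `post-merge-main-into-next`. Separately, this job now keeps an app token that can push to several repositories in the checkout's git config (`persist-credentials: true`) while the unchanged context still runs `ad-m/github-push-action@master`, a mutable ref; pinning that action to a commit SHA, or replacing it with the plain `git push` used in `push pro repos`, would keep code at a moving ref away from the token. The job continues outside this hunk.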
@@ -101,38 +137,39 @@ jobs: repository: nocobase/nocobase tags: true atomic: true - - name: main -> next + post-merge-main-into-next: + needs: + - app-token + - pre-merge-main-into-next + - update-version + runs-on: ubuntu-latest + strategy: + matrix: + repo: + - 'nocobase' + - 'pro-plugins' + - ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }} + steps: + - name: Decrypt app token + id: app-token + shell: bash run: | - git config --global user.email "actions@github.com" - git config --global user.name "GitHub Actions Bot" + ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }}; + BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode); + APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}"); + echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT + - name: Checkout + uses: actions/checkout@v4 + with: + repository: nocobase/${{ matrix.repo }} + fetch-depth: 0 + token: ${{ steps.app-token.outputs.token }} + - name: main -> next (nocobase/${{ matrix.repo }}) + run: | + git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]' + git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>' git checkout main git pull origin main git checkout next git merge -X ours main --no-edit - git push origin next - - name: main -> next - run: | - cd ./packages/pro-plugins - git checkout main - git pull origin main - git checkout next - git merge -X ours main --no-edit - git push origin next - - name: push pro plugins - continue-on-error: true - uses: ad-m/github-push-action@master - with: - ssh: true - branch: next - directory: packages/pro-plugins - repository: nocobase/pro-plugins - tags: true - atomic: true - - name: push nocobase - uses: ad-m/github-push-action@master - with: - branch: next - ssh: true - repository: nocobase/nocobase - tags: true - atomic: true \ No newline at end of file + git push 
origin next --tags --atomic diff --git a/.github/workflows/release-next.yml b/.github/workflows/release-next.yml index 1638cf45fd..0040206bf9 100644 --- a/.github/workflows/release-next.yml +++ b/.github/workflows/release-next.yml @@ -8,6 +8,9 @@ on: workflow_dispatch: jobs: + app-token: + uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main + secrets: inherit publish-npm: runs-on: ubuntu-latest container: node:18 @@ -81,13 +84,28 @@ jobs: git commit -m "chore(versions): test publish packages xxx" cat lerna.json yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/ --dist-tag=next + - name: Decrypt app token + id: app-token + shell: bash + run: | + ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }}; + BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode); + APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}"); + echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT - name: Checkout pro-plugins uses: actions/checkout@v3 with: repository: nocobase/pro-plugins path: packages/pro-plugins ref: next - ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }} + token: ${{ steps.app-token.outputs.token }} + - name: Clone pro repos + shell: bash + run: | + for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }} + do + git clone -b next https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo + done - name: Build Pro plugins continue-on-error: true run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9c102d6a28..f9fc38012e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,9 @@ on: - 'v*' jobs: + app-token: + uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main + secrets: inherit publish-npm: runs-on: ubuntu-latest container: node:18 
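Review bot: In the `post-merge-main-into-next` matrix, `- ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }}` is a single list item whose value is the whole array, so as far as I can tell the matrix gets three entries (two strings and one array) instead of one job per pro repository, and `repository: nocobase/${{ matrix.repo }}` would not resolve for the third. `pre-merge-main-into-next` uses the same matrix. One way to get a flat list is to have the reusable workflow emit the complete JSON array as an output and write `repo: ${{ fromJSON(needs.app-token.outputs.repos) }}`, where `repos` is an output name made up here for illustration.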
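Review bot: The new `app-token` job in release-next.yml calls the reusable workflow at `@main` with `secrets: inherit`, so the code that mints the token is whatever `main` holds when the run starts rather than the commit being released, and it receives every secret available to the caller although it reads only `NOCOBASE_APP_PRIVATE_KEY` and `APP_TOKEN_ENCRYPTION_PASSWORD`. Since the workflow lives in the same repository, `uses: ./.github/workflows/get-nocobase-app-token.yml` would tie it to the triggering commit, and declaring those two names under `on.workflow_call.secrets` would let callers pass them explicitly. The same job is added in manual-release.yml and release.yml.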
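Review bot: The `Decrypt app token` step added to `publish-npm` in release-next.yml reads `needs.app-token.outputs.token`, but no `needs: app-token` is added to `publish-npm` in the visible hunks; without it the `needs` context has no `app-token` entry, the expression is empty, and the checkout and clone that follow run without a usable token. Adding `needs: app-token` under `publish-npm:` fixes it, and release.yml needs the same line. The job body starts outside this hunk, so an existing `needs:` elsewhere in the job cannot be ruled out from here.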
@@ -55,12 +58,27 @@ jobs: yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} npm whoami yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/ + - name: Decrypt app token + id: app-token + shell: bash + run: | + ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }}; + BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode); + APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}"); + echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT - name: Checkout pro-plugins uses: actions/checkout@v3 with: repository: nocobase/pro-plugins path: packages/pro-plugins - ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }} + token: ${{ steps.app-token.outputs.token }} + - name: Clone pro repos + shell: bash + run: | + for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }} + do + git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo + done - name: Build Pro plugins continue-on-error: true run: | diff --git a/release.sh b/release.sh index e8e6753047..323c82a3a0 100755 --- a/release.sh +++ b/release.sh @@ -12,6 +12,13 @@ fi lerna version $new_version --preid alpha --force-publish=* --no-git-tag-version -y +echo $PRO_PLUGIN_REPOS | jq -r '.[]' | while read i; do + cd ./packages/pro-plugins/@nocobase/$i + git add . + git commit -m "chore(versions): 😊 publish v$(jq -r '.version' ../../../../lerna.json)" + git tag v$(jq -r '.version' ../../../../lerna.json) + cd ../../../../ +done cd ./packages/pro-plugins git add . git commit -m "chore(versions): 😊 publish v$(jq -r '.version' ../../lerna.json)"
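Review bot: The loop added to release.sh does not check `cd ./packages/pro-plugins/@nocobase/$i`, so if a repository named in `PRO_PLUGIN_REPOS` was not cloned, `git add .`, `git commit` and `git tag` run in whatever directory the script is in, and the following `cd ../../../../` then walks out of the repository root. `$PRO_PLUGIN_REPOS` and `$i` are also unquoted and `read` lacks `-r`. I would start the loop with `printf '%s' "$PRO_PLUGIN_REPOS" | jq -r '.[]' | while read -r i; do` and run the body in a subshell chained with `&&`, beginning `(cd "./packages/pro-plugins/@nocobase/$i" && git add . && ...)`, which also makes the trailing `cd ../../../../` unnecessary. Whether the script sets `set -e` is not visible in this hunk.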