feat(publish): publish pro repos (#5129)

* feat(publish): publish pro repos

* feat: use app token

* chore: add trigger branch

* chore: ref main

* chore: add owner

* chore: change owner

* chore: set repos

* chore: get repo name

* chore: update

* chore: update

* chore: update

* chore: update

* chore: update branch

* fix: bug

* fix: bug

* fix: private key

* feat: encrypt github app token

* fix: bug

* fix: token

* fix: output

* fix: base64

* fix: error

* fix: token cut

* fix: base64

* fix: repo name

* chore: print token

* chore: skip token revoke

* fix: clone

* fix: clone

* fix: job

* chore: shell bash

* fix: ignore

* fix: ignore

* fix: invalid

* fix: branch

* fix: bug

* fix: jq

* fix: jq

* fix: jq

* fix: remove quotes

* fix: directory

* fix: directory

* chore: update

* chore: update

* fix: invalid

* fix: branch

.github/workflows/get-nocobase-app-token.yml

@@ -0,0 +1,40 @@
+name: Get nocobase app github token
+
+on:
+  workflow_call:
+    outputs:
+      token:
+        value: ${{ jobs.get-app-token.outputs.token }}
+      user-id:
+        value: ${{ jobs.get-app-token.outputs.user-id }}
+      app-slug:
+        value: ${{ jobs.get-app-token.outputs.app-slug }}
+
+jobs:
+  get-app-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.encrypt-token.outputs.token }}
+      app-slug: ${{ steps.app-token.outputs.app-slug }}
+      user-id: ${{ steps.get-user-id.outputs.user-id }}
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
+      - name: Encrypt token
+        id: encrypt-token
+        shell: bash
+        run: |
+          APP_TOKEN=${{ steps.app-token.outputs.token  }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$APP_TOKEN" | openssl enc -aes-256-cbc -pbkdf2 -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          ENCRYPTED_SECRET=$(echo -n "$BINARY_ENCRYPTED_SECRET" | base64 -w 0);
+          echo "token=$ENCRYPTED_SECRET" >> $GITHUB_OUTPUT
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/manual-release.yml

@@ -12,14 +12,62 @@ on:
         type: boolean
 
 jobs:
-  push-commit:
+  app-token:
+    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+    secrets: inherit
+  pre-merge-main-into-next:
+    runs-on: ubuntu-latest
+    needs: app-token
+    strategy:
+      matrix:
+        repo:
+          - 'nocobase'
+          - 'pro-plugins'
+          - ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }}
+    steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # ref: 'main'
+          repository: nocobase/${{ matrix.repo }}
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+      - name: main -> next (nocobase/${{ matrix.repo }})
+        run: |
+          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+          git checkout main
+          git pull origin main
+          git checkout next
+          git merge main
+          git push origin next --tags --atomic
+  update-version:
+    needs:
+      - app-token
+      - pre-merge-main-into-next
     runs-on: ubuntu-latest
     steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@v4
         with:
           repository: nocobase/nocobase
-          ssh-key: ${{ secrets.NOCOBASE_DEPLOY_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: true
           fetch-depth: 0
       - name: Checkout pro-plugins
@@ -28,43 +76,15 @@ jobs:
           repository: nocobase/pro-plugins
           path: packages/pro-plugins
           fetch-depth: 0
-          ssh-key: ${{ secrets.PRO_PLUGINS_DEPLOY_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: true
-      - name: main -> next(nocobase)
+      - name: Clone pro repos
+        shell: bash
         run: |
-          git config --global user.email "actions@github.com"
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
-          git config --global user.name "GitHub Actions Bot"
+          do
-          git checkout main
+          git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
-          git pull origin main
+          done
-          git checkout next
-          git merge main
-          git push origin next
-      - name: main -> next(pro-plugins)
-        run: |
-          cd ./packages/pro-plugins
-          git checkout main
-          git pull origin main
-          git checkout next
-          git merge main
-          git push origin next
-      - name: push pro plugins(next)
-        continue-on-error: true
-        uses: ad-m/github-push-action@master
-        with:
-          ssh: true
-          branch: next
-          directory: packages/pro-plugins
-          repository: nocobase/pro-plugins
-          tags: true
-          atomic: true
-      - name: push nocobase(next)
-        uses: ad-m/github-push-action@master
-        with:
-          branch: next
-          ssh: true
-          repository: nocobase/nocobase
-          tags: true
-          atomic: true
       - name: Set Node.js 18
         uses: actions/setup-node@v3
         with:
@@ -72,17 +92,33 @@ jobs:
       - name: Install Lerna
         run: npm install -g lerna@4 auto-changelog@2
       - name: Run release.sh
+        shell: bash
         run: |
           cd ./packages/pro-plugins
           git checkout main
+          git rm -rf --cached .
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            echo "@nocobase/$repo" >> .git/info/exclude
+          done
+          echo "$(<.git/info/exclude )"
           cd ./../..
           git checkout main
-          git config --global user.email "actions@github.com"
+          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
-          git config --global user.name "GitHub Actions Bot"
+          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
-          echo "packages/pro-plugins/" >> .git/info/exclude
+          echo "packages/pro-plugins" >> .git/info/exclude
           bash release.sh $IS_FEAT
         env:
           IS_FEAT: ${{ inputs.is_feat && '--is-feat' || '' }}
+          PRO_PLUGIN_REPOS: ${{ vars.PRO_PLUGIN_REPOS }}
+      - name: push pro repos
+        run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            cd ./packages/pro-plugins/@nocobase/$repo
+            git push origin main --atomic --tags
+            cd ../../../../
+          done
       - name: push pro plugins
         continue-on-error: true
         uses: ad-m/github-push-action@master
@@ -101,38 +137,39 @@ jobs:
           repository: nocobase/nocobase
           tags: true
           atomic: true
-      - name: main -> next
+  post-merge-main-into-next:
+    needs:
+      - app-token
+      - pre-merge-main-into-next
+      - update-version
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        repo:
+          - 'nocobase'
+          - 'pro-plugins'
+          - ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }}
+    steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
         run: |
-          git config --global user.email "actions@github.com"
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          git config --global user.name "GitHub Actions Bot"
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          repository: nocobase/${{ matrix.repo }}
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+      - name: main -> next (nocobase/${{ matrix.repo }})
+        run: |
+          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
           git checkout main
           git pull origin main
           git checkout next
           git merge -X ours main --no-edit
-          git push origin next
+          git push origin next --tags --atomic
-      - name: main -> next
-        run: |
-          cd ./packages/pro-plugins
-          git checkout main
-          git pull origin main
-          git checkout next
-          git merge -X ours main --no-edit
-          git push origin next
-      - name: push pro plugins
-        continue-on-error: true
-        uses: ad-m/github-push-action@master
-        with:
-          ssh: true
-          branch: next
-          directory: packages/pro-plugins
-          repository: nocobase/pro-plugins
-          tags: true
-          atomic: true
-      - name: push nocobase
-        uses: ad-m/github-push-action@master
-        with:
-          branch: next
-          ssh: true
-          repository: nocobase/nocobase
-          tags: true
-          atomic: true

.github/workflows/release-next.yml

@@ -8,6 +8,9 @@ on:
   workflow_dispatch:
 
 jobs:
+  app-token:
+    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+    secrets: inherit
   publish-npm:
     runs-on: ubuntu-latest
     container: node:18
@@ -81,13 +84,28 @@ jobs:
           git commit -m "chore(versions): test publish packages xxx"
           cat lerna.json
           yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/ --dist-tag=next
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout pro-plugins
         uses: actions/checkout@v3
         with:
           repository: nocobase/pro-plugins
           path: packages/pro-plugins
           ref: next
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Clone pro repos
+        shell: bash
+        run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+          git clone -b next https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+          done
       - name: Build Pro plugins
         continue-on-error: true
         run: |

.github/workflows/release.yml

@@ -10,6 +10,9 @@ on:
       - 'v*'
 
 jobs:
+  app-token:
+    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+    secrets: inherit
   publish-npm:
     runs-on: ubuntu-latest
     container: node:18
@@ -55,12 +58,27 @@ jobs:
           yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
           npm whoami
           yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout pro-plugins
         uses: actions/checkout@v3
         with:
           repository: nocobase/pro-plugins
           path: packages/pro-plugins
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Clone pro repos
+        shell: bash
+        run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+          git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+          done
       - name: Build Pro plugins
         continue-on-error: true
         run: |

release.sh

@@ -12,6 +12,13 @@ fi
 
 lerna version $new_version --preid alpha --force-publish=* --no-git-tag-version -y
 
+echo $PRO_PLUGIN_REPOS | jq -r '.[]' | while read i; do
+  cd ./packages/pro-plugins/@nocobase/$i
+  git add .
+  git commit -m "chore(versions): 😊 publish v$(jq -r '.version' ../../../../lerna.json)"
+  git tag v$(jq -r '.version' ../../../../lerna.json)
+  cd ../../../../
+done
 cd ./packages/pro-plugins
 git add .
 git commit -m "chore(versions): 😊 publish v$(jq -r '.version' ../../lerna.json)"