fix: template-oss

lukekarrys · lukekarrys · commit da02fdd4658d · 2023-02-14T09:06:51.000-07:00
diff --git a/.github/actions/audit/action.yml b/.github/actions/audit/action.yml
@@ -10,8 +10,11 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Run Audit
+    - name: Run Production Audit
       shell: ${{ inputs.shell }}
       run: |
         npm audit --omit=dev
+    - name: Run Full Audit
+      shell: ${{ inputs.shell }}
+      run: |
         npm audit --audit-level=none
diff --git a/.github/actions/changed-files/action.yml b/.github/actions/changed-files/action.yml
@@ -8,7 +8,7 @@ inputs:
     required: true
 
 outputs:
-  files:
+  names:
     value: ${{ steps.files.outputs.result }}
 
 runs:
diff --git a/.github/actions/changed-workspaces/action.yml b/.github/actions/changed-workspaces/action.yml
@@ -5,15 +5,8 @@ name: Get Changed Workspaces
 inputs:
   token:
     description: GitHub token to use
-  shell:
-    description: shell to run on
-    default: bash
-  all:
-    default: false
-    type: boolean
   files:
-    description: json stringified array of file names
-    type: string
+    description: json stringified array of file names or --all
 
 outputs:
   flags:
@@ -24,14 +17,14 @@ runs:
   steps:
     - name: Get Changed Files
       uses: ./.github/actions/changed-files
-      if: ${{ !inputs.all && !inputs.files }}
+      if: ${{ !inputs.files }}
       id: files
       with:
         token: ${{ inputs.token }}
 
     - name: Get Workspaces
-      shell: ${{ inputs.shell }}
+      shell: bash
       id: workspaces
       run: |
-        flags=$(npm exec --offline -- template-oss-changed-workspaces '${{ (inputs.all && '--all') || (inputs.files || steps.files.outputs.result) }}')
+        flags=$(npm exec --offline -- template-oss-changed-workspaces '${{ inputs.files || steps.files.outputs.names }}')
         echo "flags=${flags}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml
@@ -16,4 +16,7 @@ runs:
       shell: ${{ inputs.shell }}
       run: |
         npm run lint --ignore-scripts ${{ inputs.flags }}
+    - name: Post Lint
+      shell: ${{ inputs.shell }}
+      run: |
         npm run postlint --ignore-scripts ${{ inputs.flags }}
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -12,15 +12,13 @@ inputs:
     default: latest
   cache:
     description: whether to cache npm install or not
-    type: boolean
     default: true
   shell:
     description: shell to run on
     default: bash
   deps:
     description: whether to run the deps step
-    type: boolean
-    default: true
+    default: 'true'
   deps-command:
     description: command to run for the dependencies step
     default: install --ignore-scripts --no-audit --no-fund
@@ -40,12 +38,12 @@ runs:
       uses: actions/setup-node@v3
       with:
         node-version: ${{ inputs.node-version }}
-        cache: ${{ (inputs.cache && 'npm') || null }}
+        cache: ${{ (inputs.cache == 'true' && 'npm') || '' }}
 
     - name: Check Node Version
       if: inputs.npm-version
       id: node-version
-      shell: ${{ inputs.shell }}
+      shell: bash
       run: |
         NODE_VERSION=$(node --version)
         echo $NODE_VERSION
@@ -83,13 +81,13 @@ runs:
       run: npm -v
 
     - name: Setup Dependencies
-      if: inputs.deps
+      if: inputs.deps == 'true'
       uses: ./.github/actions/deps
       with:
         command: ${{ inputs.deps-command }}
         flags: ${{ inputs.deps-flags }}
 
     - name: Add Problem Matcher
-      shell: ${{ inputs.shell }}
+      shell: bash
       run: |
         [[ -f ./.github/matchers/tap.json ]] && echo "::add-matcher::.github/matchers/tap.json"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -15,75 +15,3 @@ updates:
       prefix-development: chore
     labels:
       - "Dependencies"
-  - package-ecosystem: npm
-    directory: pkg1/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
-  - package-ecosystem: npm
-    directory: pkg2/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
-  - package-ecosystem: npm
-    directory: pkg3/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
-  - package-ecosystem: npm
-    directory: workspaces/arbitrary-name/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
-  - package-ecosystem: npm
-    directory: workspaces/not-the-name/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
-  - package-ecosystem: npm
-    directory: workspaces/pkg6/
-    schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: deps
-      prefix-development: chore
-    labels:
-      - "Dependencies"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -67,7 +67,7 @@ jobs:
         uses: ./.github/actions/changed-workspaces
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          all: ${{ inputs.all }}
+          files: ${{ (inputs.all && '--all') || '' }}
 
       - name: Lint
         uses: ./.github/actions/lint
@@ -107,6 +107,7 @@ jobs:
     steps:
       - name: Continue Matrix Run
         id: continue-matrix
+        shell: bash
         run: |
           if [[ "${{ matrix.node-version }}" == "14.17.0" || "${{ inputs.all }}" == "true" ]]; then
             echo "result=true" >> $GITHUB_OUTPUT 
@@ -142,9 +143,8 @@ jobs:
         continue-on-error: ${{ !!steps.check.outputs.check-id }}
         uses: ./.github/actions/changed-workspaces
         with:
-          shell: ${{ matrix.platform.shell }}
           token: ${{ secrets.GITHUB_TOKEN }}
-          all: ${{ inputs.all }}
+          files: ${{ (inputs.all && '--all') || '' }}
 
       - name: Test
         if: steps.continue-matrix.outputs.result
diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml
@@ -2,13 +2,28 @@
 
 name: Post Dependabot
 
-on: pull_request
+on:
+  # workflow dispatch is only for testing
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: ref to test
+      directory:
+        description: package directory to test
+      update-type:
+        description: update type to test
+  pull_request:
+
 
 jobs:
-  template-oss:
-    name: template-oss
+  dependency:
+    name: "@npmcli/template-oss"
     permissions:
       contents: write
+    outputs:
+      sha: ${{ steps.push-on-error.outputs.sha || steps.push.outputs.sha }}
+      changes: ${{ steps.apply.outputs.changes }}
+      message: ${{ steps.apply.outputs.message }}
     if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     defaults:
@@ -17,20 +32,21 @@ jobs:
     steps:
       - name: Fetch Dependabot Metadata
         id: metadata
+        if: github.event_name != 'workflow_dispatch'
         uses: dependabot/fetch-metadata@v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Is Dependency
-        if: contains(steps.metadata.outputs.dependency-names, '@npmcli/template-oss')
+        if: github.event_name == 'workflow_dispatch' || contains(steps.metadata.outputs.dependency-names, '@npmcli/template-oss')
         id: dependency
         run: echo "continue=true" >> $GITHUB_OUTPUT
 
       - name: Checkout
         if: steps.dependency.outputs.continue
         uses: actions/checkout@v3
         with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ inputs.ref || github.event.pull_request.head.ref }}
 
       - name: Setup
         if: steps.dependency.outputs.continue
@@ -42,7 +58,7 @@ jobs:
         id: workspaces
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          files: '["${{ steps.metadata.outputs.directory }}"]'
+          files: '["${{ inputs.directory || steps.metadata.outputs.directory }}"]'
 
       - name: Apply Changes
         if: steps.workspaces.outputs.flags
@@ -55,7 +71,7 @@ jobs:
           # This only sets the conventional commit prefix. This workflow can't reliably determine
           # what the breaking change is though. If a BREAKING CHANGE message is required then
           # this PR check will fail and the commit will be amended with stafftools
-          if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then
+          if [[ "${{ inputs.update-type || steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then
             prefix='feat!'
           else
             prefix='chore'
@@ -74,12 +90,14 @@ jobs:
         run: |
           git commit -am "${{ steps.apply.outputs.message }}"
           git push
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
 
       # If the previous step failed, then reset the commit and remove any workflow changes
       # and attempt to commit and push again. This is helpful because we will have a commit
       # with the correct prefix that we can then --amend with @npmcli/stafftools later.
       - name: Push All Changes Except Workflows
         if: steps.apply.outputs.changes && steps.push.outcome == 'failure'
+        id: push-on-error
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -88,22 +106,29 @@ jobs:
           git clean -fd .github/workflows/
           git commit -am "${{ steps.apply.outputs.message }}"
           git push
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
 
-      # Check if all the necessary template-oss changes were applied. Since we continued
-      # on errors in one of the previous steps, this check will fail if our follow up
-      # only applied a portion of the changes and we need to followup manually.
-      #
-      # Note that this used to run `lint` and `postlint` but that will fail this action
-      # if we've also shipped any linting changes separate from template-oss. We do
-      # linting in another action, so we want to fail this one only if there are
-      # template-oss changes that could not be applied.
-      - name: Check Changes
-        if: steps.apply.outputs.changes
-        run: |
-          npm exec --offline ${{ steps.workspaces.outputs.flags }} -- template-oss-check
+  ci:
+    name: Dependency - CI
+    needs: [ dependency ]
+    continue-on-error: true
+    if: needs.dependency.outputs.changes
+    uses: ./.github/workflows/ci.yml
+    with:
+      ref: ${{ inputs.ref || github.base_ref }}
+      check-sha: ${{ needs.dependency.outputs.sha }}
 
+  post-ci:
+    name: Dependency - Post CI
+    needs: [ ci, dependency ]
+    if: needs.dependency.outputs.changes
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
       - name: Fail on Breaking Change
-        if: steps.apply.outputs.changes && startsWith(steps.apply.outputs.message, 'feat!')
+        if: needs.dependency.outputs.changes && startsWith(needs.dependency.outputs.message, 'feat!')
         run: |
           echo "This PR has a breaking change. Run 'npx -p @npmcli/stafftools gh template-oss-fix'"
           echo "for more information on how to fix this with a BREAKING CHANGE footer."
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,11 +4,10 @@ GitHub takes the security of our software products and services seriously, inclu
 
 If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. 
 
-If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com).
 
 If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
 
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 
 Thanks for helping make GitHub safe for everyone.
-
diff --git a/package-lock.json b/package-lock.json
diff --git a/scripts/npmcli-template-oss.tgz b/scripts/npmcli-template-oss.tgz
