diff --git a/.github/workflows/ensure-blocking-pr-labels-absent.yml b/.github/workflows/ensure-blocking-pr-labels-absent.yml index 65708cdee6f..8b570a95699 100644 --- a/.github/workflows/ensure-blocking-pr-labels-absent.yml +++ b/.github/workflows/ensure-blocking-pr-labels-absent.yml @@ -13,19 +13,10 @@ jobs: permissions: pull-requests: read steps: - - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: 'yarn' - - run: yarn --immutable + is-high-risk-environment: false - name: Run command uses: actions/github-script@v7 with: diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index b5c0fc8c1ba..8f61318e431 100644 --- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml @@ -9,23 +9,15 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] outputs: child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }} steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false + cache-node-modules: ${{ matrix.node-version == '22.x' }} - name: Fetch workspace package names id: workspace-package-names run: | 
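Review bot: The new `uses: MetaMask/action-checkout-and-setup@v1` line references the action by a mutable major tag, so anyone who can move that tag changes what runs in this job; pinning to a full commit with the tag kept as a trailing comment, e.g. `uses: MetaMask/action-checkout-and-setup@<commit-sha> # v1` (placeholder for the real SHA), gives the same immutability main.yml already applies to the actionlint download script, which is fetched by commit. The same applies to every checkout-and-setup step in lint-build-test.yml, publish-preview.yml and publish-release.yml, to the upload/download-artifact steps in publish-release.yml, and to `MetaMask/action-security-code-scanner@v1` in security-code-scanner.yml. Independently, `is-high-risk-environment: false` carries no explanation of what the flag controls or why this job counts as low risk while publish-preview.yml sets it to `true`; a one-line comment above it stating the rationale (the job's `pull-requests: read` permission is the visible candidate) would document the choice.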
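Review bot: The `strategy.matrix.node-version` value is no longer passed to the setup step in the prepare job: the removed setup-node step used `node-version: ${{ matrix.node-version }}`, but the new `MetaMask/action-checkout-and-setup@v1` step receives only `is-high-risk-environment` and `cache-node-modules`, so unless the action reads the matrix on its own (not visible here) all three matrix entries install the same Node. The matrix is still used to gate `cache-node-modules: ${{ matrix.node-version == '22.x' }}`, which makes the mismatch easy to miss. Either forward the matrix value through whatever Node-version input the action exposes, or drop the matrix and the expression; the `yarn lint`, `changelog:validate`, `yarn build` and `yarn test:scripts` hunks later in this file have the same gap. A short comment above the cache line, e.g. `# node_modules cache is populated by the 22.x matrix entry only`, would also explain why a single entry populates the cache.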
@@ -38,21 +30,12 @@ jobs: needs: prepare strategy: matrix: - node-version: [20.x] + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - run: yarn lint - name: Require clean working directory shell: bash @@ -68,22 +51,13 @@ jobs: needs: prepare strategy: matrix: - node-version: [20.x] + node-version: [22.x] package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - run: yarn workspace ${{ matrix.package-name }} changelog:validate - name: Require clean working directory shell: bash 
@@ -99,21 +73,12 @@ jobs: needs: prepare strategy: matrix: - node-version: [20.x] + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - run: yarn build - name: Require clean working directory shell: bash @@ -129,22 +94,13 @@ jobs: needs: prepare strategy: matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - - uses: actions/checkout@v4 - - name: Install Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version: ${{ matrix.node-version }} - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - run: yarn test:scripts - run: yarn workspace ${{ matrix.package-name }} run test - name: Require clean working directory diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 999156c7772..1ac4179f232 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,7 +10,7 @@ jobs: name: Check workflows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.25 
@@ -19,6 +19,18 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash + analyse-code: + name: Code scanner + needs: check-workflows + uses: ./.github/workflows/security-code-scanner.yml + permissions: + actions: read + contents: read + security-events: write + secrets: + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + lint-build-test: name: Lint, build, and test needs: check-workflows @@ -59,7 +71,9 @@ jobs: all-jobs-complete: name: All jobs complete runs-on: ubuntu-latest - needs: lint-build-test + needs: + - analyse-code + - lint-build-test outputs: passed: ${{ steps.set-output.outputs.passed }} steps: diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 3dcce39e9aa..5a333edc486 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -35,18 +35,10 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable + is-high-risk-environment: true - name: Get commit SHA id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 452a9fc403f..fc85cc25c30 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
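Review bot: `analyse-code` forwards `SECURITY_SCAN_METRICS_TOKEN` and `APPSEC_BOT_SLACK_WEBHOOK` unconditionally, and the second hunk makes `all-jobs-complete` depend on it, so the scan now gates the whole run; if main.yml also runs for pull requests from forks (its `on:` block is outside this hunk), those secrets resolve to empty strings there and whether the scanner tolerates that is not visible here. Worth confirming with a run from a fork before relying on the new gate. Documenting the expectation next to the secrets, e.g. `# optional: declared required: false in security-code-scanner.yml; empty on runs without org secrets`, would make the intended behaviour explicit.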
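Review bot: The added `Checkout and setup environment` step in publish-preview.yml runs after a step (its start is outside the hunk) whose `env` block resolves `PR_NUMBER` from `github.event.issue.number`, i.e. the job is driven by an issue comment and the preceding step has already had the opportunity to check out the pull request under review; the old hunk only installed Node at this point and left checkout to that earlier step. If `MetaMask/action-checkout-and-setup@v1` performs its own checkout without a `ref`, it may overwrite that working tree with the default ref and the preview would be built from the wrong commit. Confirm what the action checks out, and if it resets the tree either pass the PR ref explicitly (the way publish-release.yml passes `ref: ${{ github.sha }}`) or move the PR checkout after this step.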
@@ -14,85 +14,60 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: yarn - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + is-high-risk-environment: true - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - run: yarn --immutable - run: yarn build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 + with: + name: publish-release-artifacts-${{ github.sha }} + include-hidden-files: true + retention-days: 4 + path: | + ./packages/**/dist + ./node_modules/.yarn-state.yml publish-npm-dry-run: + name: Dry run publish to NPM runs-on: ubuntu-latest needs: publish-release steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} - fail-on-cache-miss: true - - name: Dry Run Publish - # omit npm-token token to perform dry run publish + name: publish-release-artifacts-${{ github.sha }} + - name: Dry run publish to NPM uses: MetaMask/action-npm-publish@v5 with: slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} subteam: S042S7RE4AE # @metamask-npm-publishers - env: - SKIP_PREPACK: true publish-npm: + name: 
Publish to NPM environment: npm-publish runs-on: ubuntu-latest needs: publish-npm-dry-run steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Node - uses: actions/setup-node@v4 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - uses: actions/cache@v4 - with: - path: | - ./packages/**/dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} - fail-on-cache-miss: true - - name: Publish + name: publish-release-artifacts-${{ github.sha }} + - name: Publish to NPM uses: MetaMask/action-npm-publish@v5 with: npm-token: ${{ secrets.NPM_TOKEN }} - env: - SKIP_PREPACK: true diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 9da72d25602..ababbbeb6fd 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml 
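Review bot: The first job's new checkout-and-setup step drops the `ref: ${{ github.sha }}` that the removed `actions/checkout@v4` step carried, while the `publish-npm-dry-run` and `publish-npm` steps keep it; the artifact uploaded as `publish-release-artifacts-${{ github.sha }}` is therefore built from whatever ref the action checks out by default, which may differ from `github.sha` depending on the workflow trigger (outside this hunk), and the two consumer jobs would then publish a tarball built from a different commit than the one they check out. Restoring `ref: ${{ github.sha }}` under the first `with:` keeps the three jobs consistent. Separately, the removed comment `# omit npm-token token to perform dry run publish` was the only explanation of why the dry-run step has no `npm-token` input; re-adding it above `- name: Dry run publish to NPM`, e.g. `# no npm-token on purpose: without it action-npm-publish performs a dry run`, preserves that. The removal of `SKIP_PREPACK: true` from both publish steps also has no stated reason; if the intent is that the restored artifact already contains the built dist, a comment saying so would help.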
@@ -1,33 +1,47 @@ name: MetaMask Security Code Scanner on: - push: - branches: - - main - pull_request: - branches: - - main + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false workflow_dispatch: jobs: run-security-scan: + name: Run security scan runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write steps: - - name: MetaMask Security Code Scanner - uses: MetaMask/Security-Code-Scanner@main + - name: Analyse code + uses: MetaMask/action-security-code-scanner@v1 with: repo: ${{ github.repository }} paths_ignored: | + .storybook/ + '**/__snapshots__/' + '**/*.snap' + '**/*.stories.js' + '**/*.stories.tsx' + '**/*.test.browser.ts*' + '**/*.test.js*' + '**/*.test.ts*' + '**/fixtures/' + '**/jest.config.js' + '**/jest.environment.js' + '**/mocks/' '**/test*/' docs/ - '**/*.test.js' - '**/*.test.ts' - node_modules + e2e/ merged-packages/ - '**/jest.environment.js' - project_metrics_token: ${{secrets.SECURITY_SCAN_METRICS_TOKEN}} + node_modules + storybook/ + test*/ + rules_excluded: example + project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
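Review bot: The twelve new entries added to `paths_ignored` are wrapped in single quotes inside a `|` literal block scalar, where the quotes are part of the value the action receives (`'**/*.snap'` including the apostrophes), while the neighbouring `.storybook/`, `e2e/`, `storybook/` and `test*/` entries are bare; the inherited `'**/test*/'` line had the same mix, but the list is now mostly quoted, so confirm that `MetaMask/action-security-code-scanner@v1` strips the quotes, otherwise those patterns never match and the scan still covers the test and fixture trees it was meant to skip. Writing every entry unquoted would remove the ambiguity if the action accepts bare globs. The new `rules_excluded: example` line carries no explanation of which rule set `example` names or why it is excluded; a comment above it stating that would help the next reviewer. Removing the `push`/`pull_request` triggers also means this workflow now runs only when called from main.yml or dispatched by hand, so its coverage of pushes to `main` depends on main.yml's own triggers, which are not shown here.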