ci: enable preview builds

Author: mikesposito

.github/workflows/publish-preview.yml

@@ -0,0 +1,62 @@
+name: Publish a preview build
+
+on:
+  issue_comment:
+    types: created
+
+jobs:
+  is-fork-pull-request:
+    name: Determine whether this issue comment was on a pull request from a fork
+    if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot publish-preview') }}
+    runs-on: ubuntu-latest
+    outputs:
+      IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Determine whether this PR is from a fork
+        id: is-fork
+        run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+
+  publish-preview:
+    name: Publish build preview
+    needs: is-fork-pull-request
+    permissions:
+      pull-requests: write
+    # This ensures we don't publish on forks. We can't trust forks with this token.
+    if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Check out pull request
+        run: gh pr checkout "${PR_NUMBER}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v2
+        with:
+          is-high-risk-environment: true
+      - name: Build
+      - run: |
+          export NODE_OPTIONS="--max_old_space_size=4096"
+          yarn build
+      - name: Get commit SHA
+        id: commit-sha
+        run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+      - name: Prepare preview builds
+        run: yarn prepare-preview-builds @metamask-previews ${{ steps.commit-sha.outputs.COMMIT_SHA }}
+      - name: Publish preview build
+        run: yarn publish-previews
+        env:
+          YARN_NPM_AUTH_TOKEN: ${{ secrets.PUBLISH_PREVIEW_NPM_TOKEN }}
+      - name: Generate preview build message
+        run: yarn tsx scripts/generate-preview-build-message.ts
+      - name: Post build preview in comment
+        run: gh pr comment "${PR_NUMBER}" --body-file preview-build-message.txt
+        env:
+          COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}

package.json

@@ -27,6 +27,8 @@
     "lint:fix": "yarn workspaces foreach --all --parallel --verbose run lint:fix",
     "lint:misc": "yarn workspaces foreach --all --parallel --verbose run lint:misc",
     "lint:types": "yarn workspaces foreach --all --parallel --verbose run lint:types",
+    "prepare-preview-builds": "./scripts/prepare-preview-builds.sh",
+    "publish-previews": "yarn workspaces foreach --all --no-private --parallel --verbose run publish:preview",
     "start": "yarn workspaces foreach --all --parallel --verbose --interlaced run start",
     "test": "yarn workspace @metamask/bitcoin-wallet-snap run test",
     "test:integration": "yarn workspace @metamask/bitcoin-wallet-snap run test:integration"

packages/snap/package.json

@@ -31,6 +31,7 @@
     "lint:fix": "yarn lint:eslint --fix && yarn lint:misc --write",
     "lint:misc": "prettier '**/*.json' '**/*.md' --check",
     "lint:types": "tsc --noEmit",
+    "publish:preview": "yarn npm publish --tag preview",
     "prepublishOnly": "mm-snap manifest",
     "serve": "mm-snap serve",
     "start": "concurrently \"mm-snap watch\" \"yarn build:locale:watch\"",

scripts/prepare-preview-builds.jq

@@ -0,0 +1,9 @@
+# The name is overwritten, causing the package to get published under a
+# different NPM scope than non-preview builds.
+.name |= sub("@metamask/"; "\($npm_scope)/") |
+
+# The prerelease version is overwritten, preserving the non-prerelease portion
+# of the version. Technically we'd want to bump the non-prerelease portion as
+# well if we wanted this to be SemVer-compliant, but it was simpler not to.
+# This is just for testing, it doesn't need to strictly follow SemVer.
+.version |= split("-")[0] + "-preview-\($hash)"

scripts/prepare-preview-builds.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# This script prepares a package to be published as a preview build
+# to GitHub Packages.
+
+if [[ $# -eq 0 ]]; then
+  echo "Missing commit hash."
+  exit 1
+fi
+
+# We don't want to assume that preview builds will be published alongside
+# "production" versions. There are security- and aesthetic-based advantages to
+# keeping them separate.
+npm_scope="$1"
+
+# We use the short commit hash as the prerelease version. This ensures each
+# preview build is unique and can be linked to a specific commit.
+shorthash="$2"
+
+prepare-preview-manifest() {
+  local manifest_file="$1"
+
+  # jq does not support in-place modification of files, so a temporary file is
+  # used to store the result of the operation. The original file is then
+  # overwritten with the temporary file.
+  jq --raw-output --arg npm_scope "$npm_scope" --arg hash "$shorthash" --from-file scripts/prepare-preview-builds.jq "$manifest_file" > temp.json
+  mv temp.json "$manifest_file"
+}
+
+echo "Preparing manifests..."
+while IFS=$'\t' read -r location name; do
+  echo "- $name"
+  prepare-preview-manifest "$location/package.json"
+done < <(yarn workspaces list --no-private --json | jq --slurp --raw-output 'map(select(.location != ".")) | map([.location, .name]) | map(@tsv) | .[]')
+
+echo "Installing dependencies..."
+yarn install --no-immutable