From a5ccf862040ed1cf3652e217f59fe828670dd5cb Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 13:13:19 +0100 Subject: [PATCH 1/6] Update `build-lint-test` workflow --- .github/workflows/build-lint-test.yml | 161 ++++++++++---------------- 1 file changed, 62 insertions(+), 99 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index dee9bdb81f..3926b4c49c 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -17,25 +17,24 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: yarn + cache-node-modules: ${{ matrix.node-version == '20.x' }} - run: yarn --immutable - - name: Cache "@metamask/snaps-execution-environments" build - id: cache-snaps-execution-environments-build - uses: actions/cache@v4 - with: - path: | - packages/snaps-execution-environments/dist/browserify - key: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - name: Prepare "@metamask/snaps-execution-environments" build - if: steps.cache-snaps-execution-environments-build.outputs.cache-hit != 'true' run: yarn workspace @metamask/snaps-execution-environments run build:lavamoat + - name: Save "@metamask/snaps-execution-environments" build + id: cache-snaps-execution-environments-build + uses: actions/upload-artifact@v4 + with: + name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} + retention-days: 1 + path: packages/snaps-execution-environments/dist/browserify - name: Fetch workspace package names id: workspace-package-names run: | 
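Review bot: Every action this series introduces is referenced by a mutable tag (`MetaMask/action-checkout-and-setup@v1`, `actions/upload-artifact@v4`, and later `actions/download-artifact@v4`, `MetaMask/action-npm-publish@v5`, `MetaMask/action-security-code-scanner@v1`), while the same repository already pins `aws-actions/configure-aws-credentials` to a full commit SHA in publish-environment.yml. A tag can be moved after review, and the checkout-and-setup action runs in every job here including the release jobs, so it is the one to pin first: `uses: MetaMask/action-checkout-and-setup@<full-commit-sha> # v1` (SHA placeholder; resolve it from the action's release), with the upload/download actions treated the same way. Dependabot's github-actions ecosystem keeps SHA pins current, so this costs no maintenance. The point applies to every hunk in the series that adds a `uses:` line; I raise it only here.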
@@ -51,21 +50,18 @@ jobs: runs-on: ubuntu-latest needs: prepare steps: - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false - name: Build run: yarn build:ci - - name: Cache build files - uses: actions/cache@v4 + - name: Save build files + uses: actions/upload-artifact@v4 with: - path: | - packages/*/dist - key: build-source-${{ runner.os }}-${{ github.sha }} + name: build-source-${{ runner.os }}-${{ github.sha }} + retention-days: 1 + path: packages/*/dist - name: Require clean working directory shell: bash run: | @@ -79,20 +75,15 @@ jobs: runs-on: ubuntu-latest needs: prepare steps: - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false - name: Restore "@metamask/snaps-execution-environments" build - uses: actions/cache@v4 + uses: actions/download-artifact@v4 with: - path: | - packages/snaps-execution-environments/dist/browserify - key: snaps-execution-environments-build-${{ runner.os }}-18.x-${{ github.sha }} - fail-on-cache-miss: true + name: snaps-execution-environments-build-${{ runner.os }}-22.x-${{ github.sha }} + path: packages/snaps-execution-environments/dist/browserify - name: Cache Webpack vendor id: cache-webpack-vendor uses: actions/cache@v4 
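Review bot: The artifact name in the `Restore "@metamask/snaps-execution-environments" build` step of the second hunk hard-codes `22.x`, a second copy of the newest entry in the prepare job's matrix, and the coverage `if:` later in this series hard-codes the same value; nothing ties the three together, so the next Node bump will break this download as soon as 22.x leaves the matrix (download-artifact@v4 errors on a missing artifact name, as far as I know). A comment on the hard-coded line would at least make the coupling visible: `# must match the newest entry in prepare.strategy.matrix.node-version`. The enclosing job's header is above this hunk, so I cannot see whether it has a matrix value to reference instead.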
@@ -105,13 +96,6 @@ jobs: run: yarn workspace @metamask/snaps-simulator run build:vendor - name: Build run: yarn workspace @metamask/snaps-simulator run build:webpack - - name: Cache "@metamask/snaps-simulator" build - id: cache-e2e-simulator-build - uses: actions/cache@v4 - with: - path: | - packages/snaps-simulator/dist/webpack - key: e2e-simulator-build-${{ runner.os }}-${{ github.sha }} - name: Require clean working directory shell: bash run: | @@ -125,13 +109,10 @@ jobs: runs-on: ubuntu-latest needs: prepare steps: - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false - name: Build run: yarn workspace @metamask/test-snaps run build - name: Require clean working directory @@ -147,13 +128,11 @@ jobs: runs-on: ubuntu-latest needs: prepare steps: - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} - name: Generate LavaMoat policy run: yarn workspace @metamask/snaps-execution-environments build:lavamoat:policy - name: Require clean working directory @@ -169,13 +148,11 @@ jobs: runs-on: ubuntu-latest needs: prepare steps: - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable --immutable-cache + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} - name: Lint run: yarn lint - name: Require clean working directory 
@@ -195,31 +172,26 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] package-name: ${{ fromJson(needs.prepare.outputs.test-workspace-package-names) }} steps: - - uses: actions/checkout@v4 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: yarn - name: Restore "@metamask/snaps-execution-environments" build - uses: actions/cache@v4 + uses: actions/download-artifact@v4 with: - path: | - packages/snaps-execution-environments/dist/browserify - key: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - fail-on-cache-miss: true + name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} + path: packages/snaps-execution-environments/dist/browserify - name: Restore build files - uses: actions/cache@v4 + uses: actions/download-artifact@v4 with: - path: | - packages/*/dist - key: build-source-${{ runner.os }}-${{ github.sha }} - fail-on-cache-miss: true - - run: yarn --immutable --immutable-cache + name: build-source-${{ runner.os }}-${{ github.sha }} + path: packages/*/dist - name: Install Google Chrome + if: ${{ matrix.package-name == '@metamask/snaps-controllers' || matrix.package-name == '@metamask/snaps-execution-environments' || matrix.package-name == '@metamask/snaps-utils' }} run: yarn install-chrome - run: yarn workspace ${{ matrix.package-name }} run test - name: Get coverage folder 
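Review bot: The new `if:` on `Install Google Chrome` enumerates three package names with no explanation, so a workspace that later starts needing a browser would presumably fail its tests with nothing pointing at this list. A comment above the step, `# only workspaces with browser-based tests need Chrome; add new ones here`, would record the intent, if that is indeed the reason for the three names. Since `matrix.package-name` expands from `needs.prepare.outputs.test-workspace-package-names`, the condition compares against a dynamic list, and a renamed package would show up only as a silently skipped install.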
@@ -230,7 +202,7 @@ jobs: echo "artifact-name=$(echo ${{ matrix.package-name }} | sed 's:.*/::')" >> "$GITHUB_OUTPUT" shell: bash - name: Upload coverage artifact - if: ${{ matrix.node-version == '18.x' }} + if: ${{ matrix.node-version == '22.x' }} uses: actions/upload-artifact@v4 with: name: coverage-${{ steps.get-coverage-folder.outputs.artifact-name }} @@ -273,30 +245,24 @@ jobs: strategy: fail-fast: false matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] package-name: ${{ fromJson(needs.prepare.outputs.e2e-workspace-package-names) }} steps: - - uses: actions/checkout@v4 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: yarn - name: Restore "@metamask/snaps-execution-environments" build - uses: actions/cache@v4 + uses: actions/download-artifact@v4 with: - path: | - packages/snaps-execution-environments/dist/browserify - key: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - fail-on-cache-miss: true + name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} + path: packages/snaps-execution-environments/dist/browserify - name: Restore build files - uses: actions/cache@v4 + uses: actions/download-artifact@v4 with: - path: | - packages/*/dist - key: build-source-${{ runner.os }}-${{ github.sha }} - fail-on-cache-miss: true - - run: yarn --immutable --immutable-cache + name: build-source-${{ runner.os }}-${{ github.sha }} + path: packages/*/dist - name: Build snap run: yarn workspace ${{ matrix.package-name }} run build - name: Run E2E test 
@@ -317,12 +283,9 @@ jobs: matrix: os: [macOS-latest, windows-latest] steps: - - uses: actions/checkout@v4 - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable + is-high-risk-environment: false - run: yarn build:ci - run: yarn workspace @metamask/snaps-cli run test From 46f6e0e1e83f76ce90ff7c303a90bf87bf4dca8b Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 13:15:18 +0100 Subject: [PATCH 2/6] Update Actionlint to `1.7.7` --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ba7898d5f9..d87f10575f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v4 - name: Download actionlint id: download-actionlint - run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.25 + run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.7.7 shell: bash - name: Check workflow files run: ${{ steps.download-actionlint.outputs.executable }} -color From 47b977169f35e134e8889d8afde0acc453613485 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 13:16:06 +0100 Subject: [PATCH 3/6] Remove `node-version` from jobs not using matrix --- .github/workflows/build-lint-test.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 3926b4c49c..35b50bf9a3 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml 
@@ -132,7 +132,6 @@ jobs: uses: MetaMask/action-checkout-and-setup@v1 with: is-high-risk-environment: false - node-version: ${{ matrix.node-version }} - name: Generate LavaMoat policy run: yarn workspace @metamask/snaps-execution-environments build:lavamoat:policy - name: Require clean working directory @@ -152,7 +151,6 @@ jobs: uses: MetaMask/action-checkout-and-setup@v1 with: is-high-risk-environment: false - node-version: ${{ matrix.node-version }} - name: Lint run: yarn lint - name: Require clean working directory From 27c9ab98acd4b9fa055148485903e635a2d895df Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 13:18:53 +0100 Subject: [PATCH 4/6] Remove redundant Yarn install step --- .github/workflows/build-lint-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 35b50bf9a3..e05aa34ab4 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -25,7 +25,6 @@ jobs: is-high-risk-environment: false node-version: ${{ matrix.node-version }} cache-node-modules: ${{ matrix.node-version == '20.x' }} - - run: yarn --immutable - name: Prepare "@metamask/snaps-execution-environments" build run: yarn workspace @metamask/snaps-execution-environments run build:lavamoat - name: Save "@metamask/snaps-execution-environments" build From 6db70e7311782360b737ba80aed12a7a13424f68 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 13:34:42 +0100 Subject: [PATCH 5/6] Add dummy file to preserve directory structure --- .github/workflows/build-lint-test.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index e05aa34ab4..0e8f3ddde2 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml 
@@ -33,7 +33,9 @@ jobs: with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} retention-days: 1 - path: packages/snaps-execution-environments/dist/browserify + path: | + .nvmrc + packages/snaps-execution-environments/dist/browserify - name: Fetch workspace package names id: workspace-package-names run: | @@ -60,7 +62,9 @@ jobs: with: name: build-source-${{ runner.os }}-${{ github.sha }} retention-days: 1 - path: packages/*/dist + path: | + .nvmrc + packages/*/dist - name: Require clean working directory shell: bash run: | @@ -82,7 +86,6 @@ jobs: uses: actions/download-artifact@v4 with: name: snaps-execution-environments-build-${{ runner.os }}-22.x-${{ github.sha }} - path: packages/snaps-execution-environments/dist/browserify - name: Cache Webpack vendor id: cache-webpack-vendor uses: actions/cache@v4 @@ -181,12 +184,10 @@ jobs: uses: actions/download-artifact@v4 with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - path: packages/snaps-execution-environments/dist/browserify - name: Restore build files uses: actions/download-artifact@v4 with: name: build-source-${{ runner.os }}-${{ github.sha }} - path: packages/*/dist - name: Install Google Chrome if: ${{ matrix.package-name == '@metamask/snaps-controllers' || matrix.package-name == '@metamask/snaps-execution-environments' || matrix.package-name == '@metamask/snaps-utils' }} run: yarn install-chrome @@ -194,7 +195,6 @@ jobs: - name: Get coverage folder id: get-coverage-folder run: | - echo "stub" >> stub echo "coverage-folder=$(yarn workspaces list --json | grep ${{ matrix.package-name }} | jq -r '.location')/coverage" >> "$GITHUB_OUTPUT" echo "artifact-name=$(echo ${{ matrix.package-name }} | sed 's:.*/::')" >> "$GITHUB_OUTPUT" shell: bash 
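Review bot: The `.nvmrc` entries added to the upload `path:` blocks are a workaround (the commit title calls it a dummy file), and nothing in the YAML says so; a reader will assume the Node version file is needed downstream and may remove it. A comment on each block, `# .nvmrc is listed only so the artifact root is the repo root and dist/ is restored at its original path`, would preserve the intent; the same applies to the coverage upload in the next hunk and to the update-pull-request.yml uploads later in the series. One consequence worth stating there too: with `path:` removed from the download steps, every restore now writes into the workspace root and overwrites the checked-out `.nvmrc`, which is harmless only while the artifact was produced from the same commit.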
@@ -204,7 +204,7 @@ jobs: with: name: coverage-${{ steps.get-coverage-folder.outputs.artifact-name }} path: | - stub + .nvmrc ${{ steps.get-coverage-folder.outputs.coverage-folder }}/**/coverage-final.json if-no-files-found: warn retention-days: 1 @@ -254,12 +254,10 @@ jobs: uses: actions/download-artifact@v4 with: name: snaps-execution-environments-build-${{ runner.os }}-${{ matrix.node-version }}-${{ github.sha }} - path: packages/snaps-execution-environments/dist/browserify - name: Restore build files uses: actions/download-artifact@v4 with: name: build-source-${{ runner.os }}-${{ github.sha }} - path: packages/*/dist - name: Build snap run: yarn workspace ${{ matrix.package-name }} run build - name: Run E2E test From 1da051d0112749046f1fde03c03a7bd36117f0a4 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 11 Mar 2025 14:34:01 +0100 Subject: [PATCH 6/6] Update other workflows --- .github/workflows/publish-environment.yml | 8 +- .github/workflows/publish-github-pages.yml | 8 +- .github/workflows/publish-preview.yml | 8 +- .github/workflows/publish-release.yml | 77 ++++++------ .github/workflows/security-code-scanner.yml | 2 +- .github/workflows/update-pull-request.yml | 132 +++++++++----------- 6 files changed, 107 insertions(+), 128 deletions(-) diff --git a/.github/workflows/publish-environment.yml b/.github/workflows/publish-environment.yml index 76797d0c68..068a53acb8 100644 --- a/.github/workflows/publish-environment.yml +++ b/.github/workflows/publish-environment.yml 
@@ -19,12 +19,10 @@ jobs: - name: Ensure `destination_dir` is not empty if: ${{ inputs.destination_dir == '' }} run: exit 1 - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - run: yarn --immutable + is-high-risk-environment: true - run: yarn build:lavamoat - name: configure AWS credentials uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef diff --git a/.github/workflows/publish-github-pages.yml b/.github/workflows/publish-github-pages.yml index 55839a62ea..ebc047e44d 100644 --- a/.github/workflows/publish-github-pages.yml +++ b/.github/workflows/publish-github-pages.yml @@ -33,12 +33,10 @@ jobs: - name: Ensure `publish_dir` is not empty if: ${{ inputs.publish_dir == '' }} run: exit 1 - - uses: actions/checkout@v4 - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - run: yarn --immutable + is-high-risk-environment: true - name: Run build script run: ${{ inputs.build_script }} - name: Deploy to `${{ inputs.destination_dir }}` directory of `gh-pages` branch diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml index 162ab2599e..3316533d2c 100644 --- a/.github/workflows/publish-preview.yml +++ b/.github/workflows/publish-preview.yml @@ -35,12 +35,10 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} - - name: Setup Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: yarn - - run: yarn --immutable + is-high-risk-environment: true - name: Get commit SHA id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" 
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 47966fb1e8..59c779970d 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -33,14 +33,11 @@ jobs: outputs: tag: ${{ steps.get-release-tag.outputs.tag }} steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - run: yarn install --immutable - name: Get release tag id: get-release-tag run: echo "tag=$(yarn get-release-tag)" >> "$GITHUB_OUTPUT" @@ -53,14 +50,13 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - uses: MetaMask/action-publish-release@v3 + - name: Publish release to GitHub + uses: MetaMask/action-publish-release@v3 id: publish-release with: npm-tag: ${{ needs.get-release-tag.outputs.tag }} 
@@ -70,32 +66,31 @@ jobs: run: | yarn install --immutable yarn build - - uses: actions/cache@v4 - id: restore-build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 with: + name: publish-release-artifacts-${{ github.sha }} + include-hidden-files: true + retention-days: 4 path: | ./packages/**/dist - ./node_modules - key: ${{ github.sha }} + ./node_modules/.yarn-state.yml npm-publish-dry-run: name: Publish to NPM (dry run) runs-on: ubuntu-latest needs: publish-release steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - uses: actions/cache@v4 - id: restore-build + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - path: | - ./packages/**/dist - ./node_modules - key: ${{ github.sha }} - fail-on-cache-miss: true - - run: npm config set ignore-scripts true - - name: Dry Run Publish + name: publish-release-artifacts-${{ github.sha }} + - name: Dry run publish to NPM uses: MetaMask/action-npm-publish@v5 with: slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -110,17 +105,15 @@ jobs: - npm-publish-dry-run - get-release-tag steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - uses: actions/cache@v4 - id: restore-build + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - path: | - ./packages/**/dist - ./node_modules - key: ${{ github.sha }} - fail-on-cache-miss: true + name: publish-release-artifacts-${{ github.sha }} - name: Publish ${{ needs.get-release-tag.outputs.tag }} to NPM uses: MetaMask/action-npm-publish@v5 with: 
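Review bot: The `npm config set ignore-scripts true` step is dropped from the dry-run job with no replacement visible in this hunk, and the `publish-npm` job below it never had one; if that setting was what kept package lifecycle scripts from running under `MetaMask/action-npm-publish@v5`, the protection is gone unless the action sets it itself, which I cannot see from here. Either restore `- run: npm config set ignore-scripts true` before the publish step in both jobs or add a comment stating where the equivalent is enforced. Separately, the new upload combines `include-hidden-files: true` with `./packages/**/dist`, so any dotfile a build writes into a dist directory is uploaded as well and is downloadable by anyone with read access for the 4-day retention; since the only hidden file needed is the explicitly listed `./node_modules/.yarn-state.yml`, a narrower pattern for the dist directories would avoid that.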
@@ -134,8 +127,10 @@ jobs: outputs: IS_ENVIRONMENT_RELEASE: ${{ steps.is-environment-release.outputs.IS_ENVIRONMENT_RELEASE }} steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} fetch-depth: 2 - name: Check if this is an environment release @@ -154,8 +149,10 @@ jobs: outputs: version: ${{ steps.version.outputs.VERSION }} steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - id: version name: Get release version @@ -219,8 +216,10 @@ jobs: IS_TEST_SNAPS_RELEASE: ${{ steps.set-output.outputs.IS_TEST_SNAPS_RELEASE }} TEST_SNAPS_VERSION: ${{ steps.set-output.outputs.TEST_SNAPS_VERSION }} steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} fetch-depth: 2 - name: Check if this is a test snaps release @@ -270,8 +269,10 @@ jobs: IS_SIMULATOR_RELEASE: ${{ steps.set-output.outputs.IS_SIMULATOR_RELEASE }} SIMULATOR_VERSION: ${{ steps.set-output.outputs.SIMULATOR_VERSION }} steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} fetch-depth: 2 - name: Check if this is a simulator release diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 79fc9d1d93..9f0aa9fed7 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -19,7 +19,7 @@ jobs: security-events: write steps: - name: Analyse code - uses: MetaMask/Security-Code-Scanner@main + uses: MetaMask/action-security-code-scanner@v1 with: repo: ${{ github.repository }} paths_ignored: | 
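Review bot: Four jobs in publish-release.yml (the environment-release, version, test-snaps and simulator checks, three of them with `fetch-depth: 2`) previously used a bare `actions/checkout@v4` and now run `MetaMask/action-checkout-and-setup@v1`; if that action installs dependencies, which the series assumes elsewhere when it removes the explicit `yarn --immutable` steps, these jobs now execute a full install in the release workflow for steps that appear to need only git history. Keeping `actions/checkout@v4` in the jobs that never run yarn would limit the code executing under `is-high-risk-environment: true`; otherwise a comment should say why the full setup is needed there. The job names are outside the hunks, so I am inferring their needs from the visible steps.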
diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 30bf4af82e..820529c4fb 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml @@ -30,7 +30,8 @@ jobs: outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - name: Determine whether this PR is from a fork id: is-fork run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}" )" >> "$GITHUB_OUTPUT" @@ -78,13 +79,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - - name: Use Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install Yarn dependencies - run: yarn --immutable + is-high-risk-environment: false + cache-node-modules: true - name: Get commit SHA id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" 
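Review bot: `is-high-risk-environment: false` and `cache-node-modules: true` are set in a workflow that checks out pull-request code (the `PR_NUMBER` from `github.event.issue.number` and `secrets.PULL_REQUEST_UPDATE_TOKEN` in the step env just above) and then runs yarn on it, which is the setting where a dependency install is most exposed. I cannot see what the flag changes inside the action, but the choice deserves a comment explaining why this workflow is classed low-risk while the publish workflows are classed high-risk, e.g. `# low-risk: jobs here are gated on the IS_FORK output of prepare`, if that is the reasoning; if the flag only controls caching, the comment should say so, since the name suggests a security distinction. The same value is used in the dedupe, LavaMoat, examples and update-chrome jobs in the following hunks of this file.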
@@ -101,20 +100,17 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - - name: Setup Node.js - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install dependencies from cache - run: yarn --immutable --immutable-cache + is-high-risk-environment: false - name: Deduplicate yarn.lock run: yarn dedupe - - name: Cache yarn.lock - uses: actions/cache/save@v4 + - name: Save yarn.lock + uses: actions/upload-artifact@v4 with: + name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} path: yarn.lock - key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} regenerate-lavamoat-policies: name: Regenerate LavaMoat policies 
@@ -131,25 +127,22 @@ jobs: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: yarn.lock - key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true - - name: Setup Node.js - uses: actions/setup-node@v4 + name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install dependencies from cache - run: yarn --immutable + is-high-risk-environment: false - name: Regenerate LavaMoat policies run: yarn build:lavamoat:policy - - name: Cache LavaMoat policies - uses: actions/cache/save@v4 + - name: Save LavaMoat policies + uses: actions/upload-artifact@v4 with: - path: packages/snaps-execution-environments/lavamoat - key: cache-lavamoat-${{ needs.prepare.outputs.COMMIT_SHA }} + name: lavamoat-policies-${{ needs.prepare.outputs.COMMIT_SHA }} + path: | + .nvmrc + packages/snaps-execution-environments/lavamoat update-examples: name: Update examples 
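Review bot: `Restore yarn.lock` now downloads the artifact into the workspace before `Checkout and setup environment` runs; if that action performs a checkout, actions/checkout's default `clean: true` resets and cleans the tree, and the restored `yarn.lock` (and the earlier `gh pr checkout` state) would be discarded before `yarn build:lavamoat:policy`. The cache-based restore it replaces had the same order, so the action may already handle this, but moving the download step after the setup step removes the dependency on that behaviour. The same order appears in the update-examples and update-chrome jobs in the following hunks.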
@@ -166,28 +159,25 @@ jobs: GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: yarn.lock - key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true - - name: Setup Node.js - uses: actions/setup-node@v4 + name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install dependencies from cache - run: yarn --immutable + is-high-risk-environment: false - name: Build dependencies run: | yarn build:ci - name: Update examples run: yarn build:examples - - name: Cache examples - uses: actions/cache/save@v4 + - name: Save examples + uses: actions/upload-artifact@v4 with: - path: packages/examples/packages - key: cache-examples-${{ needs.prepare.outputs.COMMIT_SHA }} + name: examples-${{ needs.prepare.outputs.COMMIT_SHA }} + path: | + .nvmrc + packages/examples/packages update-chrome: name: Update Chrome 
@@ -199,26 +189,28 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + - name: Checkout pull request + run: gh pr checkout "${PR_NUMBER}" + env: + GITHUB_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} + PR_NUMBER: ${{ inputs.pull-request != 0 && inputs.pull-request || github.event.issue.number }} - name: Restore yarn.lock - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: yarn.lock - key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true - - name: Setup Node.js - uses: actions/setup-node@v4 + name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - name: Install dependencies from cache - run: yarn --immutable + is-high-risk-environment: false - name: Update Chrome run: yarn update-chrome - - name: Cache install script - uses: actions/cache/save@v4 + - name: Save install script + uses: actions/upload-artifact@v4 with: - path: scripts/install-chrome.sh - key: cache-chrome-${{ needs.prepare.outputs.COMMIT_SHA }} + name: chrome-install-script-${{ needs.prepare.outputs.COMMIT_SHA }} + path: | + .nvmrc + scripts/install-chrome.sh commit-result: name: Commit result @@ -251,11 +243,9 @@ jobs: id: commit-sha run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" - name: Restore yarn.lock - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: yarn.lock - key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true + name: yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Set commit prefix if: ${{ inputs.dependabot == true }} run: echo "COMMIT_PREFIX=[dependabot skip] " >> "$GITHUB_ENV" 
@@ -264,32 +254,26 @@ jobs: git add yarn.lock git commit -m "${COMMIT_PREFIX}Deduplicate yarn.lock" || true - name: Restore LavaMoat policies - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: packages/snaps-execution-environments/lavamoat - key: cache-lavamoat-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true + name: lavamoat-policies-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Commit LavaMoat policies run: | git add packages/snaps-execution-environments/lavamoat git commit -m "${COMMIT_PREFIX}Update LavaMoat policies" || true - name: Restore examples - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: packages/examples/packages - key: cache-examples-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true + name: examples-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Commit examples run: | git add packages/examples/packages git commit -m "${COMMIT_PREFIX}Update example snaps" || true - name: Restore install script if: ${{ inputs.dependabot == true && contains(inputs.pull-request-title, 'chromedriver') }} - uses: actions/cache/restore@v4 + uses: actions/download-artifact@v4 with: - path: scripts/install-chrome.sh - key: cache-chrome-${{ needs.prepare.outputs.COMMIT_SHA }} - fail-on-cache-miss: true + name: chrome-install-script-${{ needs.prepare.outputs.COMMIT_SHA }} - name: Commit install script if: ${{ inputs.dependabot == true && contains(inputs.pull-request-title, 'chromedriver') }} run: |