tools: update create-release-proposal workflow

Author: aduh95

.github/workflows/create-release-proposal.yml

@@ -1,7 +1,6 @@
 # This action requires the following secrets to be set on the repository:
 #   GH_USER_NAME: GitHub user whose Jenkins and GitHub token are defined below
 #   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
-#   JENKINS_TOKEN: Jenkins token, to be used to check CI status
 
 name: Create Release Proposal
 
@@ -25,7 +24,7 @@ env:
   NODE_VERSION: lts/*
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   releasePrepare:
@@ -39,9 +38,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
         with:
           ref: ${{ env.STAGING_BRANCH }}
-          # Needs the whole git history for ncu to work
-          # See https://github.com/nodejs/node-core-utils/pull/486
-          fetch-depth: 0
+          persist-credentials: false
 
       # Install dependencies
       - name: Install Node.js
@@ -58,29 +55,33 @@ jobs:
           ncu-config set upstream origin
           ncu-config set username "$USERNAME"
           ncu-config set token "$GH_TOKEN"
-          ncu-config set jenkins_token "$JENKINS_TOKEN"
           ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
           ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
         env:
           USERNAME: ${{ secrets.JENKINS_USER }}
-          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-          JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
 
       - name: Set up ghauth config (Ubuntu)
         run: |
-          mkdir -p ~/.config/changelog-maker/
-          echo '{
-            "user": "'$(ncu-config get username)'",
-            "token": "'$(ncu-config get token)'"
-          }' > ~/.config/changelog-maker/config.json
+          mkdir -p "${XDG_CONFIG_HOME:-~/.config}/changelog-maker"
+          echo '{}' | jq '{user: env.USERNAME, token: env.TOKEN}' > "${XDG_CONFIG_HOME:-~/.config}/changelog-maker/config.json"
+        env:
+          USERNAME: ${{ secrets.JENKINS_USER }}
+          TOKEN: ${{ github.token }}
 
       - name: Setup git author
         run: |
           git config --local user.email "[email protected]"
           git config --local user.name "Node.js GitHub Bot"
+          # Workaround, see https://github.com/nodejs/node-core-utils/pull/876
+          git fetch origin --shallow-exclude v23.3.0 v23.x-staging
+          git fetch origin --deepen=1 v23.x-staging
 
       - name: Start git node release prepare
+        # The curl command is to make sure we run the version of the script corresponding to the current workflow.
         run: |
+          curl -L https://github.com/${GITHUB_REPOSITORY}/raw/${GITHUB_SHA}/tools/actions/create-release.sh > tools/actions/create-release.sh
           ./tools/actions/create-release.sh "${RELEASE_DATE}" "${RELEASE_LINE}"
         env:
-          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+          BOT_TOKEN: ${{ secrets.GH_USER_TOKEN }}

doc/contributing/releases.md

@@ -33,7 +33,8 @@ official release builds for Node.js, hosted on <https://nodejs.org/>.
   * [17. Create a blog post](#17-create-a-blog-post)
   * [18. Create the release on GitHub](#18-create-the-release-on-github)
   * [19. Announce](#19-announce)
-  * [20. Celebrate](#20-celebrate)
+  * [20. Re-enable the backport-queue workflow](#20-re-enable-the-backport-queue-workflow)
+  * [21. Celebrate](#21-celebrate)
 * [LTS releases](#lts-releases)
 * [Major releases](#major-releases)
 
@@ -140,6 +141,11 @@ of the `nodejs-private/node-private` repository a day or so before the
 [CI lockdown procedure][] begins. This is to confirm that Jenkins can properly
 access the private repository.
 
+### 1. Disable the backport-queue workflow
+
+Having the staging branch and the proposal branch starting to differ will make
+the release work harder.
+
 ### 1. Update the staging branch
 
 Checkout the staging branch locally.
@@ -1096,7 +1102,9 @@ Let the security release steward know the releases are available.
 
 </details>
 
-### 20. Celebrate
+### 20. Re-enable the backport-queue workflow
+
+### 21. Celebrate
 
 _In whatever form you do this..._
 

tools/actions/create-release.sh

@@ -10,24 +10,87 @@ if [ -z "$RELEASE_DATE" ] || [ -z "$RELEASE_LINE" ]; then
   exit 1
 fi
 
+createCommitAPICall() {
+  commit="${1:-HEAD}"
+  cat - <<'EOF'
+mutation ($repo: String! $branch: String!, $parent: GitObjectID!, $commit_title: String!, $commit_body: String) {
+  createCommitOnBranch(input: {
+    branch: {
+      repositoryNameWithOwner: $repo,
+      branchName: $branch
+    },
+    message: {
+      headline: $commit_title,
+      body: $commit_body
+    },
+    expectedHeadOid: $parent,
+    fileChanges: {
+      additions: [
+EOF
+  git show "$commit" --diff-filter=d --name-only --format= | while read -r FILE; do
+    printf "          { path: "
+    node -p 'JSON.stringify(process.argv[1])' "$FILE"
+    printf "          , contents: \""
+    base64 -w 0 -i "$FILE"
+    echo "\"},"
+  done
+  echo '      ], deletions: ['
+  git show "$commit" --diff-filter=D --name-only --format= | while read -r FILE; do
+    echo "        $(node -p 'JSON.stringify(process.argv[1])' "$FILE"),"
+  done
+  cat - <<'EOF'
+      ]
+    }
+  }) {
+    commit {
+      url
+    }
+  }
+}
+EOF
+}
+
 git node release --prepare --skipBranchDiff --yes --releaseDate "$RELEASE_DATE"
-# We use it to not specify the branch name as it changes based on
-# the commit list (semver-minor/semver-patch)
-git config push.default current
-git push
+
+HEAD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+HEAD_SHA="$(git rev-parse HEAD^)"
 
 TITLE=$(awk "/^## ${RELEASE_DATE}/ { print substr(\$0, 4) }" "doc/changelogs/CHANGELOG_V${RELEASE_LINE}.md")
 
 # Use a temporary file for the PR body
 TEMP_BODY="$(awk "/## ${RELEASE_DATE}/,/^<a id=/{ if (!/^<a id=/) print }" "doc/changelogs/CHANGELOG_V${RELEASE_LINE}.md")"
 
-PR_URL="$(gh pr create --title "$TITLE" --body "$TEMP_BODY" --base "v$RELEASE_LINE.x")"
-
-# Amend commit message so it contains the correct PR-URL trailer.
-AMENDED_COMMIT_MSG="$(git log -1 --pretty=%B | sed "s|PR-URL: TODO|PR-URL: $PR_URL|")"
+# Create the proposal branch
+gh api \
+  --method POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  "/repos/${GITHUB_REPOSITORY}/git/refs" \
+   -f "ref=refs/heads/$HEAD_BRANCH" -f "sha=$HEAD_SHA"
 
-# Replace "TODO" with the PR URL in the last commit
-git commit --amend --no-edit -m "$AMENDED_COMMIT_MSG" || true
+# Create the proposal PR
+PR_URL="$(gh api \
+  --method POST \
+  --jq .html_url \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  "/repos/${GITHUB_REPOSITORY}/pulls" \
+   -f "title=$TITLE" -f "body=$TEMP_BODY" -f "head=$HEAD_BRANCH" -f "base=v$RELEASE_LINE.x")"
 
-# Force-push the amended commit
-git push --force
+# Push the release commit to the proposal branch
+createCommitAPICall | node --input-type=module -e 'console.log(JSON.stringify({
+  query: Buffer.concat(await process.stdin.toArray()).toString(),
+  variables: {
+    repo: process.argv[1],
+    branch: process.argv[2],
+    parent: process.argv[3],
+    commit_title: process.argv[4],
+    commit_body: process.argv[5]
+  }
+}))' \
+    "$GITHUB_REPOSITORY" \
+    "$HEAD_BRANCH" \
+    "$HEAD_SHA" \
+    "$(git log -1 HEAD --format=%s)" \
+    "$(git log -1 HEAD --format=%b | sed "s|PR-URL: TODO|PR-URL: $PR_URL|")" \
+| curl -fS -H "Authorization: bearer ${BOT_TOKEN}" -X POST --data @- https://api.github.com/graphql