update release-plan (#2649)

Author: mansona

.github/workflows/plan-release.yml

@@ -1,80 +1,91 @@
-name: Release Plan Review
+name: Plan Release
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
       - master
-  pull_request:
+  pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
     types:
       - labeled
+      - unlabeled
 
 concurrency:
   group: plan-release # only the latest one of these should ever be running
   cancel-in-progress: true
 
 jobs:
-  check-plan:
-    name: "Check Release Plan"
+  is-this-a-release:
+    name: "Is this a release?"
     runs-on: ubuntu-latest
     outputs:
       command: ${{ steps.check-release.outputs.command }}
 
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 2
           ref: 'main'
-      # This will only cause the `check-plan` job to have a "command" of `release`
+      # This will only cause the `is-this-a-release` job to have a "command" of `release`
       # when the .release-plan.json file was changed on the last commit.
       - id: check-release
         run: if git diff --name-only HEAD HEAD~1 | grep -w -q ".release-plan.json"; then echo "command=release"; fi >> $GITHUB_OUTPUT
 
-  prepare_release_notes:
-    name: Prepare Release Notes
+  create-prepare-release-pr:
+    name: Create Prepare Release PR
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    needs: check-plan
-    outputs:
-      explanation: ${{ steps.explanation.outputs.text }}
-    # only run on push event if plan wasn't updated (don't create a release plan when we're releasing)
+    needs: is-this-a-release
+    permissions:
+      contents: write
+      issues: read
+      pull-requests: write
+    # only run on push event or workflow dispatch if plan wasn't updated (don't create a release plan when we're releasing)
     # only run on labeled event if the PR has already been merged
-    if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+    if: ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && needs.is-this-a-release.outputs.command != 'release') || (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true)
 
     steps:
       - uses: actions/checkout@v4
         # We need to download lots of history so that
-        # lerna-changelog can discover what's changed since the last release
+        # github-changelog can discover what's changed since the last release
         with:
           fetch-depth: 0
+          ref: 'main'
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: 18
-
-      - uses: pnpm/action-setup@v2
-        with:
-          version: 8
+          cache: pnpm
       - run: pnpm install --frozen-lockfile
-
       - name: "Generate Explanation and Prep Changelogs"
         id: explanation
         run: |
-          set -x
+          set +e
+          pnpm release-plan prepare 2> >(tee -a release-plan-stderr.txt >&2)
 
-          pnpm release-plan prepare --singlePackage=ember-inspector
+          if [ $? -ne 0 ]; then
+            release_plan_output=$(cat release-plan-stderr.txt)
+          else
+            release_plan_output=$(jq .description .release-plan.json -r)
+            rm release-plan-stderr.txt
 
-          echo 'text<<EOF' >> $GITHUB_OUTPUT
-          jq .description .release-plan.json -r >> $GITHUB_OUTPUT
-          echo 'EOF' >> $GITHUB_OUTPUT
+            if [ $(jq '.solution | length' .release-plan.json) -eq 1 ]; then
+              new_version=$(jq -r '.solution[].newVersion' .release-plan.json)
+              echo "new_version=v$new_version" >> $GITHUB_OUTPUT
+            fi
+          fi
+            echo 'text<<EOF' >> $GITHUB_OUTPUT
+          echo "$release_plan_output" >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
         env:
           GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: peter-evans/create-pull-request@v5
+      - uses: peter-evans/create-pull-request@v7
         with:
-          commit-message: "Prepare Release using 'release-plan'"
-          author: "github-actions[bot] <[email protected]>"
+          commit-message: "Prepare Release ${{ steps.explanation.outputs.new_version}} using 'release-plan'"
           labels: "internal"
           branch: release-preview
-          title: Prepare Release
+          title: Prepare Release ${{ steps.explanation.outputs.new_version }}
           body: |
             This PR is a preview of the release that [release-plan](https://github.com/embroider-build/release-plan) has prepared. To release you should just merge this PR 👍
 

.github/workflows/publish.yml

@@ -1,6 +1,5 @@
-# For every push to the master branch, this checks if the release-plan was
-# updated and if it was it will publish stable npm packages based on the
-# release plan
+# For every push to the primary branch with .release-plan.json modified,
+# runs release-plan.
 
 name: Publish Stable
 
@@ -10,51 +9,37 @@ on:
     branches:
       - main
       - master
+    paths:
+      - '.release-plan.json'
 
 concurrency:
   group: publish-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  check-plan:
-    name: "Check Release Plan"
-    runs-on: ubuntu-latest
-    outputs:
-      command: ${{ steps.check-release.outputs.command }}
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          ref: 'main'
-      # This will only cause the `check-plan` job to have a result of `success`
-      # when the .release-plan.json file was changed on the last commit. This
-      # plus the fact that this action only runs on main will be enough of a guard
-      - id: check-release
-        run: if git diff --name-only HEAD HEAD~1 | grep -w -q ".release-plan.json"; then echo "command=release"; fi >> $GITHUB_OUTPUT
-
   publish:
     name: "NPM Publish"
     runs-on: ubuntu-latest
-    needs: check-plan
-    if: needs.check-plan.outputs.command == 'release'
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+      attestations: write
 
     steps:
       - uses: actions/checkout@v4
         with: 
           token: ${{ secrets.GH_PAT }}
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: 18
           # This creates an .npmrc that reads the NODE_AUTH_TOKEN environment variable
           registry-url: 'https://registry.npmjs.org'
-
-      - uses: pnpm/action-setup@v2
-        with:
-          version: 8
+          cache: pnpm
       - run: pnpm install --frozen-lockfile
-      - name: npm publish
-        run: pnpm release-plan publish --singlePackage=ember-inspector
+      - name: Publish to NPM
+        run: NPM_CONFIG_PROVENANCE=true pnpm release-plan publish
         env:
           GITHUB_AUTH: ${{ secrets.GH_PAT }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

package.json

@@ -10,7 +10,6 @@
     "test": "tests"
   },
   "scripts": {
-    "prepublishOnly": "node -e 'process.exit(!require(\"fs\").existsSync(\"./dist\"))' || pnpm build:production",
     "build": "ember build",
     "build:production": "EMBER_ENV=production node scripts/download-panes.js && ember build --environment production && gulp compress:chrome && gulp compress:firefox && gulp clean-tmp",
     "changelog": "github_changelog_generator -u emberjs -p ember-inspector --since-tag v3.8.0",
@@ -25,6 +24,7 @@
     "lint:js:fix": "eslint . --fix",
     "lint:types": "tsc --noEmit",
     "lock-version": "pnpm build:production && pnpm compress:panes",
+    "prepublishOnly": "node -e 'process.exit(!require(\"fs\").existsSync(\"./dist\"))' || pnpm build:production",
     "serve:bookmarklet": "ember serve --port 9191",
     "start": "ember serve",
     "test": "concurrently \"pnpm:lint\" \"pnpm:test:*\" --names \"lint,test:\" --prefixColors auto",
@@ -49,10 +49,10 @@
     "@eslint/js": "^9.17.0",
     "@glimmer/component": "^1.1.2",
     "@glimmer/tracking": "^1.1.2",
-    "@html-next/vertical-collection": "^4.0.2",
     "@glint/environment-ember-loose": "^1.5.0",
     "@glint/environment-ember-template-imports": "^1.5.0",
     "@glint/template": "^1.5.0",
+    "@html-next/vertical-collection": "^4.0.2",
     "@tsconfig/ember": "^3.0.8",
     "@types/chrome": "^0.0.250",
     "@types/eslint__js": "^8.42.3",
@@ -136,7 +136,7 @@
     "qunit-dom": "^3.4.0",
     "release-it": "^15.11.0",
     "release-it-lerna-changelog": "^5.0.0",
-    "release-plan": "^0.8.0",
+    "release-plan": "^0.16.0",
     "sass": "^1.79.4",
     "source-map-js": "^1.2.1",
     "stylelint": "^16.13.2",
@@ -148,10 +148,15 @@
     "typescript-eslint": "^8.18.2",
     "webpack": "^5.97.1"
   },
+  "packageManager": "[email protected]",
   "engines": {
     "node": ">= 18",
     "pnpm": "^9.0.0"
   },
+  "volta": {
+    "node": "18.20.4",
+    "pnpm": "9.12.1"
+  },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
   },
@@ -189,10 +194,5 @@
     "npm": {
       "publish": false
     }
-  },
-  "volta": {
-    "node": "18.20.4",
-    "pnpm": "9.12.1"
-  },
-  "packageManager": "[email protected]"
+  }
 }