ci(PI-4819): keep binary updated

.github/workflows/publish.yml

@@ -3,6 +3,13 @@ name: Publish
 on:
   workflow_call:
     inputs:
+      unpublish:
+        description: |
+          Unpublish the extenion before attempting to publish the current version.
+          Useful for dev and QA environments where you don't care about the consistency of a published version
+        required: false
+        type: boolean
+        default: false
       overrides-file:
         description: "filepath for overrides.json file to override vss-extension defaults"
         required: true
@@ -42,7 +49,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
-          cache: 'npm'
+          cache: "npm"
           cache-dependency-path: ./nowsecure
 
       - name: Install Dependencies
@@ -52,6 +59,14 @@ jobs:
       - name: Install TFX
         run: npm install -g tfx-cli
 
+      - name: Unpublish Extension
+        if: ${{ inputs.unpublish }}
+        run: |
+          tfx extension unpublish \
+              --publisher "$(jq -r '.publisher' < ${{ inputs.overrides-file }})" \
+              --extension-id "$(jq -r '.id' < ${{ inputs.overrides-file }})" \
+              --token ${{ secrets.token }}
+
       - name: Publish Extension
         run: |
           tfx extension publish \

.github/workflows/update-binary.yml

@@ -0,0 +1,59 @@
+name: Update Binary
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Mon at 5am weekly
+    - cron: "00 5 * * 0"
+
+jobs:
+  update-binary:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get Latest Release
+        working-directory: ./nowsecure/bin
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          LATEST_VERSION=$(gh release --repo nowsecure/nowsecure-ci view --json tagName --jq '.tagName')
+          CURRENT_VERSION=$(cat version)
+
+          if [ "$LATEST_VERSION" = "$CURRENT_VERSION" ]; then
+            echo "Current version ($CURRENT_VERSION) is latest"
+          else
+            echo "$LATEST_VERSION" > version
+
+            find . -name 'ns_*' -delete
+
+            gh release --repo nowsecure/nowsecureci download --clobber \
+              --pattern 'ns_darwin-arm64*' \
+              --pattern 'ns_linux-amd64*' \
+              --pattern 'ns_windows-amd64*'
+
+            # Github release has tgz and zip files, each containing license and readme files
+            find . -name '*.tgz' -exec tar -xzf {} \;
+            find . -name '*.zip' -exec unzip {} \;
+            rm LICENSE README.md
+
+            echo "RELEASE_NOTES=$(gh release --repo nowsecure/nowsecure-ci view --json body --jq '.body')" >> "$GITHUB_ENV"
+          fi
+
+          echo "LATEST_VERSION=$LATEST_VERSION" >> "$GITHUB_ENV"
+
+      - name: Commit changes
+        working-directory: ./nowsecure/bin
+        run: |
+          PR_TITLE="chore(deps): update nowsecure-ci binary to ${{ env.LATEST_VERSION }}"
+          BRANCH_NAME="chore/ns-binary/${{ env.LATEST_VERSION }}"
+
+          git config --global user.email "devops@nowsecure.com"
+          git config --global user.name "Nora The Narwhal"
+
+          if [[ -n "$(git status --porcelain)" ]]; then
+            git checkout -b "$BRANCH_NAME"
+            git add .
+            git commit -m "$PR_TITLE"
+            git push
+            gh pr create --title "$PR_TITLE" --body "# NowSecure CI Release Notes \n ${{ env.RELEASE_NOTES }}"
+          fi

.github/workflows/workflow.yml

@@ -5,8 +5,7 @@ on:
   push:
     tags:
       - "v*.*.*"
-    branches: [ "main" ]
-
+    branches: ["main"]
 
 jobs:
   build:
@@ -23,7 +22,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
-          cache: 'npm'
+          cache: "npm"
           cache-dependency-path: ./nowsecure
 
       - name: Install Dependencies
@@ -39,42 +38,17 @@ jobs:
           name: build-output
           path: ./nowsecure/index.js
 
-  package:
+  dev-publish:
     needs: build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download Build
-        uses: actions/download-artifact@v5
-        with:
-          artifact-ids: ${{ needs.build.outputs.js-build-artifact }}
-          path: ./nowsecure
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: ./nowsecure
-
-      - name: Install Dependencies
-        working-directory: ./nowsecure
-        run: npm ci
-
-      - name: Install TFX
-        run: npm install -g tfx-cli
-
-      - name: Package Extension
-        run: |
-          tfx extension create \
-              --manifest-globs vss-extension.json \
-              --overrides-file dev-overrides.json
-
-      - name: Upload VSIX
-        uses: actions/upload-artifact@v4
-        with:
-          name: vsix-pr-${{ github.event.pull_request.number }}
-          path: '*.vsix'
+    uses: ./.github/workflows/publish.yml
+    with:
+      overrides-file: "dev-overrides.json"
+      artifact-id: ${{ needs.build.outputs.js-build-artifact }}
+      environment: "development"
+      additional-flags: "--share-with nowsecure-test"
+      unpublish: true
+    secrets:
+      token: ${{ secrets.QA_TOKEN }}
 
   qa-publish:
     needs: build
@@ -85,6 +59,7 @@ jobs:
       artifact-id: ${{ needs.build.outputs.js-build-artifact }}
       environment: "QA"
       additional-flags: "--share-with nowsecure-test"
+      unpublish: true
     secrets:
       token: ${{ secrets.QA_TOKEN }}
 

dev-overrides.json

@@ -1,6 +1,6 @@
 {
     "id": "dev-nowsecure-azure-ci-extension",
-    "name": "dev-nowsecure-azure-ci-extension",
+    "name": "DEV NowSecure Azure CI Extension",
     "public": false,
     "publisher": "qa-nowsecure"
 }

nowsecure/bin/version

@@ -0,0 +1 @@
+v0.1.2