CI: INFRA-2087 auto generated issues for mobile and extension repositories #4763
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| name: Create Update Issues | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| AUTH_APP_ID: | ||
| description: Github app id to authenticate in mobile and extention repositories | ||
| type: string | ||
| required: true | ||
| secrets: | ||
| AUTH_APP_PRIVATE_KEY: | ||
| description: Github app private key to authenticate in mobile and extention repositories | ||
| required: true | ||
|
|
||
| jobs: | ||
| create-update-issues: | ||
| permissions: | ||
| issues: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout head | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Get release tag | ||
| id: releaseTag | ||
| run: echo "tag=$(git describe --tags --abbrev=0)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Check released package | ||
| id: releaseCheck | ||
| env: | ||
| tag: ${{ steps.releaseTag.outputs.tag }} | ||
| run: | | ||
| if [[ ${tag} == @metamask/* ]] ; then | ||
| # Extract package name without the leading '@' | ||
| package_name="${tag#@}" | ||
| package_name="${package_name%@*}" | ||
| echo "package_name=${package_name}" >> $GITHUB_OUTPUT | ||
|
|
||
| # Extract version number | ||
| version="${tag##*@}" | ||
| echo "version=${version}" >> $GITHUB_OUTPUT | ||
|
|
||
| # Check if version number ends with .0.0 | ||
| if [[ $version == *.0.0 ]]; then | ||
| echo "$package_name major update" | ||
| echo "major_version=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "$package_name minor update" | ||
| echo "major_version=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| else | ||
| echo 'Monorepo version update' | ||
| echo "major_version=false" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| - name: Generate a token | ||
|
There was a problem hiding this comment. What is the purpose of using a GitHub app here? Typically we would use a personal access token to create issues. There was a problem hiding this comment. We use GitHup app here to avoid personal access token. PAT is connected to user and when that user will lost access to org also workload will stop working. On top off that is easier to rotate credentials for security team if required. There was a problem hiding this comment. We have a fairly well defined process for managing PATs, and we generate them using an account not tied to an individual ( |
||
| id: generate-token | ||
| if: ${{ steps.releaseCheck.outputs.major_version == 'true' }} | ||
| uses: actions/create-github-app-token@v1 | ||
| with: | ||
| app-id: ${{ inputs.AUTH_APP_ID }} | ||
| private-key: ${{ secrets.AUTH_APP_PRIVATE_KEY }} | ||
| repositories: metamask-mobile, metamask-extension | ||
|
|
||
| - name: Create Issue | ||
| if: ${{ steps.releaseCheck.outputs.major_version == 'true' }} | ||
| env: | ||
| GH_TOKEN: ${{ steps.generate-token.outputs.token }} | ||
| package: ${{ steps.releaseCheck.outputs.package_name }} | ||
| version: ${{ steps.releaseCheck.outputs.version }} | ||
| run: | | ||
| echo "Creating new issue..." | ||
| gh issue create --title "Update ${package} to version ${version}" --body "Please update ${package} to version ${version}" --repo "MetaMask/metamask-extension" | ||
|
There was a problem hiding this comment. We'll want to assign teams as well, this was part of the acceptance criteria and is important for achieving the main goal here (visibility and accountability for these updates). We use labels to keep track of who owns which issue, so assigning a team here means attaching that team's label to the issue (which luckily is easy with the However, determining which team to assign might be tricky. The ticket suggests that we assign it to "the responsible team", but doesn't describe who should be responsible. In discussing this work, we had considered either:
I think either way would be fine to start with, as the assigned team can easily re-assign a different team as appropriate. As long as some team is assigned, it accomplishes the goals of visibility and accountability. For the first strategy, we could get the team label using an approach like this: https://github.com/MetaMask/github-tools/blob/058012b49ff2fbd9649c566ba43b29497f93b21d/.github/workflows/add-team-label.yml#L19 For the second strategy, we could parse the |
||
| gh issue create --title "Update ${package} to version ${version}" --body "Please update ${package} to version ${version}" --repo "MetaMask/metamask-mobile" | ||
Gudahtt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -48,6 +48,18 @@ jobs: | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
|
|
||
| create-update-issues: | ||
| name: Create update issues | ||
| needs: [is-release, publish-release] | ||
| if: needs.is-release.outputs.IS_RELEASE == 'true' | ||
| permissions: | ||
| issues: write | ||
| uses: ./.github/workflows/create-update-issues.yaml | ||
| with: | ||
|
There was a problem hiding this comment. Before merge security team have to create new github app, I will send request to @NicholasEllul |
||
| AUTH_APP_ID: ${{ vars.AUTH_APP_ID }} | ||
| secrets: | ||
| AUTH_APP_PRIVATE_KEY: ${{ secrets.AUTH_APP_PRIVATE_KEY }} | ||
|
|
||
| all-jobs-complete: | ||
| name: All jobs complete | ||
| runs-on: ubuntu-latest | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not 100% sure that we have to fetch here whole history, if release pipeline have always tag on head commit
fetch-tags: trueto make it little fasterThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be safe just to get the HEAD commit. The release tags will always be on that commit. The tags are created in the
publish-releasestep, which happens before this one.