Skip to content

Commit c80c69b

Browse files
authored
ci: Upgrade Yarn to 4.16.0 and align workflows with module template (#204)
## Summary - Upgrades Yarn from 3.2.1 to 4.16.0 and aligns `.yarnrc.yml` with the module template (Corepack, `approvedGitRepositories: []`, `npmMinimalAgeGate: 4320`, `npmPreapprovedPackages`) - Updates `action-npm-publish` from v1 to v6 - Fully aligns CI workflows with the [metamask-module-template](https://github.com/MetaMask/metamask-module-template): - **Added** `main.yml` — top-level orchestration workflow (actionlint, security scan, build/lint/test, release gating) - **Added** `build-lint-test.yml` — reusable workflow with `prepare`/`build`/`lint`/`test`/`compatibility-test` jobs on Node 20/22/24 using `action-checkout-and-setup@v3` - **Rewrote** `publish-release.yml` as a reusable `workflow_call` — restructured as `build → publish-npm-dry-run → publish-npm → publish-release`; GitHub release now happens after npm publish; uses `action-publish-release@v3` - **Updated** `create-release-pr.yml` — uses `action-checkout-and-setup@v3`, `action-create-release-pr@v5`, `release-type` is now a `choice` input - **Updated** `publish-preview.yml` — `action-checkout-and-setup@v1` → `v3` - **Deleted** `build-test.yml` and `security-code-scanner.yml` — consolidated into `main.yml` - **Added** `actionlint-matcher.json` and `actionlint.yml` - Adds `lint:changelog` script (`auto-changelog validate --formatter prettier`) and wires it into `lint` and `lint:fix` <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes npm publish ordering, release gating, and Node matrix coverage, which can block merges or alter how/when packages ship if misconfigured. > > **Overview** > Replaces the monolithic **`build-test.yml`** CI with a **`main.yml`** entrypoint that runs **actionlint** (with a GitHub problem matcher), invokes the reusable **MetaMask security scan** workflow, and calls a new reusable **`build-lint-test.yml`** for prepare/build/lint/test plus a **lockfile-free compatibility test** on Node **20/22/24** via **`MetaMask/action-checkout-and-setup@v3`**. > > **Release and publish** behavior shifts: **`publish-release.yml`** is now **`workflow_call`-only** and runs **`build → npm dry-run → npm publish → GitHub release`** (GitHub release after npm), using **artifact upload/download** instead of commit-keyed cache and **`action-npm-publish@v6`** / **`action-publish-release@v3`**. **`main.yml`** gates publishing on **`all-jobs-pass`**, **`action-is-release@v2`**, and **push** events whose head commit author is **`github-actions`**. > > **`create-release-pr.yml`** moves to **`action-create-release-pr@v5`**, makes **`release-type`** a **choice** input (including empty), and drops the release-authors artifact upload. **`publish-preview.yml`** bumps checkout/setup to **v3**. Adds **`actionlint.yml`** to ignore the intentional empty **`release-type`** option. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 9e17710. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
1 parent c6a5d49 commit c80c69b

13 files changed

Lines changed: 3710 additions & 4390 deletions

.github/actionlint-matcher.json

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
{
2+
"problemMatcher": [
3+
{
4+
"owner": "actionlint",
5+
"pattern": [
6+
{
7+
"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
8+
"file": 1,
9+
"line": 2,
10+
"column": 3,
11+
"message": 4,
12+
"code": 5
13+
}
14+
]
15+
}
16+
]
17+
}

.github/actionlint.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
# Please see the documentation for all configuration options:
2+
# https://github.com/rhysd/actionlint/blob/main/docs/config.md#configuration-file
3+
4+
paths:
5+
.github/workflows/create-release-pr.yml:
6+
ignore:
7+
# `create-release-pr` has an empty string value for the `release-type`
8+
# input, which is intentional and valid.
9+
- 'string should not be empty'
Lines changed: 120 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,120 @@
1+
name: Build, Lint, and Test
2+
3+
on:
4+
workflow_call:
5+
6+
permissions:
7+
contents: read
8+
9+
jobs:
10+
prepare:
11+
name: Prepare
12+
runs-on: ubuntu-latest
13+
strategy:
14+
matrix:
15+
node-version: [20.x, 22.x, 24.x]
16+
steps:
17+
- name: Checkout and setup environment
18+
uses: MetaMask/action-checkout-and-setup@v3
19+
with:
20+
is-high-risk-environment: false
21+
node-version: ${{ matrix.node-version }}
22+
cache-node-modules: ${{ matrix.node-version == '24.x' }}
23+
24+
build:
25+
name: Build
26+
needs: prepare
27+
runs-on: ubuntu-latest
28+
strategy:
29+
matrix:
30+
node-version: [24.x]
31+
steps:
32+
- name: Checkout and setup environment
33+
uses: MetaMask/action-checkout-and-setup@v3
34+
with:
35+
is-high-risk-environment: false
36+
node-version: ${{ matrix.node-version }}
37+
- run: yarn build
38+
- name: Require clean working directory
39+
shell: bash
40+
run: |
41+
if ! git diff --exit-code; then
42+
echo "Working tree dirty at end of job"
43+
exit 1
44+
fi
45+
46+
lint:
47+
name: Lint
48+
needs: prepare
49+
runs-on: ubuntu-latest
50+
strategy:
51+
matrix:
52+
node-version: [24.x]
53+
steps:
54+
- name: Checkout and setup environment
55+
uses: MetaMask/action-checkout-and-setup@v3
56+
with:
57+
is-high-risk-environment: false
58+
node-version: ${{ matrix.node-version }}
59+
- run: yarn lint
60+
- name: Validate RC changelog
61+
if: ${{ startsWith(github.head_ref, 'release/') }}
62+
run: yarn lint:changelog --rc
63+
- name: Validate changelog
64+
if: ${{ !startsWith(github.head_ref, 'release/') }}
65+
run: yarn lint:changelog
66+
- name: Require clean working directory
67+
shell: bash
68+
run: |
69+
if ! git diff --exit-code; then
70+
echo "Working tree dirty at end of job"
71+
exit 1
72+
fi
73+
74+
test:
75+
name: Test
76+
needs: prepare
77+
runs-on: ubuntu-latest
78+
strategy:
79+
matrix:
80+
node-version: [20.x, 22.x, 24.x]
81+
steps:
82+
- name: Checkout and setup environment
83+
uses: MetaMask/action-checkout-and-setup@v3
84+
with:
85+
is-high-risk-environment: false
86+
node-version: ${{ matrix.node-version }}
87+
- run: yarn test
88+
- name: Require clean working directory
89+
shell: bash
90+
run: |
91+
if ! git diff --exit-code; then
92+
echo "Working tree dirty at end of job"
93+
exit 1
94+
fi
95+
96+
compatibility-test:
97+
name: Compatibility test
98+
needs: prepare
99+
runs-on: ubuntu-latest
100+
strategy:
101+
matrix:
102+
node-version: [20.x, 22.x, 24.x]
103+
steps:
104+
- name: Checkout and setup environment
105+
uses: MetaMask/action-checkout-and-setup@v3
106+
with:
107+
is-high-risk-environment: false
108+
node-version: ${{ matrix.node-version }}
109+
- name: Install dependencies via Yarn
110+
run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn
111+
- run: yarn test
112+
- name: Restore lockfile
113+
run: git restore yarn.lock
114+
- name: Require clean working directory
115+
shell: bash
116+
run: |
117+
if ! git diff --exit-code; then
118+
echo "Working tree dirty at end of job"
119+
exit 1
120+
fi

.github/workflows/build-test.yml

Lines changed: 0 additions & 148 deletions
This file was deleted.

.github/workflows/create-release-pr.yml

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,14 @@ on:
88
default: 'main'
99
required: true
1010
release-type:
11-
description: 'A SemVer version diff, i.e. major, minor, patch, prerelease etc. Mutually exclusive with "release-version".'
11+
description: 'A SemVer version diff, i.e. major, minor, or patch. Mutually exclusive with "release-version".'
1212
required: false
13+
type: choice
14+
options:
15+
- ''
16+
- major
17+
- minor
18+
- patch
1319
release-version:
1420
description: 'A specific version to bump to. Mutually exclusive with "release-type".'
1521
required: false
@@ -21,28 +27,22 @@ jobs:
2127
contents: write
2228
pull-requests: write
2329
steps:
24-
- uses: actions/checkout@v3
30+
- name: Checkout and setup environment
31+
uses: MetaMask/action-checkout-and-setup@v3
2532
with:
26-
# This is to guarantee that the most recent tag is fetched.
27-
# This can be configured to a more reasonable value by consumers.
33+
is-high-risk-environment: true
34+
35+
# This is to guarantee that the most recent tag is fetched. This can
36+
# be configured to a more reasonable value by consumers.
2837
fetch-depth: 0
38+
2939
# We check out the specified branch, which will be used as the base
3040
# branch for all git operations and the release PR.
3141
ref: ${{ github.event.inputs.base-branch }}
32-
- name: Setup Node.js
33-
uses: actions/setup-node@v3
34-
with:
35-
node-version-file: '.nvmrc'
36-
- uses: MetaMask/action-create-release-pr@v3
37-
env:
38-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
42+
43+
- uses: MetaMask/action-create-release-pr@v5
3944
with:
4045
release-type: ${{ github.event.inputs.release-type }}
4146
release-version: ${{ github.event.inputs.release-version }}
42-
artifacts-path: gh-action__release-authors
43-
# Upload the release author artifact for use in subsequent workflows
44-
- uses: actions/upload-artifact@v4
45-
with:
46-
name: release-authors
47-
path: gh-action__release-authors
48-
if-no-files-found: error
47+
env:
48+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

0 commit comments

Comments
 (0)