diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..5fc5feac --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,11 @@ + diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml index 6527e45a..2334065a 100644 --- a/.github/workflows/build-lint-test.yml +++ b/.github/workflows/build-lint-test.yml @@ -7,41 +7,30 @@ jobs: prepare: name: Prepare runs-on: ubuntu-latest + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Install Node.js ${{ matrix.node-version }} and restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - - name: Install dependencies via Yarn - run: yarn --immutable + cache-node-modules: ${{ matrix.node-version == '22.x' }} build: name: Build needs: prepare runs-on: ubuntu-latest + strategy: + matrix: + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Install Node.js ${{ matrix.node-version }} and restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - - name: Install dependencies via Yarn - run: yarn --immutable --immutable-cache - run: yarn build - name: Require clean working directory shell: bash 
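Review bot: The removed `yarn --immutable` / `yarn --immutable --immutable-cache` install steps in `prepare` and `build` are now delegated to `MetaMask/action-checkout-and-setup@v1`, whose behaviour is not visible in this diff; confirm it installs with an immutable lockfile so that a PR that drifts `yarn.lock` still fails `prepare`, as the removed step guaranteed. The action is referenced by a mutable major tag; for these non-privileged jobs that is a lesser concern, but for consistency with the SHA-pinned actionlint script elsewhere in this change consider `uses: MetaMask/action-checkout-and-setup@<full-commit-sha> # v1`. The `strategy.matrix` added to `prepare` makes `cache-node-modules: ${{ matrix.node-version == '22.x' }}` warm a cache for only one of the three versions, which appears intended since `build` and `lint` run on 22.x alone; a comment to that effect on the `prepare` matrix would save the next reader the inference.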
@@ -55,21 +44,15 @@ jobs: name: Lint needs: prepare runs-on: ubuntu-latest + strategy: + matrix: + node-version: [22.x] steps: - - uses: actions/checkout@v4 - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Install Node.js ${{ matrix.node-version }} and restore Yarn cache - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - - name: Install dependencies via Yarn - run: yarn --immutable --immutable-cache - run: yarn lint - name: Validate RC changelog if: ${{ startsWith(github.head_ref, 'release/') }} 
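Review bot: `strategy.matrix.node-version: [22.x]` in the lint job is a one-entry matrix that exists only so `${{ matrix.node-version }}` resolves, and the same `22.x` is now hard-coded in `build`, `lint` and the `prepare` cache condition where `.nvmrc` used to be the single source of truth. If `MetaMask/action-checkout-and-setup` accepts a `node-version-file` input (not visible here), prefer `node-version-file: '.nvmrc'`; otherwise add a comment such as `# Keep in sync with the Node version in build-lint-test.yml prepare/build jobs and .nvmrc` so the three occurrences are bumped together. The trailing `Validate RC changelog` step's `if: ${{ startsWith(github.head_ref, 'release/') }}` uses the branch name only inside an expression, not a `run:` string, which is the safe way to consume it.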
@@ -91,23 +74,40 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - node-version: [18.x, 20.x] + node-version: [18.x, 20.x, 22.x] steps: - - uses: actions/checkout@v4 - - name: Install Corepack via Node - uses: actions/setup-node@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Install Node.js ${{ matrix.node-version }} and restore Yarn cache - uses: actions/setup-node@v4 + is-high-risk-environment: false + node-version: ${{ matrix.node-version }} + - run: yarn test + - name: Require clean working directory + shell: bash + run: | + if ! git diff --exit-code; then + echo "Working tree dirty at end of job" + exit 1 + fi + + compatibility-test: + name: Compatibility test + needs: prepare + runs-on: ubuntu-latest + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: false node-version: ${{ matrix.node-version }} - cache: 'yarn' - name: Install dependencies via Yarn - run: yarn --immutable --immutable-cache + run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn - run: yarn test + - name: Restore lockfile + run: git restore yarn.lock - name: Require clean working directory shell: bash run: | diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 98234acb..5197d088 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml 
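Review bot: `rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn` in `compatibility-test` deliberately resolves every dependency fresh from the registry, so the job then runs `yarn test` (and any install scripts) against code that was never reviewed against the lockfile. That is acceptable only while the job holds no secrets and no write token; `is-high-risk-environment: false` is set and no `permissions:` block is visible, so confirm the workflow-level default is read-only and record the constraint next to the step: `# Intentionally ignores yarn.lock to catch breakage from newer in-range dependency versions; this job must never receive secrets or write permissions.` Because the outcome depends on registry state rather than the PR, a new transitive release can fail this job on an unrelated change; consider `continue-on-error: true` or leaving it out of the required checks. `git restore yarn.lock` reverts only the lockfile, so if the repository commits `.yarn/cache` the following clean-working-directory check may still trip after a fresh resolve — worth a test run before relying on it.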
@@ -21,18 +21,19 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: - # This is to guarantee that the most recent tag is fetched. - # This can be configured to a more reasonable value by consumers. + is-high-risk-environment: true + + # This is to guarantee that the most recent tag is fetched. This can + # be configured to a more reasonable value by consumers. fetch-depth: 0 + # We check out the specified branch, which will be used as the base # branch for all git operations and the release PR. ref: ${{ github.event.inputs.base-branch }} - - name: Install Node.js - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' + - uses: MetaMask/action-create-release-pr@v4 with: release-type: ${{ github.event.inputs.release-type }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 918494f7..730eb923 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
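Review bot: This job holds `contents: write` and `pull-requests: write`, yet `MetaMask/action-checkout-and-setup@v1` (and the `MetaMask/action-create-release-pr@v4` that follows) are referenced by mutable major tags, so a moved tag would run arbitrary code with those tokens. Pin privileged jobs to a full commit SHA, e.g. `uses: MetaMask/action-checkout-and-setup@<40-hex-sha> # v1`. Passing `ref: ${{ github.event.inputs.base-branch }}` to the checkout is fine since `workflow_dispatch` inputs come from actors with write access, but any validation of that input lives outside this hunk. `is-high-risk-environment: true` is the right value for this job; what the flag actually changes inside the composite action is not visible here, so a short comment stating the expectation (e.g. hardened checkout, no persisted credentials) would help the next maintainer.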
@@ -6,6 +6,34 @@ on: pull_request: jobs: + check-workflows: + name: Check workflows + runs-on: ubuntu-latest + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 + with: + is-high-risk-environment: false + - name: Download actionlint + id: download-actionlint + run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23 + shell: bash + - name: Check workflow files + run: ${{ steps.download-actionlint.outputs.executable }} -color + shell: bash + + analyse-code: + name: Code scanner + needs: check-workflows + uses: ./.github/workflows/security-code-scanner.yml + permissions: + actions: read + contents: read + security-events: write + secrets: + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + build-lint-test: name: Build, lint, and test uses: ./.github/workflows/build-lint-test.yml @@ -14,6 +42,8 @@ jobs: name: All jobs completed runs-on: ubuntu-latest needs: + - check-workflows + - analyse-code - build-lint-test outputs: PASSED: ${{ steps.set-output.outputs.PASSED }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index a9f9bca7..69addc59 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
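Review bot: `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.23` in `check-workflows` executes whatever curl returns, including an HTTP error body or an empty stream, because there is no `--fail` and process substitution does not propagate curl's exit status. Pinning the script to a commit SHA is good; make fetch failures explicit by downloading first: `curl -fsSL -o download-actionlint.bash "https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash"` followed by `bash download-actionlint.bash 1.6.23`. Whether that script verifies a checksum of the actionlint release it fetches is not visible here; if it does not, the SHA pin covers the script but not the binary. The new `check-workflows` job declares no `permissions:` while `analyse-code` does; add `permissions: contents: read` unless the workflow already sets a read-only top-level default outside this hunk.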
@@ -7,63 +7,44 @@ on: required: true SLACK_WEBHOOK_URL: required: true - jobs: publish-release: permissions: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: 'yarn' - uses: MetaMask/action-publish-release@v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/cache@v3 + - run: yarn build + - name: Upload build artifacts + uses: actions/upload-artifact@v4 with: + name: publish-release-artifacts-${{ github.sha }} + retention-days: 4 + include-hidden-files: true path: | ./dist ./node_modules/.yarn-state.yml - key: ${{ github.sha }} - - run: yarn --immutable - - run: yarn build publish-npm-dry-run: needs: publish-release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - node-version-file: '.nvmrc' - cache: 'yarn' - - uses: actions/cache@v3 - with: - path: | - ./dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + name: publish-release-artifacts-${{ github.sha }} - name: Dry Run Publish # omit npm-token token to perform dry run publish uses: MetaMask/action-npm-publish@v5 
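Review bot: `include-hidden-files: true` on the `publish-release-artifacts-${{ github.sha }}` upload is required for `./node_modules/.yarn-state.yml`, but it also captures any dotfile that `yarn build` leaves under `./dist`, and run artifacts are downloadable by anyone with Actions read access (everyone, on a public repository), so confirm the build emits nothing sensitive there. The dry-run and publish jobs now take `dist` verbatim from this artifact, so the `yarn build` in this job is the only build that ever reaches npm; say so on the upload step: `# This artifact is the exact payload published to npm by publish-npm-dry-run and publish-npm.` The artifact name keyed on `github.sha` is scoped to this run and, with `upload-artifact@v4`, a second upload under the same name fails rather than overwrites unless `overwrite: true` is set, so substitution by another run is not a concern; `retention-days: 4` is a sensible bound for a release pipeline.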
@@ -78,26 +59,15 @@ jobs: runs-on: ubuntu-latest environment: npm-publish steps: - - uses: actions/checkout@v4 + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v1 with: + is-high-risk-environment: true ref: ${{ github.sha }} - - name: Install Corepack via Node - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - - name: Install Yarn - run: corepack enable - - name: Restore Yarn cache - uses: actions/setup-node@v4 - with: - node-version-file: '.nvmrc' - cache: 'yarn' - - uses: actions/cache@v3 + - name: Restore build artifacts + uses: actions/download-artifact@v4 with: - path: | - ./dist - ./node_modules/.yarn-state.yml - key: ${{ github.sha }} + name: publish-release-artifacts-${{ github.sha }} - name: Publish uses: MetaMask/action-npm-publish@v5 with: diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml new file mode 100644 index 00000000..ababbbeb --- /dev/null +++ b/.github/workflows/security-code-scanner.yml @@ -0,0 +1,47 @@ +name: MetaMask Security Code Scanner + +on: + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false + workflow_dispatch: + +jobs: + run-security-scan: + name: Run security scan + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Analyse code + uses: MetaMask/action-security-code-scanner@v1 + with: + repo: ${{ github.repository }} + paths_ignored: | + .storybook/ + '**/__snapshots__/' + '**/*.snap' + '**/*.stories.js' + '**/*.stories.tsx' + '**/*.test.browser.ts*' + '**/*.test.js*' + '**/*.test.ts*' + '**/fixtures/' + '**/jest.config.js' + '**/jest.environment.js' + '**/mocks/' + '**/test*/' + docs/ + e2e/ + merged-packages/ + node_modules + storybook/ + test*/ + rules_excluded: example + project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
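Review bot: The `publish-npm` job runs in the `npm-publish` environment that carries the npm token, yet `MetaMask/action-checkout-and-setup@v1`, `actions/download-artifact@v4` and `MetaMask/action-npm-publish@v5` are all referenced by mutable major tags; a single moved tag in that chain can exfiltrate the token. For the one job in this repository that holds a publishing credential, pin each action to a full commit SHA with the tag as a trailing comment, e.g. `uses: MetaMask/action-checkout-and-setup@<40-hex-sha> # v1`. Dropping the install step here is an improvement — the job now publishes exactly the `dist` produced upstream rather than anything a fresh install could introduce — but the `with:` block of the publish step continues outside this hunk, so the token handling itself is not reviewed here.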
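Review bot: Inside the `paths_ignored: |` literal block scalar the single quotes are part of the value, so the action receives `'**/__snapshots__/'` with its quote characters while neighbouring entries such as `docs/` and `node_modules` are bare; unless `MetaMask/action-security-code-scanner` strips quotes (not visible here), those glob entries will not match and snapshot and test files end up in the scan. Make the list uniform and unquoted — `**/__snapshots__/`, `**/*.snap`, `**/*.stories.js`, and so on — since a literal block needs no YAML quoting. `rules_excluded: example` reads like a template placeholder; if no rule named `example` exists, replace it with the real exclusion or drop the key, and comment why any rule is excluded. The job's `permissions` are correctly limited to `actions: read`, `contents: read`, `security-events: write`, and marking both secrets `required: false` lets fork pull requests (where secrets are empty) still run the scan.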