Merge pull request #561 from ForgeRock/changeset-release/master

Release PR

Author: ancheetah

.github/actions/setup-publish/action.yml

@@ -0,0 +1,77 @@
+name: Setup publish
+description: Setup steps for publishing packages
+
+inputs:
+  CODECOV_TOKEN:
+    description: 'Codecov token for uploading coverage reports'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Install pnpm
+      uses: pnpm/action-setup@v4
+      with:
+        run_install: false # don't install any packages yet
+
+    - name: Install Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version-file: '.node-version'
+        cache: 'pnpm' # package manager for caching
+        registry-url: 'https://registry.npmjs.org'
+
+    # Update npm to latest for provenance
+    - name: Update npm
+      run: npm install -g npm@latest
+      shell: bash
+
+    - name: Install dependencies from lockfile
+      run: pnpm install --frozen-lockfile
+      shell: bash
+
+    # Allocate nx tasks across multiple machines/agents in the cloud
+    # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
+    # https://nx.dev/docs/features/ci-features/distribute-task-execution
+    - name: Enable distribution of nx tasks to cloud agents
+      run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
+      shell: bash
+      env:
+        CODECOV_TOKEN: ${{ inputs.CODECOV_TOKEN }}
+
+    # https://github.com/microsoft/playwright/issues/7249#issuecomment-1256878540
+    - name: Cache Playwright browsers
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-playwright-
+
+    - name: Install Playwright browsers
+      run: pnpm exec playwright install
+      shell: bash
+
+    - name: Derive SHAs for `nx affected`
+      uses: nrwl/nx-set-shas@v4
+      with:
+        main-branch-name: master
+
+    - name: Run build, lint, test, and e2e for projects changed
+      run: pnpm exec nx affected -t build lint test e2e-ci --agents
+      shell: bash
+
+    - name: Save Playwright test results
+      uses: actions/upload-artifact@v4
+      if: ${{ !cancelled() }}
+      with:
+        name: playwright-report
+        path: |
+          ./**/.playwright/**
+          ./dist/.playwright/**
+          ./dist/**
+        retention-days: 30
+
+    - name: Ensure builds for all packages before publishing
+      run: pnpm exec nx run-many -t build --no-agents # --no-agents to run in CI without distributing to agents
+      shell: bash

.github/workflows/ci-fork.yml

@@ -0,0 +1,57 @@
+name: ForgeRock Fork Pull Request CI
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  pr:
+    # Only run for forks
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # head commit is fine; the default merge ref also works on pull_request
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+
+      - run: pnpm install --frozen-lockfile
+
+      # Restore-only cache to avoid save attempts/noise on forks
+      - name: Restore Playwright browsers cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - run: pnpm exec playwright install --with-deps
+
+      - uses: nrwl/nx-set-shas@v4
+
+      # Needed so nx affected can diff against main
+      - run: git branch --track main origin/main || true
+
+      - run: pnpm nx format:check
+      - run: pnpm nx affected -t build typecheck lint test e2e-ci

.github/workflows/ci.yml

@@ -4,9 +4,9 @@ on:
 env:
   NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-  NX_CLOUD_DISTRIBUTED_EXECUTION: true
 jobs:
   pr:
+    if: ${{github.event.pull_request.head.repo.full_name == github.repository}}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -25,7 +25,7 @@ jobs:
 
       # This line enables distribution
       # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
-      - run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --verbose
+      - run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci"
 
       - run: pnpm exec playwright install
 
@@ -34,7 +34,7 @@ jobs:
       - run: git branch --track develop origin/develop
 
       - run: pnpm exec nx-cloud record -- nx format:check --verbose
-      - run: pnpm exec nx affected -t build lint test docs e2e-ci --verbose
+      - run: pnpm exec nx affected -t build lint test docs e2e-ci
 
       - uses: codecov/codecov-action@v5
         with:

.github/workflows/publish.yml

@@ -4,86 +4,88 @@ on:
     branches:
       - master
       - develop
+  workflow_dispatch:
+    inputs:
+      snapshot_tag:
+        description: 'changesets snapshot tag (beta/canary)'
+        required: false
+        default: 'beta'
+        type: string
+      npm_tag:
+        description: 'npm tag for publishing snapshot'
+        required: false
+        default: 'beta'
+        type: string
+      npm_access:
+        description: 'access level for publishing snapshot to npm'
+        required: false
+        default: 'public'
+        type: choice
+        options:
+          - public
+          - restricted
 env:
   NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  SLACK_WEBHOOK_URL_BETA: ${{ secrets.SLACK_WEBHOOK_URL_BETA }}
   NX_CLOUD_DISTRIBUTED_EXECUTION: true
-  PNPM_CACHE_FOLDER: .pnpm-store
-  NPM_ACCESS_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
   HUSKY: 0
+  CI: true
 
 jobs:
+  # On push to develop/master, create or update release PR or publish to npm
   publish-or-pr:
+    if: github.event_name == 'push'
+    name: Create/update release PR or publish to npm
     permissions:
       contents: write #  to create release (changesets/action)
       issues: write # to post issue comments (changesets/action)
       pull-requests: write #  to create pull request (changesets/action)
-      id-token: write # give id token write for provenance
+      id-token: write # OIDC for provenance if npm publish happens here
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-      - uses: actions/setup-node@v4
-        id: cache
-        with:
-          node-version: '20.10.0'
-          cache: 'pnpm'
-
-      - run: pnpm install --frozen-lockfile
-
-      # This line enables distribution
-      # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
-      - run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --verbose
-
-      - run: pnpm exec playwright install
+      - name: Branch name
+        run: |
+          echo "Checking out branch: ${{ github.ref_name }}"
 
-      - uses: nrwl/nx-set-shas@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
         with:
-          main-branch-name: master
-
-      - name: setup pnpm config
-        run: pnpm config set store-dir $PNPM_CACHE_FOLDER
-
-      - run: pnpm exec nx affected -t build lint test e2e-ci --verbose
+          fetch-depth: 0
 
-      - uses: actions/upload-artifact@v4
-        if: ${{ !cancelled() }}
+      - name: Setup publish
+        uses: ./.github/actions/setup-publish
         with:
-          name: playwright-report
-          path: |
-            ./dist/.playwright/**
-            ./dist/**
-          retention-days: 30
-
-      # make sure we have a build.
-      - run: pnpm exec nx run-many -t build
-        env:
-          NX_CLOUD_DISTRIBUTED_EXECUTION: false
+          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 
-      - run: git status
-      - name: publish
+      # This action creates a release pull request with all of
+      # the package versions and changelogs updated. When there
+      # are new changesets on your configured baseBranch, the PR will
+      # be updated. When you're ready, you can merge the release PR
+      # and the action will publish to npm for you.
+      # https://github.com/changesets/action
+      - name: Create/update release PR or publish to npm
         uses: changesets/action@v1
         id: changesets
         with:
-          publish: pnpm ci:release
-          version: pnpm ci:version
-          title: Release PR
-          branch: master
-          commit: 'chore: version-packages'
+          publish: pnpm ci:release # command to tag and publish packages
+          version: pnpm ci:version # command to update version, edit changelog, read and delete changesets
+          branch: master # the branch to base the release PR against
+          title: Release PR # title for the release PR
+          commit: 'chore: version-packages' # the commit message to use
           setupGitUser: true
         env:
-          # See https://github.com/changesets/action/issues/147
-          HOME: ${{ github.workspace }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: 'true'
-          NPM_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
-
-      - name: rebase develop with main on publish
-        if: ${{ steps.changesets.outputs.published == 'true' }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+
+      - name: Publish previews to Stackblitz on PR
+        if: steps.changesets.outputs.published == 'false'
+        run: pnpm pkg-pr-new publish './packages/*' --packageManager=pnpm --comment=off
+
+      - name: Rebase develop with master on publish
+        if: steps.changesets.outputs.published == 'true'
         run: |
           git restore .
           git checkout master
@@ -95,10 +97,73 @@ jobs:
           git rebase master
           git push -f
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+
+      - name: Format published packages for Slack
+        if: steps.changesets.outputs.published == 'true'
+        id: format-packages
+        run: |
+          PACKAGES=$(echo '${{ steps.changesets.outputs.publishedPackages }}' | jq -r '.[] | ":package: *\(.name)* `\(.version)`"')
+          echo "formatted<<EOF" >> $GITHUB_OUTPUT
+          echo "$PACKAGES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
 
-      - uses: codecov/codecov-action@v5
+      - name: Send GitHub Action data to a Slack workflow
+        if: steps.changesets.outputs.published == 'true'
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          payload-delimiter: '_'
+          webhook: ${{ env.SLACK_WEBHOOK_URL }}
+          webhook-type: webhook-trigger
+          payload: |
+            publishedPackages: ${{ steps.format-packages.outputs.formatted }}
+
+      - name: Run code coverage
+        uses: codecov/codecov-action@v5
         with:
           files: ./packages/**/coverage/*.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ env.CODECOV_TOKEN }}
+
+  snapshot:
+    # On manual trigger of GH action, publish a snapshot release to npm
+    if: github.event_name == 'workflow_dispatch'
+    name: Publish snapshot/beta release to npm
+    permissions:
+      contents: read
+      id-token: write # OIDC for provenance when npm publish happens
+    runs-on: ubuntu-latest
+    steps:
+      - name: Branch name
+        run: |
+          echo "Checking out branch: ${{ github.ref_name }}"
+
+      # Checkout the branch selected when triggering the workflow
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup publish
+        uses: ./.github/actions/setup-publish
+        with:
+          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
+
+      - name: Version packages for snapshot
+        run: pnpm changeset version --snapshot ${{ inputs.snapshot_tag }}
+        env:
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+
+      - name: Publish packages snapshot with npm_tag
+        id: npmpublish
+        run: pnpm publish -r --tag ${{ inputs.npm_tag }} --no-git-checks --access ${{ inputs.npm_access }}
+
+      - name: Send GitHub Action data to a Slack workflow
+        if: steps.npmpublish.outcome == 'success'
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          payload-delimiter: '_'
+          webhook: ${{ env.SLACK_WEBHOOK_URL_BETA }}
+          webhook-type: webhook-trigger
+          payload: |
+            npmTag: "${{ inputs.npm_tag }}"
+            publishedPackages: ""

.node-version

@@ -1 +1 @@
-v20
+20

.npmrc

@@ -1,4 +1 @@
-link-workspace-packages=true
-strict-peer-dependencies=false
-save-workspace-protocol=rolling
-save-prefix=""
+registry=https://registry.npmjs.org/