From 77237219dd6447de40c17a4377be146b16597474 Mon Sep 17 00:00:00 2001 
From: Shane Savoie Date: Wed, 1 Jul 2026 09:26:52 -0700 Subject: [PATCH] chore(ci): swap release-please path to step-security fork on node 24 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces `google-github-actions/release-please-action@v3.7.13` (node 16, archived upstream) with `step-security/release-please-action-oss@v6.0.2` (node 24, step-security-maintained fork of release-please-oss v6.0.2) in the `release:` job of `conventional-commit-release.yaml`. Eliminates the last node 16 runtime dependency in this workflow, which today surfaces as a "node 20 is being deprecated" warning on every downstream call because github is force-upgrading the node 16 runtime to node 24 during the deprecation grace period. why this action: - `step-security/release-please-action-oss@v6.0.2` is a direct fork of `release-please-oss/release-please-action@v6.0.2` — same v6.0.2 tag, same JS source, `comm` diff of `action.yml` inputs shows zero drift, including the `config-overrides-json` input we need. - covered by the org-wide `step-security/*` wildcard allowlist in stepsecurity policy — no policy PR needed. what changes for callers: - zero workflow-input changes. every v3 inline action input (`changelog-types`, `include-v-in-tag`, `pull-request-title-pattern`, `extra-files`, `package-name`) is preserved as a reusable-workflow input and translated into a single `config-overrides-json` JSON string built in a new `build-config-overrides` step. - the four downstream callers (`circle-nodejs-sdk`, `buidl-wallet-contracts`, `terraform-provider-quicknode`, `circle-ooak`) need no changes. translation mechanics: - `default-branch` -> `target-branch` (renamed in v6). - `changelog-types` -> `config-overrides-json.changelog-sections`. - `include-v-in-tag`, `pull-request-title-pattern`, `extra-files`, `package-name` -> same keys under `config-overrides-json`. 
- `extra_files` (newline- or comma-separated string in v3) is normalized to a JSON array via a jq pipeline that trims per-entry whitespace and drops blank entries, so both v3 input shapes stay compatible. `release-type` + `config-overrides-json` puts release-please in inline-config mode (`Manifest.fromConfig`), preserving v3 behavior without requiring callers to commit a `release-please-config.json` file. outputs unchanged. for a single-component (root path '.') release, the per-path outputs (`release_created`, `tag_name`, `major`, `minor`, `pr`) are emitted unprefixed at the step level via `setPathOutput('.', key, val)` -> `core.setOutput(key, val)`, matching the v3 output shape that the `create additional tags` and `checkout release branch` steps consume.
---
.../conventional-commit-release.yaml | 53 ++++++++++++++++---
1 file changed, 45 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index 0cd5d35..38572d9 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -246,17 +246,54 @@ jobs: core.setOutput("changelog-types-json", JSON.stringify(changelogTypes)); - - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13 + # Build the JSON object passed to OSS v6 as `config-overrides-json`. The + # OSS fork dropped the v3-era inline action inputs (changelog-types, + # include-v-in-tag, pull-request-title-pattern, extra-files, package-name) + # and accepts them as a single JSON string instead. `release-type` + this + # JSON makes release-please run in inline-config mode + # (Manifest.fromConfig), preserving the v3 behavior without requiring + # callers to commit a release-please-config.json file. + - name: Build release-please config-overrides JSON + id: build-config-overrides + env: + PKG_NAME: ${{ github.event.repository.name }} + CHANGELOG_SECTIONS: ${{ steps.merge-changelog-types.outputs.changelog-types-json }} + INCLUDE_V_IN_TAG: ${{ inputs.include_v_in_tag }} + PR_TITLE_PATTERN: ${{ inputs.pull_request_title_template }} + EXTRA_FILES: ${{ inputs.extra_files }} + run: | + # v3 accepted extra-files as a newline- or comma-separated string; + # OSS v6 expects a JSON array. Split on either delimiter, trim + # per-entry whitespace so "a, b, c" -> ["a","b","c"], drop blanks. + if [ -n "${EXTRA_FILES:-}" ]; then + extra_files_json=$(printf '%s\n' "$EXTRA_FILES" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | sed '/^$/d' | jq -R . | jq -s -c .) 
+ else + extra_files_json='[]' + fi + + overrides=$(jq -n -c \ + --arg pkg "$PKG_NAME" \ + --argjson sections "$CHANGELOG_SECTIONS" \ + --argjson v_in_tag "$INCLUDE_V_IN_TAG" \ + --arg pr_title "$PR_TITLE_PATTERN" \ + --argjson extra_files "$extra_files_json" \ + '{ + "package-name": $pkg, + "changelog-sections": $sections, + "include-v-in-tag": $v_in_tag, + "pull-request-title-pattern": $pr_title, + "extra-files": $extra_files + }') + + echo "json=$overrides" >> "$GITHUB_OUTPUT" + + - uses: step-security/release-please-action-oss@af33b76a7bcd035c1d8837e0190cbf85f719e158 # v6.0.2 id: release with: - default-branch: ${{ github.event.repository.default_branch }} - release-type: ${{ inputs.release_type }} - package-name: ${{ github.event.repository.name }} - changelog-types: ${{ steps.merge-changelog-types.outputs.changelog-types-json }} - include-v-in-tag: ${{ inputs.include_v_in_tag }} - pull-request-title-pattern: ${{ inputs.pull_request_title_template }} - extra-files: ${{ inputs.extra_files }} token: ${{ secrets.RELEASE_TOKEN }} + target-branch: ${{ github.event.repository.default_branch }} + release-type: ${{ inputs.release_type }} + config-overrides-json: ${{ steps.build-config-overrides.outputs.json }} - name: Checkout Release Branch
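Review bot: In the `build-config-overrides` step, `--argjson v_in_tag "$INCLUDE_V_IN_TAG"` and `--argjson sections "$CHANGELOG_SECTIONS"` abort the step with a jq parse error whenever either value is empty or not valid JSON, and the filter always emits `pull-request-title-pattern` and `extra-files` even when the caller left them unset. The input declarations and their defaults are outside this hunk, so this may already be covered, but if `pull_request_title_template` can be empty the override would presumably replace release-please's default title pattern with `""`; ending the jq filter with `| with_entries(select(.value != "" and .value != []))` drops unset keys instead. The step has no `shell:` key, so unless a workflow-level default sets one it runs without `pipefail` and a failure of `tr` or `sed` inside the `extra_files_json` pipeline goes undetected; add `set -euo pipefail` as the first line of `run:`. Passing the inputs through `env:` rather than expanding `${{ }}` inside the script is the right pattern against script injection and should stay. Because `secrets.RELEASE_TOKEN` is now handed to a different publisher's action, confirm that the pinned SHA is the commit the `v6.0.2` tag points to, since the trailing comment cannot be checked from this diff.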