Skip to content

Create release

Create release #254

Workflow file for this run

#TODO: Split into smaller chunks/actions/reusable workflows
name: Create release
on:
workflow_dispatch:
inputs:
version:
description: '⚠ be sure of yourself ⚠'
required: false
default: ''
debug:
description: 'Add DEBUG=* to the env if true'
type: boolean
default: false
required: false
env:
E2E_USE_NPM_REGISTRY: true
# Platform environment to log into for the e2e tests.
PLATFORM_ENV: 'stg'
# Username used to log into the organization whose ID is stored in the ORG_ID variable
PLATFORM_USER_NAME: ${{ secrets.PLATFORM_USER_NAME }}
# Password used to log into the organization whose ID is stored in the ORG_ID variable
PLATFORM_USER_PASSWORD: ${{ secrets.PLATFORM_USER_PASSWORD }}
# API key to delete all the API keys created by the e2e tests
PLATFORM_API_KEY: ${{ secrets.PLATFORM_API_KEY }}
# ID of the organization to log into for the e2e tests
ORG_ID: ${{ secrets.ORG_ID }}
# Passphrase use to encode/decode cliConfig
E2E_TOKEN_PASSPHRASE: ${{ secrets.E2E_TOKEN_PASSPHRASE }}
jobs:
e2e-setup-login:
name: End-to-end login
runs-on: 'ubuntu-20.04'
timeout-minutes: 30
outputs:
cliConfigJson: ${{ steps.setup.outputs.cliConfigJson}}
env:
# ID of the test run to identify resources to teardown.
TEST_RUN_ID: 'idubuntu-20.04-${{ github.sha }}-${{ github.run_attempt }}-releaseg'
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
cache: 'npm'
node-version-file: '.nvmrc'
- name: Install Coveo CLI
run: npm i -g @coveo/cli@latest
- uses: ./.github/actions/e2e-login
id: setup
release-npm:
environment: 'Release'
runs-on: ubuntu-20.04
env:
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master
outputs:
shouldReleaseCli: $${{steps.release.outputs.shouldReleaseCli}}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
node-version-file: '.nvmrc'
- name: Install dependencies
run: npm ci
- name: Release NPM
run: npm run release:npm
id: release
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
VERSION: ${{ inputs.version }}
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
DEBUG: ${{ inputs.debug && '*' || '' }}
- name: Prepare artifacts
run: |
git add .
git commit -m "patch"
git format-patch HEAD^1 --output=release.patch
- name: Upload artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
with:
name: npm-release
path: |
release.patch
.git-message
# RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }}
# RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }}
# RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }}
# RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }}
# RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }}
# DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
e2e:
name: End-to-end tests
runs-on: ubuntu-20.04
needs: [release-npm, e2e-setup-login]
timeout-minutes: 60
env:
TEST_RUN_ID: 'idubuntu-20.04-${{ github.sha }}-${{ github.run_attempt }}-releaseg' # ID of the test run to identify resources to teardown.
COVEO_DISABLE_AUTOUPDATE: true
CLI_CONFIG_JSON: ${{needs.e2e-setup-login.outputs.cliConfigJson}}
strategy:
fail-fast: false
matrix:
spec:
[
'angular.specs.ts',
'atomic.specs.ts',
'auth.specs.ci.ts',
'orgList.specs.ts',
'orgResources.specs.ts',
'react.specs.ts',
'vue.specs.ts',
]
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
node-version-file: '.nvmrc'
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: npm-release
- name: Apply & delete the patch
run: |
git apply release.patch
rm release.patch
- name: Install dependencies
run: npm ci
- name: Install Coveo CLI
run: npm i -g @coveo/cli@latest
- uses: ./.github/actions/e2e-run
with:
os: 'ubuntu-20.04'
node: 18
spec: ${{ matrix.spec }}
cliConfigJson: ${{ env.CLI_CONFIG_JSON }}
jestFlags: '-u'
- name: Find modified Snapshots
id: snapshots-path
run: |
{
echo 'snapshotsPath<<EOF'
git diff --name-only **/*.snap
echo EOF
} >> "$GITHUB_OUTPUT"
- name: Upload Jest Snapshots
if: ${{ steps.snapshots-path.outputs.snapshotsPath != ''}}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
with:
name: release-e2e-snaps
path: ${{ steps.snapshots-path.outputs.snapshotsPath }}
e2e-teardown:
name: End-to-end teardown
if: ${{ always() }}
needs: [e2e, e2e-setup-login]
runs-on: ubuntu-20.04
env:
# ID of the test run to identify resources to teardown.
TEST_RUN_ID: '${{ github.sha }}-${{ github.run_attempt }}-releaseg'
CLI_CONFIG_JSON: ${{needs.e2e-setup-login.outputs.cliConfigJson}}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
# pulls all tags (needed for computing the next version)
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
- name: Checkout last tag
run: git checkout $(git describe --abbrev=0 --tags)
- uses: ./.github/actions/e2e-clean
with:
cliConfigJson: ${{ env.CLI_CONFIG_JSON }}
unit-tests:
name: Unit Tests
runs-on: 'ubuntu-20.04'
needs: [release-npm]
steps:
- name: Setup runner
# Ensure we can use as many file watcher as we want. see https://github.com/facebook/create-react-app/blob/master/docusaurus/docs/troubleshooting.md#npm-start-fail-due-to-watch-error
run: echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
cache: 'npm'
node-version-file: '.nvmrc'
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: npm-release
- name: Apply & delete the patch
run: |
git apply release.patch
rm release.patch
- name: Setup repo
run: npm ci
- name: Build
run: npm run build
- name: Tests
run: npm run test:ci:snap
- name: Find modified Snapshots
id: snapshots-path
run: |
{
echo 'snapshotsPath<<EOF'
git diff --name-only **/*.snap
echo EOF
} >> "$GITHUB_OUTPUT"
- name: Upload Jest Snapshots
if: ${{ steps.snapshots-path.outputs.snapshotsPath != ''}}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
with:
name: release-e2e-snaps
path: ${{ steps.snapshots-path.outputs.snapshotsPath }}
release-git:
needs: [e2e, release-npm, unit-tests]
environment: 'Release'
runs-on: ubuntu-20.04
env:
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
node-version-file: '.nvmrc'
- name: Download NPM artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: npm-release
- name: Apply & delete the patch
run: |
git apply release.patch
rm release.patch
- name: Download E2E artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: release-e2e-snaps
- name: Install dependencies
run: npm ci
- name: Release Git
run: npm run release:git
env:
VERSION: ${{ inputs.version }}
DEBUG: ${{ inputs.debug && '*' || '' }}
RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }}
RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }}
RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }}
RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }}
RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }}
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
build-binaries:
needs: [release-npm]
if: ${{needs.release-npm.outputs.shouldReleaseCli}}
environment: 'Release'
env:
GITHUB_CREDENTIALS: ${{ secrets.GITHUB_TOKEN }}
# Base64 of the certificat
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
# Certificat password
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
# Keychain password
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
# Apple developer email, the same used for the Apple Developer subscription
MACOS_APP_USERNAME: ${{ secrets.MACOS_APP_USERNAME }}
# App-specific password generated in apple.com for the notarization step
MACOS_APP_SPECIFIC_PWD: ${{ secrets.MACOS_APP_SPECIFIC_PWD }}
# Team ID from the Apple Developer subscription
MACOS_WWDR_TEAM_ID: ${{ secrets.MACOS_WWDR_TEAM_ID }}
name: Package for ${{ matrix.for }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
pack-command: ' macos'
for: 'macos install kit'
- os: windows-latest
pack-command: ' win'
for: 'windows install kit'
- os: ubuntu-20.04
pack-command: ' deb'
for: 'linux install kit'
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for finding the @coveo/cli version to release)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
node-version-file: '.nvmrc'
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: npm-release
- name: Apply & delete the patch
run: |
git apply release.patch
rm release.patch
- name: Install dependencies
run: npm ci
- name: Get CLI version
run: |
{
printf "CLI_VERSION="
cat packages/cli/core/package.json | jq -r '.version'
} >> "$GITHUB_ENV"
- name: Build
run: npm run build
- name: Setup Temporary Keychain
if: ${{matrix.os == 'macos-latest'}}
run: |
echo "Decoding base64 certificate"
echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
echo "Creating temporary keychain"
security create-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
echo "Adding certificate to keychain"
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign -T /usr/bin/productsign
echo "Enabling productsign from a non user interactive shell"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_KEYCHAIN_PWD" build.keychain
- name: Create install kits
working-directory: ./packages/cli/core
run: ../../../node_modules/oclif/bin/run pack${{ matrix.pack-command }}
- name: Create packages
working-directory: ./packages/cli/core
if: ${{matrix.os == 'ubuntu-20.04'}}
run: ../../../node_modules/oclif/bin/run pack tarballs
- name: Get commit hash of binaries
run: node ../../../scripts/get-commit-short-hash.mjs
working-directory: ./packages/cli/core
- name: Sign Executable (Windows)
working-directory: ./packages/cli/core
if: ${{matrix.os == 'windows-latest'}}
run: |
New-Item -Force -ItemType directory -Path tmp
echo "${{ secrets.COVEO_PFX }}" > ./tmp/cert.txt
certutil -decode ./tmp/cert.txt ./tmp/cert.pfx
Start-Process -FilePath "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" -ArgumentList "sign /f ./tmp/cert.pfx /p ${{ secrets.COVEO_PFX_PWD }} /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ./dist/win32/coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64.exe" -PassThru | Wait-Process
Start-Process -FilePath "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" -ArgumentList "sign /f ./tmp/cert.pfx /p ${{ secrets.COVEO_PFX_PWD }} /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ./dist/win32/coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x86.exe" -PassThru | Wait-Process
- name: Sign Executable (macOS)
working-directory: ./packages/cli/core/dist/macos
if: ${{matrix.os == 'macos-latest'}}
run: |
echo "Signing for ARM64 architecture"
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
productsign --sign $MACOS_WWDR_TEAM_ID coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64.pkg coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64-signed.pkg --keychain build.keychain
echo "Signing for X64 architecture"
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
productsign --sign $MACOS_WWDR_TEAM_ID coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64.pkg coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64-signed.pkg --keychain build.keychain
- name: Notarize Executable (macOS)
working-directory: ./packages/cli/core/dist/macos
if: ${{matrix.os == 'macos-latest'}}
run: |
echo "Unlocking the keychain"
security unlock-keychain -p "$MACOS_KEYCHAIN_PWD" build.keychain
echo "Creating keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.MACOS_APP_USERNAME }}" --team-id "${{ secrets.MACOS_WWDR_TEAM_ID }}" --password "${{ secrets.MACOS_APP_SPECIFIC_PWD }}"
echo "Creating temp notarization archive"
ditto -c -k --keepParent "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64-signed.pkg" "notarization-arm64.zip"
ditto -c -k --keepParent "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64-signed.pkg" "notarization-x64.zip"
echo "Notarizing app"
xcrun notarytool submit "notarization-arm64.zip" --keychain-profile "notarytool-profile" --wait
xcrun notarytool submit "notarization-x64.zip" --keychain-profile "notarytool-profile" --wait
echo "Attaching staple"
xcrun stapler staple "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64-signed.pkg"
xcrun stapler staple "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64-signed.pkg"
echo "Deleting unsigned packages"
mv "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64-signed.pkg" "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-x64.pkg"
mv "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64-signed.pkg" "coveo-v${{env.CLI_VERSION}}-${{env.commitSHA1}}-arm64.pkg"
rm notarization-arm64.zip notarization-x64.zip
- name: Upload binaries
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
with:
name: release-binaries
path: ./packages/cli/core/dist/**/*
release-github:
needs: [release-git, release-npm, build-binaries]
if: ${{needs.release-npm.outputs.shouldReleaseCli}}
environment: 'Release'
runs-on: ubuntu-20.04
env:
GITHUB_CREDENTIALS: ${{ secrets.CLI_RELEASE }} # Required to lock master
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
with:
# pulls all commits (needed for computing the next version)
fetch-depth: 0
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
with:
registry-url: 'https://registry.npmjs.org'
cache: 'npm'
node-version-file: '.nvmrc'
- name: Download NPM artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: npm-release
- name: Download binaries artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: release-binaries
path: release-binaries
- name: Apply & delete the patch
run: |
git apply release.patch
rm release.patch
- name: Install dependencies
run: npm ci
- name: Release GitHub
run: npm run release:github
env:
VERSION: ${{ inputs.version }}
DEBUG: ${{ inputs.debug && '*' || '' }}
RELEASER_APP_ID: ${{ secrets.RELEASER_APP_ID }}
RELEASER_PRIVATE_KEY: ${{ secrets.RELEASER_PRIVATE_KEY }}
RELEASER_CLIENT_ID: ${{ secrets.RELEASER_CLIENT_ID }}
RELEASER_CLIENT_SECRET: ${{ secrets.RELEASER_CLIENT_SECRET }}
RELEASER_INSTALLATION_ID: ${{ secrets.RELEASER_INSTALLATION_ID }}
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
- name: Upload binaries
uses: svenstaro/upload-release-action@7319e4733ec7a184d739a6f412c40ffc339b69c7 # 2.5.0
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ./release-binaries/**/*
file_glob: true
tag: ${{ env.tag }}