chore: Add v1.14.2 changeset file (#477)

* Add the missing package.json script * Add defender sdk v1.14.2 changeset file * Add ability to perform a prerelease * Refactor the workflows to support snapshot release * Remove unused workflows * Run tests before publish
OpenZeppelin · Jul 21, 2024 · 19cd7a9 · 19cd7a9
1 parent a0a82d5
commit 19cd7a9
Show file tree

Hide file tree

Showing 10 changed files with 242 additions and 341 deletions.
diff --git a/.changeset/strange-squids-turn.md b/.changeset/strange-squids-turn.md
@@ -0,0 +1,44 @@
+---
+'@openzeppelin/defender-sdk-example-create-action': patch
+'@openzeppelin/defender-sdk-example-create-batch-proposal': patch
+'@openzeppelin/defender-sdk-example-create-forked-network': patch
+'@openzeppelin/defender-sdk-example-create-monitor': patch
+'@openzeppelin/defender-sdk-example-create-private-network': patch
+'@openzeppelin/defender-sdk-example-create-proposal': patch
+'example-create-relayer': patch
+'example-create-relayer-key': patch
+'@openzeppelin/defender-sdk-example-rollup': patch
+'@openzeppelin/defender-sdk-example-deploy-contract': patch
+'@openzeppelin/defender-sdk-example-ethers-signer-v5': patch
+'@openzeppelin/defender-sdk-example-ethers-signer': patch
+'@openzeppelin/defender-sdk-example-get-usage': patch
+'@openzeppelin/defender-sdk-example-list-contracts': patch
+'@openzeppelin/defender-sdk-example-list-networks': patch
+'@openzeppelin/defender-sdk-example-list-proposals': patch
+'@openzeppelin/defender-sdk-example-relayer-contract-function': patch
+'@openzeppelin/defender-sdk-example-relayer-load-balance': patch
+'@openzeppelin/defender-sdk-example-relay-signer-action': patch
+'@openzeppelin/defender-sdk-example-relayer-signer-auth-v2': patch
+'@openzeppelin/defender-sdk-example-web3-provider': patch
+'@openzeppelin/defender-sdk-example-simulate-proposal': patch
+'@openzeppelin/defender-sdk-example-update-action': patch
+'@openzeppelin/defender-sdk-example-update-action-env-variables': patch
+'@openzeppelin/defender-sdk-example-update-monitor': patch
+'@openzeppelin/defender-sdk-example-update-relayer': patch
+'@openzeppelin/defender-sdk-example-upgrade-contract': patch
+'@openzeppelin/defender-sdk-example-webhook': patch
+'@openzeppelin/defender-sdk-account-client': patch
+'@openzeppelin/defender-sdk-action-client': patch
+'@openzeppelin/defender-sdk-base-client': patch
+'@openzeppelin/defender-sdk': patch
+'@openzeppelin/defender-sdk-deploy-client': patch
+'@openzeppelin/defender-sdk-monitor-client': patch
+'@openzeppelin/defender-sdk-network-client': patch
+'@openzeppelin/defender-sdk-notification-channel-client': patch
+'@openzeppelin/defender-sdk-proposal-client': patch
+'@openzeppelin/defender-sdk-relay-client': patch
+'@openzeppelin/defender-sdk-relay-signer-client': patch
+---
+
+feat: Add relayers usage limiting
+feat: Add an example contract call
diff --git a/.github/workflows/version-or-publish.yml → .github/workflows/publish-snapshot.yml b/.github/workflows/version-or-publish.yml → .github/workflows/publish-snapshot.yml
@@ -1,12 +1,7 @@
-name: Version or Publish Package
+name: Version or Publish Snapshot
 
 on:
   workflow_dispatch:
-    inputs:
-      version_tag:
-        required: true
-        description: The release version
-        type: string
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -81,41 +76,19 @@ jobs:
         run: |
           set -euo pipefail
           cd "${{ steps.temp-dir.outputs.path }}"
-          tar -xzvf "${{ needs.provenance.outputs.package-name }}" -C $GITHUB_WORKSPACE
+          tar -xzvf "${{ needs.provenance.outputs.package-name }}" -C $GITHUB_WORKSPACE --strip-components=1
+          cd "$GITHUB_WORKSPACE"
+          pnpm run install-deps
+          pnpm nx-test-skip-cache
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # v1.4.7
         with:
           setupGitUser: false
-          version: pnpm ci:version
+          version: pnpm ci:prerelease
           title: "ci: Update the version packages"
-          publish: pnpm release
-          cwd: "package"
+          publish: pnpm prerelease
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@95b086ac308035dc0850b3853be5b7ab108236a8
-        with:
-          artifact-name: sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json
-          output-file: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json
-          upload-artifact: false
-          upload-release-assets: false
-
-      - name: Download Artifacts
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
-
-      - name: Upload attestations SLSA
-        if: steps.changesets.outputs.id != ''
-        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0
-        with:
-          subject-path: ${{ needs.provenance.outputs.provenance-download-name }}
-          subject-name: ${{ github.event.repository.name }}-${{ inputs.version_tag }}
-
-      - name: Upload attestations SBOM
-        if: steps.changesets.outputs.id != ''
-        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0
-        with:
-          subject-path: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,59 +1,123 @@
-name: publish
+name: Version or Publish Package
 
 on:
-  push:
-    tags:
-      - 'v*.*.*'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      version_tag:
+        required: true
+        description: The release version
+        type: string
 
+concurrency: ${{ github.workflow }}-${{ github.ref }}
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  id-token: write
+  contents: write
+  attestations: write
+  actions: write
+  pull-requests: write
 
 jobs:
   provenance:
-    permissions:
-      id-token: write
-      contents: read
-      actions: read
-    if: |
-      (github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/v')) ||
-      (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-rc.'))
-    # Deterministic Build & tests
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
-      run-scripts: "install-deps, style, nx-build-skip-cache, nx-test-skip-cache, skip-lib-ignore"
+      run-scripts: "install-pnpm, install-deps, style, nx-build-skip-cache, nx-test-skip-cache, skip-lib-ignore"
       node-version: "20.11.1"
-      ## Remove after making repo public
-      rekor-log-public: true
-
-  publish:
-    needs: provenance
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write
-      checks: write
-      id-token: write # For signing
+
+  release:
+    needs: [provenance]
+    name: Version or Publish
+    runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
-      - name: Use node@20
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+      - name: Download Artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
+
+      - name: Checkout Repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
+        with:
+          token: ${{ secrets.SAI_PAT }}
+
+      - name: Prepare pre-requisites
+        uses: ./.github/actions/prepare
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef
+        with:
+          gpg_private_key: ${{ secrets.SVC_GPG_KEY }}
+          passphrase: ${{ secrets.SVC_GPG_PASSPHRASE }}
+          git_config_global: true
+          git_tag_gpgsign: true
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - name: Create temp dir
+        id: temp-dir
+        run: |
+          set -euo pipefail
+
+          temp_dir=$(mktemp -d)
+          echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"
+
+      - name: Download tarball
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main
+        with:
+          name: ${{ needs.provenance.outputs.package-download-name }}
+          path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}"
+          sha256: ${{ needs.provenance.outputs.package-download-sha256 }}
+
+      - name: Download provenance
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0
+        with:
+          name: ${{ needs.provenance.outputs.provenance-download-name }}
+          path: "${{ steps.temp-dir.outputs.path }}"
+          sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }}
+
+      - name: Unpack the zipped artifact
+        run: |
+          set -euo pipefail
+          cd "${{ steps.temp-dir.outputs.path }}"
+          tar -xzvf "${{ needs.provenance.outputs.package-name }}" -C $GITHUB_WORKSPACE --strip-components=1
+          cd "$GITHUB_WORKSPACE"
+          pnpm run install-deps
+          pnpm nx-test-skip-cache
+
+      - name: Create Release Pull Request or Publish to npm
+        id: changesets
+        uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # v1.4.7
+        with:
+          setupGitUser: false
+          version: pnpm ci:version
+          title: "ci: Update the version packages"
+          publish: pnpm release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@95b086ac308035dc0850b3853be5b7ab108236a8
+        with:
+          artifact-name: sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json
+          output-file: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+
+      - name: Upload attestations SLSA
+        if: steps.changesets.outputs.id != ''
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0
         with:
-          node-version: 20.11.1
+          subject-path: ${{ needs.provenance.outputs.provenance-download-name }}
+          subject-name: ${{ github.event.repository.name }}-${{ inputs.version_tag }}
 
-      - name: Publish to NPM
-        id: publish
-        uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@41733f74c025cc6d156547121989dd50fbc92364 # v2.0.0.pre.rc.0
+      - name: Upload attestations SBOM
+        if: steps.changesets.outputs.id != ''
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0
         with:
-          access: public
-          node-auth-token: ${{ secrets.NPM_TOKEN }}
-          package-name: ${{ needs.provenance.outputs.package-name }}
-          package-download-name: ${{ needs.provenance.outputs.package-download-name }}
-          package-download-sha256: ${{ needs.provenance.outputs.package-download-sha256 }}
-          provenance-name: ${{ needs.provenance.outputs.provenance-name }}
-          provenance-download-name: ${{ needs.provenance.outputs.provenance-download-name }}
-          provenance-download-sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }}
+          subject-path: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json