Merge branch 'main' into mble-sfdc-space-drain-set

heroku · Jan 31, 2024 · 66727b9 · 66727b9
2 parents 57d306a + 23f8e2d
commit 66727b9
Show file tree

Hide file tree

Showing 161 changed files with 5,576 additions and 956 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,7 +6,7 @@ updates:
       interval: "weekly"
     labels:
       - "dependencies"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 5
     pull-request-branch-name:
       separator: "-"
     ignore:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -58,9 +58,6 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: yarn
       - run: yarn --immutable --network-timeout 1000000
-      - name: Build packages
-        run: yarn lerna run prepack
-      - run: ./bin/run whoami
         # on 'main' and 'release-' branches, these tests will be run as part of the acceptance tests.
       - name: run smoke tests
         if: github.ref_name != 'main' || !startsWith(github.ref_name, 'release-')

diff --git a/.github/workflows/create-cli-release.yml b/.github/workflows/create-cli-release.yml
@@ -38,6 +38,7 @@ jobs:
     uses: ./.github/workflows/publish-npm.yml
     with:
       isStableRelease: ${{ fromJSON(needs.get-version-channel.outputs.isStableRelease) }}
+      channel: ${{ needs.get-version-channel.outputs.channel }}
     secrets: inherit
 
   pack-upload:
@@ -52,4 +53,5 @@ jobs:
     with:
       version: ${{ needs.get-version-channel.outputs.version }}
       isStableRelease: ${{ fromJSON(needs.get-version-channel.outputs.isStableRelease) }}
+      channel: ${{ needs.get-version-channel.outputs.channel }}
     secrets: inherit
diff --git a/.github/workflows/direwolf.yml b/.github/workflows/direwolf.yml
@@ -0,0 +1,40 @@
+name: Run CLI Direwolf Tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      releaseChannel:
+        type: choice
+        description: Channel to run the Direwolf tests against
+        required: true
+        options:
+        - stable
+        - beta
+        - alpha
+
+  workflow_call:
+    inputs:
+      releaseChannel:
+        type: string
+        description: Channel to run the Direwolf tests against
+        required: true
+        default: stable
+
+jobs:
+  run-direwolf-tests:
+    name: Run Direwolf CLI tests
+    runs-on: pub-hk-ubuntu-22.04-small
+    timeout-minutes: 20
+    environment: direwolf
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install jq
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y awscli jq
+    - name: run direwolf suite
+      run: ./scripts/direwolf-test-run
+      env:
+        HEROKU_CLI_VERSION: ${{ inputs.releaseChannel }}
+        DIREWOLF_TOKEN: ${{ secrets.DEV_TOOLING_DIREWOLF_TOKEN }}
+        DIREWOLF_CLOUD_UUID: ${{ secrets.DIREWOLF_CLOUD_UUID_PRODUCTION }}
diff --git a/.github/workflows/empty-stampy-buckets.yml b/.github/workflows/empty-stampy-buckets.yml
@@ -0,0 +1,24 @@
+name: Empty Stampy signed and unsigned buckets
+on:
+  workflow_dispatch
+
+jobs:
+  copy-to-stable:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - name: Empty Stampy signed and unsigned buckets
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
+          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          node scripts/stampy/empty-stampy-buckets.js
diff --git a/.github/workflows/get-signed-from-stampy.yml b/.github/workflows/get-signed-from-stampy.yml
@@ -0,0 +1,30 @@
+name: Get signed installers from Stampy
+on:
+  workflow_dispatch
+
+jobs:
+  get-signed-from-stampy:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - uses: actions/checkout@v3
+      - name: download signed Windows installer from from Stampy
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        # switch AWS identity to the one that can access stampy
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          aws s3 cp --recursive s3://${{ secrets.STAMPY_SIGNED_BUCKET }}/ .
+      - name: upload signed Windows installer to Heroku CLI s3
+        env:
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: node ./scripts/stampy/upload-stampy-signed.js
diff --git a/.github/workflows/pack-upload-windows.yml b/.github/workflows/pack-upload-windows.yml
@@ -0,0 +1,26 @@
+name: Pack and Upload Windows Installers
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  pack-and-upload-windows:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@41775cf0c82ef066f1eb39cea1bd74697ca5b735
+      - name: Install NSIS
+        run: brew install nsis
+      - name: yarn install
+        run: yarn --immutable --network-timeout 1000000
+      - name: pack windows installer
+        run: yarn oclif pack win --defender-exclusion hidden --root="./packages/cli"
+      - name: upload windows installer
+        run: yarn oclif upload win --root="./packages/cli"
diff --git a/.github/workflows/pack-upload.yml b/.github/workflows/pack-upload.yml
@@ -28,7 +28,7 @@ jobs:
           path: /home/runner/work/cli/cli/packages/cli/dist
 
   pack_tarballs:
-    runs-on: ubuntu-latest
+    runs-on: pub-hk-ubuntu-22.04-2xlarge
     steps:
       - uses: actions/checkout@v3
       - name: Install system deps
@@ -103,4 +103,4 @@ jobs:
           cd packages/cli
           pwd
           yarn oclif upload tarballs
-          ./scripts/upload/deb
+          ./scripts/upload/deb
diff --git a/.github/workflows/promote-release.yml b/.github/workflows/promote-release.yml
@@ -12,6 +12,10 @@ on:
         description: Is this a stable/prod release?
         required: true
         default: false
+      channel:
+        type: string
+        description: Release channel for prereleases
+        required: false
 
   workflow_dispatch:
     inputs:
@@ -24,13 +28,18 @@ on:
         description: Is this a stable/prod release?
         required: true
         default: false
+      channel:
+        type: string
+        description: Release channel for prereleases
+        required: false
 
 jobs:
   promote:
     uses: ./.github/workflows/promote.yml
     with:
         version: ${{ inputs.version }}
         isStableRelease: ${{ fromJSON(inputs.isStableRelease) }}
+        channel: ${{ inputs.channel }}
     secrets: inherit
 
   ## POST release jobs
@@ -69,6 +78,5 @@ jobs:
       TPS_API_URL_PARAM: ${{ secrets.TPS_API_URL_PARAM }}
     steps:
       - uses: actions/checkout@v3
-      - run: |
-          yarn --immutable --network-timeout 1000000
-          ./scripts/postrelease/change_management
+      - run: yarn --immutable --network-timeout 1000000
+      - run: ./scripts/postrelease/change_management
diff --git a/.github/workflows/promote-windows.yml b/.github/workflows/promote-windows.yml
@@ -0,0 +1,50 @@
+name: Promote signed Windows installer
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: version to promote to stable (this should be the latest release version)
+        type: string
+        required: true
+      isStableRelease:
+        type: boolean
+        description: Is this a stable/prod release?
+        required: true
+        default: false
+      channel:
+        type: choice
+        description: Release channel for prereleases
+        required: false
+        options:
+          - beta
+          - alpha
+
+jobs:
+  promote:
+    name: Promote ${{ inputs.version }}  of the Windows installer to stable
+    runs-on: ubuntu-latest
+    env:
+      CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+          cache: yarn
+      - run: yarn --immutable --network-timeout 1000000
+      - name: install apt-get dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y awscli jq
+      - name: promote
+        env:
+          prerelease-channel: ${{ inputs.channel || 'beta'}}
+        run: |
+          SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
+          yarn oclif promote --win --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel=${{ fromJSON(inputs.isStableRelease) && 'stable' || env.prerelease-channel }}
+        shell: bash
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
@@ -12,6 +12,10 @@ on:
         description: Is this a stable/prod release?
         required: true
         default: false
+      channel:
+        type: string
+        description: Release channel for prereleases
+        required: false
 
   workflow_dispatch:
     inputs:
@@ -24,14 +28,14 @@ on:
         description: Is this a stable/prod release?
         required: true
         default: false
-      s3VersionSha:
-        description: first 7 characters of the commit sha of the version to promote. Must match what is in S3 bucket/versions/VERSION/THIS
+      channel:
         type: string
+        description: Release channel for prereleases
         required: false
 
 jobs:
   promote:
-    name: Promote ${{ inputs.version }} to ${{ fromJSON(inputs.isStableRelease) && 'stable' || 'beta' }}
+    name: Promote ${{ inputs.version }} to ${{ fromJSON(inputs.isStableRelease) && 'stable' || inputs.channel }}
     runs-on: ubuntu-latest
     env:
       CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
@@ -51,13 +55,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y awscli jq
       - name: promote
+        env:
+          prerelease-channel: ${{ inputs.channel || 'beta'}}
         run: |
-          SHA=${{ inputs.s3VersionSha }}
-          if [[ -z "$SHA" ]]; then
-            # get SHA directly from NPM
-            SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
-          fi
-          yarn oclif promote --deb --xz --root="./packages/cli" --sha="$SHA" ${{ fromJSON(inputs.isStableRelease) && '--indexes' || ''}} --version=${{ inputs.version }} --channel=${{ fromJSON(inputs.isStableRelease) && 'stable' || 'beta' }}
+          SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
+          yarn oclif promote --deb --xz --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel=${{ fromJSON(inputs.isStableRelease) && 'stable' || env.prerelease-channel }}
         shell: bash
       - name: promote Linux install scripts
         run: node ./scripts/postrelease/install_scripts.js
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -8,13 +8,24 @@ on:
         description: Is this a stable/prod release?
         required: true
         default: false
+      channel:
+        type: choice
+        description: If this is a prerelease, is it alpha or beta?
+        options:
+          - alpha
+          - beta
+        required: false
   workflow_call:
     inputs:
       isStableRelease:
         type: boolean
         description: Is this a stable/prod release?
         required: true
         default: false
+      channel:
+        type: string
+        description: Release channel for prereleases
+        required: false
 
 jobs:
   publish-npm:
@@ -36,6 +47,6 @@ jobs:
           then
             yarn lerna publish --yes from-package
           else
-            yarn lerna publish --dist-tag beta --yes from-package
+            yarn lerna publish --dist-tag ${{ inputs.channel || 'beta' }} --yes from-package
           fi
         shell: bash
diff --git a/.github/workflows/release-homebrew.yml b/.github/workflows/release-homebrew.yml
@@ -27,7 +27,7 @@ jobs:
         run: yarn --immutable --network-timeout 1000000
       - run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-7)" >> $GITHUB_ENV
       - name: release homebrew
-        run: ./scripts/release/homebrew.js
+        run: node ./scripts/release/homebrew.js
         env:
           GITHUB_SHA_SHORT: ${{ env.GITHUB_SHA_SHORT }}
           CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}