Hatching-Dev/.github/workflows/pkg_release.yml at main · CrackingShells/Hatching-Dev · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
name: Package Release Process

on:
  repository_dispatch:
    types: [release-package]

jobs:
  # 1. Auto-merge if validation passed
  check-conflicts-in-merge:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: generate-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.HATCH_WORKFLOW_APP_ID }}
          private_key: ${{ secrets.HATCH_WORKFLOW_APP_PRIVATE_KEY }}

      - name: Check PR for conflicts
        id: check-conflicts
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const repository = '${{ github.repository }}';
            const [owner, repo] = repository.split('/');
            const prNumber = ${{ github.event.client_payload.pr_number }};

            const pr = await github.rest.pulls.get({
              owner: owner,
              repo: repo,
              pull_number: prNumber
            });

            if (pr.data.mergeable === false) {
              console.log('PR has conflicts that need to be resolved');
              await github.rest.issues.createComment({
                owner: owner,
                repo: repo,
                issue_number: prNumber,
                body: '⚠️ This PR has merge conflicts that need to be resolved before it can be auto-merged. Please resolve the conflicts and try again.'
              });
              return { can_merge: false };
            }

            console.log('PR is ready to be merged');

            // Add the automerge label
            await github.rest.issues.addLabels({
              owner: owner,
              repo: repo,
              issue_number: prNumber,
              labels: ['automerge']
            });

            return { can_merge: true };

  # 2. Create Release and Review Issue
  create-release-and-review:
    needs: [check-conflicts-in-merge]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: generate-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.HATCH_WORKFLOW_APP_ID }}
          private_key: ${{ secrets.HATCH_WORKFLOW_APP_PRIVATE_KEY }}

      # Retrieve the original artifact of the package used to be validated by the registry
      - name: Retrieve package artifact
        id: retrieve-artifact
        uses: dawidd6/action-download-artifact@v9
        with:
          github_token: ${{ steps.generate-token.outputs.token }}
          workflow: ${{ github.event.client_payload.workflow_id }}
          run_id: ${{ github.event.client_payload.run_id }}
          name: ${{ github.event.client_payload.artifact_name }}
          repo: ${{ github.repository }}
          path: downloaded-package

      - name: Extract package info
        id: package-info
        run: |

          # Extract version from metadata file (adapt based on your format)
          VERSION=$(jq -r .version downloaded-package/hatch_metadata.json)

          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "release_name=${{ github.event.client_payload.package_name }}-v${VERSION}" >> $GITHUB_OUTPUT

      - name: Create release artifact
        run: |
          cd downloaded-package
          zip -r ../${{ steps.package-info.outputs.release_name }}.zip .

      - name: Create GitHub Release
        id: create-release
        uses: softprops/action-gh-release@v1
        with:
          files: ${{ steps.package-info.outputs.release_name }}.zip
          name: ${{ steps.package-info.outputs.release_name }}
          tag_name: ${{ steps.package-info.outputs.release_name }}
          token: ${{ steps.generate-token.outputs.token }}

      - name: Retrieve PR author information
        id: author-info
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const prNumber = ${{ github.event.client_payload.pr_number }};
            const [owner, repo] = '${{ github.repository }}'.split('/');

            const pr = await github.rest.pulls.get({
              owner: owner,
              repo: repo,
              pull_number: prNumber
            });

            core.setOutput("author_id", pr.data.user.login);
            core.setOutput("author_email", pr.data.user.email || pr.data.user.login + "@not-provided.com");

      # Trigger registry update with package details including author info
      - name: Trigger registry update
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ steps.generate-token.outputs.token }}
          repository: CrackingShells/Hatch-Registry
          event-type: add-package
          client-payload: |-
            {
              "repository": "${{ github.repository }}",
              "package_name": "${{ github.event.client_payload.package_name }}",
              "workflow_id": "${{ github.event.client_payload.workflow_id }}",
              "run_id": "${{ github.event.client_payload.run_id }}",
              "artifact_name": "${{ github.event.client_payload.artifact_name }}",
              "author": {
                "GitHubID": "${{ steps.author-info.outputs.author_id }}",
                "email": "${{ steps.author-info.outputs.author_email }}"
              },
              "version": "${{ steps.package-info.outputs.version }}"
            }

      # Create review issue in the Registry repository
      - name: Create review issue
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const package_name = "${{ github.event.client_payload.package_name }}";
            const version = "${{ steps.package-info.outputs.version }}";
            const author_id = "${{ steps.author-info.outputs.author_id }}";
            const release_url = "${{ steps.create-release.outputs.url }}";
            const repository = '${{ github.repository }}'
            const [owner, repo] = repository.split('/');

            await github.rest.issues.create({
              owner: owner,
              repo: repo,
              title: `Package Review: ${package_name} v${version}`,
              body: `## Package Review Needed

            - **Package:** ${package_name}
            - **Version:** ${version}
            - **Author:** @${author_id}
            - **Release:** ${release_url}
            - **PR:** https://github.com/${{ github.repository }}/pull/${{ github.event.client_payload.pr_number }}

            Please review this package for quality and security concerns.
            Once reviewed, update the trust level using the registry update tool.

            ### Review Checklist

            - [ ] Code quality and readability
            - [ ] Functionality and performance
            - [ ] Security concerns
            - [ ] Documentation completeness
            - [ ] License compliance
            `,
              labels: ['ready-for-review', 'package']
            });

  # 3. Auto-approve and merge PR if validation, release, and review issue creation were successful
  approve-and-merge:
    runs-on: ubuntu-latest
    needs: [check-conflicts-in-merge, create-release-and-review]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate GitHub App token
        id: generate-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.HATCH_WORKFLOW_APP_ID }}
          private_key: ${{ secrets.HATCH_WORKFLOW_APP_PRIVATE_KEY }}

      - name: Notify PR author of success
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          script: |
            const message = [
              "### ✅ No conflicts detected.",
              "",
              "The package has been successfully validated and [released](https://github.com/${{ github.repository }}/releases",
              "This PR will be auto-approved and auto-merged shortly.",
              "",
              "### Next Steps",
              "",
              "1. The package will be released to the registry under the lowest trust level: unreviewed.",
              "2. The package will be available for download from the Hatch! package manager.",
              "3. A review issue will be created in the [repository](https://github.com/${{ github.repository }}/issues) for this package.",
              "  - Package authors are encouraged to check the review issue and respond to any questions or concerns raised by the reviewers.",
              "4. Once the review is complete, the package's trust level will be raised to: reviewed.",

            ].join('\n');

            const prNumber = ${{ github.event.client_payload.pr_number }};
            const [owner, repo] = '${{ github.repository }}'.split('/');

            await github.rest.issues.createComment({
              issue_number: prNumber,
              owner: owner,
              repo: repo,
              body: message
            })

      - name: Approve and merge PR
        uses: hmarr/auto-approve-action@v4
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          pull-request-number: ${{ github.event.client_payload.pr_number }}

      - name: Auto-merge PR
        uses: pascalgn/automerge-action@v0.16.4
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
          MERGE_METHOD: merge
          MERGE_LABELS: "validation-passed,automerge"
          MERGE_REMOVE_LABELS: "validation-passed,automerge"
          MERGE_FORKS: true
          PULL_REQUEST: ${{ github.event.client_payload.pr_number }}