[ACA-4653] fix release actions (#3029)

* fix publish libs action

* push tags only for master

* fix publishing only for master

* fix leaking sensitive info in the echo

* fix publish script and passing branch name to action

* fix incorrect travis branch

* consistent input naming

* npm tag as input

* Update .github/workflows/release.yml

Co-authored-by: Giovanni Toraldo <me@gionn.net>

* Update .github/workflows/release.yml

Co-authored-by: Giovanni Toraldo <me@gionn.net>

* remove not really necessary workflow_call triggers

* fixup job conditionals with ref_name

* setup job is not really doing anything useful

* add setup node to npm publish step

* add missing npm install to publish libs

* Update scripts/travis/deploy/publish.sh

Co-authored-by: Alex Chapellon <alxgomz@gmail.com>

* Update scripts/travis/deploy/publish.sh

Co-authored-by: Alex Chapellon <alxgomz@gmail.com>

* Update .github/actions/git-tag/action.yml

Co-authored-by: Alex Chapellon <alxgomz@gmail.com>

---------

Co-authored-by: Giovanni Toraldo <me@gionn.net>
Co-authored-by: Giovanni Toraldo <giovanni.toraldo@hyland.com>
Co-authored-by: Alex Chapellon <alxgomz@gmail.com>

.github/actions/git-tag/action.yml

@@ -22,14 +22,16 @@ runs:
       shell: bash
       run: |
         if [[  ${{ inputs.branch_name }} == "master" ]]; then
-          VERSION=$(grep -m1 version package.json | awk '{ print $2 }' | sed 's/[", ]//g')
-        fi;
+          VERSION=$(jq -cr '.version' < package.json)
+
+          echo "git tag -a ${VERSION} -m ${VERSION}"
+          if [[ ${{ inputs.dry-run }} == false ]]; then
+            git tag -a ${VERSION} -m "${VERSION} [ci skip] "
+            git remote rm origin
+            GITHUB_REPO=https://${{ inputs.github_token }}:x-oauth-basic@github.com/Alfresco/alfresco-content-app.git
+            git remote add origin $GITHUB_REPO
+            git push origin --tags
+          fi;
 
-        echo "git tag -a ${VERSION} -m ${VERSION}"
-        if [[ ${{ inputs.dry-run }} == false ]]; then
-          git tag -a ${VERSION} -m "${VERSION} [ci skip] "
-          git remote rm origin
-          GITHUB_REPO=https://${{ inputs.github_token }}:x-oauth-basic@github.com/Alfresco/alfresco-content-app.git
-          git remote add origin $GITHUB_REPO
-          git push origin --tags
         fi;
+

.github/actions/publish-image/action.yml

@@ -14,6 +14,10 @@ inputs:
     description: 'login password'
     required: true
     type: string
+  branch_name:
+    description: 'Name of the branch the workflow runs on'
+    required: true
+    type: string
   dry-run:
     description: dry run flag
     required: true
@@ -25,12 +29,12 @@ runs:
     - name: Get docker image tag name
       shell: bash
       run: |
-        if [[ $BRANCH_NAME == "master" ]]; then
+        if [[ ${{ inputs.branch_name }} == "master" ]]; then
             TAG_VERSION=$(grep -m1 version package.json | awk '{ print $2 }' | sed 's/[", ]//g')
         else
-            TAG_VERSION=$BRANCH_NAME-${{ github.run_id }}
+            TAG_VERSION=${{ inputs.branch_name }}-${{ github.run_id }}
         fi
         echo "TAG_VERSION=$TAG_VERSION" >> $GITHUB_ENV
     - name: Publish image
       shell: bash
-      run: ./scripts/travis/deploy/publish.sh ${{ inputs.domain }} ${{ inputs.username }} ${{ inputs.password }} $TAG_VERSION $BRANCH_NAME ${{ inputs.dry-run }}
+      run: ./scripts/travis/deploy/publish.sh ${{ inputs.domain }} ${{ inputs.username }} ${{ inputs.password }} $TAG_VERSION ${{ inputs.branch_name }} ${{ inputs.dry-run }}

.github/actions/publish-libs/action.yml

@@ -2,18 +2,26 @@ name: "Publish ACA libs to NPM and GH registry"
 description: "Publish ACA libs to NPM and GH registry"
 
 inputs:
+  branch_name:
+    description: 'Name of the branch the workflow runs on'
+    required: true
+    type: string
   github_token:
     description: 'Github token'
     required: true
     type: string
-  npm-registry-address:
+  npm_registry_address:
     description: 'NPM registry address'
     required: true
     type: string
-  npm-registry-token:
+  npm_registry_token:
     description: 'NPM registry token'
     required: true
     type: string
+  npm_tag:
+    description: 'NPM tag'
+    required: true
+    type: string
   dry-run:
     description: dry run flag
     required: true
@@ -22,21 +30,22 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - run: npm ci
+      shell: bash
     - name: update libs version
       shell: bash
       run: |
-        ROOT_DIR=./../../..
         export DIST_DIR=./dist/@alfresco
         PROJECTS_DIR=./projects
-        VERSION_IN_PACKAGE_JSON=$(node -p "require('$ROOT_DIR/package.json').version;")
+        VERSION_IN_PACKAGE_JSON=$(node -p "require('./package.json').version;")
 
-        if [[ $TRAVIS_BRANCH =~ ^master.*?$ ]] ; then
+        if [[ ${{ inputs.branch_name }} =~ ^master.*?$ ]] ; then
           NEW_LIBRARY_VERSION=VERSION_IN_PACKAGE_JSON
         else
           NEW_LIBRARY_VERSION="${VERSION_IN_PACKAGE_JSON}-${{ github.run_id }}"
         fi
 
-        echo -e "Branch is '$BRANCH_NAME', therefore publish with '$TAG_NPM' tag\n"
+        echo -e "Branch is '${{ inputs.branch_name }}, therefore publish with '${{ inputs.npm_tag }}' tag\n"
 
         export PROJECTS=(
           'aca-shared'
@@ -50,15 +59,12 @@ runs:
 
         for PROJECT in "${PROJECTS[@]}"; do
           echo "Update ${PROJECT} version to ${NEW_LIBRARY_VERSION}"
-          cd $PROJECTS_DIR/${PROJECT}
           if [[ ${{ inputs.dry-run }} == false ]]; then
-            npm version ${NEW_LIBRARY_VERSION}
+            (cd cd $PROJECTS_DIR/${PROJECT} && npm version --allow-same-version --no-git-tag-version --force ${NEW_LIBRARY_VERSION})
           fi
         done
 
         echo -e "\n\nBuild projects"
-        cd ${ROOT_DIR}
-
         npm run build-libs
     - uses: actions/setup-node@v3
       name: setup GH registry
@@ -75,12 +81,12 @@ runs:
 
           if [[ ${{ inputs.dry-run }} == false ]]; then
             echo -e "Publish with dry mode for project to GH registry: $PROJECT\n"
-            echo -e "npm publish --dry-run --tag $TAG_NPM \n"
-            npm publish --dry-run --tag $TAG_NPM
+            echo -e "npm publish --dry-run --tag ${{ inputs.npm_tag }} \n"
+            npm publish --dry-run --tag ${{ inputs.npm_tag }}
           else
             echo -e "======== Publishing project to GH registry: $PROJECT ========\n"
-            echo -e "npm publish --tag $TAG_NPM\n"
-            npm publish --tag $TAG_NPM
+            echo -e "npm publish --tag ${{ inputs.npm_tag }}\n"
+            npm publish --tag ${{ inputs.npm_tag }}
           fi
         done
       env:
@@ -89,7 +95,7 @@ runs:
       name: setup NPM registry
       with:
         node-version-file: '.nvmrc'
-        registry-url: ${{ inputs.npm-registry-address }}
+        registry-url: ${{ inputs.npm_registry_address }}
         scope: '@alfresco'
     - name: publish tag to NPM registry
       shell: bash
@@ -100,13 +106,13 @@ runs:
 
           if [[ ${{ inputs.dry-run }} == false ]]; then
             echo -e "Publish with dry mode for project to NPM registry: $PROJECT\n"
-            echo -e "npm publish --dry-run --tag $TAG_NPM \n"
-            npm publish --dry-run --tag $TAG_NPM
+            echo -e "npm publish --dry-run --tag ${{ inputs.npm_tag }} \n"
+            npm publish --dry-run --tag ${{ inputs.npm_tag }}
           else
             echo -e "======== Publishing project to NPM registry: $PROJECT ========\n"
-            echo -e "npm publish --tag $TAG_NPM\n"
-            npm publish --tag $TAG_NPM
+            echo -e "npm publish --tag ${{ inputs.npm_tag }}\n"
+            npm publish --tag ${{ inputs.npm_tag }}
           fi
         done
       env:
-          NODE_AUTH_TOKEN: ${{ inputs.npm-registry-token }}
+          NODE_AUTH_TOKEN: ${{ inputs.npm_registry_token }}

.github/workflows/aca-upstream.yml

@@ -3,7 +3,6 @@ name: "ACA upstream"
 on:
   schedule:
     - cron: "0 12 * * *"
-  workflow_call:
   workflow_dispatch:
     inputs:
       repo_to_update:

.github/workflows/release.yml

@@ -2,7 +2,6 @@ name: "Release"
 
 on:
   workflow_dispatch:
-  workflow_call:
     inputs:
       dry-run-release:
         description: 'enable dry-run'
@@ -40,32 +39,16 @@ env:
   APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI: "{protocol}//{hostname}{:port}/assets/silent-refresh.html"
 
 jobs:
-  setup:
-    if: github.event.pull_request.merged || ${{ inputs.dry-run-release }}
-    name: "Setup"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-      - name: node
-        uses: actions/setup-node@v3
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'npm'
-      - uses: ./.github/actions/setup
   publish-docker-registry:
-    needs: [setup]
-    if: github.event.pull_request.merged || ${{ inputs.dry-run-release }}
-    name: "Publish to  registry"
+    if: github.event.pull_request.merged || inputs.dry-run-release
+    name: "Publish to registry"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
-      - name: node
+      - name: Setup node
         uses: actions/setup-node@v3
         with:
           node-version-file: '.nvmrc'
@@ -74,21 +57,22 @@ jobs:
       - name: publish
         uses: ./.github/actions/publish-image
         with:
+          branch_name: ${{ env.BRANCH_NAME }}
           domain: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
           dry-run: ${{ inputs.dry-run-release }}
+
   publish-to-dockerhub:
-    needs: [setup]
-    if: github.event.pull_request.merged || ${{ inputs.dry-run-release }}
+    if: github.event.pull_request.merged || inputs.dry-run-release
     name: "Publish to Dockerhub"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
-      - name: node
+      - name: Setup node
         uses: actions/setup-node@v3
         with:
           node-version-file: '.nvmrc'
@@ -97,21 +81,22 @@ jobs:
       - name: publish
         uses: ./.github/actions/publish-image
         with:
+          branch_name: ${{ env.BRANCH_NAME }}
           domain: docker.io
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
           dry-run: ${{ inputs.dry-run-release }}
+
   publish-git-tag:
-    needs: [setup]
-    if: (github.event.pull_request.merged && $BRANCH_NAME == "master")|| ${{ inputs.dry-run-release }}
+    if: (github.event.pull_request.merged && github.ref_name == 'master') || inputs.dry-run-release
     name: "Publish git tag"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
-      - name: node
+      - name: Setup node
         uses: actions/setup-node@v3
         with:
           node-version-file: '.nvmrc'
@@ -128,21 +113,28 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           branch_name: ${{ env.BRANCH_NAME }}
           dry-run: ${{ inputs.dry-run-release }}
+
   publish-libs:
-    needs: [setup]
-    if: github.event.pull_request.merged || ${{ inputs.dry-run-release }}
+    if: (github.event.pull_request.merged && github.ref_name == 'master') || inputs.dry-run-release
     name: "Publish libs to npm and gh registry"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 2
+      - name: Setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
       - uses: ./.github/actions/setup
       - name: publish
         uses: ./.github/actions/publish-libs
         with:
+          branch_name: ${{ env.BRANCH_NAME }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          npm-registry-address: ${{ vars.NPM_REGISTRY_ADDRESS }}
-          npm-registry-token: ${{ secrets.NPM_REGISTRY_TOKEN }}
+          npm_registry_address: ${{ vars.NPM_REGISTRY_ADDRESS }}
+          npm_registry_token: ${{ secrets.NPM_REGISTRY_TOKEN }}
+          npm_tag: ${{ env.TAG_NPM }}
           dry-run: ${{ inputs.dry-run-release }}

scripts/travis/deploy/publish.sh

@@ -14,14 +14,12 @@ DOCKER_PROJECT_ARGS="PROJECT_NAME=content-ce"
 DOCKER_REPOSITORY="$DOMAIN/$REPO_SLUG"
 
 # Publish Image to quay.io or dockerhub or another domain - only publish the version on master - elsewhere version and branch
-if [[ $TRAVIS_BRANCH == "master" ]]; then
-    echo "npx @alfresco/adf-cli docker-publish --loginCheck --loginUsername '$USERNAME' --loginPassword '$PASSWORD' --loginRepo '$DOMAIN' --dockerRepo '$DOCKER_REPOSITORY' --buildArgs  $DOCKER_PROJECT_ARGS  --dockerTags '$TAG_VERSION' "
-     if [[ $DRY_RUN == false ]]; then
-        npx       @alfresco/adf-cli docker-publish --loginCheck --loginUsername "$USERNAME" --loginPassword "$PASSWORD" --loginRepo "$DOMAIN" --dockerRepo "$DOCKER_REPOSITORY" --buildArgs "$DOCKER_PROJECT_ARGS" --dockerTags "$TAG_VERSION" --pathProject "$(pwd)"
-      fi;
+if [[ "$BRANCH_NAME" == "master" ]]; then
+  if [[ "$DRY_RUN" == "false" ]]; then
+    npx @alfresco/adf-cli docker-publish --loginCheck --loginUsername "$USERNAME" --loginPassword "$PASSWORD" --loginRepo "$DOMAIN" --dockerRepo "$DOCKER_REPOSITORY" --buildArgs "$DOCKER_PROJECT_ARGS" --dockerTags "$TAG_VERSION" --pathProject "$(pwd)"
+  fi;
 else
-    echo "npx @alfresco/adf-cli docker-publish --loginCheck --loginUsername '$USERNAME' --loginPassword '$PASSWORD' --loginRepo '$DOMAIN' --dockerRepo '$DOCKER_REPOSITORY' --buildArgs  $DOCKER_PROJECT_ARGS  --dockerTags '$TAG_VERSION,$BRANCH_NAME' "
-     if [[ $DRY_RUN == false ]]; then
-      npx       @alfresco/adf-cli docker-publish --loginCheck --loginUsername "$USERNAME" --loginPassword "$PASSWORD" --loginRepo "$DOMAIN" --dockerRepo "$DOCKER_REPOSITORY" --buildArgs "$DOCKER_PROJECT_ARGS" --dockerTags "$TAG_VERSION,$BRANCH_NAME" --pathProject "$(pwd)"
-    fi;
+  if [[ "$DRY_RUN "== "false" ]]; then
+    npx @alfresco/adf-cli docker-publish --loginCheck --loginUsername "$USERNAME" --loginPassword "$PASSWORD" --loginRepo "$DOMAIN" --dockerRepo "$DOCKER_REPOSITORY" --buildArgs "$DOCKER_PROJECT_ARGS" --dockerTags "$TAG_VERSION,$BRANCH_NAME" --pathProject "$(pwd)"
+  fi;
 fi;