Skip to content

Update workflows to use MetaMask/action-checkout-and-setup #5474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mrtenz merged 3 commits into from
Mar 14, 2025
Merged

Update workflows to use MetaMask/action-checkout-and-setup #5474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
583a9ad
Update workflows to use `MetaMask/action-checkout-and-setup`
Mrtenz Mar 13, 2025
dc1760d
Update security code scanner workflow
Mrtenz Mar 13, 2025
5d9661d
Remove variable
Mrtenz Mar 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 3 additions & 12 deletions .github/workflows/ensure-blocking-pr-labels-absent.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,19 +13,10 @@ jobs:
permissions:
pull-requests: read
steps:
- uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'yarn'
- run: yarn --immutable
is-high-risk-environment: false
- name: Run command
uses: actions/github-script@v7
with:
Expand Down
86 changes: 21 additions & 65 deletions .github/workflows/lint-build-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,15 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x, 20.x]
node-version: [18.x, 20.x, 22.x]
outputs:
child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }}
steps:
- uses: actions/checkout@v4
- name: Install Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version: ${{ matrix.node-version }}
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: yarn
- run: yarn --immutable
is-high-risk-environment: false
cache-node-modules: ${{ matrix.node-version == '22.x' }}
- name: Fetch workspace package names
id: workspace-package-names
run: |
Expand All @@ -38,21 +30,12 @@ jobs:
needs: prepare
strategy:
matrix:
node-version: [20.x]
node-version: [22.x]
steps:
- uses: actions/checkout@v4
- name: Install Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version: ${{ matrix.node-version }}
cache: yarn
- run: yarn --immutable
is-high-risk-environment: false
- run: yarn lint
- name: Require clean working directory
shell: bash
Expand All @@ -68,22 +51,13 @@ jobs:
needs: prepare
strategy:
matrix:
node-version: [20.x]
node-version: [22.x]
package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
steps:
- uses: actions/checkout@v4
- name: Install Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version: ${{ matrix.node-version }}
cache: yarn
- run: yarn --immutable
is-high-risk-environment: false
- run: yarn workspace ${{ matrix.package-name }} changelog:validate
- name: Require clean working directory
shell: bash
Expand All @@ -99,21 +73,12 @@ jobs:
needs: prepare
strategy:
matrix:
node-version: [20.x]
node-version: [22.x]
steps:
- uses: actions/checkout@v4
- name: Install Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version: ${{ matrix.node-version }}
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: yarn
- run: yarn --immutable
is-high-risk-environment: false
- run: yarn build
- name: Require clean working directory
shell: bash
Expand All @@ -129,22 +94,13 @@ jobs:
needs: prepare
strategy:
matrix:
node-version: [18.x, 20.x]
node-version: [18.x, 20.x, 22.x]
package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
steps:
- uses: actions/checkout@v4
- name: Install Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version: ${{ matrix.node-version }}
cache: yarn
- run: yarn --immutable
is-high-risk-environment: false
- run: yarn test:scripts
- run: yarn workspace ${{ matrix.package-name }} run test
- name: Require clean working directory
Expand Down
18 changes: 16 additions & 2 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
name: Check workflows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Download actionlint
id: download-actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.25
Expand All @@ -19,6 +19,18 @@ jobs:
run: ${{ steps.download-actionlint.outputs.executable }} -color
shell: bash

analyse-code:
name: Code scanner
needs: check-workflows
uses: ./.github/workflows/security-code-scanner.yml
permissions:
actions: read
contents: read
security-events: write
secrets:
SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}

lint-build-test:
name: Lint, build, and test
needs: check-workflows
Expand Down Expand Up @@ -59,7 +71,9 @@ jobs:
all-jobs-complete:
name: All jobs complete
runs-on: ubuntu-latest
needs: lint-build-test
needs:
- analyse-code
- lint-build-test
outputs:
passed: ${{ steps.set-output.outputs.passed }}
steps:
Expand Down
14 changes: 3 additions & 11 deletions .github/workflows/publish-preview.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,18 +35,10 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number }}
- name: Install Node
uses: actions/setup-node@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
node-version-file: '.nvmrc'
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: yarn
- run: yarn --immutable
is-high-risk-environment: true
- name: Get commit SHA
id: commit-sha
run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
Expand Down
81 changes: 28 additions & 53 deletions .github/workflows/publish-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,85 +14,60 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
ref: ${{ github.sha }}
- name: Install Node
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
- name: Install Yarn
run: corepack enable
- name: Restore Yarn cache
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: yarn
- uses: actions/cache@v4
with:
path: |
./packages/**/dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}
is-high-risk-environment: true
- uses: MetaMask/action-publish-release@v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: yarn --immutable
- run: yarn build
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: publish-release-artifacts-${{ github.sha }}
include-hidden-files: true
retention-days: 4
path: |
./packages/**/dist
./node_modules/.yarn-state.yml

publish-npm-dry-run:
name: Dry run publish to NPM
runs-on: ubuntu-latest
needs: publish-release
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
ref: ${{ github.sha }}
- name: Install Node
uses: actions/setup-node@v4
- name: Restore build artifacts
uses: actions/download-artifact@v4
with:
node-version-file: '.nvmrc'
- name: Install Yarn
run: corepack enable
- uses: actions/cache@v4
with:
path: |
./packages/**/dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}
fail-on-cache-miss: true
- name: Dry Run Publish
# omit npm-token token to perform dry run publish
name: publish-release-artifacts-${{ github.sha }}
- name: Dry run publish to NPM
uses: MetaMask/action-npm-publish@v5
with:
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
subteam: S042S7RE4AE # @metamask-npm-publishers
env:
SKIP_PREPACK: true

publish-npm:
name: Publish to NPM
environment: npm-publish
runs-on: ubuntu-latest
needs: publish-npm-dry-run
steps:
- uses: actions/checkout@v4
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v1
with:
is-high-risk-environment: true
ref: ${{ github.sha }}
- name: Install Node
uses: actions/setup-node@v4
- name: Restore build artifacts
uses: actions/download-artifact@v4
with:
node-version-file: '.nvmrc'
- name: Install Yarn
run: corepack enable
- uses: actions/cache@v4
with:
path: |
./packages/**/dist
./node_modules/.yarn-state.yml
key: ${{ github.sha }}
fail-on-cache-miss: true
- name: Publish
name: publish-release-artifacts-${{ github.sha }}
- name: Publish to NPM
uses: MetaMask/action-npm-publish@v5
with:
npm-token: ${{ secrets.NPM_TOKEN }}
env:
SKIP_PREPACK: true
40 changes: 27 additions & 13 deletions .github/workflows/security-code-scanner.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,33 +1,47 @@
name: MetaMask Security Code Scanner

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_call:
secrets:
SECURITY_SCAN_METRICS_TOKEN:
required: false
APPSEC_BOT_SLACK_WEBHOOK:
required: false
workflow_dispatch:

jobs:
run-security-scan:
name: Run security scan
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: MetaMask Security Code Scanner
uses: MetaMask/Security-Code-Scanner@main
- name: Analyse code
uses: MetaMask/action-security-code-scanner@v1
with:
repo: ${{ github.repository }}
paths_ignored: |
.storybook/
'**/__snapshots__/'
'**/*.snap'
'**/*.stories.js'
'**/*.stories.tsx'
'**/*.test.browser.ts*'
'**/*.test.js*'
'**/*.test.ts*'
'**/fixtures/'
'**/jest.config.js'
'**/jest.environment.js'
'**/mocks/'
'**/test*/'
docs/
'**/*.test.js'
'**/*.test.ts'
node_modules
e2e/
merged-packages/
'**/jest.environment.js'
project_metrics_token: ${{secrets.SECURITY_SCAN_METRICS_TOKEN}}
node_modules
storybook/
test*/
rules_excluded: example
project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
Loading