From 1e9de0a6ed025239356ad1d4010adf88a6b03f17 Mon Sep 17 00:00:00 2001 From: Lauren Tan Date: Mon, 17 Mar 2025 13:40:39 -0400 Subject: [PATCH 1/3] [ci] Don't use third party action to push commits In light of recent third party actions being compromised, let's just push the commit ourselves rather than use a third party action. We already detect if changes are needed, so the step will only run if so. I also added a `dry_run` option to the manual runs of this workflow for testing. --- .../workflows/runtime_commit_artifacts.yml | 41 +++++++++++-------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/runtime_commit_artifacts.yml b/.github/workflows/runtime_commit_artifacts.yml index 9e60606210f39..6b1cad2245aa6 100644 --- a/.github/workflows/runtime_commit_artifacts.yml +++ b/.github/workflows/runtime_commit_artifacts.yml @@ -16,6 +16,11 @@ on: required: true default: false type: boolean + dry_run: + description: Perform a dry run (run everything except push) + required: true + default: false + type: boolean env: TZ: /usr/share/zoneinfo/America/Los_Angeles 
@@ -246,16 +251,16 @@ jobs: git status -u - name: Commit changes to branch if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true' - uses: stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: | - ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }} + run: | + git config --global user.email "${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}" + git config --global user.name "${{ github.triggering_actor }}" - DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }}) - branch: builds/facebook-www - commit_user_name: ${{ github.triggering_actor }} - commit_user_email: ${{ format('{0}@users.noreply.github.com', github.triggering_actor) }} - create_branch: true + git commit -m "${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }} + + DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})" || echo "No changes to commit" + - name: Push changes to branch + if: inputs.dry_run == false && (inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true') + run: git push commit_fbsource_artifacts: needs: download_artifacts 
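Review bot: The new `git commit -m "${{ github.event.workflow_run.head_commit.message || … }}"` line interpolates the triggering commit's message directly into the shell script, so a message containing `"` or `$(…)` escapes the argument and executes with the job's push-capable token; the removed action received the same value as a `with:` input rather than as shell text, so this is a regression the commit does not address. Move the expression into the step's `env:` and reference it as `"$COMMIT_MSG"`, and do the same for `github.triggering_actor` in the two `git config` lines. The job this hunk belongs to begins before the hunk, including the checkout step that determines where the bare `git push` goes.
```yaml
      - name: Commit changes to branch
        if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true'
        env:
          # Passed via env so a crafted commit message cannot break out of the shell argument
          COMMIT_MSG: ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
          BUILD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
          ACTOR: ${{ github.triggering_actor }}
        run: |
          git config --global user.email "${ACTOR}@users.noreply.github.com"
          git config --global user.name "$ACTOR"
          git commit -m "$COMMIT_MSG" -m "DiffTrain build for [${BUILD_SHA}](https://github.com/facebook/react/commit/${BUILD_SHA})" || echo "No changes to commit"
      # … unchanged: Push changes to branch step …
```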
@@ -413,13 +418,13 @@ jobs: git status - name: Commit changes to branch if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true' - uses: stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: | - ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }} + run: | + git config --global user.email "${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}" + git config --global user.name "${{ github.triggering_actor }}" + + git commit -m "${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }} - DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }}) - branch: builds/facebook-fbsource - commit_user_name: ${{ github.triggering_actor }} - commit_user_email: ${{ format('{0}@users.noreply.github.com', github.triggering_actor) }} - create_branch: true + DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})" || echo "No changes to commit" + - name: Push changes to branch + if: inputs.dry_run == false && (inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true') + run: git push From 4eaaba2003441dcdab5554586cd7820b53e43a8a Mon Sep 17 00:00:00 2001 From: Lauren Tan Date: Mon, 17 Mar 2025 13:58:34 -0400 Subject: [PATCH 2/3] [ci] Pin Discord webhook action to specific commit sha Pins the discord webhook action to `86dc739f3f165f16dadc5666051c367efa1692f4`, which is what the v6 tag points to. --- .github/workflows/compiler_discord_notify.yml | 2 +- .github/workflows/runtime_discord_notify.yml | 2 +- .github/workflows/runtime_releases_from_npm_manual.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
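Review bot: The new `Push changes to branch` step runs a bare `git push` with no remote or refspec, whereas the removed action explicitly targeted `builds/facebook-fbsource` with `create_branch: true`; unless a step before this hunk checked out that branch with an upstream configured, the push either fails or lands on whatever branch HEAD happens to be on. Make the destination explicit: `run: git push origin HEAD:builds/facebook-fbsource`. Separately, `|| echo "No changes to commit"` swallows every `git commit` failure rather than only the nothing-to-commit case, and the push step still runs afterwards; guarding with a staged-changes check (e.g. `git diff --cached --quiet || git commit …`, assuming the earlier step stages the files) would let real failures stop the job. The `inputs.dry_run == false` condition also runs on `workflow_run` triggers where `inputs` is empty, which works only because GitHub's loose comparison treats null and `false` as equal — worth a comment such as `# inputs is empty on workflow_run; null == false holds under GitHub's loose comparison` so nobody "fixes" it to strict equality. The enclosing job starts before this hunk.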
diff --git a/.github/workflows/compiler_discord_notify.yml b/.github/workflows/compiler_discord_notify.yml
index f81f42b9cb7df..5b46d0f87601f 100644
--- a/.github/workflows/compiler_discord_notify.yml
+++ b/.github/workflows/compiler_discord_notify.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.COMPILER_DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/runtime_discord_notify.yml b/.github/workflows/runtime_discord_notify.yml
index e41b1c56405a7..f2be08f904ee2 100644
--- a/.github/workflows/runtime_discord_notify.yml
+++ b/.github/workflows/runtime_discord_notify.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/runtime_releases_from_npm_manual.yml b/.github/workflows/runtime_releases_from_npm_manual.yml
index c4675bfb7fd4a..0293696428f65 100644
--- a/.github/workflows/runtime_releases_from_npm_manual.yml
+++ b/.github/workflows/runtime_releases_from_npm_manual.yml
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.sender.login }}
From ff2d1ec37299afc46bc24fd4ec61d4b1e65a62fd Mon Sep 17 00:00:00 2001
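Review bot: The three pinned `uses:` lines carry a bare SHA with no version annotation, so a reader cannot tell which release it corresponds to and Dependabot/Renovate cannot propose a bump; add a trailing comment, `uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4 # v6.0.0`. The description's statement that this is what the `v6` tag resolves to should be independently checked against the upstream repository's history before merging, since a moved tag is exactly the scenario SHA pinning is meant to defend against. Other action references in this series, such as `actions/download-artifact@v4` visible in the runtime_build_and_test.yml hunks, remain tag-pinned and would benefit from the same treatment.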
From: Lauren Tan Date: Mon, 17 Mar 2025 14:07:09 -0400 Subject: [PATCH 3/3] [ci][ez] use yarn --cwd Run yarn install via `--cwd` instead of `working-directory` to make the labels clearer --- .github/workflows/devtools_regression_tests.yml | 3 +-- .github/workflows/runtime_build_and_test.yml | 15 +++++---------- .github/workflows/runtime_commit_artifacts.yml | 5 +---- .github/workflows/runtime_eslint_plugin_e2e.yml | 3 +-- .github/workflows/runtime_prereleases.yml | 3 +-- .../runtime_releases_from_npm_manual.yml | 3 +-- 6 files changed, 10 insertions(+), 22 deletions(-) diff --git a/.github/workflows/devtools_regression_tests.yml b/.github/workflows/devtools_regression_tests.yml index 9399b80f0e250..844b82b82cdb9 100644 --- a/.github/workflows/devtools_regression_tests.yml +++ b/.github/workflows/devtools_regression_tests.yml @@ -35,8 +35,7 @@ jobs: - name: Ensure clean build directory run: rm -rf build - run: yarn install --frozen-lockfile - - run: yarn install --frozen-lockfile - working-directory: scripts/release + - run: yarn --cwd scripts/release install --frozen-lockfile - name: Download react-devtools artifacts for base revision run: | git fetch origin main diff --git a/.github/workflows/runtime_build_and_test.yml b/.github/workflows/runtime_build_and_test.yml index 63e432b4dcd69..d685c848e21f4 100644 --- a/.github/workflows/runtime_build_and_test.yml +++ b/.github/workflows/runtime_build_and_test.yml @@ -169,8 +169,7 @@ jobs: - name: Ensure clean build directory run: rm -rf build - run: yarn install --frozen-lockfile - - run: yarn install --frozen-lockfile - working-directory: compiler + - run: yarn --cwd compiler install --frozen-lockfile - run: yarn test ${{ matrix.params }} --ci --shard=${{ matrix.shard }} # ----- BUILD ----- 
@@ -208,8 +207,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-      - run: yarn install --frozen-lockfile
-        working-directory: compiler
+      - run: yarn --cwd compiler install --frozen-lockfile
       - run: yarn build --index=${{ matrix.worker_id }} --total=20 --r=${{ matrix.release_channel }} --ci
         env:
           CI: github
@@ -287,8 +285,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-      - run: yarn install --frozen-lockfile
-        working-directory: compiler
+      - run: yarn --cwd compiler install --frozen-lockfile
       - name: Restore archived build
         uses: actions/download-artifact@v4
         with:
@@ -438,8 +435,7 @@ jobs:
           key: fixtures_dom-node_modules-v5-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
       - name: Ensure clean build directory
         run: rm -rf build
-      - run: yarn install --frozen-lockfile
-        working-directory: fixtures/dom
+      - run: yarn --cwd fixtures/dom install --frozen-lockfile
       - name: Restore archived build
         uses: actions/download-artifact@v4
         with:
@@ -635,8 +631,7 @@ jobs:
           key: runtime-node_modules-v5-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
       - name: Ensure clean build directory
         run: rm -rf build
-      - run: yarn install --frozen-lockfile
-        working-directory: scripts/release
+      - run: yarn --cwd scripts/release install --frozen-lockfile
       - name: Download artifacts for base revision
         run: |
           GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=$(git rev-parse ${{ github.event.pull_request.base.sha }})
diff --git a/.github/workflows/runtime_commit_artifacts.yml b/.github/workflows/runtime_commit_artifacts.yml
index 6b1cad2245aa6..5de51b2664e48 100644
--- a/.github/workflows/runtime_commit_artifacts.yml
+++ b/.github/workflows/runtime_commit_artifacts.yml
@@ -84,10 +84,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-        name: yarn install (react)
-      - run: yarn install --frozen-lockfile
-        name: yarn install (scripts/release)
-        working-directory: scripts/release
+      - run: yarn --cwd scripts/release install --frozen-lockfile
       - name: Download artifacts for base revision
         run: |
           GH_TOKEN=${{ github.token }} scripts/release/download-experimental-build.js --commit=${{ inputs.commit_sha || github.event.workflow_run.head_sha || github.sha }}
diff --git a/.github/workflows/runtime_eslint_plugin_e2e.yml b/.github/workflows/runtime_eslint_plugin_e2e.yml
index 8b8222721cfaa..2deb958ea79cc 100644
--- a/.github/workflows/runtime_eslint_plugin_e2e.yml
+++ b/.github/workflows/runtime_eslint_plugin_e2e.yml
@@ -48,8 +48,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-      - run: yarn install --frozen-lockfile
-        working-directory: compiler
+      - run: yarn --cwd compiler install --frozen-lockfile
       - name: Build plugin
         working-directory: fixtures/eslint-v${{ matrix.eslint_major }}
         run: node build.mjs
diff --git a/.github/workflows/runtime_prereleases.yml b/.github/workflows/runtime_prereleases.yml
index 293e5f2ce9fa6..ce44246df9a75 100644
--- a/.github/workflows/runtime_prereleases.yml
+++ b/.github/workflows/runtime_prereleases.yml
@@ -45,8 +45,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-      - run: yarn install --frozen-lockfile
-        working-directory: scripts/release
+      - run: yarn --cwd scripts/release install --frozen-lockfile
       - run: |
           scripts/release/prepare-release-from-ci.js --skipTests -r ${{ inputs.release_channel }} --commit=${{ inputs.commit_sha }}
           cp ./scripts/release/ci-npmrc ~/.npmrc
diff --git a/.github/workflows/runtime_releases_from_npm_manual.yml b/.github/workflows/runtime_releases_from_npm_manual.yml
index 0293696428f65..d04f202a7ea71 100644
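Review bot: In the runtime_commit_artifacts.yml hunk the retained `- run: yarn install --frozen-lockfile` step loses its `name: yarn install (react)` label, so the root install now appears in the UI as the raw command, which works against the stated goal of clearer labels; keep `name: yarn install (react)` on that step, and consider giving the new `yarn --cwd scripts/release install` step a matching name for symmetry. The remaining hunks on this line are straightforward substitutions with no behavioural change.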
--- a/.github/workflows/runtime_releases_from_npm_manual.yml
+++ b/.github/workflows/runtime_releases_from_npm_manual.yml
@@ -77,8 +77,7 @@ jobs:
       - name: Ensure clean build directory
         run: rm -rf build
       - run: yarn install --frozen-lockfile
-      - run: yarn install --frozen-lockfile
-        working-directory: scripts/release
+      - run: yarn --cwd scripts/release install --frozen-lockfile
       - run: cp ./scripts/release/ci-npmrc ~/.npmrc
       - if: '${{ inputs.only_packages }}'
         name: 'Prepare ${{ inputs.only_packages }} from NPM'