.github/workflows/ci.yml

name: Node CI Suite

on:
  push

jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        node-version: [14.x, 16.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: yarn
      - run: yarn --frozen-lockfile --network-timeout 1000000
      - run: yarn test

  acceptance:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        node-version: [16.x]
        os: [ubuntu-latest, macos-latest]
    environment: AcceptanceTests
    env:
      RUN_ACCEPTANCE_TESTS: true
      HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: yarn
      - run: yarn --frozen-lockfile --network-timeout 1000000
      - name: Build packages
        run: yarn lerna run prepack
      - run: ./bin/run whoami
      - run: yarn lerna run test:acceptance

  # dummy job needed to pass changeling compliance because it only watches one build
  done:
    runs-on: macos-latest
    needs: [test, acceptance]
    steps:
      - run: echo done
        working-directory: /

  pack_deb:
    if: github.ref == 'refs/heads/master' || (github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta'))
    # ubuntu started using a compression method after this version that debian currently does not support
    # https://github.com/heroku/cli/pull/2245#issue-1590017122
    runs-on: ubuntu-20.04
    env:
      HEROKU_AUTHOR: 'Heroku'
    steps:
      - uses: actions/checkout@v3
      - name: Install system deps
        run: |
          sudo apt-get update
          sudo apt-get install -y nsis p7zip-full
      - run: sudo mkdir -p /build
      - name: Install package deps
        run: |
          cp yarn.lock packages/cli
          cd packages/cli
          yarn --frozen-lockfile --network-timeout 1000000
      - name: Building deb
        run: ./scripts/pack/deb
      - uses: actions/upload-artifact@v3
        with:
          name: packed-deb
          path: /home/runner/work/cli/cli/packages/cli/dist

  pack_tarballs:
    if: github.ref == 'refs/heads/master' || (github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install system deps
        run: |
          sudo apt-get update
          sudo apt-get install -y nsis p7zip-full
      - run: sudo mkdir -p /build
      - name: Install package deps
        run: |
          cp yarn.lock packages/cli
          cd packages/cli
          yarn --frozen-lockfile --network-timeout 1000000
      - name: Building tarballs
        run: ./scripts/pack/tarballs
      - uses: actions/upload-artifact@v3
        with:
          name: packed-tarballs
          path: /home/runner/work/cli/cli/packages/cli/dist

  sign_deb:
    needs: [pack_deb]
    if: github.ref == 'refs/heads/master' || (github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta'))
    runs-on: ubuntu-latest
    environment: SignDebian
    env:
      HEROKU_DEB_SECRET_KEY: ${{ secrets.HEROKU_DEB_SECRET_KEY }}
      HEROKU_DEB_SIGNING_PASSWORD: ${{ secrets.HEROKU_DEB_SIGNING_PASSWORD }}
      HEROKU_DEB_KEY_ID: ${{ secrets.HEROKU_DEB_KEY_ID }}
      HEROKU_DEB_PUBLIC_KEY: ${{ secrets.HEROKU_DEB_PUBLIC_KEY }}
    steps:
      - uses: actions/checkout@v3
      - run: sudo mkdir -p /build
      - uses: actions/download-artifact@v3
        with:
          name: packed-deb
          path: /home/runner/work/cli/cli/packages/cli/dist
      - run: |
          cd /home/runner/work/cli/cli/packages/cli/dist/deb
          /home/runner/work/cli/cli/packages/cli/scripts/sign/deb
      - uses: actions/upload-artifact@v3
        with:
          name: signed-deb
          path: /home/runner/work/cli/cli/packages/cli/dist


  # TODO: the circle job ran `install_scripts` but this isn't, do we need to add that?
  release-deb-and-tarballs:
    needs: [test, acceptance, sign_deb, pack_tarballs]
    if: github.ref == 'refs/heads/master' || (github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta'))
    runs-on: ubuntu-latest
    environment: CLIS3BucketAndCloudfront
    env:
      CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
      HEROKU_S3_BUCKET: ${{ secrets.HEROKU_S3_BUCKET }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_EC2_METADATA_DISABLED: true
    steps:
      - uses: actions/checkout@v3
      - run: sudo mkdir -p /build
      - uses: actions/download-artifact@v3
        with:
          name: signed-deb
          path: /home/runner/work/cli/cli/packages/cli/dist

      - uses: actions/download-artifact@v3
        with:
          name: packed-tarballs
          path: /home/runner/work/cli/cli/packages/cli/dist
      - name: List all the downloaded files (for debugging)
        run: ls -R
        working-directory: /home/runner/work/cli/cli/packages/cli/dist
      - run: |
          sudo apt-get update
          sudo apt-get install -y awscli
      - name: yarn install
        run: |
          cp yarn.lock packages/cli
          cd packages/cli
          yarn --frozen-lockfile --prefer-offline --network-timeout 1000000
      - name: Upload production artifacts
        run: |
          cd packages/cli
          pwd
          ./scripts/release/tarballs
          ./scripts/release/deb
      - uses: actions/upload-artifact@v3
        with:
          name: all-dist
          path: /home/runner/work/cli/cli/packages/cli/dist

  ## POST release jobs
  invalidate-cdn-cache:
    needs: [release-deb-and-tarballs]
    if: github.ref == 'refs/heads/master' || (github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta'))
    runs-on: ubuntu-latest
    environment: CLIS3BucketAndCloudfront
    env:
      CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
      HEROKU_S3_BUCKET: ${{ secrets.HEROKU_S3_BUCKET }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_EC2_METADATA_DISABLED: true
    steps:
      - uses: actions/checkout@v3
      - run: |
          sudo apt-get update
          sudo apt-get install -y awscli
          aws configure set preview.cloudfront true
      - run: ./scripts/postrelease/invalidate_cdn_cache

  release-homebrew:
    needs: [release-deb-and-tarballs]
    if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta')
    runs-on: ubuntu-latest
    environment: ReleaseHomebrew
    steps:
      - uses: actions/checkout@v3
      - uses: webfactory/ssh-agent@v0.5.4
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - uses: actions/download-artifact@v3
        with:
          name: all-dist
          path: /home/runner/work/cli/cli/packages/cli/dist
      - name: List all the downloaded files (for debugging)
        run: ls -R
        working-directory: /home/runner/work/cli/cli/packages/cli/dist
      - run: |
          cp yarn.lock packages/cli
          cd packages/cli
          yarn --frozen-lockfile --network-timeout 1000000
          ./scripts/release/homebrew.js

  change-management:
    needs: [release-deb-and-tarballs]
    if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v' ) && !contains(github.ref_name, 'beta')
    runs-on: ubuntu-latest
    environment: ChangeManagement
    env:
      TPS_API_APP_ID: ${{ secrets.TPS_API_APP_ID }}
      TPS_API_RELEASE_ACTOR_EMAIL: ${{ secrets.TPS_API_RELEASE_ACTOR_EMAIL }}
      TPS_API_STAGE: ${{ secrets.TPS_API_STAGE }}
      TPS_API_TOKEN_PARAM: ${{ secrets.TPS_API_TOKEN_PARAM }}
      TPS_API_URL_PARAM: ${{ secrets.TPS_API_URL_PARAM }}
    steps:
      - uses: actions/checkout@v3
      - run: |
          yarn --frozen-lockfile --network-timeout 1000000
          ./scripts/postrelease/change_management