chore: add gpg logic to other node versions workflow (#3928)

lerna · Dec 30, 2023 · 3d747a1 · 3d747a1
1 parent c2f48c7
commit 3d747a1
Showing 1 changed file with 48 additions and 20 deletions.
diff --git a/.github/workflows/other-node-versions.yml b/.github/workflows/other-node-versions.yml
@@ -13,7 +13,6 @@ concurrency:
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
   NX_CLOUD_DISTRIBUTED_EXECUTION: true
-  NX_BRANCH: ${{ github.event.number || github.ref_name }}
   NX_VERBOSE_LOGGING: false
 
 jobs:
@@ -35,25 +34,19 @@ jobs:
     name: Nx Cloud - Main Job - node-${{ matrix.node }}
     needs: set-node-versions
     runs-on: ubuntu-latest
+    env:
+      NX_CI_EXECUTION_ENV: linux-node-${{ matrix.node }}
     strategy:
       # Do not kill all versions of node just because one version failed
       fail-fast: false
       matrix:
         node: ${{ fromJson(needs.set-node-versions.outputs.node-versions) }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: nrwl/nx-set-shas@v3
-
-      - name: Set NX_RUN_GROUP
-        shell: bash
-        run: echo "NX_RUN_GROUP=$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT-node-${{ matrix.node }}" >> $GITHUB_ENV
-
-      - name: Log NX_RUN_GROUP
-        shell: bash
-        run: echo "NX_RUN_GROUP is ${{ env.NX_RUN_GROUP }}"
+      - uses: nrwl/nx-set-shas@v4
 
       - name: Install node v${{ matrix.node }} and dependencies
         uses: ./.github/actions/install-node-and-dependencies
@@ -120,9 +113,11 @@ jobs:
         run: npx nx prepare-for-e2e e2e-run-task-runner && e2e/run/task-runner/src/run-tests.sh
         shell: bash
         env:
+          # Silently disable nx cloud for task runner e2e (using NX_NO_CLOUD produces a warning log)
+          NX_CLOUD_ACCESS_TOKEN: ""
           NX_CLOUD_DISTRIBUTED_EXECUTION: false
 
-      - name: Stop all running agents for Nx Run Group ${{ env.NX_RUN_GROUP }}
+      - name: Stop all running agents
         # It's important that we always run this step, otherwise in the case of any failures in preceding non-Nx steps, the agents will keep running and waste billable minutes
         if: ${{ always() }}
         run: npx nx-cloud stop-all-agents
@@ -142,6 +137,8 @@ jobs:
     name: Nx Cloud - Agent - node-${{ matrix.node }}-agent-${{ matrix.agent }}
     needs: set-node-versions
     runs-on: ubuntu-latest
+    env:
+      NX_CI_EXECUTION_ENV: linux-node-${{ matrix.node }}
     strategy:
       # Do not kill all versions of node just because one version failed
       fail-fast: false
@@ -150,20 +147,41 @@ jobs:
         # Create 4 agents per node version
         agent: [1, 2, 3, 4]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Configure git metadata
         run: |
           git config --global user.email test@example.com
           git config --global user.name "Tester McPerson"
 
-      - name: Set NX_RUN_GROUP
-        shell: bash
-        run: echo "NX_RUN_GROUP=$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT-node-${{ matrix.node }}" >> $GITHUB_ENV
+      - name: Generate and configure GPG for signing commits and tags in E2E tests
+        run: |
+          # Generate a GPG key for test@example.com and store the output from stderr
+          GPG_OUTPUT=$(echo "Key-Type: default
+          Key-Length: 2048
+          Subkey-Type: default
+          Subkey-Length: 2048
+          Name-Real: Tester McPerson
+          Name-Email: test@example.com
+          Expire-Date: 0
+          %no-protection" | gpg --pinentry-mode loopback --batch --generate-key 2>&1)
 
-      - name: Log NX_RUN_GROUP
-        shell: bash
-        run: echo "NX_RUN_GROUP is ${{ env.NX_RUN_GROUP }}"
+          # Find and extract the revocation file path from sdterr
+          REVOCATION_FILE=$(echo "$GPG_OUTPUT" | grep '.rev' | tr '\n' ' ' | awk -F "'" '{print $4}')
+
+          # Get the GPG key ID and the full fingerprint
+          export GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{print $2}' | cut -d'/' -f2)
+          export GPG_FULL_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep "$GPG_KEY_ID" | grep -v "sec" | awk '{print $1}' | cut -d'/' -f2)
+
+          # Export fingerprint and the path to the revocation file to GITHUB_ENV
+          # This allows the last step in this job to revoke and delete the key
+          echo "GPG_FULL_KEY_ID=$GPG_FULL_KEY_ID" >> $GITHUB_ENV
+          echo "REVOCATION_FILE=$REVOCATION_FILE" >> $GITHUB_ENV
+
+          # Setup git signing for commits and tags
+          git config commit.gpgsign true
+          git config tag.gpgsign true
+          git config --global user.signingkey $GPG_KEY_ID
 
       - name: Install node v${{ matrix.node }} and dependencies
         uses: ./.github/actions/install-node-and-dependencies
@@ -179,4 +197,14 @@ jobs:
         run: npx nx-cloud start-agent
         env:
           NX_AGENT_NAME: node-${{ matrix.node }}-agent-${{ matrix.agent }}
-          NX_RUN_GROUP: ${{ env.NX_RUN_GROUP }}
+
+      - name: Revoke and delete GPG key
+        # It's important that we always run this step, otherwise the key will remain active if any of the steps above fail
+        if: ${{ always() }}
+        run: |
+          # As instructed in the text of revocation file, there is a colon that needs to be removed manually
+          sed -i "s/:-----BEGIN PGP PUBLIC KEY BLOCK-----/-----BEGIN PGP PUBLIC KEY BLOCK-----/" $REVOCATION_FILE
+
+          # Revoke the key and delete it
+          gpg --yes --import $REVOCATION_FILE
+          gpg --batch --yes --delete-secret-and-public-key $GPG_FULL_KEY_ID