Merge pull request #551 from ForgeRock/SDKS-4448-update-publish

SDKS-4448: Update CI/CD

Author: ancheetah

.github/actions/setup-publish/action.yml

@@ -0,0 +1,76 @@
+name: Setup publish
+description: Setup steps for publishing packages
+
+inputs:
+  branch:
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ inputs.branch }}
+
+    - name: Install pnpm
+      uses: pnpm/action-setup@v4
+      with:
+        run_install: false # don't install any packages yet
+
+    - name: Install Node.js
+      uses: actions/setup-node@v4
+      id: cache
+      with:
+        node-version: '.node-version'
+        cache: 'pnpm' # package manager for caching
+        registry-url: 'https://registry.npmjs.org'
+
+    # Update npm to latest for provenance
+    - name: Update npm
+      run: npm install -g npm@latest
+
+    - name: Install dependencies from lockfile
+      run: pnpm install --frozen-lockfile
+
+    # Allocate nx tasks across multiple machines/agents in the cloud
+    # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
+    # https://nx.dev/docs/features/ci-features/distribute-task-execution
+    - name: Enable distribution of nx tasks to cloud agents
+      run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
+      env:
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+    # https://github.com/microsoft/playwright/issues/7249#issuecomment-1256878540
+    - name: Cache Playwright browsers
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-playwright-
+
+    - name: Install Playwright browsers
+      run: pnpm exec playwright install
+
+    - name: Derive SHAs for `nx affected`
+      uses: nrwl/nx-set-shas@v4
+      with:
+        main-branch-name: master
+
+    - name: Run build, lint, test, and e2e for projects changed
+      run: pnpm exec nx affected -t build lint test e2e-ci --agents
+
+    - name: Save Playwright test results
+      uses: actions/upload-artifact@v4
+      if: ${{ !cancelled() }}
+      with:
+        name: playwright-report
+        path: |
+          ./dist/.playwright/**
+          ./dist/**
+        retention-days: 30
+
+    - name: Ensure builds for all packages before publishing
+      run: pnpm exec nx run-many -t build --no-agents # --no-agents to run in CI without distributing to agents

.github/workflows/ci-fork.yml

@@ -0,0 +1,57 @@
+name: ForgeRock Fork Pull Request CI
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  pr:
+    # Only run for forks
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # head commit is fine; the default merge ref also works on pull_request
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+
+      - run: pnpm install --frozen-lockfile
+
+      # Restore-only cache to avoid save attempts/noise on forks
+      - name: Restore Playwright browsers cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - run: pnpm exec playwright install --with-deps
+
+      - uses: nrwl/nx-set-shas@v4
+
+      # Needed so nx affected can diff against main
+      - run: git branch --track main origin/main || true
+
+      - run: pnpm nx format:check
+      - run: pnpm nx affected -t build typecheck lint test e2e-ci

.github/workflows/ci.yml

@@ -7,6 +7,7 @@ env:
   NX_CLOUD_DISTRIBUTED_EXECUTION: true
 jobs:
   pr:
+    if: ${{github.event.pull_request.head.repo.full_name == github.repository}}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/publish.yml

@@ -4,86 +4,76 @@ on:
     branches:
       - master
       - develop
+  workflow_dispatch:
+    inputs:
+      snapshot_tag:
+        description: 'changesets snapshot tag (beta/canary)'
+        required: false
+        default: 'beta'
+        type: string
+      npm_tag:
+        description: 'npm tag for publishing snapshot'
+        required: false
+        default: 'beta'
+        type: string
+      npm_access:
+        description: 'access level for publishing snapshot to npm'
+        required: false
+        default: 'public'
+        type: choice
+        options:
+          - public
+          - restricted
 env:
   NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-  NX_CLOUD_DISTRIBUTED_EXECUTION: true
-  PNPM_CACHE_FOLDER: .pnpm-store
-  NPM_ACCESS_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
   HUSKY: 0
+  CI: true
 
 jobs:
+  # On push to develop/master, create or update release PR or publish to npm
   publish-or-pr:
+    if: github.event_name == 'push'
+    name: Create/update release PR or publish to npm
     permissions:
       contents: write #  to create release (changesets/action)
       issues: write # to post issue comments (changesets/action)
       pull-requests: write #  to create pull request (changesets/action)
-      id-token: write # give id token write for provenance
+      id-token: write # OIDC for provenance if npm publish happens here
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Setup publish
+        uses: ./.github/actions/setup-publish
         with:
-          fetch-depth: 0
-      - uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-      - uses: actions/setup-node@v4
-        id: cache
-        with:
-          node-version: '20.10.0'
-          cache: 'pnpm'
-
-      - run: pnpm install --frozen-lockfile
-
-      # This line enables distribution
-      # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
-      - run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --verbose
-
-      - run: pnpm exec playwright install
-
-      - uses: nrwl/nx-set-shas@v4
-        with:
-          main-branch-name: master
+          branch: ${{ github.ref_name }}
 
-      - name: setup pnpm config
-        run: pnpm config set store-dir $PNPM_CACHE_FOLDER
-
-      - run: pnpm exec nx affected -t build lint test e2e-ci --verbose
-
-      - uses: actions/upload-artifact@v4
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report
-          path: |
-            ./dist/.playwright/**
-            ./dist/**
-          retention-days: 30
-
-      # make sure we have a build.
-      - run: pnpm exec nx run-many -t build
-        env:
-          NX_CLOUD_DISTRIBUTED_EXECUTION: false
-
-      - run: git status
-      - name: publish
+      # This action creates a release pull request with all of
+      # the package versions and changelogs updated. When there
+      # are new changesets on your configured baseBranch, the PR will
+      # be updated. When you're ready, you can merge the release PR
+      # and the action will publish to npm for you.
+      # https://github.com/changesets/action
+      - name: Create/update release PR or publish to npm
         uses: changesets/action@v1
         id: changesets
         with:
-          publish: pnpm ci:release
-          version: pnpm ci:version
-          title: Release PR
-          branch: master
-          commit: 'chore: version-packages'
+          publish: pnpm ci:release # command to tag and publish packages
+          version: pnpm ci:version # command to update version, edit changelog, read and delete changesets
+          title: Release PR # title for the release PR
+          commit: 'chore: version-packages' # the commit message to use
           setupGitUser: true
         env:
-          # See https://github.com/changesets/action/issues/147
-          HOME: ${{ github.workspace }}
+          HOME: ${{ github.workspace }} # See https://github.com/changesets/action/issues/147
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_CONFIG_PROVENANCE: 'true'
           NPM_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
 
-      - name: rebase develop with main on publish
-        if: ${{ steps.changesets.outputs.published == 'true' }}
+      - name: Publish previews to Stackblitz on PR
+        if: steps.changesets.outputs.published == 'false'
+        run: pnpm pkg-pr-new publish './packages/*' --packageManager=pnpm --comment=off
+
+      - name: Rebase develop with master on publish
+        if: steps.changesets.outputs.published == 'true'
         run: |
           git restore .
           git checkout master
@@ -95,10 +85,52 @@ jobs:
           git rebase master
           git push -f
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Send GitHub Action data to a Slack workflow
+        if: steps.changesets.outputs.published == 'true'
+        uses: slackapi/[email protected]
+        with:
+          payload-delimiter: '_'
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: webhook-trigger
+          payload: |
+            text: ${{ steps.changesets.outputs.publishedPackages }}
 
-      - uses: codecov/codecov-action@v5
+      - name: Run code coverage
+        uses: codecov/codecov-action@v5
         with:
           files: ./packages/**/coverage/*.xml
           token: ${{ secrets.CODECOV_TOKEN }}
+
+  snapshot:
+    # On manual trigger of GH action, publish a snapshot release to npm
+    if: github.event_name == 'workflow_dispatch'
+    name: Publish snapshot/beta release to npm
+    permissions:
+      contents: read
+      id-token: write # OIDC for provenance when npm publish happens
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup publish
+        uses: ./.github/actions/setup-publish
+        with:
+          branch: ${{ github.ref_name }}
+
+      - name: Version packages for snapshot
+        run: pnpm changeset version --snapshot ${{ inputs.snapshot_tag }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+      - name: Publish packages snapshot with npm_tag
+        run: pnpm publish -r --tag ${{ inputs.npm_tag }} --no-git-checks --access ${{ inputs.npm_access }}
+
+      - name: Send GitHub Action data to a Slack workflow
+        if: steps.changesets.outputs.published == 'true'
+        uses: slackapi/[email protected]
+        with:
+          payload-delimiter: '_'
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: webhook-trigger
+          payload: |
+            text: ${{ steps.changesets.outputs.publishedPackages }}

.node-version

@@ -1 +1 @@
-v20
+20

contributing_docs/releases.md

@@ -95,3 +95,7 @@ We provide verdaccio two ways:
   topological graph.
 
 - Publishing to a hosted private registry: Please message @ryanbas21 on slack.
+
+## Publishing a beta
+
+You can trigger a beta publish manually via the `publish.yml` GitHub action. In GitHub, select the `Actions` tab then the `Publish` workflow. Then select the `Run workflow` dropdown on the right-hand side. Select the branch you want to release in the `Use workflow from` dropdown, then fill out the beta release options. Click `Run workflow` and the action will automatically release the changeset snapshot to npm.

package.json

@@ -93,6 +93,7 @@
     "mkcert": "^3.2.0",
     "npm-cli-login": "^1.0.0",
     "nx": "20.3.3",
+    "pkg-pr-new": "^0.0.60",
     "playwright": "^1.47.2",
     "prettier": "^3.2.5",
     "pretty-quick": "^4.0.0",