@node-core/utils 5.6.0 → 5.8.0

package/components/git/release.js

@@ -1,14 +1,31 @@
+import auth from '../../lib/auth.js';
 import CLI from '../../lib/cli.js';
 import ReleasePreparation from '../../lib/prepare_release.js';
+import ReleasePromotion from '../../lib/promote_release.js';
+import TeamInfo from '../../lib/team_info.js';
+import Request from '../../lib/request.js';
 import { runPromise } from '../../lib/run.js';
 
-export const command = 'release [newVersion|options]';
+export const command = 'release [prid|options]';
 export const describe = 'Manage an in-progress release or start a new one.';
 
 const PREPARE = 'prepare';
 const PROMOTE = 'promote';
+const RELEASERS = 'releasers';
 
 const releaseOptions = {
+  filterLabel: {
+    describe: 'Labels separated by "," to filter security PRs',
+    type: 'string'
+  },
+  'gpg-sign': {
+    describe: 'GPG-sign commits, will be passed to the git process',
+    alias: 'S'
+  },
+  newVersion: {
+    describe: 'Version number of the release to be prepared',
+    type: 'string'
+  },
   prepare: {
     describe: 'Prepare a new release of Node.js',
     type: 'boolean'
@@ -21,14 +38,16 @@ const releaseOptions = {
     describe: 'Default relase date when --prepare is used. It must be YYYY-MM-DD',
     type: 'string'
   },
+  run: {
+    describe: 'Run steps that involve touching more than the local clone, ' +
+           'including `git push` commands. Might not work if a passphrase ' +
+           'required to push to the remote clone.',
+    type: 'boolean'
+  },
   security: {
     describe: 'Demarcate the new security release as a security release',
     type: 'boolean'
   },
-  filterLabel: {
-    describe: 'Labels separated by "," to filter security PRs',
-    type: 'string'
-  },
   skipBranchDiff: {
     describe: 'Skips the initial branch-diff check when preparing releases',
     type: 'boolean'
@@ -49,11 +68,16 @@ let yargsInstance;
 export function builder(yargs) {
   yargsInstance = yargs;
   return yargs
-    .options(releaseOptions).positional('newVersion', {
-      describe: 'Version number of the release to be prepared or promoted'
+    .options(releaseOptions).positional('prid', {
+      describe: 'PR number or URL of the release proposal to be promoted',
+      type: 'string'
     })
-    .example('git node release --prepare 1.2.3',
-      'Prepare a release of Node.js tagged v1.2.3')
+    .example('git node release --prepare --security',
+      'Prepare a new security release of Node.js with auto-determined version')
+    .example('git node release --prepare --newVersion=1.2.3',
+      'Prepare a new release of Node.js tagged v1.2.3')
+    .example('git node release --promote 12345',
+      'Promote a prepared release of Node.js with PR #12345')
     .example('git node --prepare --startLTS',
       'Prepare the first LTS release');
 }
@@ -88,17 +112,21 @@ function release(state, argv) {
 }
 
 async function main(state, argv, cli, dir) {
+  const prID = /^(?:https:\/\/github\.com\/nodejs\/node\/pull\/)?(\d+)$/.exec(argv.prid);
+  if (prID) {
+    argv.prid = Number(prID[1]);
+  }
   if (state === PREPARE) {
-    const prep = new ReleasePreparation(argv, cli, dir);
+    const release = new ReleasePreparation(argv, cli, dir);
 
-    await prep.prepareLocalBranch();
+    await release.prepareLocalBranch();
 
-    if (prep.warnForWrongBranch()) return;
+    if (release.warnForWrongBranch()) return;
 
     // If the new version was automatically calculated, confirm it.
     if (!argv.newVersion) {
       const create = await cli.prompt(
-        `Create release with new version ${prep.newVersion}?`,
+        `Create release with new version ${release.newVersion}?`,
         { defaultAnswer: true });
 
       if (!create) {
@@ -107,8 +135,30 @@ async function main(state, argv, cli, dir) {
       }
     }
 
-    return prep.prepare();
+    return release.prepare();
   } else if (state === PROMOTE) {
-    // TODO(codebytere): implement release promotion.
+    const credentials = await auth({ github: true });
+    const request = new Request(credentials);
+    const release = new ReleasePromotion(argv, request, cli, dir);
+
+    cli.startSpinner('Verifying Releaser status');
+    const info = new TeamInfo(cli, request, 'nodejs', RELEASERS);
+
+    const releasers = await info.getMembers();
+    if (release.username === undefined) {
+      cli.stopSpinner('Failed to verify Releaser status');
+      cli.info(
+        'Username was undefined - do you have your .ncurc set up correctly?');
+      return;
+    } else if (releasers.every(r => r.login !== release.username)) {
+      cli.stopSpinner(`${release.username} is not a Releaser`, 'failed');
+      if (!argv.dryRun) {
+        throw new Error('aborted');
+      }
+    } else {
+      cli.stopSpinner(`${release.username} is a Releaser`);
+    }
+
+    return release.promote();
   }
 }

package/components/git/security.js

@@ -29,8 +29,8 @@ const securityOptions = {
     type: 'string'
   },
   'pre-release': {
-    describe: 'Create the pre-release announcement',
-    type: 'boolean'
+    describe: 'Create the pre-release announcement to the given nodejs.org folder',
+    type: 'string'
   },
   'notify-pre-release': {
     describe: 'Notify the community about the security release',
@@ -41,8 +41,8 @@ const securityOptions = {
     type: 'boolean'
   },
   'post-release': {
-    describe: 'Create the post-release announcement',
-    type: 'boolean'
+    describe: 'Create the post-release announcement to the given nodejs.org folder',
+    type: 'string'
   },
   cleanup: {
     describe: 'cleanup the security release.',
@@ -73,7 +73,7 @@ export function builder(yargs) {
       'git node security --remove-report=H1-ID',
       'Removes the Hackerone report based on ID provided from vulnerabilities.json'
     ).example(
-      'git node security --pre-release',
+      'git node security --pre-release="../nodejs.org/"',
       'Create the pre-release announcement on the Nodejs.org repo'
     ).example(
       'git node security --notify-pre-release',
@@ -83,7 +83,7 @@ export function builder(yargs) {
       'Request CVEs for a security release of Node.js based on' +
       ' the next-security-release/vulnerabilities.json'
     ).example(
-      'git node security --post-release',
+      'git node security --post-release="../nodejs.org/"',
       'Create the post-release announcement on the Nodejs.org repo'
     ).example(
       'git node security --cleanup',
@@ -149,11 +149,12 @@ async function updateReleaseDate(argv) {
   return update.updateReleaseDate(releaseDate);
 }
 
-async function createPreRelease() {
+async function createPreRelease(argv) {
+  const nodejsOrgFolder = argv['pre-release'];
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
   const preRelease = new SecurityBlog(cli);
-  return preRelease.createPreRelease();
+  return preRelease.createPreRelease(nodejsOrgFolder);
 }
 
 async function requestCVEs() {
@@ -163,11 +164,12 @@ async function requestCVEs() {
   return hackerOneCve.requestCVEs();
 }
 
-async function createPostRelease() {
+async function createPostRelease(argv) {
+  const nodejsOrgFolder = argv['post-release'];
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
   const blog = new SecurityBlog(cli);
-  return blog.createPostRelease();
+  return blog.createPostRelease(nodejsOrgFolder);
 }
 
 async function startSecurityRelease() {

package/components/git/v8.js

@@ -44,10 +44,22 @@ export function builder(yargs) {
             describe: 'Bump V8 embedder version number or patch version',
             default: true
           })
+          .option('gpg-sign', {
+            alias: 'S',
+            type: 'boolean',
+            describe: 'GPG-sign commits',
+            default: false
+          })
+          .option('preserve-original-author', {
+            type: 'boolean',
+            describe: 'Preserve original commit author and date',
+            default: true
+          })
           .option('squash', {
             type: 'boolean',
             describe:
-                'If multiple commits are backported, squash them into one',
+                'If multiple commits are backported, squash them into one. When ' +
+                '`--squash` is passed, `--preserve-original-author` will be ignored',
             default: false
           });
       }
@@ -88,7 +100,7 @@ export function handler(argv) {
       input,
       spawnArgs: {
         cwd: options.nodeDir,
-        stdio: input ? ['pipe', 'ignore', 'ignore'] : 'ignore'
+        stdio: input ? ['pipe', 'inherit', 'inherit'] : 'inherit'
       }
     });
   };
@@ -97,7 +109,7 @@ export function handler(argv) {
     return forceRunAsync('git', args, {
       ignoreFailure: false,
       captureStdout: true,
-      spawnArgs: { cwd: options.v8Dir, stdio: ['ignore', 'pipe', 'ignore'] }
+      spawnArgs: { cwd: options.v8Dir, stdio: ['ignore', 'pipe', 'inherit'] }
     });
   };
 

package/components/git/wpt.js

@@ -52,7 +52,7 @@ async function main(argv) {
   if (fs.existsSync(statusFolder)) {
     const jsons = fs.readdirSync(statusFolder);
     supported = supported.concat(
-      jsons.map(item => item.replace('.json', '')));
+      jsons.map(item => path.basename(item, path.extname(item))));
   } else {
     cli.warn(`Please create the status JSON files in ${statusFolder}`);
   }

package/lib/prepare_release.js

@@ -167,7 +167,11 @@ export default class ReleasePreparation extends Session {
       return this.prepareSecurity();
     }
 
-    if (this.runBranchDiff) {
+    const runBranchDiff = await cli.prompt(
+      'Do you want to check if any additional commits could be backported ' +
+      '(recommended except for Maintenance releases)?',
+      { defaultAnswer: this.runBranchDiff });
+    if (runBranchDiff) {
       // TODO: UPDATE re-use
       // Check the branch diff to determine if the releaser
       // wants to backport any more commits before proceeding.
@@ -363,6 +367,16 @@ export default class ReleasePreparation extends Session {
       runSync('git', ['fetch', this.upstream, 'tag', '-n', tagName]);
       this.cli.stopSpinner(`Tag fetched: ${tagName}`);
     }
+    try {
+      if (runSync('git', ['describe', '--abbrev=0', '--tags']).trim() !== tagName) {
+        this.cli.warn(`${tagName} is not the closest tag`);
+      }
+    } catch {
+      this.cli.startSpinner(`${tagName} is unreachable from the current HEAD`);
+      runSync('git', ['fetch', '--shallow-exclude', tagName, this.upstream, this.branch]);
+      runSync('git', ['fetch', '--deepen=1', this.upstream, this.branch]);
+      this.cli.stopSpinner('Local clone unshallowed');
+    }
     return tagName;
   }
 

package/lib/promote_release.js

@@ -0,0 +1,493 @@
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import semver from 'semver';
+import * as gst from 'git-secure-tag';
+
+import { forceRunAsync } from './run.js';
+import PRData from './pr_data.js';
+import PRChecker from './pr_checker.js';
+import Session from './session.js';
+import { existsSync } from 'node:fs';
+
+const dryRunMessage = 'You are running in dry-run mode, meaning NCU will not run ' +
+                      'the `git push` commands, you would need to copy-paste the ' +
+                      'following command in another terminal window. Alternatively, ' +
+                      'pass `--run` flag to ask NCU to run the command for you ' +
+                      '(might not work if you need to type a passphrase to push to the remote).';
+
+export default class ReleasePromotion extends Session {
+  constructor(argv, req, cli, dir) {
+    super(cli, dir, argv.prid);
+    this.req = req;
+    this.dryRun = !argv.run;
+    this.isLTS = false;
+    this.ltsCodename = '';
+    this.date = '';
+    this.gpgSign = argv?.['gpg-sign']
+      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
+      : [];
+  }
+
+  get branch() {
+    return this.defaultBranch ?? this.config.branch;
+  }
+
+  async getDefaultBranch() {
+    const { repository: { defaultBranchRef } } = await this.req.gql(
+      'DefaultBranchRef',
+      { owner: this.owner, repo: this.repo });
+    return defaultBranchRef.name;
+  }
+
+  async promote() {
+    const { prid, cli } = this;
+
+    // In the promotion stage, we can pull most relevant data
+    // from the release commit created in the preparation stage.
+    // Verify that PR is ready to promote.
+    const {
+      githubCIReady,
+      isApproved,
+      jenkinsReady,
+      releaseCommitSha
+    } = await this.verifyPRAttributes();
+
+    this.releaseCommitSha = releaseCommitSha;
+
+    let localCloneIsClean = true;
+    const currentHEAD = await forceRunAsync('git', ['rev-parse', 'HEAD'],
+      { captureStdout: true, ignoreFailure: false });
+    if (currentHEAD.trim() !== releaseCommitSha) {
+      cli.warn('Current HEAD is not the release commit');
+      localCloneIsClean = false;
+    }
+    try {
+      await forceRunAsync('git', ['--no-pager', 'diff', '--exit-code'], { ignoreFailure: false });
+    } catch {
+      cli.warn('Some local changes have not been committed');
+      localCloneIsClean = false;
+    }
+    if (!localCloneIsClean) {
+      if (await cli.prompt('Should we reset the local HEAD to be the release proposal?')) {
+        cli.startSpinner('Fetching the proposal upstream...');
+        await forceRunAsync('git', ['fetch', this.upstream, releaseCommitSha],
+          { ignoreFailure: false });
+        await forceRunAsync('git', ['reset', releaseCommitSha, '--hard'], { ignoreFailure: false });
+        cli.stopSpinner('Local HEAD is now in sync with the proposal');
+      } else {
+        cli.error('Local clone is not ready');
+        throw new Error('Aborted');
+      }
+    }
+
+    await this.parseDataFromReleaseCommit();
+
+    const { version } = this;
+    cli.startSpinner('Verifying Jenkins CI status');
+    if (!jenkinsReady) {
+      cli.stopSpinner(
+        `Jenkins CI is failing for #${prid}`, cli.SPINNER_STATUS.FAILED);
+      const proceed = await cli.prompt('Do you want to proceed?');
+      if (!proceed) {
+        cli.warn(`Aborting release promotion for version ${version}`);
+        throw new Error('Aborted');
+      }
+    } else {
+      cli.stopSpinner('Jenkins CI is passing');
+    }
+
+    cli.startSpinner('Verifying GitHub CI status');
+    if (!githubCIReady) {
+      cli.stopSpinner(
+        `GitHub CI is failing for #${prid}`, cli.SPINNER_STATUS.FAILED);
+      const proceed = await cli.prompt('Do you want to proceed?');
+      if (!proceed) {
+        cli.warn(`Aborting release promotion for version ${version}`);
+        throw new Error('Aborted');
+      }
+    } else {
+      cli.stopSpinner('GitHub CI is passing');
+    }
+
+    cli.startSpinner('Verifying PR approval status');
+    if (!isApproved) {
+      cli.stopSpinner(
+        `#${prid} does not have sufficient approvals`,
+        cli.SPINNER_STATUS.FAILED);
+      const proceed = await cli.prompt('Do you want to proceed?');
+      if (!proceed) {
+        cli.warn(`Aborting release promotion for version ${version}`);
+        throw new Error('Aborted');
+      }
+    } else {
+      cli.stopSpinner(`#${prid} has necessary approvals`);
+    }
+
+    // Create and sign the release tag.
+    const shouldTagAndSignRelease = await cli.prompt(
+      'Tag and sign the release?');
+    if (!shouldTagAndSignRelease) {
+      cli.warn(`Aborting release promotion for version ${version}`);
+      throw new Error('Aborted');
+    }
+    await this.secureTagRelease();
+
+    // Set up for next release.
+    cli.startSpinner('Setting up for next release');
+    const workingOnNewReleaseCommit = await this.setupForNextRelease();
+    cli.stopSpinner('Successfully set up for next release');
+
+    // Cherry pick release commit to master.
+    const shouldCherryPick = await cli.prompt(
+      'Cherry-pick release commit to the default branch?', { defaultAnswer: true });
+    if (!shouldCherryPick) {
+      cli.warn(`Aborting release promotion for version ${version}`);
+      throw new Error('Aborted');
+    }
+    const appliedCleanly = await this.cherryPickToDefaultBranch();
+
+    // Ensure `node_version.h`'s `NODE_VERSION_IS_RELEASE` bit is not updated
+    await forceRunAsync('git', ['checkout',
+      appliedCleanly
+        ? 'HEAD^' // In the absence of conflict, the top of the remote branch is the commit before.
+        : 'HEAD', // In case of conflict, HEAD is still the top of the remove branch.
+      '--', 'src/node_version.h'],
+    { ignoreFailure: false });
+
+    if (appliedCleanly) {
+      // There were no conflicts, we have to amend the commit to revert the
+      // `node_version.h` changes.
+      await forceRunAsync('git', ['commit', ...this.gpgSign, '--amend', '--no-edit', '-n'],
+        { ignoreFailure: false });
+    } else {
+      // There will be remaining cherry-pick conflicts the Releaser will
+      // need to resolve, so confirm they've been resolved before
+      // proceeding with next steps.
+      cli.separator();
+      cli.info('Resolve the conflicts and commit the result');
+      cli.separator();
+      const didResolveConflicts = await cli.prompt(
+        'Finished resolving cherry-pick conflicts?', { defaultAnswer: true });
+      if (!didResolveConflicts) {
+        cli.warn(`Aborting release promotion for version ${version}`);
+        throw new Error('Aborted');
+      }
+    }
+
+    if (existsSync('.git/CHERRY_PICK_HEAD')) {
+      cli.info('Cherry-pick is still in progress, attempting to continue it.');
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, '--continue'],
+        { ignoreFailure: false });
+    }
+
+    // Validate release commit on the default branch
+    const releaseCommitOnDefaultBranch =
+      await forceRunAsync('git', ['show', 'HEAD', '--name-only', '--pretty=format:%s'],
+        { captureStdout: true, ignoreFailure: false });
+    const [commitTitle, ...modifiedFiles] = releaseCommitOnDefaultBranch.trim().split('\n');
+    await this.validateReleaseCommit(commitTitle);
+    if (modifiedFiles.some(file => !file.endsWith('.md'))) {
+      cli.warn('Some modified files are not markdown, that\'s unusual.');
+      cli.info(`The list of modified files: ${modifiedFiles.map(f => `- ${f}`).join('\n')}`);
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        throw new Error('Aborted');
+      }
+    }
+
+    // Push to the remote the release tag, and default, release, and staging branch.
+    await this.pushToRemote(workingOnNewReleaseCommit);
+
+    // Promote and sign the release builds.
+    await this.promoteAndSignRelease();
+
+    cli.separator();
+    cli.ok(`Release promotion for ${version} complete.\n`);
+    cli.info(
+      'To finish this release, you\'ll need to: \n' +
+      ` 1. Check the release at: https://nodejs.org/dist/v${version}\n` +
+      ' 2. Create the blog post for nodejs.org.\n' +
+      ' 3. Create the release on GitHub.\n' +
+      ' 4. Optionally, announce the release on your social networks.\n' +
+      ' 5. Tag @nodejs-social-team on #nodejs-release Slack channel.\n');
+
+    cli.separator();
+    cli.info('Use the following command to create the GitHub release:');
+    cli.separator();
+    cli.info(
+      'awk \'' +
+      `/^## ${this.date}, Version ${this.version.replaceAll('.', '\\.')} /,` +
+      '/^<a id="[0-9]+\\.[0-9]+\\.[0-9]+"><\\x2fa>$/{' +
+      'print buf; if(firstLine == "") firstLine = $0; else buf = $0' +
+    `}' doc/changelogs/CHANGELOG_V${
+      this.versionComponents.major}.md | gh release create v${this.version} --verify-tag --latest${
+        this.isLTS ? '=false' : ''} --title=${JSON.stringify(this.releaseTitle)} --notes-file -`);
+  }
+
+  async verifyPRAttributes() {
+    const { cli, prid, owner, repo, req } = this;
+
+    const data = new PRData({ prid, owner, repo }, cli, req);
+    await data.getAll();
+
+    const checker = new PRChecker(cli, data, { prid, owner, repo }, { maxCommits: 0 });
+    const jenkinsReady = checker.checkJenkinsCI();
+    const githubCIReady = checker.checkGitHubCI();
+    const isApproved = checker.checkReviewsAndWait(new Date(), false);
+
+    return {
+      githubCIReady,
+      isApproved,
+      jenkinsReady,
+      releaseCommitSha: data.commits.at(-1).commit.oid
+    };
+  }
+
+  async validateReleaseCommit(releaseCommitMessage) {
+    const { cli } = this;
+    const data = {};
+    // Parse out release date.
+    if (!/^\d{4}-\d{2}-\d{2}, Version \d/.test(releaseCommitMessage)) {
+      cli.error(`Invalid Release commit message: ${releaseCommitMessage}`);
+      throw new Error('Aborted');
+    }
+    data.date = releaseCommitMessage.slice(0, 10);
+    const systemDate = new Date().toISOString().slice(0, 10);
+    if (data.date !== systemDate) {
+      cli.warn(
+        `The release date (${data.date}) does not match the system date for today (${systemDate}).`
+      );
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        throw new Error('Aborted');
+      }
+    }
+
+    // Parse out release version.
+    data.version = releaseCommitMessage.slice(20, releaseCommitMessage.indexOf(' ', 20));
+    const version = semver.parse(data.version);
+    if (!version) {
+      cli.error(`Release commit contains invalid semantic version: ${data.version}`);
+      throw new Error('Aborted');
+    }
+
+    const { major, minor, patch } = version;
+    data.stagingBranch = `v${major}.x-staging`;
+    data.versionComponents = {
+      major,
+      minor,
+      patch
+    };
+
+    // Parse out LTS status and codename.
+    if (!releaseCommitMessage.endsWith(' (Current)')) {
+      const match = /'([^']+)' \(LTS\)$/.exec(releaseCommitMessage);
+      if (match == null) {
+        cli.error('Invalid release commit, it should match either Current or LTS release format');
+        throw new Error('Aborted');
+      }
+      data.isLTS = true;
+      data.ltsCodename = match[1];
+    }
+    return data;
+  }
+
+  async parseDataFromReleaseCommit() {
+    const { cli, releaseCommitSha } = this;
+
+    const releaseCommitMessage = await forceRunAsync('git', [
+      '--no-pager', 'log', '-1',
+      releaseCommitSha,
+      '--pretty=format:%s'], {
+      captureStdout: true,
+      ignoreFailure: false
+    });
+
+    const releaseCommitData = await this.validateReleaseCommit(releaseCommitMessage);
+
+    this.date = releaseCommitData.date;
+    this.version = releaseCommitData.version;
+    this.stagingBranch = releaseCommitData.stagingBranch;
+    this.versionComponents = releaseCommitData.versionComponents;
+    this.isLTS = releaseCommitData.isLTS;
+    this.ltsCodename = releaseCommitData.ltsCodename;
+
+    // Check if CHANGELOG show the correct releaser for the current release
+    const changeLogDiff = await forceRunAsync('git', [
+      '--no-pager', 'diff',
+      `${this.releaseCommitSha}^..${this.releaseCommitSha}`,
+      '--',
+      `doc/changelogs/CHANGELOG_V${this.versionComponents.major}.md`
+    ], { captureStdout: true, ignoreFailure: false });
+    const headingLine = /^\+## \d{4}-\d{2}-\d{2}, Version \d.+$/m.exec(changeLogDiff);
+    if (headingLine == null) {
+      cli.error('Cannot find section for the new release in CHANGELOG');
+      throw new Error('Aborted');
+    }
+    this.releaseTitle = headingLine[0].slice(4);
+    const expectedLine = `+## ${releaseCommitMessage}, @${this.username}`;
+    if (headingLine[0] !== expectedLine &&
+        !headingLine[0].startsWith(`${expectedLine} prepared by @`)) {
+      cli.error(
+        `Invalid section heading for CHANGELOG. Expected "${
+          expectedLine.slice(1)
+        }", found "${headingLine[0].slice(1)}`
+      );
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        throw new Error('Aborted');
+      }
+    }
+  }
+
+  async secureTagRelease() {
+    const { version, isLTS, ltsCodename, releaseCommitSha } = this;
+
+    const releaseInfo = isLTS ? `${ltsCodename} (LTS)` : '(Current)';
+
+    try {
+      await new Promise((resolve, reject) => {
+        const api = new gst.API(process.cwd());
+        api.sign(`v${version}`, releaseCommitSha, {
+          insecure: false,
+          m: `${this.date} Node.js v${version} ${releaseInfo} Release`
+        }, (err) => err ? reject(err) : resolve());
+      });
+    } catch (err) {
+      const tagCommitSHA = await forceRunAsync('git', [
+        'rev-parse', `refs/tags/v${version}^0`
+      ], { captureStdout: true, ignoreFailure: false });
+      if (tagCommitSHA.trim() !== releaseCommitSha) {
+        throw new Error(
+          `Existing version tag points to ${tagCommitSHA.trim()} instead of ${releaseCommitSha}`,
+          { cause: err }
+        );
+      }
+      await forceRunAsync('git', ['tag', '--verify', `v${version}`], { ignoreFailure: false });
+      this.cli.info('Using the existing tag');
+    }
+  }
+
+  // Set up the branch so that nightly builds are produced with the next
+  // version number and a pre-release tag.
+  async setupForNextRelease() {
+    const { versionComponents, prid } = this;
+
+    // Update node_version.h for next patch release.
+    const filePath = path.resolve('src', 'node_version.h');
+    const nodeVersionFile = await fs.open(filePath, 'r+');
+
+    const patchVersion = versionComponents.patch + 1;
+    let cursor = 0;
+    for await (const line of nodeVersionFile.readLines({ autoClose: false })) {
+      cursor += line.length + 1;
+      if (line === `#define NODE_PATCH_VERSION ${versionComponents.patch}`) {
+        await nodeVersionFile.write(`${patchVersion}`, cursor - 2, 'ascii');
+      } else if (line === '#define NODE_VERSION_IS_RELEASE 1') {
+        await nodeVersionFile.write('0', cursor - 2, 'ascii');
+        break;
+      }
+    }
+
+    await nodeVersionFile.close();
+
+    const workingOnVersion =
+      `v${versionComponents.major}.${versionComponents.minor}.${patchVersion}`;
+
+    // Create 'Working On' commit.
+    await forceRunAsync('git', ['add', filePath], { ignoreFailure: false });
+    await forceRunAsync('git', [
+      'commit',
+      ...this.gpgSign,
+      '-m',
+      `Working on ${workingOnVersion}`,
+      '-m',
+      `PR-URL: https://github.com/nodejs/node/pull/${prid}`
+    ], { ignoreFailure: false });
+    const workingOnNewReleaseCommit = await forceRunAsync('git', ['rev-parse', 'HEAD'],
+      { ignoreFailure: false, captureStdout: true });
+    return workingOnNewReleaseCommit.trim();
+  }
+
+  async pushToRemote(workingOnNewReleaseCommit) {
+    const { cli, dryRun, version, versionComponents, stagingBranch } = this;
+    const releaseBranch = `v${versionComponents.major}.x`;
+    const tagVersion = `v${version}`;
+
+    this.defaultBranch ??= await this.getDefaultBranch();
+
+    let prompt = `Push release tag and commits to ${this.upstream}?`;
+    if (dryRun) {
+      cli.info(dryRunMessage);
+      cli.info('Run the following command to push to remote:');
+      cli.info(`git push ${this.upstream} ${
+        this.defaultBranch} ${
+        tagVersion} ${
+        workingOnNewReleaseCommit}:refs/heads/${releaseBranch} ${
+        workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`);
+      cli.warn('Once pushed, you must not delete the local tag');
+      prompt = 'Ready to continue?';
+    }
+
+    const shouldPushTag = await cli.prompt(prompt, { defaultAnswer: true });
+    if (!shouldPushTag) {
+      cli.warn('Aborting release promotion');
+      throw new Error('Aborted');
+    } else if (dryRun) {
+      return;
+    }
+
+    cli.startSpinner('Pushing to remote');
+    await forceRunAsync('git', ['push', this.upstream, this.defaultBranch, tagVersion,
+      `${workingOnNewReleaseCommit}:refs/heads/${releaseBranch}`,
+      `${workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`],
+    { ignoreFailure: false });
+    cli.stopSpinner(`Pushed ${tagVersion}, ${this.defaultBranch}, ${
+      releaseBranch}, and ${stagingBranch} to remote`);
+    cli.warn('Now that it has been pushed, you must not delete the local tag');
+  }
+
+  async promoteAndSignRelease() {
+    const { cli, dryRun } = this;
+    let prompt = 'Promote and sign release builds?';
+
+    if (dryRun) {
+      cli.info(dryRunMessage);
+      cli.info('Run the following command to sign and promote the release:');
+      cli.info('./tools/release.sh -i <keyPath>');
+      prompt = 'Ready to continue?';
+    }
+    const shouldPromote = await cli.prompt(prompt, { defaultAnswer: true });
+    if (!shouldPromote) {
+      cli.warn('Aborting release promotion');
+      throw new Error('Aborted');
+    } else if (dryRun) {
+      return;
+    }
+
+    // TODO: move this to .ncurc
+    const defaultKeyPath = '~/.ssh/node_id_rsa';
+    const keyPath = await cli.prompt(
+      `Please enter the path to your ssh key (Default ${defaultKeyPath}): `,
+      { questionType: 'input', defaultAnswer: defaultKeyPath });
+
+    cli.startSpinner('Signing and promoting the release');
+    await forceRunAsync('./tools/release.sh', ['-i', keyPath], { ignoreFailure: false });
+    cli.stopSpinner('Release has been signed and promoted');
+  }
+
+  async cherryPickToDefaultBranch() {
+    this.defaultBranch ??= await this.getDefaultBranch();
+    const releaseCommitSha = this.releaseCommitSha;
+    await forceRunAsync('git', ['checkout', this.defaultBranch], { ignoreFailure: false });
+
+    await this.tryResetBranch();
+
+    // There might be conflicts, we do not want to treat this as a hard failure,
+    // but we want to retain that information.
+    try {
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, releaseCommitSha],
+        { ignoreFailure: false });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+}

package/lib/security_blog.js

@@ -11,12 +11,10 @@ import {
 import auth from './auth.js';
 import Request from './request.js';
 
-const kChanged = Symbol('changed');
-
 export default class SecurityBlog extends SecurityRelease {
   req;
 
-  async createPreRelease() {
+  async createPreRelease(nodejsOrgFolder) {
     const { cli } = this;
 
     // checkout on security release branch
@@ -45,14 +43,32 @@ export default class SecurityBlog extends SecurityRelease {
     };
     const month = releaseDate.toLocaleString('en-US', { month: 'long' }).toLowerCase();
     const year = releaseDate.getFullYear();
-    const fileName = `${month}-${year}-security-releases.md`;
+    const fileName = `${month}-${year}-security-releases`;
+    const fileNameExt = fileName + '.md';
     const preRelease = this.buildPreRelease(template, data);
-    const file = path.join(process.cwd(), fileName);
+
+    const pathToBlogPosts = 'apps/site/pages/en/blog/release';
+    const pathToBannerJson = 'apps/site/site.json';
+
+    const file = path.resolve(process.cwd(), nodejsOrgFolder, pathToBlogPosts, fileNameExt);
+    const site = path.resolve(process.cwd(), nodejsOrgFolder, pathToBannerJson);
+
+    const endDate = new Date(data.annoucementDate);
+    endDate.setDate(endDate.getDate() + 7);
+
+    this.updateWebsiteBanner(site, {
+      startDate: data.annoucementDate,
+      endDate: endDate.toISOString(),
+      text: `New security releases to be made available ${data.releaseDate}`,
+      link: `https://nodejs.org/en/blog/vulnerability/${fileName}`,
+      type: 'warning'
+    });
+
     fs.writeFileSync(file, preRelease);
-    cli.ok(`Pre-release announcement file created at ${file}`);
+    cli.ok(`Announcement file created and banner has been updated. Folder: ${nodejsOrgFolder}`);
   }
 
-  async createPostRelease() {
+  async createPostRelease(nodejsOrgFolder) {
     const { cli } = this;
     const credentials = await auth({
       github: true,
@@ -65,7 +81,7 @@ export default class SecurityBlog extends SecurityRelease {
     checkoutOnSecurityReleaseBranch(cli, this.repository);
 
     // read vulnerabilities JSON file
-    const content = this.readVulnerabilitiesJSON(cli);
+    const content = this.readVulnerabilitiesJSON();
     if (!content.releaseDate) {
       cli.error('Release date is not set in vulnerabilities.json,' +
         ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
@@ -76,47 +92,54 @@ export default class SecurityBlog extends SecurityRelease {
     const releaseDate = new Date(content.releaseDate);
     const template = this.getSecurityPostReleaseTemplate();
     const data = {
-      // TODO: read from pre-sec-release
-      annoucementDate: await this.getAnnouncementDate(cli),
+      annoucementDate: releaseDate.toISOString(),
       releaseDate: this.formatReleaseDate(releaseDate),
       affectedVersions: this.getAffectedVersions(content),
       vulnerabilities: this.getVulnerabilities(content),
       slug: this.getSlug(releaseDate),
-      author: await this.promptAuthor(cli),
+      author: 'The Node.js Project',
       dependencyUpdates: content.dependencies
     };
-    const postReleaseContent = await this.buildPostRelease(template, data, content);
 
-    const pathPreRelease = await this.promptExistingPreRelease(cli);
-    // read the existing pre-release announcement
-    let preReleaseContent = fs.readFileSync(pathPreRelease, 'utf-8');
+    const pathToBlogPosts = path.resolve(nodejsOrgFolder, 'apps/site/pages/en/blog/release');
+    const pathToBannerJson = path.resolve(nodejsOrgFolder, 'apps/site/site.json');
+
+    const preReleasePath = path.resolve(pathToBlogPosts, data.slug + '.md');
+    let preReleaseContent = this.findExistingPreRelease(preReleasePath);
+    if (!preReleaseContent) {
+      cli.error(`Existing pre-release not found! Path: ${preReleasePath} `);
+      process.exit(1);
+    }
+
+    const postReleaseContent = await this.buildPostRelease(template, data, content);
     // cut the part before summary
     const preSummary = preReleaseContent.indexOf('# Summary');
     if (preSummary !== -1) {
       preReleaseContent = preReleaseContent.substring(preSummary);
     }
-
     const updatedContent = postReleaseContent + preReleaseContent;
 
-    fs.writeFileSync(pathPreRelease, updatedContent);
-    cli.ok(`Post-release announcement file updated at ${pathPreRelease}`);
+    const endDate = new Date(data.annoucementDate);
+    endDate.setDate(endDate.getDate() + 7);
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' });
+    const capitalizedMonth = month[0].toUpperCase() + month.slice(1);
 
-    // if the vulnerabilities.json has been changed, update the file
-    if (!content[kChanged]) return;
-    this.updateVulnerabilitiesJSON(content);
-  }
+    this.updateWebsiteBanner(pathToBannerJson, {
+      startDate: releaseDate,
+      endDate,
+      text: `${capitalizedMonth} Security Release is available`
+    });
 
-  async promptExistingPreRelease(cli) {
-    const pathPreRelease = await cli.prompt(
-      'Please provide the path of the existing pre-release announcement:', {
-        questionType: 'input',
-        defaultAnswer: ''
-      });
+    fs.writeFileSync(preReleasePath, updatedContent);
+    cli.ok(`Announcement file and banner has been updated. Folder: ${nodejsOrgFolder}`);
+  }
 
-    if (!pathPreRelease || !fs.existsSync(path.resolve(pathPreRelease))) {
-      return this.promptExistingPreRelease(cli);
+  findExistingPreRelease(filepath) {
+    if (!fs.existsSync(filepath)) {
+      return null;
     }
-    return pathPreRelease;
+
+    return fs.readFileSync(filepath, 'utf-8');
   }
 
   promptAuthor(cli) {
@@ -127,6 +150,20 @@ export default class SecurityBlog extends SecurityRelease {
     });
   }
 
+  updateWebsiteBanner(siteJsonPath, content) {
+    const siteJson = JSON.parse(fs.readFileSync(siteJsonPath));
+
+    const currentValue = siteJson.websiteBanners.index;
+    siteJson.websiteBanners.index = {
+      startDate: content.startDate ?? currentValue.startDate,
+      endDate: content.endDate ?? currentValue.endDate,
+      text: content.text ?? currentValue.text,
+      link: content.link ?? currentValue.link,
+      type: content.type ?? currentValue.type
+    };
+    fs.writeFileSync(siteJsonPath, JSON.stringify(siteJson, null, 2));
+  }
+
   formatReleaseDate(releaseDate) {
     const options = {
       weekday: 'long',

package/lib/session.js

@@ -87,6 +87,10 @@ export default class Session {
     return this.config.branch;
   }
 
+  get username() {
+    return this.config.username;
+  }
+
   get readme() {
     return this.config.readme;
   }

package/lib/update-v8/backport.js

@@ -9,6 +9,7 @@ import { ListrEnquirerPromptAdapter } from '@listr2/prompt-adapter-enquirer';
 import { shortSha } from '../utils.js';
 
 import { getCurrentV8Version } from './common.js';
+import { forceRunAsync } from '../run.js';
 
 export async function checkOptions(options) {
   if (options.sha.length > 1 && options.squash) {
@@ -41,6 +42,8 @@ export function doBackport(options) {
       }
     }
     todo.push(commitSquashedBackport());
+  } else if (options.preserveOriginalAuthor) {
+    todo.push(cherryPickV8Commits(options));
   } else {
     todo.push(applyAndCommitPatches());
   }
@@ -76,18 +79,47 @@ function commitSquashedBackport() {
   };
 };
 
-function commitPatch(patch) {
+const commitTask = (patch, extraArgs, trailers) => async(ctx) => {
+  const messageTitle = formatMessageTitle([patch]);
+  const messageBody = formatMessageBody(patch, false, trailers);
+  await ctx.execGitNode('add', ['deps/v8']);
+  await ctx.execGitNode('commit', [
+    ...ctx.gpgSign, ...extraArgs,
+    '-m', messageTitle, '-m', messageBody
+  ]);
+};
+
+function amendHEAD(patch) {
   return {
-    title: 'Commit patch',
+    title: 'Amend/commit',
     task: async(ctx) => {
-      const messageTitle = formatMessageTitle([patch]);
-      const messageBody = formatMessageBody(patch, false);
-      await ctx.execGitNode('add', ['deps/v8']);
-      await ctx.execGitNode('commit', ['-m', messageTitle, '-m', messageBody]);
+      let coAuthor;
+      if (patch.hadConflicts) {
+        const getGitConfigEntry = async(configKey) => {
+          const output = await forceRunAsync('git', ['config', configKey], {
+            ignoreFailure: false,
+            captureStdout: true,
+            spawnArgs: { cwd: ctx.nodeDir }
+          });
+          return output.trim();
+        };
+        await ctx.execGitNode('am', [...ctx.gpgSign, '--continue']);
+        coAuthor = `\nCo-authored-by: ${
+          await getGitConfigEntry('user.name')} <${
+          await getGitConfigEntry('user.email')}>`;
+      }
+      await commitTask(patch, ['--amend'], coAuthor)(ctx);
     }
   };
 }
 
+function commitPatch(patch) {
+  return {
+    title: 'Commit patch',
+    task: commitTask(patch)
+  };
+}
+
 function formatMessageTitle(patches) {
   const action =
     patches.some(patch => patch.hadConflicts) ? 'backport' : 'cherry-pick';
@@ -106,12 +138,12 @@ function formatMessageTitle(patches) {
   }
 }
 
-function formatMessageBody(patch, prefixTitle) {
+function formatMessageBody(patch, prefixTitle, trailers = '') {
   const indentedMessage = patch.message.replace(/\n/g, '\n    ');
   const body =
     'Original commit message:\n\n' +
     `    ${indentedMessage}\n\n` +
-    `Refs: https://github.com/v8/v8/commit/${patch.sha}`;
+    `Refs: https://github.com/v8/v8/commit/${patch.sha}${trailers}`;
 
   if (prefixTitle) {
     const action = patch.hadConflicts ? 'Backport' : 'Cherry-pick';
@@ -167,6 +199,15 @@ function applyAndCommitPatches() {
   };
 }
 
+function cherryPickV8Commits() {
+  return {
+    title: 'Cherry-pick commit from V8 clone to deps/v8',
+    task: (ctx, task) => {
+      return task.newListr(ctx.patches.map(cherryPickV8CommitTask));
+    }
+  };
+}
+
 function applyPatchTask(patch) {
   return {
     title: `Commit ${shortSha(patch.sha)}`,
@@ -190,10 +231,33 @@ function applyPatchTask(patch) {
   };
 }
 
-async function applyPatch(ctx, task, patch) {
+function cherryPickV8CommitTask(patch) {
+  return {
+    title: `Commit ${shortSha(patch.sha)}`,
+    task: (ctx, task) => {
+      const todo = [
+        {
+          title: 'Cherry-pick',
+          task: (ctx, task) => applyPatch(ctx, task, patch, 'am')
+        }
+      ];
+      if (ctx.bump !== false) {
+        if (ctx.nodeMajorVersion < 9) {
+          todo.push(incrementV8Version());
+        } else {
+          todo.push(incrementEmbedderVersion());
+        }
+      }
+      todo.push(amendHEAD(patch));
+      return task.newListr(todo);
+    }
+  };
+}
+
+async function applyPatch(ctx, task, patch, method = 'apply') {
   try {
     await ctx.execGitNode(
-      'apply',
+      method,
       ['-p1', '--3way', '--directory=deps/v8'],
       patch.data /* input */
     );

package/lib/update-v8/index.js

@@ -26,6 +26,7 @@ export function minor(options) {
 export async function backport(options) {
   const shouldStop = await checkOptions(options);
   if (shouldStop) return;
+  options.gpgSign = options.gpgSign ? ['-S'] : [];
   const tasks = new Listr(
     [updateV8Clone(), doBackport(options)],
     getOptions(options)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.6.0",
+  "version": "5.8.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -46,6 +46,7 @@
     "core-validate-commit": "^4.1.0",
     "figures": "^6.1.0",
     "ghauth": "^6.0.7",
+    "git-secure-tag": "^2.3.1",
     "js-yaml": "^4.1.0",
     "listr2": "^8.2.4",
     "lodash": "^4.17.21",