@npmcli/template-oss 4.11.3 → 4.12.0

package/bin/release-please.js

@@ -4,7 +4,7 @@ const core = require('@actions/core')
 const main = require('../lib/release-please/index.js')
 
 const dryRun = !process.env.CI
-const [branch, eventName] = process.argv.slice(2)
+const [branch, forcePullRequest] = process.argv.slice(2)
 
 const debugPr = (val) => {
   if (dryRun) {
@@ -45,7 +45,7 @@ main({
   repo: process.env.GITHUB_REPOSITORY,
   dryRun,
   branch,
-  force: eventName === 'workflow_dispatch',
+  forcePullRequest: forcePullRequest ? +forcePullRequest : null,
 }).then(({ pr, release, releases }) => {
   if (pr) {
     debugPr(pr)

package/lib/content/SECURITY.md

@@ -2,11 +2,10 @@ GitHub takes the security of our software products and services seriously, inclu
 
 If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. 
 
-If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com).
 
 If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
 
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 
 Thanks for helping make GitHub safe for everyone.
-

package/lib/content/post-dependabot.yml

@@ -27,11 +27,11 @@ jobs:
         run: |
           dependabot_dir="$\{{ steps.metadata.outputs.directory }}"
           if [[ "$dependabot_dir" == "/" ]]; then
-            echo "::set-output name=workspace::-iwr"
+            echo "workspace=-iwr" >> $GITHUB_OUTPUT
           else
             # strip leading slash from directory so it works as a
             # a path to the workspace flag
-            echo "::set-output name=workspace::-w ${dependabot_dir#/}"
+            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
           fi
 
       - name: Apply Changes
@@ -40,7 +40,7 @@ jobs:
         run: |
           {{ rootNpmPath }} run template-oss-apply $\{{ steps.flags.outputs.workspace }}
           if [[ `git status --porcelain` ]]; then
-            echo "::set-output name=changes::true"
+            echo "changes=true" >> $GITHUB_OUTPUT
           fi
           # This only sets the conventional commit prefix. This workflow can't reliably determine
           # what the breaking change is though. If a BREAKING CHANGE message is required then
@@ -50,7 +50,7 @@ jobs:
           else
             prefix='chore'
           fi
-          echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR"
+          echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT
 
       # This step will fail if template-oss has made any workflow updates. It is impossible
       # for a workflow to update other workflows. In the case it does fail, we continue

package/lib/content/release.yml

@@ -2,6 +2,10 @@ name: Release
 
 on:
   workflow_dispatch:
+    inputs:
+      release-pr:
+        description: a release PR number to rerun release jobs on
+        type: string
   push:
     branches:
       {{#each branches}}
@@ -30,7 +34,7 @@ jobs:
         env:
           GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
         run: |
-          {{ rootNpxPath }} --offline template-oss-release-please $\{{ github.ref_name }} $\{{ github.event_name }}
+          {{ rootNpxPath }} --offline template-oss-release-please "$\{{ github.ref_name }}" "$\{{ inputs.release-pr }}"
       - name: Post Pull Request Comment
         if: steps.release.outputs.pr-number
         uses: actions/github-script@v6
@@ -53,7 +57,7 @@ jobs:
             body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n`
             body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`{{ defaultBranch }}\`. `
             body += `To force CI to update this PR, run this command:\n\n`
-            body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo}\n\`\`\``
+            body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo} -f release-pr=${issue_number}\n\`\`\``
 
             if (commentId) {
               await github.rest.issues.updateComment({ owner, repo, comment_id: commentId, body })
@@ -90,7 +94,7 @@ jobs:
         run: |
           git commit --all --amend --no-edit || true
           git push --force-with-lease
-          echo "::set-output  name=sha::$(git rev-parse HEAD)"
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       {{> stepChecks jobName="Update - Release" jobCheck=(obj sha="steps.commit.outputs.sha" name="Release" )}}
       {{> stepChecks jobCheck=(obj id="needs.release.outputs.check-id" )}}
 
@@ -117,7 +121,7 @@ jobs:
           else
             result="success"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       {{> stepChecks jobCheck=(obj id="needs.update.outputs.check-id" status="steps.needs-result.outputs.result") }}
 
   post-release:
@@ -139,14 +143,17 @@ jobs:
             }
 
             const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number })
-            const releaseComments = comments.filter(c => c.user.login === 'github-actions[bot]' && c.body.includes('Release is at'))
+              .then(cs => cs.map(c => ({ id: c.id, login: c.user.login, body: c.body })))
+            console.log(`Found comments: ${JSON.stringify(comments, null, 2)}`)
+            const releaseComments = comments.filter(c => c.login === 'github-actions[bot]' && c.body.includes('Release is at'))
 
             for (const comment of releaseComments) {
+              console.log(`Release comment: ${JSON.stringify(comment, null, 2)}`)
               await github.rest.issues.deleteComment({ owner, repo, comment_id: comment.id })
             }
 
             const runUrl = `https://github.com/${owner}/${repo}/actions/runs/${runId}`
-            await github.rest.issues.createComment({ 
+            await github.rest.issues.createComment({
               owner,
               repo,
               issue_number,
@@ -165,7 +172,6 @@ jobs:
       - name: Get Needs Result
         id: needs-result
         run: |
-          result=""
           if [[ "$\{{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
             result="x"
           elif [[ "$\{{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
@@ -173,7 +179,7 @@ jobs:
           else
             result="white_check_mark"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       - name: Update Release PR Comment
         uses: actions/github-script@v6
         env:
@@ -182,15 +188,20 @@ jobs:
         with:
           script: |
             const { PR_NUMBER: issue_number, RESULT } = process.env
-            const { repo: { owner, repo } } = context
+            const { runId, repo: { owner, repo } } = context
 
             const comments = await github.paginate(github.rest.issues.listComments, { owner, repo, issue_number })
-            const updateComment = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith('## Release Workflow\n\n'))
+            const updateComment = comments.find(c =>
+              c.user.login === 'github-actions[bot]' &&
+              c.body.startsWith('## Release Workflow\n\n') &&
+              c.body.includes(runId)
+            )
 
             if (updateComment) {
               console.log('Found comment to update:', JSON.stringify(updateComment, null, 2))
               let body = updateComment.body.replace(/Workflow run: :[a-z_]+:/, `Workflow run: :${RESULT}:`)
-              if (RESULT === 'x') {
+              const tagCodeowner = RESULT !== 'white_check_mark'
+              if (tagCodeowner) {
                 body += `\n\n:rotating_light:`
                 body += ` {{ codeowner }}: The post-release workflow failed for this release.`
                 body += ` Manual steps may need to be taken after examining the workflow output`

package/lib/release-please/changelog.js

@@ -19,7 +19,7 @@ module.exports = class ChangelogNotes {
     }
 
     // A link to the pull request if the commit has one
-    const prNumber = commit.pullRequest && commit.pullRequest.number
+    const prNumber = commit.pullRequest?.number
     if (prNumber) {
       entry.push(link(`#${prNumber}`, this.gh.pull(prNumber)))
     }
@@ -63,7 +63,16 @@ module.exports = class ChangelogNotes {
 
     // Group commits by type
     for (const commit of commits) {
-      const { entry, breaking } = this.buildEntry(commit, authorsByCommit[commit.sha])
+      // when rebase merging multiple commits with a single PR, only the first commit
+      // will have a pr number when coming from release-please. this check will manually
+      // lookup commits without a pr number and find one if it exists
+      if (!commit.pullRequest?.number) {
+        commit.pullRequest = { number: await this.gh.commitPrNumber(commit) }
+      }
+      const { entry, breaking } = this.buildEntry(
+        commit,
+        authorsByCommit[commit.sha]
+      )
 
       // Collect commits by type
       changelog[commit.type].entries.push(entry)

package/lib/release-please/github.js

@@ -45,10 +45,25 @@ module.exports = (gh) => {
     }
   }
 
+  const commitPrNumber = async (commit) => {
+    try {
+      const res = await gh.octokit.rest.repos.listPullRequestsAssociatedWithCommit({
+        owner,
+        repo,
+        commit_sha: commit.sha,
+        per_page: 1,
+      })
+      return res.data[0].number
+    } catch {
+      return null
+    }
+  }
+
   const url = (...p) => `https://github.com/${owner}/${repo}/${p.join('/')}`
 
   return {
     authors,
+    commitPrNumber,
     pull: (number) => url('pull', number),
     commit: (sha) => url('commit', sha),
     compare: (a, b) => a ? url('compare', `${a.toString()}...${b.toString()}`) : null,

package/lib/release-please/index.js

@@ -4,26 +4,33 @@ const ChangelogNotes = require('./changelog.js')
 const Version = require('./version.js')
 const NodeWs = require('./node-workspace.js')
 
-RP.setLogger(new CheckpointLogger(true, true))
+const logger = new CheckpointLogger(true, true)
+RP.setLogger(logger)
 RP.registerChangelogNotes('default', (o) => new ChangelogNotes(o))
 RP.registerVersioningStrategy('default', (o) => new Version(o))
 RP.registerPlugin('node-workspace', (o) => new NodeWs(o.github, o.targetBranch, o.repositoryConfig))
 
-const main = async ({ repo: _fullRepo, token, dryRun, branch, force }) => {
-  if (!token) {
-    throw new Error('Token is required')
+const omit = (obj, ...keys) => {
+  const res = {}
+  for (const [key, value] of Object.entries(obj)) {
+    if (!keys.includes(key)) {
+      res[key] = value
+    }
   }
+  return res
+}
 
-  if (!_fullRepo) {
-    throw new Error('Repo is required')
-  }
+const getManifest = async ({ repo: fullRepo, token, branch }) => {
+  const fullRepoParts = fullRepo.split('/')
+  const github = await RP.GitHub.create({
+    owner: fullRepoParts[0],
+    repo: fullRepoParts[1],
+    token,
+  })
 
-  const fullRepo = _fullRepo.split('/')
-  const github = await RP.GitHub.create({ owner: fullRepo[0], repo: fullRepo[1], token })
-  const {
-    octokit,
-    repository: { owner, repo, defaultBranch },
-  } = github
+  const { octokit, repository: { owner, repo, defaultBranch } } = github
+
+  const baseBranch = branch ?? defaultBranch
 
   // This is mostly for testing and debugging. Use environs with the
   // format `RELEASE_PLEASE_<manfiestOverrideConfigName>` (eg
@@ -33,8 +40,6 @@ const main = async ({ repo: _fullRepo, token, dryRun, branch, force }) => {
     .filter(([k, v]) => k.startsWith('RELEASE_PLEASE_') && v != null)
     .map(([k, v]) => [k.replace('RELEASE_PLEASE_', ''), v])
 
-  const baseBranch = branch ?? defaultBranch
-
   const manifest = await RP.Manifest.fromManifest(
     github,
     baseBranch,
@@ -43,79 +48,213 @@ const main = async ({ repo: _fullRepo, token, dryRun, branch, force }) => {
     Object.fromEntries(manifestOverrides)
   )
 
-  if (force) {
-    const { data: releasePrs } = await octokit.pulls.list({
-      owner,
-      repo,
-      head: `release-please--branches--${baseBranch}`,
-    })
+  return {
+    github,
+    manifest,
+    octokit,
+    owner,
+    repo,
+    baseBranch,
+  }
+}
 
-    if (releasePrs.length !== 1) {
-      throw new Error(`Found ${releasePrs.length} matching PRs, expected 1`)
+const getReleasesFromPr = async ({ manifest, github, number }) => {
+  const baseUrl = `https://github.com/${github.repository.owner}/${github.repository.repo}`
+  // get the release please formatted pull request
+  let pullRequest
+  const prGenerator = github.pullRequestIterator(this.targetBranch, 'MERGED', 200, false)
+  for await (const pr of prGenerator) {
+    if (pr.number === number) {
+      pullRequest = pr
+      break
     }
+  }
+  const strategiesByPath = await manifest.getStrategiesByPath()
+  const releases = []
+  for (const path in manifest.repositoryConfig) {
+    const config = manifest.repositoryConfig[path]
+    const release = await strategiesByPath[path].buildRelease(pullRequest)
+    if (release) {
+      const { tag, ...rest } = release
+      releases.push({
+        ...rest,
+        ...tag.version,
+        tagName: tag.toString(),
+        version: tag.version.toString(),
+        path,
+        draft: false,
+        url: `${baseUrl}/releases/tag/${tag.toString()}`,
+        prerelease: config.prerelease && !!tag.version.preRelease,
+      })
+    }
+  }
+  return releases
+}
+
+const getReleaseArtifacts = async ({ dryRun, manifest, forceReleases }) => {
+  let pullRequests = []
+  let releases = []
+
+  if (forceReleases) {
+    releases = forceReleases
+  } else if (dryRun) {
+    pullRequests = await manifest.buildPullRequests()
+    releases = await manifest.buildReleases()
+  } else {
+    pullRequests = await manifest.createPullRequests()
+    releases = await manifest.createReleases()
+  }
+
+  return {
+    pullRequests: pullRequests.filter(Boolean),
+    releases: releases.filter(Boolean),
+  }
+}
+
+// XXX(hack): to get release please to recreate a pull request it needs
+// to have a different body string so we append a message a message that CI
+// is running. This will force release-please to rebase the PR but it
+// wont update the body again, so we only append to it.
+const touchPullRequest = async ({ octokit, owner, repo, releasePr }) => {
+  const id = process.env.GITHUB_RUN_ID
+    ? `by https://github.com/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`
+    : `manually starting at ${new Date().toJSON()}`
+
+  await octokit.pulls.update({
+    owner,
+    repo,
+    pull_number: releasePr.number,
+    body: `${releasePr.body.trim()}\n- This PR is being recreated ${id}`,
+  })
+}
+
+const main = async ({ repo: fullRepo, token, dryRun, branch, forcePullRequest }) => {
+  if (!token) {
+    throw new Error('Token is required')
+  }
+
+  if (!fullRepo) {
+    throw new Error('Repo is required')
+  }
+
+  const {
+    github,
+    octokit,
+    manifest,
+    owner,
+    repo,
+    baseBranch,
+  } = await getManifest({ repo: fullRepo, token, branch })
 
-    const [releasePr] = releasePrs
-    const id = process.env.GITHUB_RUN_ID
-      ? `by https://github.com/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`
-      : `manually starting at ${new Date().toJSON()}`
+  let forceReleases = null
 
-    // XXX(hack): to get release please to recreate a pull request it needs
-    // to have a different body string so we append a message a message that CI
-    // is running. This will force release-please to rebase the PR but it
-    // wont update the body again, so we only append to it.
-    await octokit.pulls.update({
+  if (forcePullRequest) {
+    const { data: releasePr } = await octokit.rest.pulls.get({
       owner,
       repo,
-      pull_number: releasePr.number,
-      body: `${releasePr.body.trim()}\n- This PR is being recreated ${id}`,
+      pull_number: forcePullRequest,
     })
+
+    if (!releasePr) {
+      throw new Error(`Could not find PR from number: ${forcePullRequest}`)
+    }
+
+    if (releasePr.state === 'open') {
+      await touchPullRequest({ octokit, owner, repo, releasePr })
+    } else if (releasePr.state === 'closed' && releasePr.merged) {
+      forceReleases = await getReleasesFromPr({ manifest, github, number: releasePr.number })
+    } else {
+      throw new Error(`Could not run workflow on PR with wrong state: ${JSON.stringify(
+        releasePr,
+        null,
+        2
+      )}`)
+    }
   }
 
-  const pullRequests = await (dryRun ? manifest.buildPullRequests() : manifest.createPullRequests())
-  const allReleases = await (dryRun ? manifest.buildReleases() : manifest.createReleases())
+  const { pullRequests, releases } = await getReleaseArtifacts({ dryRun, manifest, forceReleases })
 
   // We only ever get a single pull request with our current release-please settings
-  const rootPr = pullRequests.filter(Boolean)?.[0]
+  // Update this if we start creating individual PRs per workspace release
+  const rootPr = pullRequests[0]
+  let rootRelease = releases[0]
+
+  logger.debug(`pull requests: ${pullRequests.length}`)
+  logger.debug(`releases: ${releases.length}`)
+
+  if (rootPr) {
+    logger.debug(`root pr: ${JSON.stringify(omit(rootPr, 'body'), null, 2)}`)
+  }
+
   if (rootPr?.number) {
     const commits = await octokit.paginate(octokit.rest.pulls.listCommits, {
       owner,
       repo,
       pull_number: rootPr.number,
     })
-    rootPr.sha = commits?.[commits.length - 1]?.sha
-  }
 
-  const releases = allReleases.filter(Boolean)
-  let rootRelease = releases[0]
+    const prSha = commits?.[commits.length - 1]?.sha
+    if (!prSha) {
+      throw new Error(`Could not find a latest sha for pull request: ${rootPr.number}`)
+    }
+
+    rootPr.sha = prSha
+  }
 
   for (const release of releases) {
-    const prefix = release.path === '.' ? '' : release.path
+    const { path, sha } = release
+    const prefix = path === '.' ? '' : path
+    const isRoot = !prefix
+    const packagePath = `${prefix}/package.json`
 
-    if (!prefix) {
-      rootRelease = release
+    logger.debug(`release: ${JSON.stringify({
+      ...omit(release, 'notes'),
+      isRoot,
+      prefix,
+    }, null, 2)}`)
+
+    const releasePrNumber = await octokit.rest.repos.listPullRequestsAssociatedWithCommit({
+      owner,
+      repo,
+      commit_sha: sha,
+      per_page: 1,
+    }).then(r => r.data[0]?.number)
+
+    if (!releasePrNumber) {
+      throw new Error(`Could not find release PR number from commit: "${sha}"`)
     }
 
-    const [releasePr, releasePkg] = await Promise.all([
-      octokit.rest.repos.listPullRequestsAssociatedWithCommit({
-        owner,
-        repo,
-        commit_sha: release.sha,
-      }).then(r => r.data[0]),
-      octokit.rest.repos.getContent({
-        owner,
-        repo,
-        ref: baseBranch,
-        path: `${prefix}/package.json`,
-      }).then(r => JSON.parse(Buffer.from(r.data.content, r.data.encoding))),
-    ])
-
-    release.prNumber = releasePr.number
-    release.pkgName = releasePkg.name
+    logger.debug(`pr from ${sha}: ${releasePrNumber}`)
+
+    const releasePkgName = await octokit.rest.repos.getContent({
+      owner,
+      repo,
+      ref: baseBranch,
+      path: packagePath,
+    }).then(r => {
+      try {
+        return JSON.parse(Buffer.from(r.data.content, r.data.encoding)).name
+      } catch {
+        return null
+      }
+    })
+
+    if (!releasePkgName) {
+      throw new Error(`Could not find package name for release at: "${packagePath}#${baseBranch}"`)
+    }
+
+    logger.debug(`pkg name from ${packagePath}#${baseBranch}: "${releasePkgName}"`)
+
+    release.prNumber = releasePrNumber
+    release.pkgName = releasePkgName
+    if (isRoot) {
+      rootRelease = release
+    }
   }
 
   return {
-    pr: rootPr,
-    release: rootRelease,
+    pr: rootPr ?? null,
+    release: rootRelease ?? null,
     releases: releases.length ? releases : null,
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/template-oss",
-  "version": "4.11.3",
+  "version": "4.12.0",
   "description": "templated files used in npm CLI team oss projects",
   "main": "lib/content/index.js",
   "bin": {