npm - @npmcli/template-oss - Versions diffs - 4.11.4 → 4.12.0 - Mend

@npmcli/template-oss 4.11.4 → 4.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/lib/content/SECURITY.md +1 -2
package/lib/content/post-dependabot.yml +4 -4
package/lib/content/release.yml +5 -5
package/lib/release-please/changelog.js +11 -2
package/lib/release-please/github.js +15 -0
package/package.json +1 -1

package/lib/content/SECURITY.md CHANGED Viewed

@@ -2,11 +2,10 @@ GitHub takes the security of our software products and services seriously, inclu
 If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways.
-If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com).
 If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 Thanks for helping make GitHub safe for everyone.

package/lib/content/post-dependabot.yml CHANGED Viewed

@@ -27,11 +27,11 @@ jobs:
         run: |
           dependabot_dir="$\{{ steps.metadata.outputs.directory }}"
           if [[ "$dependabot_dir" == "/" ]]; then
-            echo "::set-output name=workspace::-iwr"
+            echo "workspace=-iwr" >> $GITHUB_OUTPUT
           else
             # strip leading slash from directory so it works as a
             # a path to the workspace flag
-            echo "::set-output name=workspace::-w ${dependabot_dir#/}"
+            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
           fi
       - name: Apply Changes
@@ -40,7 +40,7 @@ jobs:
         run: |
           {{ rootNpmPath }} run template-oss-apply $\{{ steps.flags.outputs.workspace }}
           if [[ `git status --porcelain` ]]; then
-            echo "::set-output name=changes::true"
+            echo "changes=true" >> $GITHUB_OUTPUT
           fi
           # This only sets the conventional commit prefix. This workflow can't reliably determine
           # what the breaking change is though. If a BREAKING CHANGE message is required then
@@ -50,7 +50,7 @@ jobs:
           else
             prefix='chore'
           fi
-          echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR"
+          echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT
       # This step will fail if template-oss has made any workflow updates. It is impossible
       # for a workflow to update other workflows. In the case it does fail, we continue

package/lib/content/release.yml CHANGED Viewed

@@ -94,7 +94,7 @@ jobs:
         run: |
           git commit --all --amend --no-edit || true
           git push --force-with-lease
-          echo "::set-output  name=sha::$(git rev-parse HEAD)"
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       {{> stepChecks jobName="Update - Release" jobCheck=(obj sha="steps.commit.outputs.sha" name="Release" )}}
       {{> stepChecks jobCheck=(obj id="needs.release.outputs.check-id" )}}
@@ -121,7 +121,7 @@ jobs:
           else
             result="success"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       {{> stepChecks jobCheck=(obj id="needs.update.outputs.check-id" status="steps.needs-result.outputs.result") }}
   post-release:
@@ -172,7 +172,6 @@ jobs:
       - name: Get Needs Result
         id: needs-result
         run: |
-          result=""
           if [[ "$\{{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
             result="x"
           elif [[ "$\{{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
@@ -180,7 +179,7 @@ jobs:
           else
             result="white_check_mark"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       - name: Update Release PR Comment
         uses: actions/github-script@v6
         env:
@@ -201,7 +200,8 @@ jobs:
             if (updateComment) {
               console.log('Found comment to update:', JSON.stringify(updateComment, null, 2))
               let body = updateComment.body.replace(/Workflow run: :[a-z_]+:/, `Workflow run: :${RESULT}:`)
-              if (RESULT === 'x') {
+              const tagCodeowner = RESULT !== 'white_check_mark'
+              if (tagCodeowner) {
                 body += `\n\n:rotating_light:`
                 body += ` {{ codeowner }}: The post-release workflow failed for this release.`
                 body += ` Manual steps may need to be taken after examining the workflow output`

package/lib/release-please/changelog.js CHANGED Viewed

@@ -19,7 +19,7 @@ module.exports = class ChangelogNotes {
     }
     // A link to the pull request if the commit has one
-    const prNumber = commit.pullRequest && commit.pullRequest.number
+    const prNumber = commit.pullRequest?.number
     if (prNumber) {
       entry.push(link(`#${prNumber}`, this.gh.pull(prNumber)))
     }
@@ -63,7 +63,16 @@ module.exports = class ChangelogNotes {
     // Group commits by type
     for (const commit of commits) {
-      const { entry, breaking } = this.buildEntry(commit, authorsByCommit[commit.sha])
+      // when rebase merging multiple commits with a single PR, only the first commit
+      // will have a pr number when coming from release-please. this check will manually
+      // lookup commits without a pr number and find one if it exists
+      if (!commit.pullRequest?.number) {
+        commit.pullRequest = { number: await this.gh.commitPrNumber(commit) }
+      }
+      const { entry, breaking } = this.buildEntry(
+        commit,
+        authorsByCommit[commit.sha]
+      )
       // Collect commits by type
       changelog[commit.type].entries.push(entry)

package/lib/release-please/github.js CHANGED Viewed

@@ -45,10 +45,25 @@ module.exports = (gh) => {
     }
   }
+  const commitPrNumber = async (commit) => {
+    try {
+      const res = await gh.octokit.rest.repos.listPullRequestsAssociatedWithCommit({
+        owner,
+        repo,
+        commit_sha: commit.sha,
+        per_page: 1,
+      })
+      return res.data[0].number
+    } catch {
+      return null
+    }
+  }
   const url = (...p) => `https://github.com/${owner}/${repo}/${p.join('/')}`
   return {
     authors,
+    commitPrNumber,
     pull: (number) => url('pull', number),
     commit: (sha) => url('commit', sha),
     compare: (a, b) => a ? url('compare', `${a.toString()}...${b.toString()}`) : null,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/template-oss",
-  "version": "4.11.4",
+  "version": "4.12.0",
   "description": "templated files used in npm CLI team oss projects",
   "main": "lib/content/index.js",
   "bin": {