@quiltdata/benchling-webhook 0.4.13 → 0.5.0

package/bin/publish-manual.js

@@ -1,211 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Manual NPM publish script using access token
- *
- * This script allows manual publishing to npmjs.org using an NPM access token.
- * It's useful for:
- * - Local testing of the publish process
- * - Manual releases when CI/CD is unavailable
- * - Emergency hotfix releases
- *
- * Prerequisites:
- * 1. You must have an NPM access token with publish permissions
- * 2. Set the token as environment variable: NPM_TOKEN=your_token_here
- *
- * Usage:
- *   NPM_TOKEN=your_token npm run publish:manual
- *   NPM_TOKEN=your_token npm run publish:manual -- --dry-run
- *   NPM_TOKEN=your_token npm run publish:manual -- --tag beta
- */
-
-const fs = require('fs');
-const path = require('path');
-const { execSync } = require('child_process');
-
-const NPMRC_PATH = path.join(__dirname, '..', '.npmrc');
-const NPMRC_BACKUP_PATH = path.join(__dirname, '..', '.npmrc.backup');
-
-function validateToken() {
-  const token = process.env.NPM_TOKEN;
-
-  if (!token) {
-    console.error('❌ Error: NPM_TOKEN environment variable is not set');
-    console.error('');
-    console.error('Usage:');
-    console.error('  NPM_TOKEN=your_token_here npm run publish:manual');
-    console.error('');
-    console.error('To get an NPM access token:');
-    console.error('  1. Go to https://www.npmjs.com/settings/[your-username]/tokens');
-    console.error('  2. Click "Generate New Token"');
-    console.error('  3. Select "Automation" type for CI/CD or "Publish" for manual use');
-    console.error('  4. Copy the token and use it with this script');
-    process.exit(1);
-  }
-
-  return token;
-}
-
-function validateGitState() {
-  // Check for uncommitted changes
-  try {
-    execSync('git diff-index --quiet HEAD --', { stdio: 'ignore' });
-  } catch (e) {
-    console.error('⚠️  Warning: You have uncommitted changes');
-    console.error('   It is recommended to commit changes before publishing');
-    console.error('');
-
-    const readline = require('readline').createInterface({
-      input: process.stdin,
-      output: process.stdout
-    });
-
-    return new Promise((resolve) => {
-      readline.question('Continue anyway? (y/N): ', (answer) => {
-        readline.close();
-        if (answer.toLowerCase() !== 'y') {
-          console.log('Aborted');
-          process.exit(1);
-        }
-        resolve();
-      });
-    });
-  }
-}
-
-function createNpmrc(token) {
-  // Backup existing .npmrc if it exists
-  if (fs.existsSync(NPMRC_PATH)) {
-    console.log('📋 Backing up existing .npmrc');
-    fs.copyFileSync(NPMRC_PATH, NPMRC_BACKUP_PATH);
-  }
-
-  // Create .npmrc with token
-  const npmrcContent = `//registry.npmjs.org/:_authToken=${token}\nregistry=https://registry.npmjs.org/\n`;
-  fs.writeFileSync(NPMRC_PATH, npmrcContent, { mode: 0o600 });
-  console.log('✅ Created .npmrc with authentication token');
-}
-
-function restoreNpmrc() {
-  // Remove the temporary .npmrc
-  if (fs.existsSync(NPMRC_PATH)) {
-    fs.unlinkSync(NPMRC_PATH);
-  }
-
-  // Restore backup if it exists
-  if (fs.existsSync(NPMRC_BACKUP_PATH)) {
-    console.log('📋 Restoring original .npmrc');
-    fs.renameSync(NPMRC_BACKUP_PATH, NPMRC_PATH);
-  }
-}
-
-function publishPackage(isDryRun, tag) {
-  const packagePath = path.join(__dirname, '..', 'package.json');
-  const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
-
-  console.log('');
-  console.log('📦 Publishing package: ' + pkg.name);
-  console.log('📌 Version: ' + pkg.version);
-  if (tag) {
-    console.log('🏷️  Tag: ' + tag);
-  }
-  console.log('');
-
-  let publishCmd = 'npm publish --access public';
-
-  if (isDryRun) {
-    publishCmd += ' --dry-run';
-    console.log('🔍 Running in dry-run mode (no actual publish)');
-    console.log('');
-  }
-
-  if (tag) {
-    publishCmd += ` --tag ${tag}`;
-  }
-
-  try {
-    execSync(publishCmd, { stdio: 'inherit', cwd: path.join(__dirname, '..') });
-
-    if (isDryRun) {
-      console.log('');
-      console.log('✅ Dry run completed successfully');
-      console.log('   Remove --dry-run to publish for real');
-    } else {
-      console.log('');
-      console.log('✅ Package published successfully!');
-      console.log(`   View at: https://www.npmjs.com/package/${pkg.name}/v/${pkg.version}`);
-    }
-  } catch (error) {
-    console.error('');
-    console.error('❌ Failed to publish package');
-    throw error;
-  }
-}
-
-async function main() {
-  const args = process.argv.slice(2);
-
-  if (args.includes('--help') || args.includes('-h')) {
-    const packagePath = path.join(__dirname, '..', 'package.json');
-    const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'));
-
-    console.log('📦 Manual NPM Publish');
-    console.log('');
-    console.log('Current package:', pkg.name);
-    console.log('Current version:', pkg.version);
-    console.log('');
-    console.log('Usage:');
-    console.log('  NPM_TOKEN=token npm run publish:manual [options]');
-    console.log('');
-    console.log('Options:');
-    console.log('  --dry-run    Test the publish process without actually publishing');
-    console.log('  --tag TAG    Publish with a specific dist-tag (e.g., beta, next, latest)');
-    console.log('  --help, -h   Show this help message');
-    console.log('');
-    console.log('Examples:');
-    console.log('  NPM_TOKEN=npm_xxx npm run publish:manual');
-    console.log('  NPM_TOKEN=npm_xxx npm run publish:manual -- --dry-run');
-    console.log('  NPM_TOKEN=npm_xxx npm run publish:manual -- --tag beta');
-    console.log('');
-    console.log('Getting an NPM token:');
-    console.log('  1. Visit: https://www.npmjs.com/settings/[your-username]/tokens');
-    console.log('  2. Click "Generate New Token"');
-    console.log('  3. Choose "Automation" (for CI/CD) or "Publish" (for manual use)');
-    console.log('  4. Copy the token (it starts with "npm_")');
-    process.exit(0);
-  }
-
-  const isDryRun = args.includes('--dry-run');
-  const tagIndex = args.indexOf('--tag');
-  const tag = tagIndex !== -1 && args[tagIndex + 1] ? args[tagIndex + 1] : null;
-
-  console.log('🚀 Manual NPM Publish Script');
-  console.log('═'.repeat(50));
-
-  // Validate token
-  const token = validateToken();
-
-  // Validate git state
-  await validateGitState();
-
-  try {
-    // Create .npmrc with token
-    createNpmrc(token);
-
-    // Publish package
-    publishPackage(isDryRun, tag);
-  } catch (error) {
-    console.error('');
-    console.error('Publishing failed');
-    process.exit(1);
-  } finally {
-    // Always restore the original .npmrc
-    restoreNpmrc();
-  }
-}
-
-main().catch((error) => {
-  console.error('Unexpected error:', error);
-  restoreNpmrc();
-  process.exit(1);
-});

package/bin/release-notes.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-# Generate release notes for GitHub releases
-# Usage: ./bin/release-notes.sh VERSION IMAGE_URI [IS_PRERELEASE]
-
-set -e
-
-VERSION="${1}"
-IMAGE_URI="${2}"
-IS_PRERELEASE="${3:-false}"
-
-if [ -z "$VERSION" ] || [ -z "$IMAGE_URI" ]; then
-  echo "Usage: $0 VERSION IMAGE_URI [IS_PRERELEASE]"
-  echo "Example: $0 0.4.12 123456.dkr.ecr.us-west-2.amazonaws.com/quiltdata/benchling:0.4.12 false"
-  exit 1
-fi
-
-# Extract changelog notes if available
-CHANGELOG_NOTES=""
-if [ -f CHANGELOG.md ]; then
-  CHANGELOG_NOTES=$(sed -n "/## \[$VERSION\]/,/## \[/p" CHANGELOG.md | sed '$d' | sed '1d')
-fi
-
-# Generate release notes
-cat << EOFNOTES
-## Quick Start
-
-# 1. Configure
-cp env.template .env
-# Edit .env with AWS account, Benchling credentials, S3/SQS settings
-
-# 2. Install app-manifest.yaml as a Benchling app
-
-# 3. Deploy
-
-```
-set -a; source .env; set +a
-npx cdk bootstrap aws://\$CDK_DEFAULT_ACCOUNT/\$CDK_DEFAULT_REGION
-npm run check
-```
-
-# 4. Set Benchling webhook URL in the app overview page
-
-# 5. Insert a canvas into a notebook entry and click "Create"
-
-# 6. Set `experiment_id` in a package's metadata to link it to a notebook'
-
-
-\`\`\`
-
-## Docker Image
-
-For custom deployments, use the following Docker image:
-
-\`\`\`
-${IMAGE_URI}
-\`\`\`
-
-Pull and run:
-\`\`\`bash
-docker pull ${IMAGE_URI}
-\`\`\`
-
-EOFNOTES
-
-# Add changelog notes if available
-if [ -n "$CHANGELOG_NOTES" ]; then
-  echo ""
-  echo "## Changes"
-  echo ""
-  echo "$CHANGELOG_NOTES"
-fi
-
-# Add resources
-cat << EOFRESOURCES
-
-## Resources
-
-- [Installation Guide](https://github.com/quiltdata/benchling-webhook#installation)
-- [Configuration Guide](https://github.com/quiltdata/benchling-webhook#configuration)
-- [Development Guide](https://github.com/quiltdata/benchling-webhook/tree/main/docker)
-- [Release Process](https://github.com/quiltdata/benchling-webhook/blob/main/doc/RELEASE.md)
-EOFRESOURCES

package/bin/sync-version.js

@@ -1,72 +0,0 @@
-#!/usr/bin/env node
-/**
- * Synchronize version between package.json, docker/pyproject.toml, and docker/app-manifest.yaml
- * The source of truth is docker/pyproject.toml
- */
-
-const fs = require('fs');
-const path = require('path');
-
-const PYPROJECT_PATH = path.join(__dirname, '..', 'docker', 'pyproject.toml');
-const PACKAGE_JSON_PATH = path.join(__dirname, '..', 'package.json');
-const APP_MANIFEST_PATH = path.join(__dirname, '..', 'docker', 'app-manifest.yaml');
-
-function extractVersionFromPyproject(content) {
-  const match = content.match(/^version\s*=\s*"([^"]+)"/m);
-  if (!match) {
-    throw new Error('Could not find version in pyproject.toml');
-  }
-  return match[1];
-}
-
-function updateAppManifest(version) {
-  const content = fs.readFileSync(APP_MANIFEST_PATH, 'utf-8');
-  const updatedContent = content.replace(
-    /^version:\s*.+$/m,
-    `version: ${version}`
-  );
-  
-  if (content !== updatedContent) {
-    fs.writeFileSync(APP_MANIFEST_PATH, updatedContent);
-    return true;
-  }
-  return false;
-}
-
-function main() {
-  // Read pyproject.toml
-  const pyprojectContent = fs.readFileSync(PYPROJECT_PATH, 'utf-8');
-  const version = extractVersionFromPyproject(pyprojectContent);
-
-  console.log(`Version from docker/pyproject.toml: ${version}`);
-
-  // Update package.json
-  const packageJson = JSON.parse(fs.readFileSync(PACKAGE_JSON_PATH, 'utf-8'));
-  const oldVersion = packageJson.version;
-
-  if (oldVersion !== version) {
-    packageJson.version = version;
-    fs.writeFileSync(PACKAGE_JSON_PATH, JSON.stringify(packageJson, null, 2) + '\n');
-    console.log(`✓ Updated package.json version: ${oldVersion} → ${version}`);
-  } else {
-    console.log(`✓ package.json version already matches: ${version}`);
-  }
-
-  // Update app-manifest.yaml
-  if (updateAppManifest(version)) {
-    console.log(`✓ Updated app-manifest.yaml version to: ${version}`);
-  } else {
-    console.log(`✓ app-manifest.yaml version already matches: ${version}`);
-  }
-}
-
-if (require.main === module) {
-  try {
-    main();
-  } catch (error) {
-    console.error('Error:', error.message);
-    process.exit(1);
-  }
-}
-
-module.exports = { extractVersionFromPyproject };

package/cdk.context.json

@@ -1,58 +0,0 @@
-{
-  "acknowledged-issue-numbers": [
-    32775,
-    30717,
-    34293,
-    34486
-  ],
-  "vpc-provider:account=712023778557:filter.isDefault=true:region=us-east-1:returnAsymmetricSubnets=true": {
-    "vpcId": "vpc-2dda6457",
-    "vpcCidrBlock": "172.31.0.0/16",
-    "ownerAccountId": "712023778557",
-    "availabilityZones": [],
-    "subnetGroups": [
-      {
-        "name": "Public",
-        "type": "Public",
-        "subnets": [
-          {
-            "subnetId": "subnet-a9e2d0e3",
-            "cidr": "172.31.16.0/20",
-            "availabilityZone": "us-east-1a",
-            "routeTableId": "rtb-455b5e3a"
-          },
-          {
-            "subnetId": "subnet-f1a1cead",
-            "cidr": "172.31.32.0/20",
-            "availabilityZone": "us-east-1b",
-            "routeTableId": "rtb-455b5e3a"
-          },
-          {
-            "subnetId": "subnet-5853313f",
-            "cidr": "172.31.0.0/20",
-            "availabilityZone": "us-east-1c",
-            "routeTableId": "rtb-455b5e3a"
-          },
-          {
-            "subnetId": "subnet-5dbfd673",
-            "cidr": "172.31.80.0/20",
-            "availabilityZone": "us-east-1d",
-            "routeTableId": "rtb-455b5e3a"
-          },
-          {
-            "subnetId": "subnet-7a3f8944",
-            "cidr": "172.31.48.0/20",
-            "availabilityZone": "us-east-1e",
-            "routeTableId": "rtb-455b5e3a"
-          },
-          {
-            "subnetId": "subnet-30e0c43f",
-            "cidr": "172.31.64.0/20",
-            "availabilityZone": "us-east-1f",
-            "routeTableId": "rtb-455b5e3a"
-          }
-        ]
-      }
-    ]
-  }
-}

package/cdk.json

@@ -1,85 +0,0 @@
-{
-  "app": "npx ts-node --prefer-ts-exts bin/benchling-webhook.ts",
-  "watch": {
-    "include": [
-      "**"
-    ],
-    "exclude": [
-      "README.md",
-      "cdk*.json",
-      "**/*.d.ts",
-      "**/*.js",
-      "tsconfig.json",
-      "package*.json",
-      "yarn.lock",
-      "node_modules",
-      "test"
-    ]
-  },
-  "context": {
-    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
-    "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": [
-      "aws",
-      "aws-cn"
-    ],
-    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
-    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
-    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
-    "@aws-cdk/aws-iam:minimizePolicies": true,
-    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
-    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
-    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
-    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
-    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
-    "@aws-cdk/core:enablePartitionLiterals": true,
-    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
-    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
-    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
-    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
-    "@aws-cdk/aws-route53-patters:useCertificate": true,
-    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
-    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
-    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
-    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
-    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
-    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
-    "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
-    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
-    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
-    "@aws-cdk/aws-kms:aliasNameRef": true,
-    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
-    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
-    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
-    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
-    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
-    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
-    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
-    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
-    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
-    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
-    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
-    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
-    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
-    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
-    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
-    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
-    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
-    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
-    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
-    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
-    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
-    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
-    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
-    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
-    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
-    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
-    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
-    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
-    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
-    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
-    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
-    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
-  }
-}

package/doc/NPM_OIDC_SETUP.md

@@ -1,95 +0,0 @@
-# NPM OIDC Configuration for GitHub Actions
-
-This repository now uses OpenID Connect (OIDC) for publishing to npm, eliminating the need for long-lived `NPM_TOKEN` secrets.
-
-## What Changed
-
-The GitHub Actions workflow ([.github/workflows/ci.yaml](.github/workflows/ci.yaml)) has been updated to:
-
-1. Add `id-token: write` permission for OIDC token generation
-2. Use `npm publish --provenance --access public` with automatic OIDC authentication
-3. Remove dependency on `NPM_TOKEN` GitHub secret
-
-## Required npm Configuration
-
-To enable OIDC publishing, you need to configure your npm package settings:
-
-### 1. Enable Provenance on npm
-
-The `--provenance` flag automatically uses OIDC when available. npm will:
-
-- Accept OIDC tokens from GitHub Actions
-- Generate signed provenance attestations
-- Link published packages to their source code and build process
-
-### 2. Configure npm Package Access
-
-If not already configured, ensure your npm account has:
-
-1. **Publishing access** to the `quilt-benchling-webhook` package
-2. **Provenance enabled** for your npm account/organization
-
-### 3. Update npm Settings (If First Time Using OIDC)
-
-Visit [npm automation tokens settings](https://www.npmjs.com/settings/~/tokens) and:
-
-1. You can safely **delete the old `NPM_TOKEN`** secret from GitHub after verifying OIDC works
-2. No new token needs to be created - OIDC handles authentication automatically
-3. Ensure your npm organization settings allow publishing with provenance
-
-### 4. Grant GitHub Actions Access (npm Configuration)
-
-For npm to accept OIDC tokens from your repository:
-
-1. Go to [npm package settings](https://www.npmjs.com/package/quilt-benchling-webhook/access)
-2. Ensure the package allows automated publishing
-3. npm automatically trusts GitHub Actions OIDC tokens for configured organizations
-
-## Testing the Setup
-
-To test OIDC publishing:
-
-1. Create a test tag: `git tag v0.4.14-dev.1 && git push origin v0.4.14-dev.1`
-2. Monitor the GitHub Actions workflow
-3. The "Publish to NPM" step should succeed without `NODE_AUTH_TOKEN`
-4. Verify provenance on npm: `npm view quilt-benchling-webhook`
-
-## Troubleshooting
-
-### "Unable to authenticate" errors
-
-- Verify `id-token: write` permission is set in the workflow
-- Check that `registry-url: 'https://registry.npmjs.org'` is configured in the Node.js setup
-- Ensure the package exists and your account has publishing rights
-
-### "Provenance not supported" errors
-
-- Update to npm 9.5.0 or later (the workflow uses Node.js 24 which includes npm 10.x)
-- Verify your npm account/organization supports provenance
-
-### Need to roll back?
-
-If you need to revert to token-based authentication:
-
-1. Create a new npm automation token
-2. Add it as `NPM_TOKEN` secret in GitHub
-3. Remove `--provenance` flag and add back:
-
-   ```yaml
-   env:
-     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-   ```
-
-## Benefits of OIDC
-
-- **No secret rotation**: No long-lived tokens to manage or rotate
-- **Better security**: Tokens are short-lived and scoped to specific workflows
-- **Provenance**: Published packages include verifiable build provenance
-- **Audit trail**: Clear link between published packages and their source
-- **Supply chain security**: Helps prevent package tampering and improves trust
-
-## References
-
-- [npm Provenance Documentation](https://docs.npmjs.com/generating-provenance-statements)
-- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
-- [npm publish with provenance](https://docs.npmjs.com/cli/v10/commands/npm-publish#provenance)