Merge branch 'main' into chore/update-actions-cache

.changeset/sweet-pens-decide.md

@@ -0,0 +1,6 @@
+---
+"gha-workflow-validator": patch
+---
+
+fix: action reference validation bug producing false positives for lines which
+contain "uses:" substring, but is not an action reference

actions/crib-deploy-environment/CHANGELOG.md

@@ -1,5 +1,48 @@
 # crib-deploy-environment
 
+## 7.5.0
+
+### Minor Changes
+
+- [#770](https://github.com/smartcontractkit/.github/pull/770)
+  [`d448849`](https://github.com/smartcontractkit/.github/commit/d44884987b855e6085bcf5e6a02a43e00057bef3)
+  Thanks [@chainchad](https://github.com/chainchad)! - Make local proxy port
+  configurable via input
+
+## 7.4.0
+
+### Minor Changes
+
+- [#764](https://github.com/smartcontractkit/.github/pull/764)
+  [`b1a69d8`](https://github.com/smartcontractkit/.github/commit/b1a69d84985fdef78dce563fdc69b840e7cf0e1a)
+  Thanks [@rafaelfelix](https://github.com/rafaelfelix)! - upgraded default
+  crib-repo-ref to v1.2.0
+
+## 7.3.0
+
+### Minor Changes
+
+- [#743](https://github.com/smartcontractkit/.github/pull/743)
+  [`f5fbc93`](https://github.com/smartcontractkit/.github/commit/f5fbc93a367af8b8cd16093fd0edd92b9ba756ea)
+  Thanks [@njegosrailic](https://github.com/njegosrailic)! - Switch the cost
+  stributtion NS labeling to crib CLI
+
+### Patch Changes
+
+- [#759](https://github.com/smartcontractkit/.github/pull/759)
+  [`7f3916b`](https://github.com/smartcontractkit/.github/commit/7f3916b1177db2b3e9c6af8e1d92bc7004f4b046)
+  Thanks [@njegosrailic](https://github.com/njegosrailic)! - Removing default
+  empty values for cost atributtion labels
+
+## 7.2.0
+
+### Minor Changes
+
+- [#755](https://github.com/smartcontractkit/.github/pull/755)
+  [`080a444`](https://github.com/smartcontractkit/.github/commit/080a444ef384c43c860a5430b1a5f0b2f0bd9386)
+  Thanks [@scheibinger](https://github.com/scheibinger)! - Add product-dir
+  option to enable multiple product directories.
+
 ## 7.1.1
 
 ### Patch Changes

actions/crib-deploy-environment/action.yml

@@ -17,6 +17,10 @@ inputs:
     default: "0.0.0.0/0"
     description: "DevSpace ingress CIDRs."
     required: false
+  gap-local-proxy-port:
+    description: "The port the local GAP proxy will listen on."
+    required: false
+    default: "8888"
   github-token:
     description:
       "The `GITHUB_TOKEN` issued for the workflow. It is required unless the
@@ -52,6 +56,10 @@ inputs:
     default: "latest"
     description: "Docker image tag for the product."
     required: false
+  product-dir:
+    default: "chainlink"
+    description: "Product directory under deployments folder"
+    required: false
   send-alerts:
     default: "true"
     description: |
@@ -64,17 +72,15 @@ inputs:
       for example: https://hooks.slack.com/services/aaa/bbb
     required: false
   crib-repo-ref:
-    default: "v1.0.0"
+    default: "v1.2.0"
     required: false
     description: Useful for testing updates in CRIB
   chainlink-team:
-    default: ""
     required: true
     description: |
       Specify a relevant value for tagging resources and attributing
       costs to the correct team.
   chainlink-product:
-    default: ""
     required: true
     description: |
       Specify a relevant value for tagging resources and attributing
@@ -104,12 +110,15 @@ outputs:
   devspace-namespace:
     description: "Kubernetes namespace used to provision a CRIB environment."
     value: ${{ steps.generate-ns-name.outputs.devspace-namespace }}
+  gap-local-proxy-port:
+    description: "The port the local proxy will listen on."
+    value: ${{ inputs.proxy-port }}
 
 runs:
   using: "composite"
   steps:
     - name: Setup GAP
-      uses: smartcontractkit/.github/actions/setup-gap@a1c64ab26eaac82da84581788f33029f5ae6cc02 # setup-gap@3.0.0
+      uses: smartcontractkit/.github/actions/setup-gap@1bb35eaa8308e0a780afe4945596a6482e13f320 # setup-gap@3.1.0
       with:
         aws-region: ${{ inputs.aws-region }}
         aws-role-arn: ${{ inputs.aws-role-arn }}
@@ -122,7 +131,7 @@ runs:
         use-k8s: true
         # Choose port that is less likely to be conflicting with other GAP
         # instances that runs in the same workflow
-        proxy-port: 8888
+        proxy-port: ${{ inputs.gap-local-proxy-port }}
 
     - name: Checkout crib repo
       uses: actions/checkout@v4.2.1
@@ -200,8 +209,6 @@ runs:
 
         kubectl label namespace $NAMESPACE \
           branch="${sanitized_branch}" \
-          chain.link/product=${{ inputs.chainlink-product }} \
-          chain.link/team=${{ inputs.chainlink-team }} \
           commit=${{ steps.generate-ns-name.outputs.commit-sha }} \
           pr-number=${{ steps.generate-ns-name.outputs.pr-number || 'none' }} \
           repo=${{ steps.generate-ns-name.outputs.repo-name }} \
@@ -215,16 +222,19 @@ runs:
         kubectl get namespace $NAMESPACE --show-labels
 
     - name: Deploy to CRIB ephemeral environment
-      working-directory: ${{ github.workspace }}/crib/deployments/chainlink
+      working-directory:
+        ${{ github.workspace }}/crib/deployments/${{ inputs.product-dir }}
       shell: bash
       env:
         CHAINLINK_CODE_DIR: "../"
+        CHAINLINK_PRODUCT: ${{ inputs.chainlink-product }}
+        CHAINLINK_TEAM: ${{ inputs.chainlink-team }}
         CRIB_CI_ENV: true
         CLI_CHANGED: ${{ steps.filter.outputs.cli == 'true' }}
         CRIB_SKIP_DOCKER_ECR_LOGIN: true
         CRIB_SKIP_HELM_ECR_LOGIN: true
-        DEVSPACE_IMAGE: "${{inputs.product-image}}"
         DEVSPACE_IMAGE_TAG: "${{inputs.product-image-tag}}"
+        DEVSPACE_IMAGE: "${{inputs.product-image}}"
         DEVSPACE_INGRESS_BASE_DOMAIN: ${{ inputs.ingress-base-domain }}
         DEVSPACE_INGRESS_CIDRS: ${{ inputs.devspace-ingress-cidrs }}
         GH_TOKEN: ${{ inputs.github-token }}

actions/crib-deploy-environment/package.json

@@ -1,6 +1,6 @@
 {
   "name": "crib-deploy-environment",
-  "version": "7.1.1",
+  "version": "7.5.0",
   "description": "",
   "private": true,
   "scripts": {},

actions/gha-workflow-validator/dist/index.js

@@ -24174,9 +24174,11 @@ function extractActionReferenceFromLine(line) {
   if (trimmedLine.startsWith("#")) {
     return;
   }
-  const trimSubString = "uses:";
-  const usesIndex = trimmedLine.indexOf(trimSubString);
-  if (usesIndex === -1) {
+  const possibleTrimmedPrefixes = ["- uses: ", "uses: "];
+  const trimSubString = possibleTrimmedPrefixes.find(
+    (prefix) => trimmedLine.startsWith(prefix)
+  );
+  if (!trimSubString) {
     return;
   }
   const trimmedUses = line.substring(line.indexOf(trimSubString) + trimSubString.length).trim();

actions/gha-workflow-validator/src/__tests__/action-reference-validation.test.ts

@@ -31,13 +31,18 @@ describe(ActionReferenceValidation.name, () => {
     expect(result).toEqual({ filename: "foo.yml", lineValidations: [] });
   });
 
-  it("should validate no action references", async () => {
+  it("should validate no action references (statuses:write) ", async () => {
     const octokit = getTestOctokit(nockBack.currentMode);
     const subject = new ActionReferenceValidation(octokit);
     const noWorkflowChanges: ParsedFile = {
       filename: ".github/workflows/test.yml",
       lines: [
-        { lineNumber: 1, content: "line 1", operation: "add", ignored: false },
+        {
+          lineNumber: 1,
+          content: "        statuses: write",
+          operation: "add",
+          ignored: false,
+        },
         { lineNumber: 2, content: "line 2", operation: "add", ignored: false },
       ],
     };

actions/gha-workflow-validator/src/validations/action-reference-validations.ts

@@ -226,12 +226,16 @@ export function extractActionReferenceFromLine(
     return;
   }
 
-  // example line:
+  // example line (after trimming):
   // - uses: actions/checkout@v4.2.1
-  const trimSubString = "uses:";
-  const usesIndex = trimmedLine.indexOf(trimSubString);
+  // or
+  // uses: actions/checkout@v4.2.1
+  const possibleTrimmedPrefixes = ["- uses: ", "uses: "];
+  const trimSubString = possibleTrimmedPrefixes.find((prefix) =>
+    trimmedLine.startsWith(prefix),
+  );
 
-  if (usesIndex === -1) {
+  if (!trimSubString) {
     // Not an action reference
     return;
   }

actions/release-tag-check/CHANGELOG.md

@@ -0,0 +1,10 @@
+# release-tag-check
+
+## 0.1.0
+
+### Minor Changes
+
+- [#767](https://github.com/smartcontractkit/.github/pull/767)
+  [`649140f`](https://github.com/smartcontractkit/.github/commit/649140f2b55da65959308403fff0e812c0b794e7)
+  Thanks [@chainchad](https://github.com/chainchad)! - Migrate release-tag-check
+  action from chainlink-github-actions repo

actions/release-tag-check/README.md

@@ -0,0 +1,59 @@
+# Release Tag Check
+
+Checks if git tag is a release or pre-release, and tells you the version.
+
+## Inputs
+
+These are passed by setting environment variables.
+
+- GITHUB_REF
+  - Automatically available in a Github workflow. Will only work with `tag`
+    pushes, otherwise the extracted ref will have an extra `/`
+  - If a tag is the git ref, the prefix will be `refs/tags/`, if a branch is the
+    git ref, the prefix will be `refs/heads/` (10 characters vs 11 characters).
+- RELEASE_REGEX
+  - Used to determine if the tag pushed is the expected format of a release
+  - Defaults to: `^v[0-9]+\.[0-9]+\.[0-9]+$`
+- PRE_RELEASE_REGEX
+  - Used to determine if the tag pushed is the expected format of a pre-release
+  - Defaults to: `^v[0-9]+\.[0-9]+\.[0-9]+-(.+)$`
+- VERSION_PREFIX
+  - Used for determining the `release-version` and `pre-release-version` outputs
+    only. This will not affect how the release/pre-release regexes determine the
+    output.
+  - Defaults to: `v`
+
+## Outputs
+
+- `is-release` - whether the tag name conformed to the release regex
+  (`refs/tag/<tag name>`)
+  - If yes, `release-version` should be set to the version. Without the
+    `$VERSION_PREFIX` on the tag name
+- `is-pre-release` whether the tag name conformed to the pre-release regex
+  (`refs/tag/<tag name>`)
+  - If yes, `pre-release-version` should be set to the version. Without the
+    `$VERSION_PREFIX` on the tag name
+
+## Examples
+
+1. Ref: refs/tag/v1.2.3-beta.0
+   - is-pre-release: true
+   - is-release: false
+   - pre-release-version: 1.2.3-beta.0
+   - release-version: null
+2. Ref: refs/tag/v1.2.3
+   - is-pre-release: false
+   - is-release: true
+   - pre-release-version: null
+   - release-version: 1.2.3
+3. Ref: refs/tag/release-v1.2.3 (must override release_regex, and
+   VERSION_PREFIX)
+   - is-pre-release: false
+   - is-release: true
+   - pre-release-version: null
+   - release-version: 1.2.3
+4. Ref: refs/head/v1.2.3
+   - is-pre-release: false
+   - is-release: false
+   - pre-release-version: null
+   - release-version: false

actions/release-tag-check/action.yml

@@ -0,0 +1,22 @@
+name: Release tag check
+description: Indicates whether a GitHub ref is a pre-release or a final release.
+outputs:
+  is-pre-release:
+    description: "`true` if the release is a pre-release"
+    value: ${{ steps.check.outputs.is-pre-release }}
+  is-release:
+    description: "`true if the release is final"
+    value: ${{ steps.check.outputs.is-release }}
+  release-version:
+    description: "The version of the release"
+    value: ${{ steps.check.outputs.release-version }}
+  pre-release-version:
+    description: "The version of the pre-release"
+    value: ${{ steps.check.outputs.pre-release-version }}
+runs:
+  using: composite
+  steps:
+    - name: Check release tag
+      id: check
+      shell: bash
+      run: ${{ github.action_path }}/scripts/releasetagcheck.sh

actions/release-tag-check/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "release-tag-check",
+  "version": "0.1.0",
+  "description": "Indicates whether a GitHub ref is a pre-release or a final release",
+  "private": true,
+  "scripts": {},
+  "author": "@smartcontractkit",
+  "license": "MIT",
+  "dependencies": {},
+  "repository": "https://github.com/smartcontractkit/.github"
+}

actions/release-tag-check/project.json

@@ -0,0 +1,7 @@
+{
+  "name": "release-tag-check",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "projectType": "application",
+  "sourceRoot": "actions/release-tag-check",
+  "targets": {}
+}

actions/release-tag-check/scripts/releasetagcheck.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Configurable regex patterns with defaults
+RELEASE_REGEX=${RELEASE_REGEX:-"^v[0-9]+\.[0-9]+\.[0-9]+$"}
+PRE_RELEASE_REGEX=${PRE_RELEASE_REGEX:-"^v[0-9]+\.[0-9]+\.[0-9]+-(.+)$"}
+
+# Configurable prefix removal with default
+VERSION_PREFIX=${VERSION_PREFIX:-"v"} 
+
+if [[ -z "${GITHUB_REF:-}" ]]; then
+    echo "ERROR: GITHUB_REF environment variable is required"
+    exit 1
+fi
+
+TAG_REF="${GITHUB_REF}"
+TAG_NAME=${TAG_REF:10} # remove "refs/tags/" prefix
+
+# Remove specified prefix from the version tag
+VERSION_TAG=${TAG_NAME#"${VERSION_PREFIX}"}
+
+echo "Tag: $TAG_NAME"
+echo "Checking if $TAG_NAME is a release or pre-release tag..."
+
+IS_RELEASE=false
+IS_PRE_RELEASE=false
+RELEASE_VERSION="null"
+PRE_RELEASE_VERSION="null"
+
+if [[ $TAG_NAME =~ $RELEASE_REGEX ]]; then
+    echo "Release tag detected. Tag: $TAG_NAME - Version: $VERSION_TAG"
+    IS_RELEASE=true
+    RELEASE_VERSION=$VERSION_TAG
+elif [[ $TAG_NAME =~ $PRE_RELEASE_REGEX ]]; then
+    echo "Pre-release tag detected. Tag: $TAG_NAME - Version: $VERSION_TAG"
+    IS_PRE_RELEASE=true
+    PRE_RELEASE_VERSION=$VERSION_TAG
+else
+    echo "No release or pre-release tag detected. Tag: $TAG_NAME"
+fi
+
+echo "is-release=$IS_RELEASE" | tee -a "$GITHUB_OUTPUT"
+echo "release-version=$RELEASE_VERSION" | tee -a "$GITHUB_OUTPUT"
+
+echo "is-pre-release=$IS_PRE_RELEASE" | tee -a "$GITHUB_OUTPUT"
+echo "pre-release-version=$PRE_RELEASE_VERSION" | tee -a "$GITHUB_OUTPUT"