FIX (DevOps) @W-15619465@: Using GraphQL to create signed commit. #1466
@@ -41,9 +41,11 @@ jobs: | |||
# before Release Day. | |||
[[ $TODAY_DOW != 5 || $NEXT_RELEASE_DATE != $NEXT_TUESDAY_DATE ]] && echo "should_run=false" >> "$GITHUB_OUTPUT" || echo "should_run=true" >> "$GITHUB_OUTPUT" | |||
create-release-branch: | |||
runs-on: ubuntu-latest | |||
runs-on: macos-latest |
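Review bot: the `runs-on: macos-latest` change at the end of this hunk pins the job's operating system to one tool's output format (macOS base64 not wrapping its output) rather than to anything the release job actually needs, and a future macOS image could change that behaviour without anyone noticing. Keep `runs-on: ubuntu-latest` and remove the line breaks where the encoding happens instead, with `base64 -w0` (GNU coreutils) or `base64 | tr -d '\n'` (works on both), so the fix lives next to the code that depends on it.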
Switched to macOS because the base64 command on Linux behaves differently in ways I didn't expect.
NEW_PACKAGE="$(cat package.json | base64)" | ||
NEW_YARN_LOCK="$(cat yarn.lock | base64)" | ||
NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)" |
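Review bot: `cat package.json | base64` and the two lines below it are where the 76-column wrapping of GNU coreutils base64 enters the payload, so this is where it should be removed rather than by changing the runner: `NEW_PACKAGE="$(base64 < package.json | tr -d '\n')"` yields one unbroken string on both Ubuntu and macOS (`base64 -w0` also works but is GNU-only). Redirecting the file into `base64` also drops the unneeded `cat`.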
This is why I switched to macOS. base64 on Ubuntu inserts line breaks every 76 characters, but on macOS it's an unbroken string. Those line breaks were breaking the API call, so I either had to deal with them or just switch to macOS where they don't exist.
git checkout -b release-$NEW_VERSION | ||
git config --global user.name "sfca-bot" | ||
git config --global user.email "cli-scanner@salesforce.com" | ||
git commit -m "Incrementing version for $NEW_VERSION release" | ||
git push --set-upstream origin release-$NEW_VERSION |
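Review bot: `$NEW_VERSION` is unquoted in both `git checkout -b release-$NEW_VERSION` and `git push --set-upstream origin release-$NEW_VERSION`; if the `jq` lookup that fills it fails, or prints `null` for a missing key, the step would create and push a branch literally named `release-` or `release-null`. Quote the expansions (`"release-$NEW_VERSION"`) and guard the step with `set -euo pipefail` plus `[ -n "$NEW_VERSION" ] || exit 1` so an empty version aborts before anything reaches the remote. Note also that `git commit -m ...` here carries no `-S`, so the commits made under the `sfca-bot` identity are unsigned, which is the gap the GraphQL path is meant to close.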
We now create the branch as a direct copy of dev, because the API call needs an existing branch to push the new commit to. It can't create the branch from scratch.
run: | | ||
NEW_VERSION=$(jq -r ".version" package.json) | ||
git stash | ||
git checkout dev |
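Review bot: `git stash` followed by `git checkout dev` at the end of this hunk is redundant if the job has already checked out `dev`, and the stash is never popped, so any uncommitted change present at that point would be silently parked in the stash list and lost. Drop both lines and let the version bump land on the branch that is already checked out. While here, `NEW_VERSION=$(jq -r ".version" package.json)` would be safer as `jq -er .version package.json`, since `-e` makes jq exit non-zero when the result is `null` or missing.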
I thought the workflow is already running from dev's latest. Why do we need to checkout dev and do a git pull?
If we didn't do this, then we wouldn't need to stash either. We would just increment the version and then checkout the new branch which forwards our changes automatically. Or am I missing something?
Yeah, you're right, it's already on dev latest. I was coding extra defensively because I didn't want anything to break, but this one is excessive. I'll remove it.
NEW_PACKAGE="$(cat package.json | base64)" | ||
NEW_YARN_LOCK="$(cat yarn.lock | base64)" | ||
NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)" | ||
gh api graphql -F message="$MESSAGE" -F oldOid=`git rev-parse HEAD` -F branch="$BRANCH" \ |
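Review bot: `-F oldOid=\`git rev-parse HEAD\`` should use `$(git rev-parse HEAD)` rather than backticks, and the three values on this line are better passed with `-f` than `-F`: `-F` is gh's typed field and coerces values that look like integers or booleans, while `-f` (`--raw-field`) passes the string unchanged, which is what a commit message and an OID need. If `oldOid` feeds the mutation's expected head for `$BRANCH`, it is the right guard, with the caveat that the local HEAD only matches the new branch's remote head when nothing has landed on `dev` between the checkout and the branch creation; a mismatch fails the call, which is the safe outcome, but the workflow should surface that error rather than treat it as a generic failure.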
Is there a resource where I can learn about this? Did the other methods for signing commits fail, thus leaving you with using the API directly?
GraphQL overview: https://docs.github.com/en/graphql
GH API overview: https://cli.github.com/manual/gh_api
Also, the reason I'm using this tactic is because the commits created by the GraphQL API are signed by default, with no need for us to store any GPG keys as repo-level secrets or create a bot user. It all just works.
Great. Thank you.
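As an added example for the two points raised in this thread (the 76-column wrapping of GNU base64 that broke the API call, and the author's note that commits created through the GraphQL API come back signed without any GPG key in the repository's secrets), here is a POSIX shell sketch. It is not the project's workflow code. The repository name, branch name, OID, GraphQL variable names and the 100-byte sample file are constructed; the mutation is GitHub's createCommitOnBranch invoked through `gh api graphql` as in the PR, with the real call disabled by default (DRY_RUN=1) so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example for this PR thread; not the repository's workflow code.
# It shows (1) a base64 encoding that is one unbroken line on both GNU
# coreutils (Ubuntu, wraps at 76 columns) and BSD/macOS, and (2) how the
# createCommitOnBranch mutation takes that content together with the
# expected head OID. The repository, branch, OID and file used in demo()
# are constructed placeholders.
set -eu

# Portable no-wrap base64 of a file. GNU base64 accepts -w0 but BSD base64
# does not, so strip the newlines instead; both implementations then agree.
b64_nowrap() {
  base64 < "$1" | tr -d '\n'
}

# Number of line breaks in a string; the API needs 0 for a Base64String.
count_newlines() {
  printf '%s' "$1" | tr -cd '\n' | wc -c | tr -d ' '
}

# The mutation text. Every value arrives as a GraphQL variable, so the query
# string itself never contains shell-interpolated data. expectedHeadOid makes
# GitHub reject the commit if the branch head is no longer $oldOid.
COMMIT_MUTATION='mutation ($repo: String!, $branch: String!, $headline: String!,
                           $oldOid: GitObjectID!, $path: String!, $contents: Base64String!) {
  createCommitOnBranch(input: {
    branch: { repositoryNameWithOwner: $repo, branchName: $branch },
    message: { headline: $headline },
    expectedHeadOid: $oldOid,
    fileChanges: { additions: [{ path: $path, contents: $contents }] }
  }) { commit { oid url } }
}'

# Builds the gh call for a one-file commit. repo_path is the repo-relative
# path, read from the current checkout. -f (raw string) is used instead of
# -F so gh does not type-convert values that look like numbers or booleans.
# With DRY_RUN=1 (the default, so this runs offline) the call is printed and
# the encoded size reported instead of contacting the API.
create_signed_commit() {
  repo=$1; branch=$2; headline=$3; old_oid=$4; repo_path=$5
  contents=$(b64_nowrap "$repo_path")
  if [ "$(count_newlines "$contents")" -ne 0 ]; then
    echo "base64 output contains line breaks; the API would reject it" >&2
    return 1
  fi
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'gh api graphql -f query=<mutation> -f repo=%s -f branch=%s -f headline=%s -f oldOid=%s -f path=%s -f contents=<%s bytes>\n' \
      "$repo" "$branch" "$headline" "$old_oid" "$repo_path" "${#contents}"
    return 0
  fi
  gh api graphql -f query="$COMMIT_MUTATION" -f repo="$repo" -f branch="$branch" \
    -f headline="$headline" -f oldOid="$old_oid" -f path="$repo_path" -f contents="$contents"
}

# Constructed sample: a 100-byte package.json in a scratch checkout, long
# enough to trigger GNU base64's wrapping if it were not stripped.
demo() {
  dir=$(mktemp -d)
  printf '%0100d' 0 > "$dir/package.json"
  ( cd "$dir" && create_signed_commit owner/repo release-1.2.3 \
      "Incrementing version for 1.2.3 release" \
      0123456789abcdef0123456789abcdef01234567 package.json )
  rm -rf "$dir"
}

demo
```

For files large enough to approach the command-line length limit, write the stripped base64 to a temporary file and pass it with `-F contents=@encoded.txt`, which makes gh read the value from the file. The commit is created server-side from the job's own token, which is the property the PR author relies on for a signed commit without a stored GPG key or a separate bot user.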