FIX (DevOps) @W-15619465@: Using GraphQL to create signed commit. #1466
Conversation
| @@ -41,9 +41,11 @@ jobs: | |||
| # before Release Day. | |||
| [[ $TODAY_DOW != 5 || $NEXT_RELEASE_DATE != $NEXT_TUESDAY_DATE ]] && echo "should_run=false" >> "$GITHUB_OUTPUT" || echo "should_run=true" >> "$GITHUB_OUTPUT" | |||
| create-release-branch: | |||
| runs-on: ubuntu-latest | |||
| runs-on: macos-latest | |||
There was a problem hiding this comment.
Switched to MacOS because the base64 command on Linux behaves differently in ways I didn't expect.
| NEW_PACKAGE="$(cat package.json | base64)" | ||
| NEW_YARN_LOCK="$(cat yarn.lock | base64)" | ||
| NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)" |
There was a problem hiding this comment.
This is why I switched to MacOS. base64 on Ubuntu inserts line breaks every 76 characters, but on MacOS it's an unbroken string. Those line breaks were breaking the API call, so I either had to deal with them, or just switch to MacOS where they don't exist.
| git checkout -b release-$NEW_VERSION | ||
| git config --global user.name "sfca-bot" | ||
| git config --global user.email "cli-scanner@salesforce.com" | ||
| git commit -m "Incrementing version for $NEW_VERSION release" | ||
| git push --set-upstream origin release-$NEW_VERSION |
There was a problem hiding this comment.
We now create the branch as a direct copy of dev, because the API call need an existing branch to push the new commit to. It can't create the branch from scratch.
| run: | | ||
| NEW_VERSION=$(jq -r ".version" package.json) | ||
| git stash | ||
| git checkout dev |
There was a problem hiding this comment.
I thought the workflow is already running from dev's latest. Why do we need to checkout dev and do a git pull?
If we didn't do this, then we wouldn't need to stash either. We would just increment the version and then checkout the new branch which forwards our changes automatically. Or am I missing something?
There was a problem hiding this comment.
Yeah, you're right, it's already on dev latest. I was coding extra defensively because I didn't want anything to break, but this one is excessive. I'll remove it.
| NEW_PACKAGE="$(cat package.json | base64)" | ||
| NEW_YARN_LOCK="$(cat yarn.lock | base64)" | ||
| NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)" | ||
| gh api graphql -F message="$MESSAGE" -F oldOid=`git rev-parse HEAD` -F branch="$BRANCH" \ |
There was a problem hiding this comment.
Is there a resource where I can learn about this. Did the other methods for signing commits fail, thus leaving you with using the api directly?
There was a problem hiding this comment.
GraphQL overview: https://docs.github.com/en/graphql
GH API overview: https://cli.github.com/manual/gh_api
There was a problem hiding this comment.
Also, the reason I'm using this tactic is because the commits created by the GraphQL API are signed by default, with no need for us to store any GPG keys as repo-level secrets or create a bot user. It all just works.
There was a problem hiding this comment.
Great. Thank you.
No description provided.