Skip to content

Operator attestation policy (#10721) #2573

Operator attestation policy (#10721)

Operator attestation policy (#10721) #2573

Workflow file for this run

# Run after merge to trunk
# Note that this relies on branch protection having:
# Require branches to be up to date before merging
on:
push:
branches:
# $default-branch
- master
- 'release-*'
- 'dev-*'
workflow_dispatch:
jobs:
build:
if: ${{ github.repository_owner == 'agoric' }}
runs-on: ubuntu-latest
strategy:
matrix:
node-version: ['18.x', '20.x']
steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- uses: ./.github/actions/restore-node
with:
node-version: ${{ matrix.node-version}}
- name: notify on failure
if: failure()
uses: ./.github/actions/notify-status
with:
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
dev-canary:
needs: build
runs-on: ubuntu-latest
strategy:
matrix:
# note: only use one node-version
node-version: ['18.x']
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/restore-node
with:
node-version: ${{ matrix.node-version }}
# Adapted from https://johnny.sh/notes/publish-canary-lerna-cicd/
- name: configure NPM token
run: |
echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: check credentials
run: npm whoami
- name: publish to NPM tag
run: |
case $GITHUB_REF_NAME in
release-*)
# A pre-release.
TAG=${GITHUB_REF_NAME#release-}-dev
;;
dev-*)
# A pre-release while our release branch is straying from master
TAG=${GITHUB_REF_NAME#dev-}-dev
;;
master)
# A trunk dev release.
TAG=dev
;;
*)
# Some other dev release.
TAG=other-dev
;;
esac
# Prevent `lerna publish` from failing due to uncommitted changes.
git stash || true
# without concurrency until https://github.com/Agoric/agoric-sdk/issues/8091
yarn lerna publish --concurrency 1 --conventional-prerelease --canary --exact \
--dist-tag=$TAG --preid=$TAG-$(git rev-parse --short=7 HEAD) \
--no-push --no-verify-access --yes
# restore any stashed changes for caching
git stash pop || true
- name: notify on failure
if: failure()
uses: ./.github/actions/notify-status
with:
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
coverage:
needs: build
runs-on: ubuntu-latest
strategy:
matrix:
# note: only use one node-version
node-version: ['18.x']
if: ${{github.event_name == 'push' }}
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/restore-node
with:
node-version: ${{ matrix.node-version }}
- name: generate test coverage report
run: ./scripts/ci/generate-test-coverage-report.sh
- uses: actions/upload-artifact@v4
with:
name: coverage
path: coverage
- name: Find Netlify site ID
run: |
echo "NETLIFY_SITE_ID=$(cat COVERAGE_NETLIFY_SITE_ID)" >> $GITHUB_ENV
- uses: nwtgck/[email protected]
with:
# Production deployment if a push or merged PR.
production-deploy: ${{ github.event_name == 'push' && github.ref_name == 'master' }}
publish-dir: coverage/html
# SECURITY: we don't want to hand out the Github token to this action.
# github-token: ${{ secrets.GITHUB_TOKEN }}
env:
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
- name: notify on failure
if: failure()
uses: ./.github/actions/notify-status
with:
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
benchmark:
needs: build
runs-on: ubuntu-latest
strategy:
matrix:
# note: only use one node-version
node-version: ['18.x']
if: ${{github.event_name == 'push'}}
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/restore-node
with:
node-version: ${{ matrix.node-version }}
- name: benchmark changes
env:
AUTOBENCH_METRICS_URL: ${{ secrets.AUTOBENCH_METRICS_URL }}
run: cd packages/swingset-runner && yarn ci:autobench
- uses: actions/upload-artifact@v4
with:
name: benchmarkstats.json
path: packages/swingset-runner/benchstats*.json
- name: notify on failure
if: failure()
uses: ./.github/actions/notify-status
with:
from: ${{ secrets.NOTIFY_EMAIL_FROM }}
to: ${{ secrets.NOTIFY_EMAIL_TO }}
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }}
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}