diff --git a/.changeset/backport-release-app-token-removal.md b/.changeset/backport-release-app-token-removal.md
new file mode 100644
index 0000000000..1031c501ca
--- /dev/null
+++ b/.changeset/backport-release-app-token-removal.md
@@ -0,0 +1,4 @@
+---
+---
+
+Backport CI changes from `main` to unblock releases on `stable`. Removes the dependency on the temporarily-removed Release App by switching to `secrets.GITHUB_TOKEN` with `commitMode: github-api` for GPG-signed commits, and bumps `pnpm/action-setup` to `v5` so the version is read from `package.json#packageManager`. Backports #1785, #1866, and #1867.
diff --git a/.github/actions/setup-workflow-dev/action.yml b/.github/actions/setup-workflow-dev/action.yml
index 44da12c1bc..d12b3eff98 100644
--- a/.github/actions/setup-workflow-dev/action.yml
+++ b/.github/actions/setup-workflow-dev/action.yml
@@ -6,10 +6,6 @@ inputs: description: 'Node.js version to use' required: false default: '22.x' - pnpm-version: - description: 'pnpm version to use' - required: false - default: '10.14.0' setup-rust: description: 'Whether to setup Rust toolchain' required: false
@@ -37,9 +33,7 @@ runs: toolchain: stable - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: ${{ inputs.pnpm-version }} + uses: pnpm/action-setup@v5 - name: Setup Node.js ${{ inputs.node-version }} uses: actions/setup-node@v4
diff --git a/.github/workflows/debug-windows.yml b/.github/workflows/debug-windows.yml
index 919886b3ba..82e4bcf09e 100644
--- a/.github/workflows/debug-windows.yml
+++ b/.github/workflows/debug-windows.yml
@@ -27,9 +27,7 @@ jobs: target: wasm32-unknown-unknown - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4
diff --git a/.github/workflows/dispatch-front-workflow-release-pr.yml b/.github/workflows/dispatch-front-workflow-release-pr.yml
index b65bbfa66a..1fbc4aad58 100644
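Review bot: In `.github/actions/setup-workflow-dev/action.yml` (hunk `@@ -37,9 +33,7 @@`) the new `uses: pnpm/action-setup@v5` refers to a mutable major tag, so whatever that tag points to at run time executes inside the job; pinning it to a full commit SHA, `uses: pnpm/action-setup@<full-commit-sha> # v5`, makes the step immutable and reviewable. The same line is added in the `debug-windows.yml`, `release.yml` and both `tests.yml` hunks, and it matters most in `release.yml`, where the job goes on to run `pnpm ci:publish`. With the explicit `version:` removed, the pnpm version comes from `package.json#packageManager` (per the commit description), so that field is now the only pin and should stay an exact version. The `runs:` block starts and ends outside the hunk.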
--- a/.github/workflows/dispatch-front-workflow-release-pr.yml
+++ b/.github/workflows/dispatch-front-workflow-release-pr.yml
@@ -1,5 +1,10 @@ name: Dispatch Front Workflow Release PR +# DISABLED: This workflow dispatches to vercel/front (cross-repo) which +# requires a GitHub App token. The Release App has been temporarily +# removed, so this workflow is disabled (all jobs gated on `if: false`) +# until the App is restored. See .github/workflows/release.yml, which +# has also been updated to no longer rely on the Release App. on: pull_request: types: [opened, synchronize, reopened, closed]
@@ -15,6 +20,7 @@ jobs: dispatch-front-sync: name: Dispatch Front Sync if: > + false && startsWith(github.event.pull_request.head.ref, 'changeset-release/') && github.event.action != 'closed' runs-on: ubuntu-latest
@@ -68,6 +74,7 @@ jobs: dispatch-front-close: name: Dispatch Front Close if: > + false && startsWith(github.event.pull_request.head.ref, 'changeset-release/') && github.event.action == 'closed' runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f908da9008..49357598af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,11 @@ on: branches: - main - stable + # Allow manual triggering from the Actions tab. Useful for re-running the + # release flow when a push from the default GITHUB_TOKEN (e.g. a clean + # cherry-pick from the backport workflow, or a merged "Version Packages" + # PR) does not automatically trigger this workflow. + workflow_dispatch: concurrency: ${{ github.workflow }}-${{ github.ref }}
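Review bot: In `.github/workflows/release.yml` (hunk `@@ -5,6 +5,11 @@`) the added `workflow_dispatch:` carries no branch restriction, unlike `push`, which is limited to `main` and `stable`, so a manual run can be started against any ref and the job still reaches `pnpm ci:publish`. Unless a guard already exists outside the hunk, add a job-level condition such as `if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/stable'`, or keep the publish credentials behind an environment with deployment-branch rules. The added comment could also record that a "Version Packages" PR opened with `GITHUB_TOKEN` will not start `pull_request` workflows either, so its required checks need another trigger. The `jobs:` section lies outside this hunk.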
@@ -23,28 +28,18 @@ jobs: TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} TURBO_TEAM: ${{ vars.TURBO_TEAM }} steps: - - name: Generate GitHub App Token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - - name: Checkout Repo uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ steps.app-token.outputs.token }} - name: Configure Git identity run: | - git config user.name "${{ steps.app-token.outputs.app-slug }}[bot]" - git config user.email "${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 24.x uses: actions/setup-node@v4
@@ -64,13 +59,15 @@ jobs: publish: pnpm ci:publish createGithubReleases: false setupGitUser: false + # Use GitHub API for GPG-signed commits (required by branch rules). + commitMode: github-api env: - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create GitHub Release if: steps.changesets.outputs.published == 'true' env: - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }} run: | # Generate release notes (PUBLISHED_PACKAGES filters to only include packages from this release)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ae63f758c3..987c391625 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -161,9 +161,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4
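Review bot: In `.github/workflows/release.yml` (hunks `@@ -23,28 +28,18 @@` and `@@ -64,13 +59,15 @@`) the job now authenticates with `secrets.GITHUB_TOKEN`, but no `permissions:` block is visible, so the token's scope falls back to the repository default. If the job does not already declare one outside the hunks, set it explicitly, for example `permissions:` with `contents: write` and `pull-requests: write`. With `commitMode: github-api` making the commits, the `Checkout Repo` step probably no longer needs the token left in the local git config, so adding `persist-credentials: false` under its `with:` would keep it away from the install and build steps that run before publishing. Confirm first that `pnpm ci:publish` does not push tags through git. The step list continues outside both hunks.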
@@ -622,9 +620,7 @@ jobs: target: wasm32-unknown-unknown - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4