ci: add typecheck step to CI workflow (#319) #246
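# STAGING ENVIRONMENT WITH RC PUBLISHING
# =====================================
# This workflow builds the staging environment and publishes RC packages for QA testing.
# Uses the public npm registry (registry.npmjs.org) for @openzeppelin packages — see the
# "Configure npm authentication for npm registry" step in the publish-rc job.
#
# RC PUBLISHING STRATEGY:
# - Publishes RC snapshot versions (e.g., @openzeppelin/adapter-evm@0.2.1-rc.123)
# - Exported apps from staging use RC versions for QA testing
# - Ensures QA tests latest features before stable release
#
# TRANSITION TO PUBLIC RELEASE:
# When ready to publish publicly, this workflow will automatically work with public npm:
# 1. Remove "Configure npm authentication for private registry" step
# 2. Update .npmrc authentication to use NPM_TOKEN for npm registry (if needed)
# 3. RC packages will be published to public npm instead of GitHub registry
# 4. QA engineers will have seamless access via standard 'npm install'
# 5. All package names and imports will remain the same
# NOTE(review): items 1-3 appear to be done already — there is no "private registry" step
# left in this file and the auth step below writes an NPM_TOKEN entry for registry.npmjs.org.
# Confirm and prune this list so it does not describe a state the workflow has moved past.

name: (Staging) Build and Push Docker Images

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      # NOTE(review): no checkout step below passes `ref:`, so this input is not consumed;
      # a dispatched run builds from the ref the workflow was dispatched on.
      branch:
        description: 'Branch to build from'
        required: true
        default: 'main'
        type: string

# Prevent concurrent staging deployments and avoid conflicts with release workflow.
# NOTE(review): cancel-in-progress also covers the publish-rc job; a run cancelled in the
# middle of `changeset publish` could leave a partial set of RC versions published.
concurrency:
  group: staging-deployment-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level default is read-only; each job elevates only what it needs.
permissions:
  contents: read
  actions: read

jobs:
  publish-rc:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      # NOTE(review): no step in this job opens or comments on a pull request — confirm
      # pull-requests: write is still required (the local prepare action may need it).
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          # audit only logs outbound calls; it does not block them
          egress-policy: audit

      # Short-lived installation token used for checkout and the prepare action instead of a PAT.
      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
        id: gh-app-token
        with:
          app-id: ${{ vars.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Checkout Repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ steps.gh-app-token.outputs.token }}
          # full history is needed so changesets can compute versions from git state
          fetch-depth: 0

      - name: Prepare pre-requisites
        uses: ./.github/actions/prepare
        with:
          token: ${{ steps.gh-app-token.outputs.token }}

      - name: Configure npm authentication for npm registry
        # The token is handed to the script through the environment rather than expanded
        # inline into the shell text, so the run script contains no `${{ }}` interpolation.
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc

      - name: Install dependencies
        run: pnpm install

      - name: Build all packages
        run: pnpm -r build
        env:
          NODE_OPTIONS: '--max-old-space-size=8192'

      - name: Check for pending changesets
        id: changeset-check
        run: |
          # Check if there are any pending changesets to create snapshots from
          if [ -z "$(find .changeset -name '*.md' -not -name 'README.md' -not -name 'config.json')" ]; then
            echo "has_changesets=false" >> "$GITHUB_OUTPUT"
            echo "⚠️ No pending changesets found. Skipping RC publishing to prevent stable version pollution."
          else
            echo "has_changesets=true" >> "$GITHUB_OUTPUT"
            echo "✅ Pending changesets found. Proceeding with RC snapshot creation."
          fi

      - name: Create RC snapshot version
        if: steps.changeset-check.outputs.has_changesets == 'true'
        run: |
          # Create RC snapshot version with 'rc' tag
          pnpm changeset version --snapshot rc
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          HUSKY: 0

      - name: Rebuild packages after version update
        if: steps.changeset-check.outputs.has_changesets == 'true'
        run: pnpm -r build
        env:
          NODE_OPTIONS: '--max-old-space-size=8192'

      # Type check runs against the rebuilt, re-versioned tree, before anything is published.
      - name: Type check all packages
        if: steps.changeset-check.outputs.has_changesets == 'true'
        run: pnpm -r typecheck

      - name: Publish RC packages
        if: steps.changeset-check.outputs.has_changesets == 'true'
        run: |
          # Publish RC packages with dependencies pre-built
          # Temporarily disable prepublishOnly scripts to skip rebuild during publishing
          # since we already built all packages with proper dependencies in previous step
          export SKIP_PUBLISH_BUILD=true
          # TRANSITION NOTE: When switching to public npm, this will automatically
          # start publishing RC versions to public npm instead of GitHub registry
          # NOTE(review): ~/.npmrc above already points at registry.npmjs.org — confirm
          # whether this transition note is still current.
          pnpm changeset publish --tag rc --no-git-checks
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          HUSKY: 0

      - name: Skip RC publishing notice
        if: steps.changeset-check.outputs.has_changesets == 'false'
        run: |
          echo "🚫 RC publishing skipped because no pending changesets were found."
          echo "This prevents publishing stable versions with 'rc' tags."
          echo "Stable versions should only be published by the Release workflow with 'latest' tags."

      - name: Update export versions for RC packages
        if: steps.changeset-check.outputs.has_changesets == 'true'
        run: |
          # Sync versions.ts with the newly published RC versions
          # This ensures staging exports use correct RC versions (e.g., 0.2.1-rc.123)
          pnpm update-export-versions

  # NOTE(review): this job has no `needs: publish-rc` and checks out a fresh tree, so the
  # versions.ts update made in publish-rc is not visible to the image build unless
  # `pnpm update-export-versions` commits and pushes it — confirm against that script.
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      # id-token is required for the OIDC role chaining below
      id-token: write
      contents: read
      packages: write
      # NOTE(review): no attest/provenance step is visible in this job — confirm
      # attestations: write is needed.
      attestations: write
      # required by the SARIF upload step
      security-events: write
    env:
      REGISTRY: ${{ secrets.RESEARCH_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com
      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
        with:
          platforms: 'arm64'

      - name: Set up Docker Buildx
        # TODO(review): record the version tag this pinned SHA corresponds to, as every other
        # pinned action in this file does.
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2

      - name: Set up AWS credentials via OIDC and role chaining
        uses: ./.github/actions/oidc
        with:
          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}

      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

      # First build: single-platform, loaded into the local daemon so it can be scanned
      # before anything is pushed.
      - name: Build Docker image
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        id: build
        with:
          context: .
          platforms: linux/amd64 # linux/arm64 causes anchore/scan-action to fail
          tags: |
            ${{ env.REGISTRY }}/contracts-ui-builder-stg:latest
            ${{ env.REGISTRY }}/contracts-ui-builder-stg:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          load: true
          # Build args are recorded in the image config/history; if VITE_GA_TAG_ID is
          # considered sensitive, pass it through `secrets:` like npm_token instead.
          build-args: |
            VITE_EXPORT_ENV=staging
            VITE_APP_CFG_FEATURE_FLAG_ANALYTICS_ENABLED=true
            VITE_GA_TAG_ID=${{ secrets.VITE_GA_TAG_ID_STAGING }}
          # BuildKit secrets are mounted at build time and are not persisted in layers.
          secrets: |
            npm_token=${{ secrets.NPM_TOKEN }}
            etherscan_api_key=${{ secrets.VITE_APP_CFG_SERVICE_ETHERSCANV2_API_KEY }}

      - name: Scan Docker image
        uses: anchore/scan-action@df395807f4554463d4455b8047cf58e37b6acaae # v6.5.0
        id: scan
        with:
          image: ${{ env.REGISTRY }}/contracts-ui-builder-stg:${{ github.sha }}
          # Findings are surfaced through the SARIF upload below but do not gate the push.
          # Only the amd64 image built above is scanned; the arm64 variant pushed in the
          # next step is not covered by this scan.
          fail-build: false

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      # Second build: multi-platform and pushed; layers come from the GHA cache populated above.
      - name: Build and push Docker image
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        id: push
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ${{ env.REGISTRY }}/contracts-ui-builder-stg:latest
            ${{ env.REGISTRY }}/contracts-ui-builder-stg:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VITE_EXPORT_ENV=staging
            VITE_APP_CFG_FEATURE_FLAG_ANALYTICS_ENABLED=true
            VITE_GA_TAG_ID=${{ secrets.VITE_GA_TAG_ID_STAGING }}
          secrets: |
            npm_token=${{ secrets.NPM_TOKEN }}
            etherscan_api_key=${{ secrets.VITE_APP_CFG_SERVICE_ETHERSCANV2_API_KEY }}

  deploy:
    runs-on: ubuntu-latest
    needs: build-and-push
    env:
      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
      ECS_CLUSTER: 'contracts-ui-builder-stg-cluster'
      ECS_SERVICE: 'contracts-ui-builder-stg-service'
      AWS_REGION: 'us-east-1'
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up AWS credentials via OIDC and role chaining
        uses: ./.github/actions/oidc
        with:
          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}

      # Rolls the service so it picks up the :latest tag pushed by build-and-push.
      - name: AWS ECS force new deployment
        run: |
          aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" --force-new-deployment --region "$AWS_REGION"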