From c90e7acc41ded7415af376fa469e2ef71fd519ce Mon Sep 17 00:00:00 2001 From: lutaok Date: Fri, 26 May 2023 08:49:48 +0200 Subject: [PATCH 1/3] tools: order dependency jobs alphabetically Refs: https://github.com/nodejs/security-wg/issues/973 --- .github/workflows/tools.yml | 196 ++++++++++++++++++------------------ 1 file changed, 98 insertions(+), 98 deletions(-) diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index eea4c81c9feb0c..4e16dec6c2e8b5 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml 
@@ -48,70 +48,30 @@ jobs: if: github.repository == 'nodejs/node' runs-on: ubuntu-latest strategy: - fail-fast: false # Prevent other jobs from aborting if one fails + fail-fast: false # Prevent other jobs from aborting if one fails matrix: include: - - id: eslint - subsystem: tools - label: tools + - id: acorn + subsystem: deps + label: dependencies run: | - ./tools/dep_updaters/update-eslint.sh > temp-output + ./tools/dep_updaters/update-acorn.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: corepack - subsystem: deps - label: dependencies - run: | - make corepack-update - echo "NEW_VERSION=$(node deps/corepack/dist/corepack.js --version)" >> $GITHUB_ENV - - id: lint-md-dependencies - subsystem: tools - label: tools - run: | - cd tools/lint-md - npm ci - NEW_VERSION=$(npm outdated --parseable | cut -d: -f4 | xargs) - if [ "$NEW_VERSION" != "" ]; then - echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV - rm -rf package-lock.json node_modules - # Include $NEW_VERSION to explicitly update the package.json - # entry for the dependency and also so that semver-major updates - # are not skipped. - npm install --ignore-scripts $NEW_VERSION - npm install --ignore-scripts - cd ../.. - make lint-md-rollup - fi - - id: doc - subsystem: tools - label: tools - run: | - cd tools/doc - npm ci - NEW_VERSION=$(npm outdated --parseable | cut -d: -f4 | xargs) - if [ "$NEW_VERSION" != "" ]; then - echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV - rm -rf package-lock.json node_modules - # Include $NEW_VERSION to explicitly update the package.json - # entry for the dependency and also so that semver-major updates - # are not skipped. 
- npm install --ignore-scripts $NEW_VERSION - npm install --ignore-scripts - fi - - id: undici + - id: acorn-walk subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-undici.sh > temp-output + ./tools/dep_updaters/update-acorn-walk.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: postject - subsystem: deps,test - label: test + - id: ada + subsystem: deps + label: dependencies run: | - ./tools/dep_updaters/update-postject.sh > temp-output + ./tools/dep_updaters/update-ada.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output 
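Review bot: The `grep "NEW_VERSION="` filter in the moved acorn, acorn-walk and ada entries is unanchored, so the last line the updater script prints is appended whole to `$GITHUB_ENV` whenever it contains that substring anywhere. Since this commit rewrites every entry anyway, it is a good place to tighten the match to `tail -n1 temp-output | grep '^NEW_VERSION=' >> "$GITHUB_ENV" || true`, which limits the write to the one variable the later steps read. The same line recurs in the entries of the `@@ -123,96 +83,131 @@` and `@@ -224,54 +219,59 @@` hunks. Whether an updater script can actually emit such a last line is not visible from this patch, so treat this as hardening rather than a confirmed defect.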
@@ -123,96 +83,131 @@ jobs: cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: acorn + - id: brotli subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-acorn.sh > temp-output + ./tools/dep_updaters/update-brotli.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: acorn-walk + - id: c-ares subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-acorn-walk.sh > temp-output + ./tools/dep_updaters/update-c-ares.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: libuv + - id: cjs-module-lexer subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-libuv.sh > temp-output + ./tools/dep_updaters/update-cjs-module-lexer.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: simdutf + - id: corepack subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-simdutf.sh > temp-output + make corepack-update + echo "NEW_VERSION=$(node deps/corepack/dist/corepack.js --version)" >> $GITHUB_ENV + - id: doc + subsystem: tools + label: tools + run: | + cd tools/doc + npm ci + NEW_VERSION=$(npm outdated --parseable | cut -d: -f4 | xargs) + if [ "$NEW_VERSION" != "" ]; then + echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV + rm -rf package-lock.json node_modules + # Include $NEW_VERSION to explicitly update the package.json + # entry for the dependency and also so that semver-major updates + # are not skipped. 
+ npm install --ignore-scripts $NEW_VERSION + npm install --ignore-scripts + fi + - id: eslint + subsystem: tools + label: tools + run: | + ./tools/dep_updaters/update-eslint.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: ada + - id: googletest subsystem: deps - label: dependencies + label: dependencies, test run: | - ./tools/dep_updaters/update-ada.sh > temp-output + ./tools/dep_updaters/update-googletest.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: nghttp2 + - id: icu subsystem: deps - label: dependencies + label: dependencies, test run: | - ./tools/dep_updaters/update-nghttp2.sh > temp-output + ./tools/dep_updaters/update-icu.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: llhttp + - id: libuv subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-llhttp.sh > temp-output + ./tools/dep_updaters/update-libuv.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: c-ares + - id: lint-md-dependencies + subsystem: tools + label: tools + run: | + cd tools/lint-md + npm ci + NEW_VERSION=$(npm outdated --parseable | cut -d: -f4 | xargs) + if [ "$NEW_VERSION" != "" ]; then + echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV + rm -rf package-lock.json node_modules + # Include $NEW_VERSION to explicitly update the package.json + # entry for the dependency and also so that semver-major updates + # are not skipped. + npm install --ignore-scripts $NEW_VERSION + npm install --ignore-scripts + cd ../.. 
+ make lint-md-rollup + fi + - id: llhttp subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-c-ares.sh > temp-output + ./tools/dep_updaters/update-llhttp.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: brotli + - id: minimatch subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-brotli.sh > temp-output + ./tools/dep_updaters/update-minimatch.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: minimatch + - id: nghttp2 subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-minimatch.sh > temp-output + ./tools/dep_updaters/update-nghttp2.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: root-certificates - subsystem: crypto - label: crypto, notable-change - run: | - node ./tools/dep_updaters/update-root-certs.mjs -v -f "$GITHUB_ENV" - - id: cjs-module-lexer + - id: nghttp3 subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-cjs-module-lexer.sh > temp-output + ./tools/dep_updaters/update-nghttp3.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output 
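Review bot: The corepack, doc and lint-md-dependencies entries append to `$GITHUB_ENV` unquoted, while every `update-*.sh` entry in this hunk quotes it; writing `>> "$GITHUB_ENV"` in all three would make the moved entries consistent. In doc and lint-md-dependencies the value comes from `npm outdated --parseable` output and is then passed unquoted to `npm install --ignore-scripts $NEW_VERSION`. That appears to rely on word splitting to pass several package specs at once, so it deserves a comment such as `# $NEW_VERSION is intentionally unquoted: it may hold several package specs`. The entries are moved here verbatim, so this is a follow-up rather than a regression from the reorder.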
@@ -224,54 +219,59 @@ jobs: cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: nghttp3 - subsystem: deps - label: dependencies + - id: postject + subsystem: deps,test + label: test run: | - ./tools/dep_updaters/update-nghttp3.sh > temp-output + ./tools/dep_updaters/update-postject.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: uvwasi + - id: root-certificates + subsystem: crypto + label: crypto, notable-change + run: | + node ./tools/dep_updaters/update-root-certs.mjs -v -f "$GITHUB_ENV" + - id: simdutf subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-uvwasi.sh > temp-output + ./tools/dep_updaters/update-simdutf.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: zlib + - id: undici subsystem: deps label: dependencies run: | - ./tools/dep_updaters/update-zlib.sh > temp-output + ./tools/dep_updaters/update-undici.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: googletest + - id: uvwasi subsystem: deps - label: dependencies, test + label: dependencies run: | - ./tools/dep_updaters/update-googletest.sh > temp-output + ./tools/dep_updaters/update-uvwasi.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output - - id: icu + - id: zlib subsystem: deps - label: dependencies, test + label: dependencies run: | - ./tools/dep_updaters/update-icu.sh > temp-output + ./tools/dep_updaters/update-zlib.sh > temp-output cat temp-output tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 if: github.event_name == 'schedule' || inputs.id == 
'all' || inputs.id == matrix.id with: persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} if: matrix.id == 'icu' && (github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id) - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: ${{ env.PYTHON_VERSION }} - run: ${{ matrix.run }} @@ -291,7 +291,7 @@ jobs: with: author: Node.js GitHub Bot body: This is an automated update of ${{ matrix.id }} to ${{ env.NEW_VERSION }}. - branch: actions/tools-update-${{ matrix.id }} # Custom branch *just* for this Action. + branch: actions/tools-update-${{ matrix.id }} # Custom branch *just* for this Action. commit-message: ${{ env.COMMIT_MSG }} labels: ${{ matrix.label }} title: '${{ matrix.subsystem }}: update ${{ matrix.id }} to ${{ env.NEW_VERSION }}' @@ -299,7 +299,7 @@ jobs: - name: Open issue on fail id: create-issue if: github.event_name == 'schedule' && ${{ failure() }} - uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # 2.9.1 + uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # 2.9.1 env: GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} FAILED_DEP: ${{ matrix.id }} From 4f40ee5de11aa6512248a6fa7d0e6b431c13e689 Mon Sep 17 00:00:00 2001 From: lutaok Date: Fri, 26 May 2023 08:58:16 +0200 Subject: [PATCH 2/3] tools: add missing dependencies options Refs: https://github.com/nodejs/security-wg/issues/973 --- .github/workflows/tools.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 4e16dec6c2e8b5..0044693d0ed69d 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -28,6 +28,7 @@ on: - libuv - lint-md-dependencies - llhttp + - minimatch - nghttp2 - nghttp3 - ngtcp2 @@ -36,6 +37,7 @@ on: - simdutf - undici - uvwasi + - zlib env: PYTHON_VERSION: '3.11' 
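Review bot: The `options` list extended in the `@@ -28,6 +28,7 @@` and `@@ -36,6 +37,7 @@` hunks is a hand-maintained copy of the matrix `include` ids, and nothing in the file says so, which is presumably how `minimatch` and `zlib` came to be missing. A comment above the list, for example `# Keep in sync with the ids under strategy.matrix.include below`, would make the coupling explicit. The steps are gated on `inputs.id == matrix.id`, so an updater whose id is missing from this list cannot be dispatched on its own. The full `options` list starts outside these hunks, so whether any other id is still missing cannot be checked from here.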
From 3be7024073da8aec90298a825fb7e609c50afaef Mon Sep 17 00:00:00 2001 From: lutaok Date: Fri, 26 May 2023 13:36:31 +0200 Subject: [PATCH 3/3] tools: Revert spacing before comments PR-URL: #48184 Refs: nodejs/security-wg#973 --- .github/workflows/tools.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 0044693d0ed69d..c6e09a04d3f8b7 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -50,7 +50,7 @@ jobs: if: github.repository == 'nodejs/node' runs-on: ubuntu-latest strategy: - fail-fast: false # Prevent other jobs from aborting if one fails + fail-fast: false # Prevent other jobs from aborting if one fails matrix: include: - id: acorn @@ -267,13 +267,13 @@ jobs: tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true rm temp-output steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 if: github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id with: persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} if: matrix.id == 'icu' && (github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id) - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 with: python-version: ${{ env.PYTHON_VERSION }} - run: ${{ matrix.run }} 
@@ -293,7 +293,7 @@ jobs: with: author: Node.js GitHub Bot body: This is an automated update of ${{ matrix.id }} to ${{ env.NEW_VERSION }}. - branch: actions/tools-update-${{ matrix.id }} # Custom branch *just* for this Action. + branch: actions/tools-update-${{ matrix.id }} # Custom branch *just* for this Action. commit-message: ${{ env.COMMIT_MSG }} labels: ${{ matrix.label }} title: '${{ matrix.subsystem }}: update ${{ matrix.id }} to ${{ env.NEW_VERSION }}' @@ -301,7 +301,7 @@ jobs: - name: Open issue on fail id: create-issue if: github.event_name == 'schedule' && ${{ failure() }} - uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # 2.9.1 + uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # 2.9.1 env: GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }} FAILED_DEP: ${{ matrix.id }}