Merge pull request #6210 from ethereum-optimism/willc/releases

feat: Improve release process

.changeset/config.json

 {
-  "$schema": "https://unpkg.com/@changesets/config@1.6.0/schema.json",
-  "changelog": "@changesets/cli/changelog",
+  "$schema": "https://unpkg.com/@changesets/config@2.3.0/schema.json",
+  "changelog": ["@changesets/changelog-github", { "repo": "eth-optimism/optimism" }],
   "commit": false,
+  "fixed": [],
   "linked": [],
   "access": "public",
-  "baseBranch": "master",
+  "baseBranch": "develop",
   "updateInternalDependencies": "patch",
   "ignore": []
 }

.github/actions/setup/action.yml

+name: Setup
+description: Common setup steps used by our workflows
+runs:
+  using: composite
+  steps:
+    - name: Setup pnpm
+      uses: pnpm/action-setup@v2
+      with:
+        version: 8.6.5
+
+    - name: Setup node 16.x
+      uses: actions/setup-node@v3
+      with:
+        node-version-file: .nvmrc
+        registry-url: https://registry.npmjs.org
+        cache: pnpm
+
+    - name: Get foundry version
+      id: foundry-version
+      run: echo ::set-output name=version::$(cat .foundryrc)
+
+    - name: Setup foundry
+      uses: foundry-rs/foundry-toolchain@v1
+      with:
+        version: $${ steps.foundry-version.outputs.version }
+
+    - name: Install node dependencies
+      shell: bash
+      run: pnpm install --frozen-lockfile
+
+    - name: Derive appropriate SHAs for base and head for `nx affected` commands
+      uses: nrwl/nx-set-shas@v3
+
+    - run: |
+        echo "nx using following shas:"
+        echo "BASE: ${{ env.NX_BASE }}"
+        echo "HEAD: ${{ env.NX_HEAD }}"
+      shell: bash

.github/workflows/publish-canary.yml → .github/workflows/release-docker-canary.yml

-name: Publish Packages (canary)
+name: Publish Docker images (canary)
 
 on:
   # enable users to manually trigger with workflow_dispatch
@@ -31,48 +31,6 @@ jobs:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8.6.5
-
-      - name: Setup Node.js 16.x
-        uses: actions/setup-node@master
-        with:
-          node-version: 16.x
-          cache: pnpm
-
-      - name: Install Dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
-        with:
-          version: nightly
-
-      - name: Build
-        run: npx nx run-many --target=build --skip-nx-cache
-
-      - name: Setup Canary Snapshot
-        run: pnpm changeset version --snapshot
-
-      - name: Publish To NPM
-        uses: changesets/action@v1
-        id: changesets
-        with:
-          createGithubReleases: false
-          publish: pnpm changeset publish --tag canary
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      # Conditional on the release being executed, we unbundle the publishedPackages to specific
-      # job outputs
-      - name: Get version tags from each published version
-        id: packages
-        run: |
-          node ops/scripts/ci-versions.js ${{ toJSON(steps.changesets.outputs.publishedPackages) }}
-
       - name: Docker Image Name
         id: docker-image-name
         run: |

.github/workflows/release-snapshot.yml

+name: Release snapshot
+
+# Releases a snapshot release when new commits merge to develop
+# This ensures the release process is working as expected as well as always gives us a release
+# we should move to a single branch in near future
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - develop
+
+jobs:
+  snapshot-snapshot:
+    name: Publish snapshot release to npm
+    if: github.repository == 'eth-optimism/optimism'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+          fetch-depth: 0
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Set deployment token
+        run: npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish snapshots
+        uses: seek-oss/changesets-snapshot@v0
+        with:
+          pre-publish: pnpm nx run-many --target=build --skip-nx-cache
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release.yml

-name: Release
+name: Release and version
 
 on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Trigger a release workflow"
+        type: string
+        default: "develop"
+        required: true
   push:
     branches:
-      - master
+      - develop
 
 # Always wait for previous release to finish before releasing again
 concurrency: ${{ github.workflow }}-${{ github.ref }}
@@ -12,6 +19,7 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    if: github.repository == 'eth-optimism/optimism'
     # map the step outputs to job outputs
     outputs:
       fault-detector: ${{ steps.packages.outputs.fault-detector }}
@@ -21,32 +29,22 @@ jobs:
       replica-healthcheck: ${{ steps.packages.outputs.replica-healthcheck }}
       op-exporter: ${{ steps.packages.outputs.op-exporter }}
       endpoint-monitor: ${{ steps.packages.outputs.endpoint-monitor }}
-
+    # Permissions necessary for Changesets to push a new branch and open PRs
+    # (for automated Version Packages PRs), and request the JWT for provenance.
+    # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@master
+        uses: actions/checkout@develop
         with:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8.6.5
-
-      - name: Setup Node.js 16.x
-        uses: actions/setup-node@master
-        with:
-          node-version: 16.x
-          cache: pnpm
-
-      - name: Install Dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
-        with:
-          version: nightly
+      - name: Setup
+        uses: ./.github/actions/setup
 
       # Makes a pr to publish the changesets that when
       # merged will publish to npm

package.json

@@ -25,11 +25,15 @@
     "ready": "pnpm lint && pnpm test",
     "prepare": "husky install",
     "release": "npx nx run-many --target=build --skip-nx-cache && pnpm changeset publish",
+    "release:check": "changeset status --verbose --since=origin/main",
+    "release:publish": "npx nx run-many --target=build && pnpm install && pnpm build && changeset publish",
+    "release:version": "changeset version && pnpm install --lockfile-only",
     "install:foundry": "curl -L https://foundry.paradigm.xyz | bash && pnpm update:foundry",
     "update:foundry": "foundryup -C $(cat .foundryrc)"
   },
   "devDependencies": {
     "@babel/eslint-parser": "^7.18.2",
+    "@changesets/changelog-github": "^0.4.8",
     "@nrwl/nx-cloud": "latest",
     "@types/chai": "^4.2.18",
     "@types/chai-as-promised": "^7.1.4",

pnpm-lock.yaml

@@ -21,6 +21,9 @@ importers:
       '@babel/eslint-parser':
         specifier: ^7.18.2
         version: 7.18.2(@babel/core@7.22.5)(eslint@8.43.0)
+      '@changesets/changelog-github':
+        specifier: ^0.4.8
+        version: 0.4.8
       '@nrwl/nx-cloud':
         specifier: latest
         version: 16.0.5
@@ -853,6 +856,16 @@ packages:
       '@changesets/types': 5.2.1
     dev: false
 
+  /@changesets/changelog-github@0.4.8:
+    resolution: {integrity: sha512-jR1DHibkMAb5v/8ym77E4AMNWZKB5NPzw5a5Wtqm1JepAuIF+hrKp2u04NKM14oBZhHglkCfrla9uq8ORnK/dw==}
+    dependencies:
+      '@changesets/get-github-info': 0.5.2
+      '@changesets/types': 5.2.1
+      dotenv: 8.6.0
+    transitivePeerDependencies:
+      - encoding
+    dev: true
+
   /@changesets/cli@2.26.0:
     resolution: {integrity: sha512-0cbTiDms+ICTVtEwAFLNW0jBNex9f5+fFv3I771nBvdnV/mOjd1QJ4+f8KtVSOrwD9SJkk9xbDkWFb0oXd8d1Q==}
     hasBin: true
@@ -920,6 +933,15 @@ packages:
       semver: 5.7.1
     dev: false
 
+  /@changesets/get-github-info@0.5.2:
+    resolution: {integrity: sha512-JppheLu7S114aEs157fOZDjFqUDpm7eHdq5E8SSR0gUBTEK0cNSHsrSR5a66xs0z3RWuo46QvA3vawp8BxDHvg==}
+    dependencies:
+      dataloader: 1.4.0
+      node-fetch: 2.6.7
+    transitivePeerDependencies:
+      - encoding
+    dev: true
+
   /@changesets/get-release-plan@3.0.16:
     resolution: {integrity: sha512-OpP9QILpBp1bY2YNIKFzwigKh7Qe9KizRsZomzLe6pK8IUo8onkAAVUD8+JRKSr8R7d4+JRuQrfSSNlEwKyPYg==}
     dependencies:
@@ -990,7 +1012,6 @@ packages:
 
   /@changesets/types@5.2.1:
     resolution: {integrity: sha512-myLfHbVOqaq9UtUKqR/nZA/OY7xFjQMdfgfqeZIBK4d0hA6pgxArvdv8M+6NUzzBsjWLOtvApv8YHr4qM+Kpfg==}
-    dev: false
 
   /@changesets/write@0.2.3:
     resolution: {integrity: sha512-Dbamr7AIMvslKnNYsLFafaVORx4H0pvCA2MHqgtNCySMe1blImEyAEOzDmcgKAkgz4+uwoLz7demIrX+JBr/Xw==}
@@ -6105,6 +6126,10 @@ packages:
     dependencies:
       assert-plus: 1.0.0
 
+  /dataloader@1.4.0:
+    resolution: {integrity: sha512-68s5jYdlvasItOJnCuI2Q9s4q98g0pCyL3HrcKJu8KNugUl8ahgmZYg38ysLTgQjjXX3H8CJLkAvWrclWfcalw==}
+    dev: true
+
   /dateformat@3.0.3:
     resolution: {integrity: sha512-jyCETtSl3VMZMWeRo7iY1FL19ges1t55hMo5yaam4Jrsm5EPL89UQkoQRyiI+Yf4k8r2ZpdngkV8hr1lIdjb3Q==}
     dev: true
@@ -6549,6 +6574,11 @@ packages:
     engines: {node: '>=12'}
     dev: true
 
+  /dotenv@8.6.0:
+    resolution: {integrity: sha512-IrPdXQsk2BbzvCBGBOTmmSH5SodmqZNt4ERAZDmW4CT+tL8VtvinqywuANaFu4bOMWki16nqf0e4oC0QIaDr/g==}
+    engines: {node: '>=10'}
+    dev: true
+
   /dotignore@0.1.2:
     resolution: {integrity: sha512-UGGGWfSauusaVJC+8fgV+NVvBXkCTmVv7sk6nojDZZvuOUNGUy0Zk4UpHQD6EDjS0jpBwcACvH4eofvyzBcRDw==}
     hasBin: true