diff --git a/.github/workflows/build-pro-image.yml b/.github/workflows/build-pro-image.yml
index de5761a3a2..a1deadc821 100644
--- a/.github/workflows/build-pro-image.yml
+++ b/.github/workflows/build-pro-image.yml
@@ -15,8 +15,12 @@ on:
 - '.github/workflows/build-pro-image.yml'
 jobs:
- build-and-push:
+ app-token:
 if: github.event.pull_request.head.repo.fork != true
+ uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+ secrets: inherit
+ build-and-push:
+ needs: app-token
 runs-on: ubuntu-latest
 services:
 verdaccio:
@@ -24,10 +28,18 @@ jobs:
 ports:
 - 4873:4873
 steps:
+ - name: Decrypt app token
+ id: app-token
+ shell: bash
+ run: |
+ ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+ BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+ APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+ echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout
 uses: actions/checkout@v3
 with:
- ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+ token: ${{ steps.app-token.outputs.token }}
 submodules: true
 - name: Checkout pro-plugins
 uses: actions/checkout@v3
@@ -36,7 +48,14 @@ jobs:
 ref: main
 path: packages/pro-plugins
 fetch-depth: 0
- ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+ token: ${{ steps.app-token.outputs.token }}
+ - name: Clone pro repos
+ shell: bash
+ run: |
+ for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+ do
+ git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+ done
 - run: |
 cd packages/pro-plugins &&
 if git show-ref --quiet refs/remotes/origin/${{ github.head_ref || github.ref_name }}; then
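Review bot: `secrets: inherit` on the new `app-token` job (first hunk of build-pro-image.yml) hands every secret visible to this repository to the called workflow, although the build only needs an encrypted token back. I would pass the required secrets by name instead, e.g. a `secrets:` mapping with `APP_TOKEN_ENCRYPTION_PASSWORD: ${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}` plus whichever app credentials get-nocobase-app-token.yml actually reads (that file is not part of this diff). The callee is also pinned to the mutable ref `@main`; if that is deliberate, a short comment saying so would help. Since the `if:` fork guard now sits on `app-token`, a comment above `needs: app-token` noting that `build-and-push` is skipped whenever `app-token` is skipped would make the guard easier to audit. The identical job added in manual-build-pro-image.yml should get the same treatment.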
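Review bot: The `Decrypt app token` step (second hunk of build-pro-image.yml) writes the decrypted token to `$GITHUB_OUTPUT` without an `::add-mask::` line, so the runner has nothing to redact if a later step prints it. The step also expands both `${{ }}` expressions into the script text, and `-k` puts the password on the openssl command line; passing both through `env:` and using `-pass env:` avoids that. Holding the base64-decoded ciphertext in `BINARY_ENCRYPTED_SECRET` is fragile as well, because bash command substitution drops NUL bytes and trailing newlines, so piping the decode straight into openssl is safer. The same step appears in manual-build-pro-image.yml, and in release-next.yml and release.yml where it is only moved.

```yaml
- name: Decrypt app token
  id: app-token
  shell: bash
  env:
    ENCRYPTED_SECRET: ${{ needs.app-token.outputs.token }}
    APP_TOKEN_ENCRYPTION_PASSWORD: ${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}
  run: |
    # Pipe the ciphertext directly; a shell variable cannot hold arbitrary binary data.
    APP_TOKEN=$(printf '%s' "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -pass env:APP_TOKEN_ENCRYPTION_PASSWORD)
    # The decrypted value is not a registered secret, so ask the runner to mask it in logs.
    echo "::add-mask::$APP_TOKEN"
    echo "token=$APP_TOKEN" >> "$GITHUB_OUTPUT"
```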
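Review bot: The `Clone pro repos` step (third hunk of build-pro-image.yml) puts the app token into the clone URL, so git stores it as the remote URL in each clone's `.git/config` until the later `rm .git` step removes it. Supplying the token as a per-command request header keeps it out of the working tree, and reading it from `env:` keeps it out of the script text. `$repo` is unquoted and comes from `vars.PRO_PLUGIN_REPOS` expanded into the script, so quoting it keeps an unexpected variable value from changing the command. The clone step added in manual-build-pro-image.yml has the same shape.

```yaml
- name: Clone pro repos
  shell: bash
  env:
    APP_TOKEN: ${{ steps.app-token.outputs.token }}
    PRO_PLUGIN_REPOS: ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
  run: |
    # `git -c` applies to this invocation only; nothing is written to the clone's config.
    auth_header="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$APP_TOKEN" | base64 -w0)"
    for repo in $PRO_PLUGIN_REPOS
    do
      git -c http.extraheader="$auth_header" clone -b main "https://github.com/nocobase/${repo}.git" "packages/pro-plugins/@nocobase/${repo}"
    done
```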
@@ -48,8 +67,30 @@ jobs:
 git checkout main
 fi
 fi
+ - run: |
+ for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+ do
+ cd ./packages/pro-plugins/@nocobase/$repo
+ if git show-ref --quiet refs/remotes/origin/${{ github.head_ref || github.ref_name }}; then
+ git checkout ${{ github.head_ref || github.ref_name }}
+ else
+ if git show-ref --quiet refs/remotes/origin/${{ github.event.pull_request.base.ref }}; then
+ git checkout ${{ github.event.pull_request.base.ref }}
+ else
+ git checkout main
+ fi
+ fi
+ cd ../../../../
+ done
 - name: rm .git
- run: rm -rf packages/pro-plugins/.git && git config --global user.email "you@example.com" && git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
+ run: |
+ rm -rf packages/pro-plugins/.git
+ for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+ do
+ rm -rf packages/pro-plugins/@nocobase/$repo/.git
+ done
+ git config --global user.email "you@example.com"
+ git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 - name: Set up Docker Buildx
diff --git a/.github/workflows/manual-build-pro-image.yml b/.github/workflows/manual-build-pro-image.yml
index fbddf5f7a4..b23c8be2f2 100644
--- a/.github/workflows/manual-build-pro-image.yml
+++ b/.github/workflows/manual-build-pro-image.yml
@@ -16,8 +16,12 @@ on:
 required: true
 jobs:
- build-and-push:
+ app-token:
 if: github.event.pull_request.head.repo.fork != true
+ uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+ secrets: inherit
+ build-and-push:
+ needs: app-token
 runs-on: ubuntu-latest
 services:
 verdaccio:
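Review bot: The new per-repo `run` block in build-pro-image.yml (hunk `-48,8 +67,30`) expands `${{ github.head_ref || github.ref_name }}` and `${{ github.event.pull_request.base.ref }}` into the script text before bash parses it, so a branch name is treated as shell source rather than as data. The fork guard on `app-token` narrows who can trigger this to people who can push branches here, but this job also holds the decrypted app token, so the refs should go through `env:` and be used as quoted variables. The older block just above it (context lines, starting outside this hunk) uses the same pattern, as does the `-b ${{ steps.set_pro_pr_branch.outputs.pr_branch || 'main' }}` argument in manual-build-pro-image.yml's clone step. Running each iteration in a subshell also removes the need for `cd ../../../../`.

```yaml
- env:
    HEAD_REF: ${{ github.head_ref || github.ref_name }}
    BASE_REF: ${{ github.event.pull_request.base.ref }}
    PRO_PLUGIN_REPOS: ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
  run: |
    for repo in $PRO_PLUGIN_REPOS
    do
      (
        # Subshell: the directory change ends with the iteration.
        cd "./packages/pro-plugins/@nocobase/$repo"
        if git show-ref --quiet "refs/remotes/origin/$HEAD_REF"; then
          git checkout "$HEAD_REF"
        elif [ -n "$BASE_REF" ] && git show-ref --quiet "refs/remotes/origin/$BASE_REF"; then
          git checkout "$BASE_REF"
        else
          git checkout main
        fi
      )
    done
```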
@@ -25,11 +29,19 @@ jobs:
 ports:
 - 4873:4873
 steps:
+ - name: Decrypt app token
+ id: app-token
+ shell: bash
+ run: |
+ ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+ BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+ APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+ echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.inputs.base_branch }}
- ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+ token: ${{ steps.app-token.outputs.token }}
 submodules: true
 - name: Set PR branch
 id: set_pro_pr_branch
@@ -43,9 +55,23 @@ jobs:
 repository: nocobase/pro-plugins
 path: packages/pro-plugins
 ref: ${{ steps.set_pro_pr_branch.outputs.pr_branch || 'main' }}
- ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+ token: ${{ steps.app-token.outputs.token }}
+ - name: Clone pro repos
+ shell: bash
+ run: |
+ for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+ do
+ git clone -b ${{ steps.set_pro_pr_branch.outputs.pr_branch || 'main' }} https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+ done
 - name: rm .git
- run: rm -rf packages/pro-plugins/.git && git config --global user.email "you@example.com" && git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
+ run: |
+ rm -rf packages/pro-plugins/.git
+ for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+ do
+ rm -rf packages/pro-plugins/@nocobase/$repo/.git
+ done
+ git config --global user.email "you@example.com"
+ git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 - name: Set up Docker Buildx
diff --git a/.github/workflows/release-next.yml b/.github/workflows/release-next.yml
index 94630afd7c..cd05b0d368 100644
--- a/.github/workflows/release-next.yml
+++ b/.github/workflows/release-next.yml
@@ -16,6 +16,14 @@ jobs:
 container: node:18
 needs: app-token
 steps:
+ - name: Decrypt app token
+ id: app-token
+ shell: bash
+ run: |
+ ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+ BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+ APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+ echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout
 uses: actions/checkout@v4
 with:
@@ -85,14 +93,6 @@ jobs:
 git commit -m "chore(versions): test publish packages xxx"
 cat lerna.json
 yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/ --dist-tag=next
- - name: Decrypt app token
- id: app-token
- shell: bash
- run: |
- ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
- BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
- APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
- echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout pro-plugins
 uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dd301f0e28..de07b0f00d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,14 @@ jobs:
 container: node:18
 needs: app-token
 steps:
+ - name: Decrypt app token
+ id: app-token
+ shell: bash
+ run: |
+ ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+ BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+ APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+ echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout
 uses: actions/checkout@v3
 - name: Send curl request and parse response
@@ -59,14 +67,6 @@ jobs:
 yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
 npm whoami
 yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/
- - name: Decrypt app token
- id: app-token
- shell: bash
- run: |
- ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
- BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
- APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
- echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
 - name: Checkout pro-plugins
 uses: actions/checkout@v3
 with: