Merge remote-tracking branch 'origin/develop' into develop

Author: wwills2

.github/dependabot.yml

@@ -9,6 +9,7 @@ updates:
       interval: "weekly"
       day: "tuesday"
     open-pull-requests-limit: 10
+    rebase-strategy: auto
     labels:
       - dependencies
       - go
@@ -25,18 +26,20 @@ updates:
       interval: "weekly"
       day: "tuesday"
     open-pull-requests-limit: 10
+    rebase-strategy: auto
     labels:
       - dependencies
       - python
       - "Changed"
     reviewers: ["emlowe", "altendky"]
 
   - package-ecosystem: "github-actions"
-    directory: /
+    directories: ["/", ".github/actions/*"]
     schedule:
       interval: "weekly"
       day: "tuesday"
     open-pull-requests-limit: 10
+    rebase-strategy: auto
     labels:
       - dependencies
       - github_actions
@@ -49,8 +52,21 @@ updates:
       interval: "weekly"
       day: "tuesday"
     open-pull-requests-limit: 10
+    rebase-strategy: auto
     labels:
       - dependencies
       - javascript
       - "Changed"
-    reviewers: ["cmmarslender", "emlowe"]
+    reviewers: ["cmmarslender", "ChiaMineJP"]
+
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+    open-pull-requests-limit: 10
+    rebase-strategy: auto
+    labels:
+      - dependencies
+      - rust
+      - "Changed"

.github/workflows/auto-release-rc.yml

@@ -0,0 +1,79 @@
+# Compares the version in package.json to tags on the repo. If the tag doesn't exist, a new tag is created, which
+# then triggers the normal "on tag" release automation in the build job
+name: Auto Tag RC
+
+on:
+  push:
+    branches:
+      - develop
+
+concurrency:
+  group: rc-release-check
+
+jobs:
+  release-dev:
+    name: Release rc version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout current branch
+        uses: actions/checkout@v4
+        with:
+          # Need REPO_COMMIT token so when the tag is created, the tag automation runs
+          token: ${{ secrets.REPO_COMMIT }}
+          fetch-depth: 0
+
+      - name: Setup commit signing for ChiaAutomation
+        uses: Chia-Network/actions/commit-sign/gpg@main
+        with:
+          gpg_private_key: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_KEY }}
+          passphrase: ${{ secrets.CHIA_AUTOMATION_PRIVATE_GPG_PASSPHRASE }}
+
+      - name: Check for current version tag. Create if it doesn't exist
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          stable_version=$(gh release list --limit 1 --order desc --exclude-pre-releases --json tagName --jq ".[].tagName")
+          echo "Latest release is $stable_version"
+          rc_version=$(gh release list --json tagName --jq ".[] | select(.tagName | test(\"${version}-rc*\")) | .tagName")
+          echo "Latest release candidate is $rc_version"
+
+          if [[ -z ${rc_version} ]]; then
+            # Extract the major, minor, and patch versions
+            IFS='.' read -r major minor patch <<< "$stable_version"
+
+            # Increment the patch version
+            new_patch=$((patch + 1))
+
+            # Construct the new version string
+            version="$major.$minor.$new_patch-rc1"
+
+            echo "New version: $version"
+
+          else
+            # Extract the major, minor, patch, and rc parts
+            IFS='.-' read -r major minor patch rc <<< "$rc_version"
+
+            # Extract just the number of the rc
+            rc_number="${rc#rc}"
+
+            # Increment the rc number
+            rc_number=$((rc_number +1))
+
+            # Construct the new version string
+            version="$major.$minor.$patch-rc$rc_number"
+
+            echo "New version: $version"
+
+          fi
+
+          if [ $(git tag -l "$version") ]; then
+            echo "$version tag exists, deleting..."
+            git tag -d $version
+            git push --delete origin $version
+          fi
+          echo "Tag does not exist. Creating and pushing tag"
+          rm -f CHANGELOG.md
+          npx conventional-changelog-cli -p angular -i CHANGELOG.md -s -r 0
+          changes=$(npx conventional-changelog-cli -r 1 | tail -n +2)
+          git tag $version -m "Release $version  $changes"
+          git push origin $version

.github/workflows/build-installers.yaml

@@ -4,15 +4,12 @@ on:
   push:
     tags:
       - '**'
-    branches:
-      - refactor/refactor-base #remove this once rebuild is merged
   pull_request:
     branches:
       - '**'
 
 concurrency:
-  # SHA is added to the end if on `main` to let all main workflows run
-  group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+  group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
 permissions:
@@ -27,15 +24,24 @@ jobs:
     name: Build Mac Installer
     runs-on: macos-latest
     steps:
-      - uses: Chia-Network/actions/clean-workspace@main
-
       - name: Checkout Code
         uses: actions/checkout@v4
 
       - name: Setup Node 20
         uses: actions/setup-node@v4
         with:
-          node-version: '20.10'
+          node-version: '20.16'
+
+      - name: Change the package.json version if an RC tag
+        if: startsWith(github.ref, 'refs/tags/') && contains( github.ref, '-rc')
+        shell: bash
+        run: |
+          echo "Github ref: $GITHUB_REF"
+          IFS='/' read -r base directory tag <<< "$GITHUB_REF"
+          echo "Extracted tag is $tag"
+
+          jq ".version = \"${tag}\"" package.json > package.tmp
+          mv package.tmp package.json
 
       - name: Install Husky
         run: npm install --save-dev husky
@@ -59,7 +65,7 @@ jobs:
           SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"
 
       - name: Import Apple installer signing certificate
-        if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
+        if: steps.check_secrets.outputs.HAS_SIGNING_SECRET && startsWith(github.ref, 'refs/tags/')
         uses: Apple-Actions/import-codesign-certs@v3
         with:
           p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }}
@@ -71,7 +77,7 @@ jobs:
         run: npm run electron:package:mac
 
       - name: Notarize
-        if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
+        if: steps.check_secrets.outputs.HAS_SIGNING_SECRET && startsWith(github.ref, 'refs/tags/')
         run: |
           DMG_FILE=$(find ${{ github.workspace }}/dist/ -type f -name '*.dmg')
           xcrun notarytool submit \
@@ -94,10 +100,19 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Setup Node 20.10
+      - name: Setup Node 20.16
         uses: actions/setup-node@v4
         with:
-          node-version: '20.10'
+          node-version: '20.16'
+
+      - name: Change the package.json version if an RC tag
+        if: startsWith(github.ref, 'refs/tags/') && contains( github.ref, '-rc')
+        shell: bash
+        run: |
+          IFS='/' read -r base directory tag <<< "$GITHUB_REF"
+
+          jq ".version = \"${tag}\"" package.json > package.tmp
+          mv package.tmp package.json
 
       - name: Install Husky
         run: npm install --save-dev husky
@@ -155,10 +170,19 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Setup Node 20.10
+      - name: Setup Node 20.16
         uses: actions/setup-node@v4
         with:
-          node-version: '20.10'
+          node-version: '20.16'
+
+      - name: Change the package.json version if an RC tag
+        if: startsWith(github.ref, 'refs/tags/') && contains( github.ref, '-rc')
+        shell: bash
+        run: |
+          IFS='/' read -r base directory tag <<< "$GITHUB_REF"
+
+          jq ".version = \"${tag}\"" package.json > package.tmp
+          mv package.tmp package.json
 
       - name: Install Husky
         run: npm install --save-dev husky
@@ -190,10 +214,19 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Setup Node 20.10
+      - name: Setup Node 20.16
         uses: actions/setup-node@v4
         with:
-          node-version: '20.10'
+          node-version: '20.16'
+
+      - name: Change the package.json version if an RC tag
+        if: startsWith(github.ref, 'refs/tags/') && contains( github.ref, '-rc')
+        shell: bash
+        run: |
+          IFS='/' read -r base directory tag <<< "$GITHUB_REF"
+
+          jq ".version = \"${tag}\"" package.json > package.tmp
+          mv package.tmp package.json
 
       - name: Install Husky
         run: npm install --save-dev husky
@@ -258,29 +291,52 @@ jobs:
           echo "EXE_FILE=$EXE_FILE" >>$GITHUB_ENV
           echo "WEB_FILE=$WEB_FILE" >>$GITHUB_ENV
 
+      # RC release should not be set as latest
+      - name: Decide if release should be set as latest
+        id: is_latest
+        shell: bash
+        run: |
+          unset IS_LATEST
+
+          echo "Github ref is $GITHUB_REF"
+
+          if [[ "$GITHUB_REF" =~ "-rc" ]]; then
+            echo "release candidate tag matched"
+            IS_LATEST='false'
+            IS_PRERELEASE='true'
+          else
+            echo "main branch release matched"
+            IS_LATEST='true'
+            IS_PRERELEASE='false'
+          fi
+
+          echo "IS_LATEST=${IS_LATEST}" >> "$GITHUB_OUTPUT"
+          echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "$GITHUB_OUTPUT"
+
       - name: Release
-        uses: softprops/action-gh-release@v2.1.0
+        uses: softprops/action-gh-release@v2
         with:
+          prerelease: ${{steps.is_latest.outputs.IS_PRERELEASE}}
+          make_latest: "${{steps.is_latest.outputs.IS_LATEST}}"
           files: |
             ${{ env.DMG_FILE }}
             ${{ env.DEB_FILE }}
             ${{ env.EXE_FILE }}
             ${{ env.WEB_FILE }}
 
       - name: Get repo name
+        if: startsWith(github.ref, 'refs/tags/') && !contains( github.ref, '-rc')
         id: repo-name
         run: |
           echo "REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f 2)" >>$GITHUB_OUTPUT
 
       - name: Get tag name
+        if: startsWith(github.ref, 'refs/tags/') && !contains( github.ref, '-rc')
         id: tag-name
         run: |
-          echo "TAGNAME=$(echo $GITHUB_REF | cut -d / -f 3)" >>$GITHUB_OUTPUT
-
-      - name: Gets JWT Token from GitHub
-        uses: Chia-Network/actions/github/jwt@main
 
       - name: Trigger apt repo update
+        if: startsWith(github.ref, 'refs/tags/') && !contains( github.ref, '-rc')
         uses: Chia-Network/actions/github/glue@main
         with:
           json_data: '{"climate_tokenization_repo":"${{ steps.repo-name.outputs.REPO_NAME }}","application_name":"[\"${{ env.APP_NAME }}\"]","release_version":"${{ steps.tag-name.outputs.TAGNAME }}","add_debian_version":"true","arm64":"available"}'

.github/workflows/check-commit-signing.yml

@@ -0,0 +1,29 @@
+name: 🚨 Check commit signing
+
+on:
+  push:
+    branches:
+      - long_lived/**
+      - main
+      - release/**
+  pull_request:
+    branches:
+      - "**"
+
+concurrency:
+  group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow_ref, github.event.pull_request.number) || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-commit-signing:
+    name: Check commit signing
+    runs-on: [ubuntu-latest]
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: chia-network/actions/check-commit-signing@main

.github/workflows/dependency-review.yml

@@ -0,0 +1,25 @@
+# Managed by repo-content-updater
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: "🚨 Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v4
+        with:
+          allow-dependencies-licenses: pkg:pypi/pyinstaller
+          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later