diff --git a/.github/workflows/build-targets.yaml b/.github/workflows/build-targets.yaml index bc5b3b5..91ceb13 100644 --- a/.github/workflows/build-targets.yaml +++ b/.github/workflows/build-targets.yaml @@ -19,8 +19,10 @@ jobs: - build-target: code-editor-web-embedded-with-terminal steps: - name: Start Build Workflow + env: + BUILD_TARGET: ${{ matrix.build-target }} run: | - echo "Starting Build Workflow for target: ${{ matrix.build-target }}" + echo "Starting Build Workflow for target: $BUILD_TARGET" - name: Set up build environment run: | @@ -34,8 +36,10 @@ jobs: submodules: recursive - name: Run patches script + env: + BUILD_TARGET: ${{ matrix.build-target }} run: | - ./scripts/prepare-src.sh ${{ matrix.build-target }} + ./scripts/prepare-src.sh "$BUILD_TARGET" - name: Set up Node.js uses: actions/setup-node@v4 @@ -49,15 +53,19 @@ jobs: cd code-editor-src echo "Installing dependencies" && npm ci - - name: Build artifacts + - name: Build artifacts + env: + BUILD_TARGET: ${{ matrix.build-target }} run: | - ./scripts/build-artifacts.sh ${{ matrix.build-target }} + ./scripts/build-artifacts.sh "$BUILD_TARGET" - name: Prepare artifacts to upload + env: + MATRIX_BUILD_TARGET: ${{ matrix.build-target }} run: | - BUILD_TARGET=$(./scripts/determine-build-target.sh ${{ matrix.build-target }}) - tar -czf ${{ matrix.build-target }}-src.tar.gz ./code-editor-src - tar -czf ${{ matrix.build-target }}-build.tar.gz ./$BUILD_TARGET + CODE_EDITOR_BUILD_TARGET=$(./scripts/determine-build-target.sh "$MATRIX_BUILD_TARGET") + tar -czf "${MATRIX_BUILD_TARGET}-src.tar.gz" ./code-editor-src + tar -czf "${MATRIX_BUILD_TARGET}-build.tar.gz" "./$CODE_EDITOR_BUILD_TARGET" - name: Upload src artifact uses: actions/upload-artifact@v4 
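Review bot: In the `Prepare artifacts to upload` step, `CODE_EDITOR_BUILD_TARGET` is used as a tar input path without any check that `determine-build-target.sh` printed anything, so an empty result on a zero exit turns `"./$CODE_EDITOR_BUILD_TARGET"` into `./` and the build tarball silently captures the whole workspace, src tarball included. A guard right after the assignment closes that gap: `[ -n "$CODE_EDITOR_BUILD_TARGET" ] && [ -d "./$CODE_EDITOR_BUILD_TARGET" ] || { echo "determine-build-target.sh returned no usable target"; exit 1; }`. The env-variable conversion in the other three hunks of this file reads consistently and needs nothing further.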
@@ -97,5 +105,5 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "ExecutionsFailed" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=BuildTargets" \ + --dimensions "Repository=$REPOSITORY,Workflow=BuildTargets" \ --value 1 \ No newline at end of file diff --git a/.github/workflows/gitsecrets.yml b/.github/workflows/gitsecrets.yml index 411a3a5..ceef533 100644 --- a/.github/workflows/gitsecrets.yml +++ b/.github/workflows/gitsecrets.yml @@ -18,9 +18,9 @@ jobs: - name: Git Secrets Scan Script run: | set -ex - cd $GITHUB_WORKSPACE + cd "$GITHUB_WORKSPACE" git clone https://github.com/awslabs/git-secrets.git && cd git-secrets sudo make install git secrets --register-aws --global - cd $GITHUB_WORKSPACE/aws/code-editor + cd "$GITHUB_WORKSPACE/aws/code-editor" git secrets --scan-history diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b8a7437..57db683 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -92,10 +92,10 @@ jobs: # Check if release already exists. Needed when release created via new release in guthub ui if gh release view "$VERSION_NUM" > /dev/null 2>&1; then echo "Release for tag $VERSION_NUM already exists, uploading additional assets..." - gh release upload "$VERSION_NUM" *.tar.gz --clobber + gh release upload "$VERSION_NUM" ./*.tar.gz --clobber else echo "Creating new release for tag $VERSION_NUM..." - gh release create "$VERSION_NUM" *.tar.gz \ + gh release create "$VERSION_NUM" ./*.tar.gz \ --title "Release $VERSION_NUM" \ --notes "Release $VERSION_NUM" fi @@ -124,5 +124,5 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "ExecutionsFailed" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=Release" \ + --dimensions "Repository=$REPOSITORY,Workflow=Release" \ --value 1 \ No newline at end of file 
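Review bot: In the `Git Secrets Scan Script` step of gitsecrets.yml, the line after `cd "$GITHUB_WORKSPACE"` clones awslabs/git-secrets at whatever its default branch currently points to and then runs `sudo make install` on it, so the scanner version installed on each run is not reproducible and is fully determined by that upstream branch at run time. Pinning the checkout keeps the tool under the repository's control, e.g. `git clone --depth 1 --branch <pinned-tag> https://github.com/awslabs/git-secrets.git && cd git-secrets` with the tag recorded in a comment above it, and optionally comparing the checked-out commit against a known value before `make install`. The quoting changes the hunk makes are correct; this is the remaining supply-chain point in the step.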
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 24bb318..4cb0876 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -39,23 +39,21 @@ jobs: if: github.event_name == 'pull_request_target' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - HEAD_REF: ${{ github.head_ref }} run: | # For PR events, validate base branch and use head ref if valid - base_ref="${{ github.base_ref }}" - echo "Base branch: $base_ref" - echo "Head branch: $HEAD_REF" + echo "Base branch: $GITHUB_BASE_REF" + echo "Head branch: $GITHUB_HEAD_REF" - if [[ "$base_ref" =~ ^[0-9]+\.[0-9]+$ ]] || [[ "$base_ref" == "main" ]]; then + if [[ "$GITHUB_BASE_REF" =~ ^[0-9]+\.[0-9]+$ ]] || [[ "$GITHUB_BASE_REF" == "main" ]]; then echo "Base branch matches allowed pattern (main or digit.digit)" - echo "branches=[\"$HEAD_REF\"]" >> $GITHUB_OUTPUT - echo "output-branch-name=$base_ref" >> $GITHUB_OUTPUT - echo "Branches to scan: [$HEAD_REF]" - echo "Output files will use branch name: $base_ref" + echo "branches=[\"$GITHUB_HEAD_REF\"]" >> "$GITHUB_OUTPUT" + echo "output-branch-name=$GITHUB_BASE_REF" >> "$GITHUB_OUTPUT" + echo "Branches to scan: [$GITHUB_HEAD_REF]" + echo "Output files will use branch name: $GITHUB_BASE_REF" else echo "Base branch does not match allowed pattern - no branches to scan" - echo "branches=[]" >> $GITHUB_OUTPUT - echo "output-branch-name=" >> $GITHUB_OUTPUT + echo "branches=[]" >> "$GITHUB_OUTPUT" + echo "output-branch-name=" >> "$GITHUB_OUTPUT" fi - name: Get all upstream branches 
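Review bot: The `branches=[\"$GITHUB_HEAD_REF\"]` output in the `pull_request_target` path of this step builds JSON by string interpolation from a head ref that the PR author chooses, and git ref names may contain `"`, so such a name yields malformed JSON for the downstream matrix rather than a clean rejection. The scheduled path later in this workflow already encodes branch names with `jq -R . | jq -s -c .`; doing the same here keeps both paths consistent: `echo "branches=$(jq -cn --arg b "$GITHUB_HEAD_REF" '[$b]')" >> "$GITHUB_OUTPUT"`. Dropping the step-level `HEAD_REF` entry in favour of the runner-provided `GITHUB_HEAD_REF` is fine, since both carry the same value.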
@@ -65,8 +63,8 @@ jobs: # Get main branch and all version branches (*.*) branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)$' | sed 's/origin\///' | tr '\n' ' ') echo "Found upstream branches: $branches" - echo "upstream-branches=$branches" >> $GITHUB_OUTPUT - echo "output-branch-name=scheduled" >> $GITHUB_OUTPUT + echo "upstream-branches=$branches" >> "$GITHUB_OUTPUT" + echo "output-branch-name=scheduled" >> "$GITHUB_OUTPUT" - name: Get completed workflows from previous day id: get-completed-workflows @@ -90,13 +88,14 @@ jobs: # Store workflow run IDs for artifact checking run_ids=$(echo "$recent_runs" | jq -r '.databaseId' | tr '\n' ' ') - echo "workflow-run-ids=$run_ids" >> $GITHUB_OUTPUT + echo "workflow-run-ids=$run_ids" >> "$GITHUB_OUTPUT" - name: Check for successful scan artifacts from previous day id: check-scan-artifacts if: github.event_name != 'pull_request_target' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPOSITORY: ${{ github.repository }} run: | run_ids="${{ steps.get-completed-workflows.outputs.workflow-run-ids }}" successful_security_scan_branches="" @@ -109,7 +108,7 @@ jobs: echo "Checking artifacts for run ID: $run_id" # Get artifacts for this run - artifacts=$(gh api /repos/${{ github.repository }}/actions/runs/$run_id/artifacts --jq '.artifacts[].name') + artifacts=$(gh api "/repos/$REPOSITORY/actions/runs/$run_id/artifacts" --jq '.artifacts[].name') # Check for scan-success-branch-* artifacts security_scan_artifacts=$(echo "$artifacts" | grep "^scan-success-branch-" || true) @@ -124,7 +123,7 @@ jobs: done for artifact in $global_dependencies_artifacts; do - branch_name=$(echo "$artifact" | sed 's/global-scan-success-//') + branch_name="${artifact/#global-scan-success-/}" if [ -n "$branch_name" ]; then successful_global_dependencies_branches="$successful_global_dependencies_branches $branch_name" fi 
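Review bot: In the `Check for successful scan artifacts from previous day` step (hunk `@@ -90,13 +88,14 @@`), `run_ids="${{ steps.get-completed-workflows.outputs.workflow-run-ids }}"` is still expanded into the script text even though the same hunk moves `github.repository` into the `REPOSITORY` env entry; the value originates from `gh`/`jq` output so the exposure is limited, but it leaves one inline expression in a script the commit otherwise converts. Adding `RUN_IDS: ${{ steps.get-completed-workflows.outputs.workflow-run-ids }}` to the step's `env:` and changing the line to `run_ids="$RUN_IDS"` completes the conversion. The step body continues outside the hunk.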
@@ -133,14 +132,14 @@ jobs: done # Remove duplicates and clean up - successful_security_scan_branches=$(echo $successful_security_scan_branches | tr ' ' '\n' | sort -u | tr '\n' ' ') - successful_global_dependencies_branches=$(echo $successful_global_dependencies_branches | tr ' ' '\n' | sort -u | tr '\n' ' ') + successful_security_scan_branches=$(echo "$successful_security_scan_branches" | tr ' ' '\n' | sort -u | tr '\n' ' ') + successful_global_dependencies_branches=$(echo "$successful_global_dependencies_branches" | tr ' ' '\n' | sort -u | tr '\n' ' ') echo "Branches with successful security scans from previous day: $successful_security_scan_branches" echo "Branches with successful global dependency scans from previous day: $successful_global_dependencies_branches" - echo "successful-security-scan-branches=$successful_security_scan_branches" >> $GITHUB_OUTPUT - echo "successful-global-dependencies-branches=$successful_global_dependencies_branches" >> $GITHUB_OUTPUT + echo "successful-security-scan-branches=$successful_security_scan_branches" >> "$GITHUB_OUTPUT" + echo "successful-global-dependencies-branches=$successful_global_dependencies_branches" >> "$GITHUB_OUTPUT" - name: Determine security scan branches for scheduled runs id: determine-scheduled-security-scan-branches @@ -156,7 +155,7 @@ jobs: # Check each upstream branch for branch in $upstream_branches; do - branch=$(echo $branch | xargs) # trim whitespace + branch=$(echo "$branch" | xargs) # trim whitespace if [ -n "$branch" ]; then # Check if this branch was successfully scanned in the previous day if echo "$successful_branches" | grep -q "\b$branch\b"; then 
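Review bot: In the loop of hunk `@@ -156,7 +155,7 @@`, the `$branch` value that the hunk now quotes on the `xargs` line is interpolated into a regular expression two lines later, `grep -q "\b$branch\b"`, so the `.` in a version branch such as `1.2` matches any character instead of a literal dot. Because the earlier step restricts upstream branches to `main` or `N.N`, a wrong match is unlikely in practice, but a fixed-string word match states the intent directly: `if echo "$successful_branches" | grep -qwF -- "$branch"; then`. The same construct appears in the loop of hunk `@@ -193,7 +192,7 @@` in this file. Both loops continue outside their hunks.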
@@ -169,13 +168,13 @@ jobs: done # Clean up and convert to JSON array - branches_to_scan=$(echo $branches_to_scan | xargs) + branches_to_scan=$(echo "$branches_to_scan" | xargs) if [ -n "$branches_to_scan" ]; then json_branches=$(echo "$branches_to_scan" | tr ' ' '\n' | jq -R . | jq -s -c .) - echo "branches=$json_branches" >> $GITHUB_OUTPUT + echo "branches=$json_branches" >> "$GITHUB_OUTPUT" echo "Security scan branches to scan: $json_branches" else - echo "branches=[]" >> $GITHUB_OUTPUT + echo "branches=[]" >> "$GITHUB_OUTPUT" echo "No security scan branches to scan - all have successful scans from previous day" fi @@ -193,7 +192,7 @@ jobs: # Check each upstream branch for branch in $upstream_branches; do - branch=$(echo $branch | xargs) # trim whitespace + branch=$(echo "$branch" | xargs) # trim whitespace if [ -n "$branch" ]; then # Check if this branch was successfully scanned in the previous day if echo "$successful_branches" | grep -q "\b$branch\b"; then @@ -206,13 +205,13 @@ jobs: done # Clean up and convert to JSON array - branches_to_scan=$(echo $branches_to_scan | xargs) + branches_to_scan=$(echo "$branches_to_scan" | xargs) if [ -n "$branches_to_scan" ]; then json_branches=$(echo "$branches_to_scan" | tr ' ' '\n' | jq -R . | jq -s -c .) - echo "branches=$json_branches" >> $GITHUB_OUTPUT + echo "branches=$json_branches" >> "$GITHUB_OUTPUT" echo "Global dependencies branches to scan: $json_branches" else - echo "branches=[]" >> $GITHUB_OUTPUT + echo "branches=[]" >> "$GITHUB_OUTPUT" echo "No global dependencies branches to scan - all have successful scans from previous day" fi 
@@ -238,11 +237,15 @@ jobs: role-session-name: scan-${{ matrix.target }}-${{matrix.branch}} - name: Publish Scan Invoked metric + env: + REPOSITORY: ${{ github.repository }} + TARGET: ${{ matrix.target }} + BRANCH: ${{ matrix.branch }} run: | aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "SecurityScanInvoked" \ - --dimensions "Repository=${{ github.repository }},Workflow=SecurityScan,Target=${{ matrix.target }},Branch=${{matrix.branch}}" \ + --dimensions "Repository=$REPOSITORY,Workflow=SecurityScan,Target=$TARGET,Branch=$BRANCH" \ --value 1 - name: Checkout branch @@ -269,8 +272,10 @@ jobs: sudo apt-get install -y quilt libkrb5-dev libx11-dev libxkbfile-dev libxml2-utils - name: Run patches script + env: + TARGET: ${{ matrix.target }} run: | - ./scripts/prepare-src.sh ${{ matrix.target }} + ./scripts/prepare-src.sh "$TARGET" - name: Set up Node.js uses: actions/setup-node@v4 @@ -292,8 +297,11 @@ jobs: - name: Run Security Scan + env: + TARGET: ${{ matrix.target }} + BRANCH: ${{ matrix.branch }} run: | - ./scripts/security-scan.sh scan-main-dependencies "${{ matrix.target }}" "${{ matrix.branch }}" + ./scripts/security-scan.sh scan-main-dependencies "$TARGET" "$BRANCH" - name: Upload SBOM Files uses: actions/upload-artifact@v4 
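Review bot: The `Publish Scan Invoked metric` step declares `REPOSITORY`, `TARGET` and `BRANCH` in its own `env:` block, and the same entries are repeated in `Run patches script` and `Run Security Scan` in this file and again in the hunks at `@@ -320`, `@@ -341`, `@@ -357`, `@@ -445`, `@@ -461` and `@@ -535`; each copy is one more place to keep in sync. Declaring them once at the job's `env:` level (the job header is outside the hunk) gives every step of the job the same variables, while step-level `env:` stays available for the few names that differ, such as `OUTPUT_BRANCH_NAME` or `MATRIX_BRANCH`. The step-level form is correct as written; this is purely a point of style.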
@@ -320,18 +328,25 @@ jobs: if-no-files-found: error - name: Analyze SBOM Scan Results + env: + TARGET: ${{ matrix.target }} run: | - ./scripts/security-scan.sh analyze-results "${{ matrix.target }}" "scan_results_paths.txt" + ./scripts/security-scan.sh analyze-results "$TARGET" "scan_results_paths.txt" - name: Create Success Indicator File + env: + EVENT_NAME: ${{ github.event_name }} + OUTPUT_BRANCH_NAME: ${{ needs.get-branches-to-scan.outputs.output-branch-name }} + MATRIX_BRANCH: ${{ matrix.branch }} + TARGET: ${{ matrix.target }} run: | # For PR events, use base_ref as output branch name, otherwise use actual branch - if [ "${{ github.event_name }}" = "pull_request_target" ]; then - output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}" + if [ "$EVENT_NAME" = "pull_request_target" ]; then + output_branch="$OUTPUT_BRANCH_NAME" else - output_branch="${{ matrix.branch }}" + output_branch="$MATRIX_BRANCH" fi - echo "PASS" > scan-success-${{ matrix.target }}-${output_branch}.txt + echo "PASS" > "scan-success-$TARGET-${output_branch}.txt" - name: Upload Success Indicator File uses: actions/upload-artifact@v4 @@ -341,15 +356,23 @@ jobs: retention-days: 90 - name: Publish Scan Successful Metric + env: + REPOSITORY: ${{ github.repository }} + TARGET: ${{ matrix.target }} + BRANCH: ${{ matrix.branch }} run: | aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "SecurityScanSuccessful" \ - --dimensions "Repository=${{ github.repository }},Workflow=SecurityScan,Target=${{ matrix.target }},Branch=${{matrix.branch}}" \ + --dimensions "Repository=$REPOSITORY,Workflow=SecurityScan,Target=$TARGET,Branch=$BRANCH" \ --value 1 - name: Publish Failure Metrics if: failure() && github.event_name == 'schedule' + env: + REPOSITORY: ${{ github.repository }} + TARGET: ${{ matrix.target }} + BRANCH: ${{ matrix.branch }} run: | echo "Job failed - publishing failure metrics" 
@@ -357,7 +380,7 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "SecurityScanFailed" \ - --dimensions "Repository=${{ github.repository }},Workflow=SecurityScan,Target=${{ matrix.target }},Branch=${{matrix.branch}}" \ + --dimensions "Repository=$REPOSITORY,Workflow=SecurityScan,Target=$TARGET,Branch=$BRANCH" \ --value 1 generate-security-scan-output: @@ -376,22 +399,25 @@ jobs: merge-multiple: true - name: Check if branch was successful for all targets + env: + EVENT_NAME: ${{ github.event_name }} + OUTPUT_BRANCH_NAME: ${{ needs.get-branches-to-scan.outputs.output-branch-name }} + MATRIX_BRANCH: ${{ matrix.branch }} run: | # Parse targets from environment variable - targets_json='${{ env.CODE_EDITOR_TARGETS }}' - targets=($(echo "$targets_json" | jq -r '.[]')) + readarray -t targets < <(jq -r '.[]' <<< "$CODE_EDITOR_TARGETS") # For PR events, use base_ref as output branch name, otherwise use actual branch - if [ "${{ github.event_name }}" = "pull_request_target" ]; then - check_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}" + if [ "$EVENT_NAME" = "pull_request_target" ]; then + check_branch="$OUTPUT_BRANCH_NAME" else - check_branch="${{ matrix.branch }}" + check_branch="$MATRIX_BRANCH" fi all_success=true - echo "Checking success for branch: $check_branch (matrix branch: ${{ matrix.branch }})" - echo "Targets to check: ${targets[@]}" + echo "Checking success for branch: $check_branch (matrix branch: $MATRIX_BRANCH)" + echo "Targets to check:" "${targets[@]}" # Check if all target success files exist for this branch for target in "${targets[@]}"; do 
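Review bot: In `Check if branch was successful for all targets` (hunk `@@ -376,22 +399,25 @@`), the new `readarray -t targets < <(jq -r '.[]' <<< "$CODE_EDITOR_TARGETS")` leaves `targets` empty when `jq` fails or the variable is unset, because the exit status of a process substitution is not seen by the shell; with no targets the loop below runs zero times, `all_success` stays `true`, and the step goes on to write the branch success file (the `echo "PASS" > "scan-success-branch-${check_branch}.txt"` in the next hunk) for a branch that nothing checked. A check right after the assignment keeps the gate fail-closed: `if [ "${#targets[@]}" -eq 0 ]; then echo "No targets parsed from CODE_EDITOR_TARGETS"; exit 1; fi`. The loop body continues past the end of the hunk.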
@@ -410,7 +436,7 @@ jobs: # Create branch success file only if all targets succeeded if [ "$all_success" = true ]; then echo "✓ All scans successful for branch $check_branch - creating branch success file" - echo "PASS" > scan-success-branch-${check_branch}.txt + echo "PASS" > "scan-success-branch-${check_branch}.txt" else echo "✗ Some scans failed for branch $check_branch - not creating branch success file" exit 1 @@ -445,11 +471,14 @@ jobs: role-session-name: scan-global-dependencies-${{matrix.branch}} - name: Publish Scan Invoked metric + env: + REPOSITORY: ${{ github.repository }} + BRANCH: ${{ matrix.branch }} run: | aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "GlobalDependenciesSecurityScanInvoked" \ - --dimensions "Repository=${{ github.repository }},Workflow=GlobalDependenciesSecurityScan,Branch=${{matrix.branch}}" \ + --dimensions "Repository=$REPOSITORY,Workflow=GlobalDependenciesSecurityScan,Branch=$BRANCH" \ --value 1 - name: Checkout branch @@ -461,11 +490,13 @@ jobs: submodules: recursive - name: Update security scan script from main + env: + REPOSITORY: ${{ github.repository }} run: | # Older branches may not have the latest versions of the # security scan scripts. So we download the latest one from main echo "Downloading latest security-scan.sh script from main branch" - curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh + curl -sSL "https://raw.githubusercontent.com/$REPOSITORY/main/scripts/security-scan.sh" -o scripts/security-scan.sh sudo chmod +x scripts/security-scan.sh echo "Updated security-scan.sh to latest version from main" 
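Review bot: In `Update security scan script from main` (hunk `@@ -461,11 +490,13 @@`), the rewritten `curl -sSL ... -o scripts/security-scan.sh` has no `-f`/`--fail`, so an HTTP error response exits 0 and writes the error body into `scripts/security-scan.sh`, which the next line marks executable and later steps run. `curl -fsSL "https://raw.githubusercontent.com/$REPOSITORY/main/scripts/security-scan.sh" -o scripts/security-scan.sh` makes the step fail instead. The existing comment explains why the script is refreshed; it may also be worth stating there that the version executed on an older branch is whatever `main` holds at run time, since that is the step's deliberate trust decision.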
@@ -517,14 +548,18 @@ jobs: ./scripts/security-scan.sh scan-github-advisories - name: Create Global Success Indicator File + env: + EVENT_NAME: ${{ github.event_name }} + OUTPUT_BRANCH_NAME: ${{ needs.get-branches-to-scan.outputs.output-branch-name }} + MATRIX_BRANCH: ${{ matrix.branch }} run: | # For PR events, use base_ref as output branch name, otherwise use actual branch - if [ "${{ github.event_name }}" = "pull_request_target" ]; then - output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}" + if [ "$EVENT_NAME" = "pull_request_target" ]; then + output_branch="$OUTPUT_BRANCH_NAME" else - output_branch="${{ matrix.branch }}" + output_branch="$MATRIX_BRANCH" fi - echo "PASS" > global-scan-success-${output_branch}.txt + echo "PASS" > "global-scan-success-${output_branch}.txt" - name: Upload Global Success Indicator File uses: actions/upload-artifact@v4 @@ -535,6 +570,9 @@ jobs: - name: Publish Failure Metrics if: failure() && github.event_name == 'schedule' + env: + REPOSITORY: ${{ github.repository }} + BRANCH: ${{ matrix.branch }} run: | echo "Job failed - publishing failure metrics" @@ -542,7 +580,7 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "SecurityScanFailed" \ - --dimensions "Repository=${{ github.repository }},Workflow=GlobalDependenciesSecurityScan,Branch=${{matrix.branch}}" \ + --dimensions "Repository=$REPOSITORY,Workflow=GlobalDependenciesSecurityScan,Branch=$BRANCH" \ --value 1 handle-failures: @@ -568,5 +606,5 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "ExecutionsFailed" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=SecurityScan" \ + --dimensions "Repository=$REPOSITORY,Workflow=SecurityScan" \ --value 1 \ No newline at end of file diff --git a/.github/workflows/update-automation.yaml b/.github/workflows/update-automation.yaml index e66784d..21d9249 100644 --- a/.github/workflows/update-automation.yaml 
+++ b/.github/workflows/update-automation.yaml @@ -42,7 +42,7 @@ jobs: LATEST_SEMVER="main" echo "No semver branches found, using main" fi - echo "LATEST_SEMVER=$LATEST_SEMVER" >> $GITHUB_ENV + echo "LATEST_SEMVER=$LATEST_SEMVER" >> "$GITHUB_ENV" echo "Using branch: $LATEST_SEMVER" git checkout "$LATEST_SEMVER" git submodule update --init --recursive @@ -62,8 +62,8 @@ jobs: LATEST_CODE_OSS_TAG=$(gh api repos/microsoft/vscode/releases/latest --template '{{.tag_name}}') - echo "EXISTING_CODE_OSS_TAG=$EXISTING_CODE_OSS_TAG" >> $GITHUB_ENV - echo "LATEST_CODE_OSS_TAG=$LATEST_CODE_OSS_TAG" >> $GITHUB_ENV + echo "EXISTING_CODE_OSS_TAG=$EXISTING_CODE_OSS_TAG" >> "$GITHUB_ENV" + echo "LATEST_CODE_OSS_TAG=$LATEST_CODE_OSS_TAG" >> "$GITHUB_ENV" echo "Existing tag: $EXISTING_CODE_OSS_TAG" echo "Latest tag: $LATEST_CODE_OSS_TAG" @@ -109,7 +109,7 @@ jobs: git push origin "$STAGING_BRANCH" fi - echo "STAGING_BRANCH=$STAGING_BRANCH" >> $GITHUB_ENV + echo "STAGING_BRANCH=$STAGING_BRANCH" >> "$GITHUB_ENV" echo "Created staging branch: $STAGING_BRANCH with VS Code $LATEST_CODE_OSS_TAG" fi @@ -181,20 +181,24 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" - name: Build target + env: + TARGET: ${{ matrix.target }} run: | - ./scripts/prepare-src.sh "${{ matrix.target }}" + ./scripts/prepare-src.sh "$TARGET" cd code-editor-src npm install cd .. - ./scripts/build-artifacts.sh ${{ matrix.target }} + ./scripts/build-artifacts.sh "$TARGET" - echo "Built target: ${{ matrix.target }}" + echo "Built target: $TARGET" - name: Update package-lock for target + env: + TARGET: ${{ matrix.target }} run: | - OVERRIDE_PATH=$(jq -r '."package-lock-overrides".path' "configuration/${{ matrix.target }}.json") + OVERRIDE_PATH=$(jq -r '."package-lock-overrides".path' "configuration/$TARGET.json") rm -rf "$OVERRIDE_PATH" mkdir -p "$OVERRIDE_PATH" 
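Review bot: In `Update package-lock for target` (hunk `@@ -181,20 +181,24 @@`), `OVERRIDE_PATH` is read from `configuration/$TARGET.json` and passed straight to `rm -rf "$OVERRIDE_PATH"`; if the key is missing, `jq -r` prints the string `null`, so a `null` directory is removed and recreated, and a value such as `.` would empty the checkout before `mkdir -p` runs. The configuration file is repository-controlled, so the risk is a misconfiguration rather than an attack, but a guard between the two lines keeps the step from acting on a bad value: `case "$OVERRIDE_PATH" in ""|null|/|.|..) echo "Invalid package-lock-overrides.path in configuration/$TARGET.json"; exit 1;; esac`. The step body continues outside the hunk.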
@@ -219,14 +223,17 @@ jobs: retention-days: 1 - name: Commit package-lock overrides + env: + TARGET: ${{ matrix.target }} + STAGING_BRANCH: ${{ needs.update-automation.outputs.staging-branch }} run: | git add package-lock-overrides/ if ! git diff --staged --quiet; then - git commit -m "Update package-lock.json overrides for ${{ matrix.target }}" + git commit -m "Update package-lock.json overrides for $TARGET" # Retry push with rebase until successful for i in {1..5}; do - if git pull --rebase origin "${{ needs.update-automation.outputs.staging-branch }}" && git push origin "${{ needs.update-automation.outputs.staging-branch }}"; then + if git pull --rebase origin "$STAGING_BRANCH" && git push origin "$STAGING_BRANCH"; then break fi sleep $((i * 2)) @@ -268,8 +275,8 @@ jobs: - name: Organize downloaded sources run: | for target in code-editor-server code-editor-sagemaker-server code-editor-web-embedded code-editor-web-embedded-with-terminal; do - if [[ -d "${{ github.run_id }}-prepared-source-$target" ]]; then - mv "${{ github.run_id }}-prepared-source-$target" "code-editor-src-$target" + if [[ -d "$GITHUB_RUN_ID-prepared-source-$target" ]]; then + mv "$GITHUB_RUN_ID-prepared-source-$target" "code-editor-src-$target" echo "Organized prepared source for $target" else echo "Missing prepared source artifact for target: $target" @@ -282,6 +289,8 @@ jobs: ./scripts/generate-oss-attribution.sh --command generate_unified_oss_attribution - name: Commit OSS attribution + env: + STAGING_BRANCH: ${{ needs.update-automation.outputs.staging-branch }} run: | # Copy LICENSE-THIRD-PARTY to root directory cp overrides/LICENSE-THIRD-PARTY LICENSE-THIRD-PARTY @@ -289,7 +298,7 @@ jobs: git add overrides/ LICENSE-THIRD-PARTY if ! git diff --staged --quiet; then git commit -m "Update unified OSS attribution" - git push origin "${{ needs.update-automation.outputs.staging-branch }}" + git push origin "$STAGING_BRANCH" fi - name: Clean up prepared source directories 
@@ -315,18 +324,18 @@ jobs: - name: Determine target branch and create PR env: GH_TOKEN: ${{ github.token }} + STAGING_BRANCH: ${{ needs.update-automation.outputs.staging-branch }} + EXISTING_CODE_OSS_TAG: ${{ needs.update-automation.outputs.existing-code-oss-tag }} + LATEST_CODE_OSS_TAG: ${{ needs.update-automation.outputs.latest-code-oss-tag }} run: | # Check if PR already exists for this staging branch - EXISTING_PR=$(gh pr list --head "${{ needs.update-automation.outputs.staging-branch }}" --json number --jq '.[0].number' || echo "") + EXISTING_PR=$(gh pr list --head "$STAGING_BRANCH" --json number --jq '.[0].number' || echo "") if [ -n "$EXISTING_PR" ]; then - echo "PR already exists for branch ${{ needs.update-automation.outputs.staging-branch }}: #$EXISTING_PR" + echo "PR already exists for branch $STAGING_BRANCH: #$EXISTING_PR" exit 0 fi - EXISTING_CODE_OSS_TAG="${{ needs.update-automation.outputs.existing-code-oss-tag }}" - LATEST_CODE_OSS_TAG="${{ needs.update-automation.outputs.latest-code-oss-tag }}" - # Parse version numbers EXISTING_CODE_OSS_MAJOR=$(echo "$EXISTING_CODE_OSS_TAG" | cut -d. -f1) EXISTING_CODE_OSS_MINOR=$(echo "$EXISTING_CODE_OSS_TAG" | cut -d. -f2) @@ -366,7 +375,7 @@ jobs: fi # Get release body and generate links - RELEASE_BODY=$(gh api repos/microsoft/vscode/releases/tags/$LATEST_CODE_OSS_TAG --template '{{.body}}') + RELEASE_BODY=$(gh api "repos/microsoft/vscode/releases/tags/$LATEST_CODE_OSS_TAG" --template '{{.body}}') VERSION_NUMBER=$(echo "$LATEST_CODE_OSS_TAG" | cut -d. -f1,2 | sed 's/\./\_/g') VSCODE_RELEASE_NOTES="https://code.visualstudio.com/updates/v$VERSION_NUMBER" 
@@ -400,9 +409,9 @@ jobs: --title "$PR_TITLE" \ --body "$PR_BODY" \ --base "$TARGET_BRANCH" \ - --head "${{ needs.update-automation.outputs.staging-branch }}" + --head "$STAGING_BRANCH" - echo "Created PR from ${{ needs.update-automation.outputs.staging-branch }} to $TARGET_BRANCH" + echo "Created PR from $STAGING_BRANCH to $TARGET_BRANCH" publish-release-lag-metric: name: Publish Release Lag Metric @@ -444,8 +453,8 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "CodeOSSReleaseLag" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=UpdateAutomation" \ - --value $NORMALIZED_VALUE \ + --dimensions "Repository=$REPOSITORY,Workflow=UpdateAutomation" \ + --value "$NORMALIZED_VALUE" \ --unit None echo "Published metric: CodeOSSReleaseLag = $NORMALIZED_VALUE (equivalent to $NORMALIZED_VALUE days behind upstream)" @@ -474,7 +483,7 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "PRCreated" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=UpdateAutomation" \ + --dimensions "Repository=$REPOSITORY,Workflow=UpdateAutomation" \ --value 1 publish-success-metrics: @@ -501,7 +510,7 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "ExecutionsSucceeded" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=UpdateAutomation" \ + --dimensions "Repository=$REPOSITORY,Workflow=UpdateAutomation" \ --value 1 echo "Published metric: ExecutionsSucceeded" @@ -531,7 +540,7 @@ jobs: aws cloudwatch put-metric-data \ --namespace "GitHub/Workflows" \ --metric-name "ExecutionsFailed" \ - --dimensions "Repository=${{ env.REPOSITORY }},Workflow=UpdateAutomation" \ + --dimensions "Repository=$REPOSITORY,Workflow=UpdateAutomation" \ --value 1 echo "Published metric: ExecutionsFailed" \ No newline at end of file