chore: Update GitHub Workflows (#168)

### Changes This PR updates the GitHub workflows for the Symfony SDK to bring them up to date with our other PHP repositories. ### References N/A ### Testing N/A ### Checklist [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) [x] All existing and new tests complete without errors
auth0 · Dec 9, 2023 · 23ce988 · 23ce988
1 parent fac9e3c
commit 23ce988
Show file tree

Hide file tree

Showing 13 changed files with 611 additions and 6 deletions.
diff --git a/.github/actions/get-prerelease/action.yml b/.github/actions/get-prerelease/action.yml
@@ -0,0 +1,30 @@
+name: Return a boolean indicating if the version contains prerelease identifiers
+
+#
+# Returns a simple true/false boolean indicating whether the version indicates it's a prerelease or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  version:
+    required: true
+
+outputs:
+  prerelease:
+    value: ${{ steps.get_prerelease.outputs.PRERELEASE }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_prerelease
+      shell: bash
+      run: |
+        if [[ "${VERSION}" == *"beta"* || "${VERSION}" == *"alpha"* ]]; then
+          echo "PRERELEASE=true" >> $GITHUB_OUTPUT
+        else
+          echo "PRERELEASE=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        VERSION: ${{ inputs.version }}
diff --git a/.github/actions/get-version/action.yml b/.github/actions/get-version/action.yml
@@ -0,0 +1,23 @@
+name: Return the version extracted from the branch name
+
+#
+# Returns the version from a branch name of a pull request. It expects the branch name to be in the format release/vX.Y.Z, release/X.Y.Z, release/vX.Y.Z-beta.N. etc.
+#
+# TODO: Remove once the common repo is public.
+#
+
+outputs:
+  version:
+    value: ${{ steps.get_version.outputs.VERSION }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_version
+      shell: bash
+      run: |
+        VERSION=$(echo ${BRANCH_NAME} | sed -r 's#release/+##g')
+        echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+      env:
+        BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
diff --git a/.github/actions/publish-package/action.yml b/.github/actions/publish-package/action.yml
@@ -0,0 +1,29 @@
+name: Publish release to package manager
+
+inputs:
+  token:
+    required: true
+  files:
+    required: false
+  name:
+    required: true
+  body:
+    required: true
+  tag:
+    required: true
+  commit:
+    required: true
+  draft:
+    default: false
+    required: false
+  prerelease:
+    default: false
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    # Nothing to do for PHP.
+    - run: exit 0
+      shell: bash
diff --git a/.github/actions/release-create/action.yml b/.github/actions/release-create/action.yml
@@ -0,0 +1,47 @@
+name: Create a GitHub release
+
+#
+# Creates a GitHub release with the given version.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  files:
+    required: false
+  name:
+    required: true
+  body:
+    required: true
+  tag:
+    required: true
+  commit:
+    required: true
+  draft:
+    default: false
+    required: false
+  prerelease:
+    default: false
+    required: false
+  fail_on_unmatched_files:
+    default: true
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+      with:
+        body: ${{ inputs.body }}
+        name: ${{ inputs.name }}
+        tag_name: ${{ inputs.tag }}
+        target_commitish: ${{ inputs.commit }}
+        draft: ${{ inputs.draft }}
+        prerelease: ${{ inputs.prerelease }}
+        fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }}
+        files: ${{ inputs.files }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -0,0 +1,48 @@
+name: Prepare PHP
+description: Prepare the PHP environment
+
+inputs:
+  php:
+    description: The PHP version to use
+    required: true
+  coverage:
+    description: The coverage extension to use
+    required: false
+    default: 'none'
+  extensions:
+    description: The PHP extensions to use
+    required: false
+    default: 'none, mbstring, curl, simplexml, dom, xmlwriter, xml, tokenizer'
+  runner:
+    description: The runner OS
+    required: false
+    default: 'ubuntu-latest'
+
+runs:
+  using: composite
+
+  steps:
+    - name: Setup PHP
+      uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4
+      with:
+        php-version: ${{ inputs.php }}
+        extensions: ${{ inputs.extensions }}
+        coverage: ${{ inputs.coverage }}
+      env:
+        runner: ${{ inputs.runner }}
+
+    - name: Get Composer cache directory
+      id: composer-cache
+      shell: bash
+      run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+    - name: Cache dependencies
+      uses: actions/cache@v3
+      with:
+        path: ${{ steps.composer-cache.outputs.dir }}
+        key: ${{ runner.os }}-composer-${{ inputs.php }}-${{ hashFiles('**/composer.lock') }}
+        restore-keys: ${{ runner.os }}-composer-${{ inputs.php }}-
+
+    - name: Install dependencies
+      shell: bash
+      run: composer install --prefer-dist
diff --git a/.github/actions/tag-create/action.yml b/.github/actions/tag-create/action.yml
@@ -0,0 +1,33 @@
+name: Create a repository tag
+
+#
+# Creates a tag with the given version.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  tag:
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - shell: bash
+      run: |
+        git config user.name "${AUTHOR_USERNAME}"
+        git config user.email "${AUTHOR_EMAIL}"
+      env:
+        AUTHOR_USERNAME: ${{ github.event.pull_request.user.login }}
+        AUTHOR_EMAIL: ${{ github.event.pull_request.user.email }}
+
+    - shell: bash
+      run: |
+        git tag -a ${TAG_NAME} -m "Version ${TAG_NAME}"
+        git push --follow-tags
+      env:
+        TAG_NAME: ${{ inputs.tag }}
+        GITHUB_TOKEN: ${{ inputs.token }}
diff --git a/.github/actions/tag-exists/action.yml b/.github/actions/tag-exists/action.yml
@@ -0,0 +1,36 @@
+name: Return a boolean indicating if a tag already exists for the repository
+
+#
+# Returns a simple true/false boolean indicating whether the tag exists or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  tag:
+    required: true
+
+outputs:
+  exists:
+    description: 'Whether the tag exists or not'
+    value: ${{ steps.tag-exists.outputs.EXISTS }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: check
+      shell: bash
+      run: |
+        GET_API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/git/ref/tags/${TAG_NAME}"
+        http_status_code=$(curl -LI $GET_API_URL -o /dev/null -w '%{http_code}\n' -s -H "Authorization: token ${GITHUB_TOKEN}")
+        if [ "$http_status_code" -ne "404" ] ; then
+          echo "EXISTS=true" >> $GITHUB_OUTPUT
+        else
+          echo "EXISTS=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        TAG_NAME: ${{ inputs.tag }}
+        GITHUB_TOKEN: ${{ inputs.token }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: 'github-actions'
-    directory: '/'
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
-      interval: 'daily'
+      interval: "daily"
diff --git a/.github/workflows/matrix.json b/.github/workflows/matrix.json
@@ -0,0 +1,7 @@
+{
+  "include": [
+    { "php": "8.1" },
+    { "php": "8.2" },
+    { "php": "8.3" }
+  ]
+}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,71 @@
+name: Create GitHub Release
+
+on:
+  pull_request:
+    types:
+      - closed
+
+permissions:
+  contents: write
+
+### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
+### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
+
+jobs:
+  release:
+    if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      # Checkout the code
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Get the version from the branch name
+      - id: get_version
+        uses: ./.github/actions/get-version
+
+      # Get the prerelease flag from the branch name
+      - id: get_prerelease
+        uses: ./.github/actions/get-prerelease
+        with:
+          version: ${{ steps.get_version.outputs.version }}
+
+      # Check if the tag already exists
+      - id: tag_exists
+        uses: ./.github/actions/tag-exists
+        with:
+          tag: ${{ steps.get_version.outputs.version }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # If the tag already exists, exit with an error
+      - if: steps.tag_exists.outputs.exists == 'true'
+        run: exit 1
+
+      # Publish the release to our package manager
+      - uses: ./.github/actions/publish-package
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: ${{ steps.get_version.outputs.version }}
+          body: ${{ github.event.pull_request.body }}
+          tag: ${{ steps.get_version.outputs.version }}
+          commit: ${{ github.sha }}
+          prerelease: ${{ steps.get_prerelease.outputs.prerelease }}
+
+      # Create a tag for the release
+      - uses: ./.github/actions/tag-create
+        with:
+          tag: ${{ steps.get_version.outputs.version }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Create a release for the tag
+      - uses: ./.github/actions/release-create
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: ${{ steps.get_version.outputs.version }}
+          body: ${{ github.event.pull_request.body }}
+          tag: ${{ steps.get_version.outputs.version }}
+          commit: ${{ github.sha }}
+          prerelease: ${{ steps.get_prerelease.outputs.prerelease }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -38,12 +38,12 @@ jobs:
 
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0
 
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 
       - run: semgrep ci
         env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+          SEMGREP_APP_TOKEN: ${{ secrets.DX_SDKS_SEMGREP_TOKEN }}