ci(workflows): add release-branch

Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>

.dictionary.txt

@@ -21,6 +21,7 @@ groupby
 hmarr
 iife
 infile
+kaisugi
 keyid
 ksort
 larsgw

.github/.gitconfig

@@ -25,7 +25,7 @@ chb = "!f() { git checkout -b \"$@\" && git pou \"$@\"; }; f"
 chp = "!f() { git checkout $@ && git pull; }; f"
 
 # commit with message
-cm = "!f() { git commit -s -m \"$@\"; }; f"
+cm = "!f() { git commit -S -s -m \"$@\"; }; f"
 
 # tell git to start tracking branch and push to origin
 pou = "!f() { git push origin --no-verify -u $@; }; f"
@@ -62,7 +62,7 @@ fpnv = "!f() { git pnv --force ; }; f"
 pnv = "!f() { git push --no-verify $@; }; f"
 
 [branch]
-autosetuprebase = always
+autoSetupRebase = always
 
 [checkout]
 defaultRemote = origin
@@ -85,6 +85,12 @@ tool = vscode
 [difftool "vscode"]
 cmd = code-insiders --wait --diff $LOCAL $REMOTE
 
+[filter "lfs"]
+clean = git-lfs clean -- %f
+smudge = git-lfs smudge -- %f
+process = git-lfs filter-process
+required = true
+
 [gitflow "prefix"]
 feature = feat/
 hotfix = hotfix/
@@ -97,6 +103,10 @@ program = gpg2
 [init]
 defaultBranch = main
 
+[log]
+date = iso8601-strict
+decorate = short
+
 [merge]
 tool = vscode
 
@@ -111,6 +121,8 @@ autoStash = true
 
 [tag]
 forceSignAnnotated = true
+gpgsign = true
+sort = -creatordate
 
 [url "git@github.com:"]
 insteadOf = gh:

.github/workflows/dependabot-auto.yml

@@ -55,19 +55,11 @@ jobs:
         with:
           git_commit_gpgsign: true
           git_config_global: true
+          git_push_gpgsign: false
           git_user_signingkey: true
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-      # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
-      - id: gpg-trust
-        name: Set trust on GPG key
-        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
-        run: |
-          gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
-          trust
-          5
-          y
-          quit
-          EOTRUST
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          trust_level: 5
       - id: lockfile-fix
         name: Fix yarn.lock
         if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
@@ -80,8 +72,6 @@ jobs:
         name: Push yarn.lock
         if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
         env:
-          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
-          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
           COMMIT_MESSAGE: 'build(yarn): [dependabot skip] fix lockfile for @dependabot'
         run: |
           git add yarn.lock

.github/workflows/git.yml

@@ -71,6 +71,7 @@ jobs:
           git_tag_gpgsign: true
           git_user_signingkey: true
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
           trust_level: 5
       - id: gitconfig
         name: List gitconfig values

.github/workflows/release-branch.yml

@@ -0,0 +1,120 @@
+# Release Branch Workflow
+#
+# Execute version bump and changelog operations on release branch creation or workflow dispatch.
+#
+# References:
+#
+# - https://docs.github.com/actions/learn-github-actions/contexts
+# - https://docs.github.com/actions/learn-github-actions/expressions
+# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#create
+# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
+# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
+# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#create
+# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
+# - https://github.com/actions/checkout
+# - https://github.com/actions/setup-node
+# - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
+# - https://github.com/hmarr/debug-action
+# - https://github.com/kaisugi/action-regex-match
+# - https://regex101.com/r/OwpOr2
+
+---
+name: release-branch
+on:
+  create:
+  workflow_dispatch:
+    inputs:
+      dry:
+        default: true
+        description: dry run?
+        type: boolean
+      version:
+        description: release version
+        required: true
+        type: string
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  preflight:
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'release/')
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.result }}
+      version: ${{ inputs.version || steps.version.outputs.match }}
+    steps:
+      - id: debug
+        name: Print environment variables and event payload
+        uses: hmarr/debug-action@v2.1.0
+      - id: checkout
+        name: Checkout ${{ github.ref_name }}
+        uses: actions/checkout@v4.1.1
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+      - id: version
+        name: Get release version
+        uses: kaisugi/action-regex-match@v1.0.0
+        with:
+          regex: |
+            (?<=release\/)(?<version>(?<major>0|[1-9]\d*)\.(?<minor>0|[1-9]\d*)\.(?<patch>0|[1-9]\d*)(?:-(?<prerelease>(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*)(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][\dA-Za-z-]*))*))?(?:\+(?<metadata>[\dA-Za-z-]+(?:\.[\dA-Za-z-]+)*))?$)
+          text: ${{ inputs.version && format('release/{0}', inputs.version) || github.ref_name }}
+      - id: tag
+        name: Get release tag
+        run: |
+          echo "result=$(jq .tagprefix grease.config.json -r)${{ steps.version.outputs.match }}" >>$GITHUB_OUTPUT
+  prepare:
+    if: needs.preflight.outputs.version != ''
+    needs: preflight
+    permissions:
+      contents: write
+      packages: read
+    runs-on: ubuntu-latest
+    env:
+      DRY_RUN: ${{ fromJson(inputs.dry) || !startsWith(github.ref_name, 'release/') }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      HUSKY: 0
+    steps:
+      - id: checkout
+        name: Checkout ${{ github.ref_name }}
+        uses: actions/checkout@v4.1.1
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref }}
+      - id: gpg-import
+        name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6.0.0
+        with:
+          git_commit_gpgsign: true
+          git_config_global: true
+          git_push_gpgsign: false
+          git_user_signingkey: true
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          trust_level: 5
+      - id: yarn
+        name: Install dependencies
+        run: yarn --immutable
+      - id: build
+        name: Build project
+        env:
+          NODE_NO_WARNINGS: 1
+        run: yarn build
+      - id: bump
+        name: Bump manifest version to ${{ needs.preflight.outputs.version }}
+        run: node ./dist/cli.mjs bump -w ${{ needs.preflight.outputs.version }}
+      - id: changelog
+        name: Add CHANGELOG entry for ${{ needs.preflight.outputs.tag }}
+        run: node ./dist/cli.mjs changelog && node ./dist/cli.mjs changelog -sw
+      - id: commit
+        name: Commit release preparation
+        run: |
+          git add CHANGELOG.md package.json
+          git status
+          git commit -s -m 'release: ${{ needs.preflight.outputs.tag }}'
+          git log --show-signature 'HEAD^..HEAD'
+      - id: push
+        name: Push release preparation
+        run: git push${{ fromJson(env.DRY_RUN) && ' --dry-run' || '' }} --no-verify

.github/workflows/release.yml

@@ -43,9 +43,9 @@ jobs:
     if: |
       (github.event.pull_request.merged && startsWith(github.head_ref, 'release/')) ||
       (github.event_name == 'workflow_dispatch' && github.ref_name == 'main')
-    runs-on: ubuntu-latest
     permissions:
       contents: read
+    runs-on: ubuntu-latest
     outputs:
       prerelease: ${{ steps.dist-tag.outputs.prerelease }}
       tag: ${{ steps.tag.outputs.result }}
@@ -103,9 +103,11 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@v6.0.0
         with:
           git_config_global: true
+          git_push_gpgsign: false
           git_tag_gpgsign: true
           git_user_signingkey: true
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
           trust_level: 5
       - id: yarn
         name: Install dependencies
@@ -118,11 +120,8 @@ jobs:
         run: yarn grease changelog -wo $NOTES_FILE && cat $NOTES_FILE
       - id: tag
         name: Create annotated tag
-        env:
-          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
-          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
         run: |
-          yarn grease tag -fps -m "release: $TAG" $TAG
+          node ./dist/cli.mjs tag -fps -m "release: $TAG" $TAG
       - id: publish
         name: Publish release
         env:

CONTRIBUTING.md

@@ -352,19 +352,16 @@ Before deploying, the following steps must be completed:
 1. Schedule a code freeze
 2. Decide what type of version bump the package needs
    - `yarn bump:recommend`
-3. Bump version
-   - `yarn bump <new-version>`
-   - `yarn bump major`
-   - `yarn bump minor`
-   - `yarn bump patch`
-   - `yarn bump premajor --preid <dist-tag>`
-   - `yarn bump preminor --preid <dist-tag>`
-   - `yarn bump prepatch --preid <dist-tag>`
-   - `yarn bump prerelease --preid <dist-tag>`
-4. Update `CHANGELOG.md`
-   - `yarn changelog -sw` (remove `-sw` to do a dry-run, i.e. `yarn changelog`)
-5. `yarn release`
-6. Open PR from `release/*` into `main`
+3. Start local release
+   - `yarn release <new-version>`
+   - `yarn release major`
+   - `yarn release minor`
+   - `yarn release patch`
+   - `yarn release premajor --preid <dist-tag>`
+   - `yarn release preminor --preid <dist-tag>`
+   - `yarn release prepatch --preid <dist-tag>`
+   - `yarn release prerelease --preid <dist-tag>`
+4. Open PR from `release/*` into `main`
    - PR title should match `release: <release-tag>`
      - e.g: `release: 1.1.0`
    - link all issues being released

scripts/release.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e
+
 # Local Release Workflow
 #
 # 1. run typecheck
@@ -8,18 +10,13 @@
 # 4. run postbuild typecheck
 # 5. analyze types
 # 6. print package size report
-# 7. get new package version
+# 7. get release version data
 # 8. get release branch name
-# 9. switch to release branch
-# 10. stage changes
-# 11. commit changes
-# 12. push release branch to origin
-# 13. create pull request
-# 14. cleanup
+# 9. push release branch
+# 10. cleanup
 #
 # References:
 #
-# - https://cli.github.com/manual/gh_pr_create
 # - https://github.com/arethetypeswrong/arethetypeswrong.github.io
 
 yarn typecheck
@@ -28,11 +25,7 @@ yarn pack
 yarn check:types:build
 attw package.tgz
 yarn pkg-size
-VERSION=$(jq .version package.json -r)
-RELEASE_BRANCH=release/$VERSION
-git switch -c $RELEASE_BRANCH
-git add .
-git commit -s -m "release: $(jq .tagprefix grease.config.json -r)$VERSION"
-git push origin -u --no-verify $RELEASE_BRANCH
-gh pr create --assignee @me --label scope:release --web
+RELEASE_VERSION=$(node ./dist/cli.mjs bump -j $@)
+RELEASE_BRANCH=release/$(jq .version -r <<<$RELEASE_VERSION)
+git push origin --no-verify --set-upstream $RELEASE_BRANCH
 yarn clean:pack

src/cli/commands/bump.command.ts

@@ -100,6 +100,7 @@ class BumpCommand extends CommandRunner {
    */
   @Option({
     description: 'prerelease identifier',
+    env: 'GREASE_BUMP_PREID',
     flags: '--preid <id>'
   })
   protected parsePreid(val: string): string {
@@ -119,6 +120,7 @@ class BumpCommand extends CommandRunner {
   @Option({
     choices: select(CliUtilityService.BOOLEAN_CHOICES, isNumeric),
     description: 'base to be used for prerelease identifier',
+    env: 'GREASE_BUMP_PRESTART',
     fallback: { value: 1 },
     flags: '--prestart <start>'
   })
@@ -179,6 +181,7 @@ class BumpCommand extends CommandRunner {
    */
   @Option({
     description: 'write version bump to file',
+    env: 'GREASE_BUMP_WRITE',
     fallback: { value: false },
     flags: '-w, --write',
     preset: 'true'