ci: Migrate LavaMoat validation to GitHub Actions (#29369)
## **Description**

Migrate LavaMoat policy validation from CircleCI to GitHub actions. No
functional changes.

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29369?quickstart=1)

## **Related issues**

Relates to #28572

These changes were extracted from #29256

## **Manual testing steps**

* Checkout this branch (`migrate-lavamoat-validation`), then from there
create a new branch to test with
* On this new branch, make a dependency change with a policy impact
(e.g. add or remove a package, upgrade something, etc.), but make sure
the build still passes (validation requires a passing build)
* Create a draft PR, and verify that the policy validation fails
* Use the `metamaskbot update-policies` bot command to update the
policies, then verify the validation now succeeds.
* PR with errors: #29396
* Failure: https://github.com/MetaMask/metamask-extension/actions/runs/12434996100/job/34719873040?pr=29396
* Passing: https://github.com/MetaMask/metamask-extension/actions/runs/12435253146/job/34720674397?pr=29396

## **Screenshots/Recordings**

N/A

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
Gudahtt authored Dec 20, 2024
1 parent 6f11eda commit ce8b502
Showing 5 changed files with 97 additions and 60 deletions.
60 changes: 0 additions & 60 deletions .circleci/config.yml
Expand Up @@ -123,18 +123,6 @@ workflows:
- master
requires:
- prep-deps
- validate-lavamoat-allow-scripts:
requires:
- prep-deps
- validate-lavamoat-policy-build:
requires:
- prep-deps
- validate-lavamoat-policy-webapp:
matrix:
parameters:
build-type: [main, beta, flask, mmi]
requires:
- prep-deps
- prep-build-mmi:
requires:
- prep-deps
Expand Down Expand Up @@ -268,9 +256,6 @@ workflows:
- prep-build-flask-mv2
- all-tests-pass:
requires:
- validate-lavamoat-allow-scripts
- validate-lavamoat-policy-build
- validate-lavamoat-policy-webapp
- validate-source-maps
- validate-source-maps-beta
- validate-source-maps-flask
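Review bot: dropping the three `validate-lavamoat-*` entries from the `all-tests-pass` `requires` list means the CircleCI gate no longer waits on policy validation at all; that is only safe because the same three jobs are added to the `needs` list of the gating job in `.github/workflows/main.yml` in this same patch. Worth confirming that branch protection / required status checks are switched to the new GitHub check names ("Validate lavamoat allow scripts", "Validate lavamoat policy build", "Validate lavamoat policy webapp"), since the old CircleCI job names will stop reporting once this merges and a missing required check would let a stale policy land unnoticed.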
Expand Down Expand Up @@ -481,51 +466,6 @@ jobs:
at: .
- run: yarn tsx .circleci/scripts/validate-locales-only.ts

validate-lavamoat-allow-scripts:
executor: node-browsers-small
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate allow-scripts config
command: yarn allow-scripts auto
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

validate-lavamoat-policy-build:
executor: node-browsers-medium
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate LavaMoat build policy
command: yarn lavamoat:build:auto
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

validate-lavamoat-policy-webapp:
executor: node-browsers-medium-plus
parameters:
build-type:
type: string
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate LavaMoat << parameters.build-type >> policy
command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>'
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

prep-build:
executor: node-linux-medium
steps:
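Review bot: the three deleted jobs are the only visible callers of `.circleci/scripts/check-working-tree.sh`, but the script itself is not removed in this diff; if nothing else in `.circleci/config.yml` still references it, delete it here (or in the follow-up) so the inline `git diff --exit-code` check in the new workflows is the single implementation of "working tree must be clean". Also note the executor sizing (`node-browsers-small`, `node-browsers-medium`, `node-browsers-medium-plus`) is not carried over: all three GitHub jobs run on plain `ubuntu-latest`, so keep an eye on memory and wall-clock time for the webapp policy job, which previously got the largest executor.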
15 changes: 15 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -56,6 +56,18 @@ jobs:
name: Test deps depcheck
uses: ./.github/workflows/test-deps-depcheck.yml

validate-lavamoat-allow-scripts:
name: Validate lavamoat allow scripts
uses: ./.github/workflows/validate-lavamoat-allow-scripts.yml

validate-lavamoat-policy-build:
name: Validate lavamoat policy build
uses: ./.github/workflows/validate-lavamoat-policy-build.yml

validate-lavamoat-policy-webapp:
name: Validate lavamoat policy webapp
uses: ./.github/workflows/validate-lavamoat-policy-webapp.yml

run-tests:
name: Run tests
uses: ./.github/workflows/run-tests.yml
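Review bot: the three new reusable-workflow jobs have no `needs:`, whereas the CircleCI jobs they replace required `prep-deps` and attached its workspace; each GitHub job therefore does its own checkout and `setup-environment`, so the dependency install is repeated across 3 jobs plus the 4 webapp matrix legs. That is acceptable for isolation and matches the other `test-*` jobs above, but a short comment saying the duplication is intentional, or a `needs:` on a shared prep job if this workflow has one, would stop the next reader from "fixing" it.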
Expand All @@ -75,6 +87,9 @@ jobs:
- test-lint-lockfile
- test-yarn-dedupe
- test-deps-depcheck
- validate-lavamoat-allow-scripts
- validate-lavamoat-policy-build
- validate-lavamoat-policy-webapp
- run-tests
- wait-for-circleci-workflow-status
outputs:
25 changes: 25 additions & 0 deletions .github/workflows/validate-lavamoat-allow-scripts.yml
@@ -0,0 +1,25 @@
name: Validate lavamoat allow scripts

on:
workflow_call:

jobs:
validate-lavamoat-allow-scripts:
name: Validate lavamoat allow scripts
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate allow-scripts config
run: yarn allow-scripts auto

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
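Review bot: `git diff --exit-code` only reports modifications to tracked files, so a run of `yarn allow-scripts auto` that produces a new untracked file would leave the tree dirty without failing this step; prefer checking `git status --porcelain` and failing if it prints anything, e.g. `if [ -n "$(git status --porcelain)" ]; then`. Also print the diff (`git --no-pager diff` and `git status --short`) before `exit 1` so the job log shows what changed instead of only "Working tree dirty.", which is the information the author needs to run `metamaskbot update-policies`.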
27 changes: 27 additions & 0 deletions .github/workflows/validate-lavamoat-policy-build.yml
@@ -0,0 +1,27 @@
name: Validate lavamoat policy build

on:
workflow_call:

jobs:
validate-lavamoat-policy-build:
name: Validate lavamoat policy build
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate lavamoat build policy
run: yarn lavamoat:build:auto
env:
INFURA_PROJECT_ID: 00000000000

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
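Review bot: `INFURA_PROJECT_ID: 00000000000` is an unquoted scalar, which YAML parses as an integer (and may drop the leading zeros when it is stringified into the environment), so quote it as `'00000000000'` to keep the placeholder value stable. A placeholder is appropriate here because policy generation should not reach the network, but a one-line comment stating that the value is a dummy and why it is needed for the build would help the next reader. The inline `git diff --exit-code` check shares the limitation of not seeing newly created untracked policy files; `git status --porcelain` catches both.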
30 changes: 30 additions & 0 deletions .github/workflows/validate-lavamoat-policy-webapp.yml
@@ -0,0 +1,30 @@
name: Validate lavamoat policy webapp

on:
workflow_call:

jobs:
validate-lavamoat-policy-webapp:
name: Validate lavamoat policy webapp
runs-on: ubuntu-latest
strategy:
matrix:
build-type: [main, beta, flask, mmi]
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate lavamoat ${{ matrix.build-type }} policy
run: yarn lavamoat:webapp:auto:ci --build-types=${{ matrix.build-type }}
env:
INFURA_PROJECT_ID: 00000000000

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
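Review bot: the matrix sets no `fail-fast: false`, so the first build type with a stale policy cancels the remaining legs and the author learns about only one outdated policy per run, whereas the CircleCI matrix ran all four independently; add `fail-fast: false` under `strategy`. The `--build-types=${{ matrix.build-type }}` argument also drops the single quotes the CircleCI command had; that is fine for the four single-word values in the matrix, but quoting it keeps the command safe if a value with spaces is ever added. Same remark as for the other two workflows on the working-tree check: `git diff --exit-code` misses newly created untracked files.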

0 comments on commit ce8b502
