Github workflow for releasing the upgradeable contracts (#6218)

Amxx · coderabbitai[bot] · ernestognw · web-flow · commit 447a5094877f · 2025-12-19T08:27:06.000-06:00
Co-authored-by: coderabbitai[bot] &lt;136622811+coderabbitai[bot]@users.noreply.github.com&gt;
Co-authored-by: Ernesto García &lt;ernestognw@gmail.com&gt;
diff --git a/.github/workflows/release-upgradeable.yml b/.github/workflows/release-upgradeable.yml
@@ -0,0 +1,95 @@
+name: Release Upgradeable
+
+on:
+  workflow_dispatch: {}
+
+jobs:
+  state:
+    name: Check state
+    permissions:
+      pull-requests: read
+    if: ${{ !endsWith(github.repository, '-upgradeable') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: ${{ github.repository }}-upgradeable
+          ref: ${{ github.ref }}
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          path: lib/openzeppelin-contracts
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - name: Check upgradeable
+        id: check-upgradeable
+        run: bash scripts/release/workflow/check-upgradeable.sh
+    outputs:
+      publish: ${{ steps.check-upgradeable.outcome }}
+      is_prerelease: ${{ steps.check-upgradeable.outputs.is_prerelease }}
+
+  # copied from release-cycle.yml
+  publish:
+    needs: state
+    name: Publish to npm
+    environment: push-upgradeable
+    permissions:
+      id-token: write
+    if: needs.state.outputs.publish == 'success' # Note: changed from 'true' to 'success' to support the way publish is computed
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: ${{ github.repository }}-upgradeable
+          ref: ${{ github.ref }}
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          path: lib/openzeppelin-contracts
+      - name: Set up environment
+        uses: ./.github/actions/setup
+      - id: pack
+        name: Pack
+        run: bash scripts/release/workflow/pack.sh
+        env:
+          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: ${{ github.ref_name }}-upgradeable
+          path: ${{ steps.pack.outputs.tarball }}
+      - name: Publish
+        run: bash scripts/release/workflow/publish.sh
+        env:
+          TARBALL: ${{ steps.pack.outputs.tarball }}
+          TAG: ${{ steps.pack.outputs.tag }}
+      - name: Create Github Release
+        uses: actions/github-script@v8
+        env:
+          PRERELEASE: ${{ needs.state.outputs.is_prerelease }}
+          TARGET_COMMIT: ${{ github.ref }}
+          REPO_SUFFIX: -upgradeable
+        with:
+          github-token: ${{ secrets.GH_TOKEN_UPGRADEABLE }}
+          script: await require('./scripts/release/workflow/github-release.js')({ github, context })
+    outputs:
+      tarball_name: ${{ steps.pack.outputs.tarball_name }}
+
+  integrity_check:
+    needs: publish
+    name: Tarball Integrity Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: ${{ github.repository }}-upgradeable
+          ref: ${{ github.ref }}
+      - name: Download tarball artifact
+        id: artifact
+        uses: actions/download-artifact@v6
+        with:
+          name: ${{ github.ref_name }}-upgradeable
+      - name: Check integrity
+        run: bash scripts/release/workflow/integrity-check.sh
+        env:
+          TARBALL: ${{ steps.artifact.outputs.download-path }}/${{ needs.publish.outputs.tarball_name }}
diff --git a/.github/workflows/upgradeable.yml b/.github/workflows/upgradeable.yml
@@ -1,4 +1,4 @@
-name: transpile upgradeable
+name: Transpile upgradeable
 
 on:
   push:
@@ -9,11 +9,12 @@ on:
 jobs:
   transpile:
     environment: push-upgradeable
+    if: ${{ !endsWith(github.repository, '-upgradeable') }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
         with:
-          repository: OpenZeppelin/openzeppelin-contracts-upgradeable
+          repository: ${{ github.repository }}-upgradeable
           fetch-depth: 0
           token: ${{ secrets.GH_TOKEN_UPGRADEABLE }}
       - name: Fetch current non-upgradeable branch
diff --git a/scripts/release/workflow/check-upgradeable.sh b/scripts/release/workflow/check-upgradeable.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Get commit hash (short) of the reference commit (non-upgradeable version)
+cd lib/openzeppelin-contracts
+REFERENCE_COMMIT="$(git rev-parse --short HEAD)"
+
+# Check that the commit message of the local commit (upgradeable version) matches the reference commit
+cd ../..
+if ! git log -1 --pretty=%B | grep -q "Transpile ${REFERENCE_COMMIT}"; then
+  echo "Expected 'Transpile ${REFERENCE_COMMIT}' but found '$(git log -1 --pretty=%B)'"
+  exit 1
+fi
+
+# Read the version from the package.json, and check whether that corresponds to a pre-release
+VERSION="$(jq -r .version contracts/package.json)"
+if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  PRERELEASE="false"
+elif [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-rc\.[0-9]+$ ]]; then
+  PRERELEASE="true"
+else
+  echo "Invalid version"
+  exit 1
+fi
+
+echo "is_prerelease=${PRERELEASE}" >> "$GITHUB_OUTPUT"
diff --git a/scripts/release/workflow/github-release.js b/scripts/release/workflow/github-release.js
@@ -7,9 +7,9 @@ module.exports = async ({ github, context }) => {
 
   await github.rest.repos.createRelease({
     owner: context.repo.owner,
-    repo: context.repo.repo,
+    repo: context.repo.repo + (process.env.REPO_SUFFIX ?? ''),
     tag_name: `v${version}`,
-    target_commitish: context.sha,
+    target_commitish: process.env.TARGET_COMMIT ?? context.sha,
     body: extractSection(changelog, version),
     prerelease: process.env.PRERELEASE === 'true',
   });
