chore: optimize pro image build ci (nocobase#5140)

2013xile · web-flow · commit 685f0764f17d · 2024-08-27T06:46:25.000+08:00
* chore: optimize pro image build ci

* chore: update

* chore: update

* fix: branch
diff --git a/.github/workflows/build-pro-image.yml b/.github/workflows/build-pro-image.yml
@@ -15,19 +15,31 @@ on:
       - '.github/workflows/build-pro-image.yml'
 
 jobs:
-  build-and-push:
+  app-token:
     if: github.event.pull_request.head.repo.fork != true
+    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+    secrets: inherit
+  build-and-push:
+    needs: app-token
     runs-on: ubuntu-latest
     services:
       verdaccio:
         image: verdaccio/verdaccio:5
         ports:
           - 4873:4873
     steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
           submodules: true
       - name: Checkout pro-plugins
         uses: actions/checkout@v3
@@ -36,7 +48,14 @@ jobs:
           ref: main
           path: packages/pro-plugins
           fetch-depth: 0
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Clone pro repos
+        shell: bash
+        run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+          git clone -b main https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+          done
       - run: |
           cd packages/pro-plugins &&
           if git show-ref --quiet refs/remotes/origin/${{ github.head_ref || github.ref_name }}; then
@@ -48,8 +67,30 @@ jobs:
               git checkout main
             fi
           fi
+      - run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            cd ./packages/pro-plugins/@nocobase/$repo
+            if git show-ref --quiet refs/remotes/origin/${{ github.head_ref || github.ref_name }}; then
+              git checkout ${{ github.head_ref || github.ref_name }}
+            else
+              if git show-ref --quiet refs/remotes/origin/${{ github.event.pull_request.base.ref }}; then
+                git checkout ${{ github.event.pull_request.base.ref }}
+              else
+                git checkout main
+              fi
+            fi
+            cd ../../../../
+          done
       - name: rm .git
-        run: rm -rf packages/pro-plugins/.git &&  git config --global user.email "you@example.com"  &&  git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
+        run: |
+          rm -rf packages/pro-plugins/.git
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            rm -rf packages/pro-plugins/@nocobase/$repo/.git
+          done
+          git config --global user.email "you@example.com"
+          git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
diff --git a/.github/workflows/manual-build-pro-image.yml b/.github/workflows/manual-build-pro-image.yml
@@ -16,20 +16,32 @@ on:
         required: true
 
 jobs:
-  build-and-push:
+  app-token:
     if: github.event.pull_request.head.repo.fork != true
+    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
+    secrets: inherit
+  build-and-push:
+    needs: app-token
     runs-on: ubuntu-latest
     services:
       verdaccio:
         image: verdaccio/verdaccio:latest
         ports:
           - 4873:4873
     steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.base_branch }}
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
           submodules: true
       - name: Set PR branch
         id: set_pro_pr_branch
@@ -43,9 +55,23 @@ jobs:
           repository: nocobase/pro-plugins
           path: packages/pro-plugins
           ref: ${{ steps.set_pro_pr_branch.outputs.pr_branch || 'main' }}
-          ssh-key: ${{ secrets.SUBMODULE_SSH_KEY }}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Clone pro repos
+        shell: bash
+        run: |
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+          git clone -b ${{ steps.set_pro_pr_branch.outputs.pr_branch || 'main' }} https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
+          done
       - name: rm .git
-        run: rm -rf packages/pro-plugins/.git &&  git config --global user.email "you@example.com"  &&  git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
+        run: |
+          rm -rf packages/pro-plugins/.git
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            rm -rf packages/pro-plugins/@nocobase/$repo/.git
+          done
+          git config --global user.email "you@example.com"
+          git config --global user.name "Your Name" && git add -A && git commit -m "tmp commit"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
diff --git a/.github/workflows/release-next.yml b/.github/workflows/release-next.yml
@@ -16,6 +16,14 @@ jobs:
     container: node:18
     needs: app-token
     steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -85,14 +93,6 @@ jobs:
           git commit -m "chore(versions): test publish packages xxx"
           cat lerna.json
           yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/ --dist-tag=next
-      - name: Decrypt app token
-        id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
-          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout pro-plugins
         uses: actions/checkout@v3
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,14 @@ jobs:
     container: node:18
     needs: app-token
     steps:
+      - name: Decrypt app token
+        id: app-token
+        shell: bash
+        run: |
+          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
+          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
+          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
+          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout
         uses: actions/checkout@v3
       - name: Send curl request and parse response
@@ -59,14 +67,6 @@ jobs:
           yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
           npm whoami
           yarn release:force --no-verify-access --no-git-reset --registry https://registry.npmjs.org/
-      - name: Decrypt app token
-        id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          BINARY_ENCRYPTED_SECRET=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode);
-          APP_TOKEN=$(echo -n "$BINARY_ENCRYPTED_SECRET" | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
       - name: Checkout pro-plugins
         uses: actions/checkout@v3
         with:
