.github/workflows/release.yml

name: CI

on:
  push:
    branches:
      - main
  repository_dispatch:
    types: [semantic-release]

env:
  THIRD_PARTY_GIT_AUTHOR_EMAIL: opensource+bot@newrelic.com
  THIRD_PARTY_GIT_AUTHOR_NAME: nr-opensource-bot

jobs:
  job-checkout-and-build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Setup Node.js
        uses: actions/setup-node@v1
        with:
          node-version: 16

      - name: Cache node_modules
        id: cache-node-modules
        uses: actions/cache@v1
        env:
          cache-name: node-modules
        with:
          path: ~/.npm
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-${{ env.cache-name }}-

      - name: Install Dependencies
        run: npm ci

      - name: Install NR1 CLI
        run: curl -s https://cli.nr-ext.net/installer.sh | sudo bash

      - name: NR1 Nerdpack Build
        run: |
          nr1 nerdpack:build
          nr1 nerdpack:validate

  job-generate-third-party-notices:
    runs-on: ubuntu-latest
    needs: job-checkout-and-build
    steps:
      # Checkout fetch-depth: 2 because there's a check to see if package.json
      # was updated, and need at least 2 commits for the check to function properly
      - name: Checkout repo
        uses: actions/checkout@v2
        with:
          fetch-depth: 2

      - name: Setup Node.js
        uses: actions/setup-node@v1
        with:
          node-version: 16

      - name: Download Cached Deps
        id: cache-node-modules
        uses: actions/cache@v1
        env:
          cache-name: node-modules
        with:
          path: ~/.npm
          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-${{ env.cache-name }}-

      - name: Install Dependencies
        run: npm ci

      - name: Install OSS CLI
        run: |
          sudo npm install -g @newrelic/newrelic-oss-cli

      - name: Generate Third Party Notices
        id: generate-notices
        run: |
          if [ ! -f "third_party_manifest.json" ]; then
            echo "::error::third_party_manifest.json is missing. Must generate using the newrelic-oss-cli."
            exit 1
          fi

          # latest commit
          LATEST_COMMIT=$(git rev-parse HEAD)

          # latest commit where package.json was changed
          LAST_CHANGED_COMMIT=$(git log -1 --format=format:%H --full-diff package.json)

          if [ $LAST_CHANGED_COMMIT = $LATEST_COMMIT ]; then
            git config user.email "${{ env.THIRD_PARTY_GIT_AUTHOR_EMAIL }}"
            git config user.name "${{ env.THIRD_PARTY_GIT_AUTHOR_NAME }}"

            oss third-party manifest
            oss third-party notices

            git add third_party_manifest.json
            git add THIRD_PARTY_NOTICES.md

            git commit -m 'chore: update third-party manifest and notices [skip ci]'
            echo "::set-output name=commit::true"
          else
            echo "No change in package.json, not regenerating third-party notices"
          fi

      - name: Temporarily disable "required_pull_request_reviews" branch protection
        id: disable-branch-protection
        if: always()
        uses: actions/github-script@v1
        with:
          github-token: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
          previews: luke-cage-preview
          script: |
            const result = await github.repos.updateBranchProtection({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'main',
              required_status_checks: null,
              restrictions: null,
              enforce_admins: null,
              required_pull_request_reviews: null
            })
            console.log("Result:", result)

      - name: Push Commit
        if: steps.generate-notices.outputs.commit == 'true'
        uses: ad-m/github-push-action@v0.6.0
        with:
          github_token: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
          branch: main

      - name: Re-enable "required_pull_request_reviews" branch protection
        id: enable-branch-protection
        if: always()
        uses: actions/github-script@v1
        with:
          github-token: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
          previews: luke-cage-preview
          script: |
            const result = await github.repos.updateBranchProtection({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'main',
              required_status_checks: null,
              restrictions: null,
              enforce_admins: null,
              required_pull_request_reviews: {
                required_approving_review_count: 1
              }
            })
            console.log("Result:", result)

  job-generate-release:
    runs-on: ubuntu-latest
    needs: [job-checkout-and-build, job-generate-third-party-notices]
    steps:
      # Checkout ref: main because previous job committed third_party_notices and
      # we need to checkout main to pick up that commit
      - name: Checkout repo
        uses: actions/checkout@v2
        with:
          ref: main

      - name: Setup Node.js
        uses: actions/setup-node@v1
        with:
          node-version: 16

      - name: Install dependencies
        run: npm ci

      - name: Temporarily disable "required_pull_request_reviews" branch protection
        id: disable-branch-protection
        if: always()
        uses: actions/github-script@v1
        with:
          github-token: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
          previews: luke-cage-preview
          script: |
            const result = await github.repos.updateBranchProtection({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'main',
              required_status_checks: null,
              restrictions: null,
              enforce_admins: null,
              required_pull_request_reviews: null
            })
            console.log("Result:", result)

      - name: Run semantic-release
        env:
          # Use nr-opensource-bot for authoring commits done by
          # semantic-release (rather than using @semantic-release-bot)
          GIT_AUTHOR_NAME: "nr-opensource-bot"
          GIT_AUTHOR_EMAIL: "opensource+bot@newrelic.com"
          GIT_COMMITTER_NAME: "nr-opensource-bot"
          GIT_COMMITTER_EMAIL: "opensource+bot@newrelic.com"
          GITHUB_TOKEN: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
        run: npx semantic-release@^18.0.0

      - name: Re-enable "required_pull_request_reviews" branch protection
        id: enable-branch-protection
        if: always()
        uses: actions/github-script@v1
        with:
          github-token: ${{ secrets.OPENSOURCE_BOT_TOKEN }}
          previews: luke-cage-preview
          script: |
            const result = await github.repos.updateBranchProtection({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'main',
              required_status_checks: null,
              restrictions: null,
              enforce_admins: null,
              required_pull_request_reviews: {
                required_approving_review_count: 1
              }
            })
            console.log("Result:", result)