chore(ci): optimize release ci (#5186)

.github/workflows/build-pro-image.yml

@@ -15,12 +15,8 @@ on:
       - '.github/workflows/build-pro-image.yml'
 
 jobs:
-  app-token:
-    if: github.event.pull_request.head.repo.fork != true
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   build-and-push:
-    needs: app-token
+    if: github.event.pull_request.head.repo.fork != true
     runs-on: ubuntu-latest
     services:
       verdaccio:
@@ -28,13 +24,13 @@ jobs:
         ports:
           - 4873:4873
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
       - name: Checkout
         uses: actions/checkout@v3
         with:

.github/workflows/changelog-and-release.yml

@@ -11,21 +11,21 @@ on:
       - 'v*-beta'
 
 jobs:
-  app-token:
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   write-changelog-and-release:
-    needs:
-      - app-token
     runs-on: ubuntu-latest
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -50,8 +50,8 @@ jobs:
           done
       - name: Set user
         run: |
-          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
       - name: Set Node.js 18
         uses: actions/setup-node@v3
         with:

.github/workflows/manual-build-pro-image.yml

@@ -16,12 +16,8 @@ on:
         required: true
 
 jobs:
-  app-token:
-    if: github.event.pull_request.head.repo.fork != true
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   build-and-push:
-    needs: app-token
+    if: github.event.pull_request.head.repo.fork != true
     runs-on: ubuntu-latest
     services:
       verdaccio:
@@ -29,13 +25,13 @@ jobs:
         ports:
           - 4873:4873
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
       - name: Checkout
         uses: actions/checkout@v3
         with:

.github/workflows/manual-release.yml

@@ -12,12 +12,8 @@ on:
         type: boolean
 
 jobs:
-  app-token:
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   pre-merge-main-into-next:
     runs-on: ubuntu-latest
-    needs: app-token
     strategy:
       matrix:
         repo:
@@ -25,13 +21,18 @@ jobs:
           - 'pro-plugins'
           - ${{ fromJSON(vars.PRO_PLUGIN_REPOS) }}
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -41,8 +42,8 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
       - name: main -> next (nocobase/${{ matrix.repo }})
         run: |
-          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
           git checkout main
           git pull origin main
           git checkout next
@@ -50,17 +51,21 @@ jobs:
           git push origin next --tags --atomic
   update-version:
     needs:
-      - app-token
       - pre-merge-main-into-next
     runs-on: ubuntu-latest
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -101,8 +106,8 @@ jobs:
           echo "$(<.git/info/exclude )"
           cd ./../..
           git checkout main
-          git config --global user.name '${{ needs.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ needs.app-token.outputs.user-id }}+${{ needs.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
           echo "packages/pro-plugins" >> .git/info/exclude
           bash release.sh $IS_FEAT
         env:

.github/workflows/release-next.yml

@@ -8,21 +8,22 @@ on:
   workflow_dispatch:
 
 jobs:
-  app-token:
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   publish-npm:
     runs-on: ubuntu-latest
     container: node:18
-    needs: app-token
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -75,8 +76,8 @@ jobs:
       - name: publish npmjs.org
         continue-on-error: true
         run: |
-          git config --global user.email "test@mail.com"
-          git config --global user.name "test"
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
           git config --global --add safe.directory /__w/nocobase/nocobase
           npm config set access public
           npm config set registry https://registry.npmjs.org/
@@ -86,6 +87,8 @@ jobs:
           yarn config set //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
           yarn install
           yarn lerna version ${{ env.NEWVERSION }} -y --no-git-tag-version
+          git tag v${{ env.NEWVERSION }}
+          git push origin v${{ env.NEWVERSION }}
           yarn build
           echo "# test" >> Release.md
           git add .
@@ -106,6 +109,19 @@ jobs:
           do
           git clone -b next https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/nocobase/$repo.git packages/pro-plugins/@nocobase/$repo
           done
+      - name: Tag Pro plugins
+        run: |
+          cd ./packages/pro-plugins
+          git tag v${{ env.NEWVERSION }}
+          git push origin v${{ env.NEWVERSION }}
+          cd ../../
+          for repo in ${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ' ') }}
+          do
+            cd ./packages/pro-plugins/@nocobase/$repo
+            git tag v${{ env.NEWVERSION }}
+            git push origin v${{ env.NEWVERSION }}
+            cd ../../../../
+          done
       - name: Build Pro plugins
         run: |
           yarn config set registry https://registry.npmjs.org/

.github/workflows/release.yml

@@ -10,21 +10,17 @@ on:
       - 'v*'
 
 jobs:
-  app-token:
-    uses: nocobase/nocobase/.github/workflows/get-nocobase-app-token.yml@main
-    secrets: inherit
   publish-npm:
     runs-on: ubuntu-latest
     container: node:18
-    needs: app-token
     steps:
-      - name: Decrypt app token
+      - uses: actions/create-github-app-token@v1
         id: app-token
-        shell: bash
-        run: |
-          ENCRYPTED_SECRET=${{ needs.app-token.outputs.token }};
-          APP_TOKEN=$(echo -n "$ENCRYPTED_SECRET" | base64 --decode | openssl enc -aes-256-cbc -pbkdf2 -d -salt -k "${{ secrets.APP_TOKEN_ENCRYPTION_PASSWORD }}");
-          echo "token=$APP_TOKEN" >> $GITHUB_OUTPUT
+        with:
+          app-id: ${{ vars.NOCOBASE_APP_ID }}
+          private-key: ${{ secrets.NOCOBASE_APP_PRIVATE_KEY }}
+          repositories: nocobase,pro-plugins,${{ join(fromJSON(vars.PRO_PLUGIN_REPOS), ',') }}
+          skip-token-revoke: true
       - name: Checkout
         uses: actions/checkout@v3
       - name: Send curl request and parse response

scripts/release/changelogAndRelease.js

@@ -186,14 +186,12 @@ function arrangeChangelogs(changelogs) {
 async function collect() {
   let { from, to, ver = 'beta' } = program.opts();
   if (!from || !to) {
-    // git describe --tags $(git rev-list --tags --max-count=2) --abbrev=0
+    // git tag -l --sort=version:refname | grep "v*-ver" | tail -2
     const tagPattern = `v*-${ver}`;
-    const { stdout: tags } = await execa(
-      'git',
-      ['describe', '--tags', `$(git rev-list --tags=${tagPattern} --max-count=2)`, '--abbrev=0'],
-      { shell: true },
-    );
-    [from, to] = tags.split('\n').reverse();
+    const { stdout: tags } = await execa(`git tag -l --sort=version:refname | grep "${tagPattern}" | tail -2`, {
+      shell: true,
+    });
+    [from, to] = tags.split('\n');
   }
   console.log(`From: ${from}, To: ${to}`);
   const changelogs = [];