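name: Build Node-Packages

on:
  workflow_dispatch:
  workflow_run:
    workflows: ["Build Node (Standard)"]
    types:
      - completed
    # Filters on the head branch of the triggering "Build Node (Standard)" run.
    branches:
      - v22.21.1

jobs:
  build-packages:
    # Run on a manual dispatch, or only after a successful upstream build.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    # id-token: write is what the OIDC federation in the AWS step needs;
    # contents: write is what `gh release upload` needs.
    permissions:
      id-token: write
      contents: write
    strategy:
      matrix:
        include:
          - platform: linux
            arch: x64
            bazel_arch: amd64
            runs_on: ubuntu-22.04
          - platform: linux
            arch: arm64
            bazel_arch: arm64
            runs_on: ubuntu-22.04-arm
    runs-on: ${{ matrix.runs_on }}
    env:
      NODE_VERSION: v22.21.1
      PLATFORM: ${{ matrix.platform }}
      ARCH: ${{ matrix.arch }}
      BAZEL_ARCH: ${{ matrix.bazel_arch }}
      REPO: ${{ github.repository }}
    steps:
      # Check out the v22.21.1 branch (not the workflow's default branch) so that
      # Dockerfile.Packages and the Node source tree are present. The workflow YAML
      # itself runs from whichever ref triggered it (main for workflow_dispatch, or
      # v22.21.1 for workflow_run) — that's what the OIDC subject claim binds to,
      # and it's how the IAM role's ref_patterns gate works. `ref:` here only
      # controls which tree gets checked out into $GITHUB_WORKSPACE.
      #
      # NOTE(review): GitHub's documentation describes workflow_run as executing
      # the workflow file from the default branch, with github.ref set to the
      # default-branch ref. If that holds here, the `github.ref == 'refs/heads/main'`
      # gates on the S3 steps below would also pass for workflow_run-triggered
      # runs (i.e. after a push to the unprotected v22.21.1 branch), not only for a
      # manual dispatch from main — confirm against the OIDC claims the IAM role
      # actually receives before relying on the gate.
      #
      # Security note: v22.21.1 is not a protected branch, so in principle any of
      # the repo's ~530 collaborators could push a malicious Dockerfile.Packages
      # and have this workflow build+upload the resulting image. That same risk
      # already existed for the Node source itself (which also lives on this
      # branch), so this change does not expand the attack surface. A follow-up
      # PR will propose a structural fix (branch protection, patch series, or
      # submodule model) — tracked in our internal project notes.
      - name: Checkout repository
        # NOTE(review): actions referenced by a mutable tag (here and the AWS
        # credentials action below) can change underneath this workflow;
        # pinning to a full commit SHA removes that supply-chain exposure.
        uses: actions/checkout@v3
        with:
          ref: ${{ env.NODE_VERSION }}

      - name: Debug Matrix Values
        run: |
          echo "Matrix platform: $PLATFORM"
          echo "Matrix arch: $ARCH"

      - name: Download Node archive
        # The source repo is hard-coded here while the release-upload step below
        # uses $REPO (github.repository); on a fork the two diverge — confirm
        # which is intended. No checksum or signature check is applied to the
        # downloaded asset; presumably it is trusted because the release is
        # written by build-node.yml in this repo (see the upload step's comment).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ASSET="node-${NODE_VERSION}-${PLATFORM}-${ARCH}-LATEST.tar.xz"
          gh release download "node-${NODE_VERSION}-release" \
            --repo asana/node \
            --pattern "$ASSET"
          mv "$ASSET" node.tar.xz

      - name: Execute the Dockerfile
        # Builds from the checked-out v22.21.1 tree; node.tar.xz is in the context.
        run: |
          pwd
          docker build -t node22_packages_build -f Dockerfile.Packages .

      - name: Extract resources
        # Copy node_modules out of a stopped container rather than running it.
        run: |
          docker create --name temp_node_packages_extract node22_packages_build
          docker cp temp_node_packages_extract:/usr/src/node/node_modules "$GITHUB_WORKSPACE/node_modules"
          docker rm temp_node_packages_extract

      - name: Tar node-packages
        # Re-home each native module under <name>@<version>/node_modules/ before
        # archiving; the scoped @datadog/pprof path uses "+" in the directory name.
        run: |
          mkdir -p ./bcrypt@5.1.0/node_modules
          mkdir -p ./cld@2.9.1/node_modules
          mkdir -p ./unix-dgram@2.0.6/node_modules
          mkdir -p "./@datadog+pprof@5.8.0/node_modules/@datadog"
          mv node_modules/bcrypt ./bcrypt@5.1.0/node_modules/
          mv node_modules/cld ./cld@2.9.1/node_modules/
          mv node_modules/unix-dgram ./unix-dgram@2.0.6/node_modules/
          mv "node_modules/@datadog/pprof" "./@datadog+pprof@5.8.0/node_modules/@datadog/"
          tar --hard-dereference -cvzf "packages_${ARCH}.tar.gz" bcrypt@5.1.0 cld@2.9.1 unix-dgram@2.0.6 "@datadog+pprof@5.8.0"

      - name: Upload archive to release
        # Use `gh release upload` (first-party GitHub CLI, pre-installed on runners)
        # instead of softprops/action-gh-release (one-maintainer third-party action).
        # Behavior: --clobber overwrites an existing asset with the same name, matching
        # softprops's default. The release must already exist (created by build-node.yml).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "node-${NODE_VERSION}-release" \
            "packages_${ARCH}.tar.gz" \
            --clobber \
            --repo "$REPO"

      # S3 upload is restricted to the protected main branch only. The IAM role
      # (push_node_gyp_packages) trusts only refs/heads/main via OIDC. To upload
      # packages to S3 after a Node upgrade, trigger workflow_dispatch from main.
      - name: Configure AWS credentials
        if: github.ref == 'refs/heads/main'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::403483446840:role/autogen_github_actions_beta_push_node_gyp_packages

      - name: Upload packages to S3
        if: github.ref == 'refs/heads/main'
        run: |
          # The default run shell does not enable pipefail, so a failed sha256sum
          # would otherwise be masked by awk and produce an empty hash (and an
          # S3 key ending in "-.tar.gz"). Fail the step instead.
          set -o pipefail

          # Upload to s3://asana-oss-cache/node-gyp/... (CloudFront path_patterns entry
          # added in codez PR #390222 — that must be merged + applied via Spacelift
          # before this workflow can successfully publish fetchable objects).
          #
          # No --acl public-read: the bucket has BucketOwnerEnforced
          # (disable_confusing_acls = true), which disables ACLs entirely.
          # BlockPublicAcls + IgnorePublicAcls provide additional coverage.
          # Reads come via CloudFront OAC.

          # Strip the leading "v" and keep the major component (v22.21.1 -> 22).
          NODE_MAJOR="${NODE_VERSION#v}"
          NODE_MAJOR="${NODE_MAJOR%%.*}"
          SHA256=$(sha256sum "packages_${ARCH}.tar.gz" | awk '{print $1}')
          SHORT_HASH="${SHA256:0:8}"
          S3_KEY="node-gyp/packages_${BAZEL_ARCH}_node${NODE_MAJOR}-${SHORT_HASH}.tar.gz"
          echo "Uploading packages_${ARCH}.tar.gz to s3://asana-oss-cache/$S3_KEY"
          aws s3 cp "packages_${ARCH}.tar.gz" "s3://asana-oss-cache/$S3_KEY"
          # Export for the verification and stanza steps below.
          {
            echo "S3_KEY=$S3_KEY"
            echo "SHA256=$SHA256"
            echo "NODE_MAJOR=$NODE_MAJOR"
          } >> "$GITHUB_ENV"

      - name: Verify upload is reachable via CloudFront
        if: github.ref == 'refs/heads/main'
        run: |
          # Mac Bazel builds rewrite asana-oss-cache.s3.us-east-1.amazonaws.com/*
          # to asana-oss-cache.asana.biz/* (CloudFront). If the S3 key prefix isn't
          # allowlisted in CloudFront's path_patterns, Bazel fetches will 403.
          # Fail fast here rather than after someone tries to build.
          URL="https://asana-oss-cache.asana.biz/$S3_KEY"
          echo "Checking $URL"
          # -f: non-2xx is an error; -I: HEAD only, no body download.
          if ! curl -fsSI "$URL"; then
            echo "CloudFront returned an error for $URL. Check path_patterns in system_packages.tf."
            exit 1
          fi

      - name: Print tools_repositories.bzl stanza
        if: github.ref == 'refs/heads/main'
        # Prints the repository rule fields a maintainer pastes into codez; the
        # sha256 echoed here is the one computed before upload, so it pins the
        # exact archive that was published.
        run: |
          echo ""
          echo "=== Update tools_repositories.bzl in codez ==="
          echo "    name = \"node_gyp_packages_${BAZEL_ARCH}_node${NODE_MAJOR}\","
          echo "    urls = [\"https://asana-oss-cache.s3.us-east-1.amazonaws.com/$S3_KEY\"],"
          echo "    sha256 = \"$SHA256\","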