From 4abaf3e24c2143f93f4b1768bb18803d8c2ef40b Mon Sep 17 00:00:00 2001 From: rdietrick Date: Wed, 19 Mar 2025 20:24:11 -0700 Subject: [PATCH] changes names of some vars/secrets @gfarb had opened a PR with these changes a long time ago. --- .../issue-branch-creation-handler.yml | 4 +- .github/workflows/push-to-main-handler.yml | 73 ++++++++++++------- docs/Getting Started.md | 16 ++-- scripts/sandbox_auth | 2 +- 4 files changed, 56 insertions(+), 39 deletions(-) diff --git a/.github/workflows/issue-branch-creation-handler.yml b/.github/workflows/issue-branch-creation-handler.yml index e83688c..a6da448 100644 --- a/.github/workflows/issue-branch-creation-handler.yml +++ b/.github/workflows/issue-branch-creation-handler.yml @@ -41,9 +41,9 @@ jobs: run: | echo "${{ secrets.SALESFORCE_JWT_KEY }}" > server.key npx sf auth jwt grant \ - --client-id ${{ secrets.SALESFORCE_CLIENT_ID }} \ + --client-id ${{ secrets.SALESFORCE_PROD_CLIENT_ID }} \ --jwt-key-file server.key \ - --username ${{ secrets.SALESFORCE_DEVHUB_USERNAME }} \ + --username ${{ secrets.SALESFORCE_PROD_USERNAME }} \ --set-default-dev-hub -a DevHub rm server.key - name: Extract Branch Name diff --git a/.github/workflows/push-to-main-handler.yml b/.github/workflows/push-to-main-handler.yml index 6299f5e..76c78de 100644 --- a/.github/workflows/push-to-main-handler.yml +++ b/.github/workflows/push-to-main-handler.yml @@ -20,6 +20,20 @@ jobs: with: node-version-file: ".nvmrc" + - name: Cache Node Modules + uses: actions/cache@v3.0.11 + id: npm_cache_id + with: + path: node_modules + key: ${{ runner.os }}-npm-cache-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-npm-cache- + ${{ runner.os }}- + + - name: Install Dependencies + if: steps.npm_cache_id.outputs.cache-hit != 'true' + run: npm ci + - name: Authorize external workspace run: | git config --global --add safe.directory /github/workspace @@ -40,8 +54,7 @@ jobs: echo "IS_RELEASE=true" >> "$GITHUB_OUTPUT" fi - - name: Install profile decompose sf plugin # ERROR: Unable to convert this command; you must convert it manually. - + - name: Install profile decompose sf plugin if: steps.requires-deploy.outputs.changed == '1' run: echo y | npx sf plugins install @rdietrick/sfdx-profile-decompose @@ -51,7 +64,7 @@ jobs: SALESFORCE_JWT_KEY: ${{ secrets.SALESFORCE_JWT_KEY }} run: | echo "${SALESFORCE_JWT_KEY}" > server.key - npx sf auth jwt grant --client-id ${{ secrets.SALESFORCE_CLIENT_ID }} --jwt-key-file server.key --username ${{ secrets.SALESFORCE_DEVHUB_USERNAME}} --set-default-dev-hub -a DevHub + npx sf auth jwt grant --client-id ${{ secrets.SALESFORCE_PROD_CLIENT_ID }} --jwt-key-file server.key --username ${{ secrets.SALESFORCE_PROD_USERNAME}} --set-default-dev-hub -a DevHub npx sf org display --json -o DevHub > sfdx-auth.json - name: Recompose profiles @@ -64,6 +77,7 @@ jobs: if: steps.branchFilter.outputs.matches == 'true' && steps.requires-deploy.outputs.changed == '1' && steps.check_first_deploy.outputs.FIRST_DEPLOY == 'true' id: check_for_destructive_changes run: | + DESTRUCTIVE_FILES_EXIST=true if [ -f destructive-changes/destructiveChangesPre.xml ] && [ -f destructive-changes/destructiveChangesPost.xml ] then echo "DESTRUCTIVE_FILES=--predestructivechanges destructive-changes/destructiveChangesPre.xml --postdestructivechanges destructive-changes/destructiveChangesPost.xml" >> "$GITHUB_OUTPUT"; @@ -73,13 +87,20 @@ jobs: elif [ -f destructive-changes/destructiveChangesPost.xml ] then echo "DESTRUCTIVE_FILES=--postdestructivechanges destructive-changes/destructiveChangesPost.xml" >> "$GITHUB_OUTPUT"; + else + DESTRUCTIVE_FILES_EXIST=false + fi + if [ "$DESTRUCTIVE_FILES_EXIST" == "true" ] + then + RELEASE_DATE=$(TZ=America/Los_Angeles date +'%Y-%m-%d') + echo "DESTRUCTIVE_CHANGES_CLEANUP_BRANCH=clean-up-destructive-changes-$RELEASE_DATE" >> $GITHUB_OUTPUT; fi - name: Deploy to Production if: steps.requires-deploy.outputs.changed == '1' run: | sudo npx sf project generate manifest -p force-app -n temp-deploy-manifest - sudo npx sf project deploy start -o DevHub -x temp-deploy-manifest.xml ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_FILES }} -w 200 -l RunLocalTests --ignore-conflicts + sudo npx sf project deploy start -o DevHub -x temp-deploy-manifest.xml ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_FILES }} -w ${{ vars.DEPLOYMENT_TIMEOUT }} -l RunLocalTests --ignore-conflicts - name: Get Previous Tag if: steps.check_release.outputs.IS_RELEASE == 'true' && steps.requires-deploy.outputs.changed == '1' @@ -122,7 +143,7 @@ jobs: if: steps.requires-deploy.outputs.changed == '1' run: | echo "${SALESFORCE_TEMPLATE_JWT_SECRET_KEY}" > template-server.key - sudo npx sf org login jwt --client-id ${{ secrets.SALESFORCE_TEMPLATE_CONSUMER_KEY }} --jwt-key-file template-server.key --username ${{ secrets.SALESFORCE_TEMPLATE_USERNAME}} --alias Template --instance-url https://test.salesforce.com + sudo npx sf org login jwt --client-id ${{ secrets.SALESFORCE_TEMPLATE_CLIENT_ID }} --jwt-key-file server.key --username ${{ secrets.SALESFORCE_TEMPLATE_USERNAME}} --alias Template --instance-url https://test.salesforce.com sudo npx sf org display --json -o Template > sfdx-auth.json env: SALESFORCE_TEMPLATE_JWT_SECRET_KEY: ${{ secrets.SALESFORCE_TEMPLATE_JWT_SECRET_KEY }} @@ -131,27 +152,27 @@ jobs: if: steps.requires-deploy.outputs.changed == '1' run: | sudo npx sf project generate manifest -p force-app -n temp-deploy-manifest - sudo npx sf org display --json -o Template > sfdx-auth.json + npx sf project deploy start -o Template -x temp-deploy-manifest.xml ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_FILES }} -w ${{ vars.DEPLOYMENT_TIMEOUT }} -l RunLocalTests --ignore-conflicts - - name: Create PR with cleaned up destructive changes - if: steps.check_release.outputs.IS_RELEASE == 'true' && steps.requires-deploy.outputs.changed == '1' + - name: Remove Destructive Change Files + if: steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH != '' + run: | + git checkout -b ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH }} + git clean -fd + rm -rf destructive-changes + - name: Commit Destructive Change Cleanup + if: steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH != '' + uses: stefanzweifel/git-auto-commit-action@75802d269e7721b5146d08f6063ba3097c55ad2b + with: + branch: ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH }} + commit_message: Clean up destructive changes from release + + - name: Create Destructive Change Cleanup Pull Request + if: steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH != '' env: - PAT: ${{ secrets.SCOPED_PAT }} - USER_EMAIL: ${{ secrets.BOT_USER_EMAIL }} - USER_NAME: ${{ secrets.BOT_USER_NAME }} + DESTRUCTIVE_CHANGE_CLEANUP_BRANCH: ${{ steps.check_for_destructive_changes.outputs.DESTRUCTIVE_CHANGES_CLEANUP_BRANCH }} + GH_TOKEN: ${{ secrets.SCOPED_PAT }} run: | - if [ -f destructive-changes/destructiveChanges.xml ] || [ -f destructive-changes/destructiveChangesPre.xml ] || [ -f destructive-changes/destructiveChangesPost.xml ] - then - RELEASE_DATE=$(date +'%Y-%m-%d') - echo $PAT | gh auth login --with-token - git config --global user.email "$USER_EMAIL" - git config --global user.name "$USER_NAME" - - git checkout -b clean-up-destructive-changes-"$RELEASE_DATE" && git push --set-upstream origin clean-up-destructive-changes-"$RELEASE_DATE" - git rm -r destructive-changes - git commit -m "Clean up destructive changes from release" && git push - - gh pr create --title "Clean up destructive changes" \ - --body "Please merge \`clean-up-destructive-changes-$RELEASE_DATE\` into \`main\` and delete \`clean-up-destructive-changes-$RELEASE_DATE\`." \ - -H clean-up-destructive-changes-"$RELEASE_DATE" -B main - fi + gh pr create --title "Clean up destructive changes" \ + --body "Please merge \`$DESTRUCTIVE_CHANGE_CLEANUP_BRANCH\` into \`main\` and delete \`$DESTRUCTIVE_CHANGE_CLEANUP_BRANCH\`." \ + -H "$DESTRUCTIVE_CHANGE_CLEANUP_BRANCH" -B main diff --git a/docs/Getting Started.md b/docs/Getting Started.md index ca6ac57..66d9d7f 100644 --- a/docs/Getting Started.md +++ b/docs/Getting Started.md @@ -26,7 +26,7 @@ These step-by-step instructions will walk you through your initial project setup 1. [Create a new repository](https://github.com/new?owner=&template_name=octoforce-actions&template_owner=github) from this repo. Check out your new repo locally. 2. If you haven't already, [enable DevHub](https://help.salesforce.com/s/articleView?id=sf.sfdx_setup_enable_devhub.htm&type=5) in your production Salesforce org. Workflows in this repo will use your org's DevHub to provision development and test sandboxes for your project. -3. Create (or repurpose an existing) an admin user in your production org that will be used for deployments and sandbox provisioning. Store the username of this user in a repo secret named `SALESFORCE_DEVHUB_USERNAME`. +3. Create (or repurpose an existing) an admin user in your production org that will be used for deployments and sandbox provisioning. Store the username of this user in a repo secret named `SALESFORCE_PROD_USERNAME`. 4. Create a [private key and certificate for use in the app you'll create in the next step](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) 5. Create a connected app in your production Salesforce org for the octoforce CI/CD application that will be provisioning sandboxes and deploying to production. - Name your app 'octoforce' or something similar. @@ -39,10 +39,10 @@ These step-by-step instructions will walk you through your initial project setup - Grant the "system administrator" profile (or whichever profile the user designated in step 3 is assigned) access to the new connected app - Store the following secrets in your repo: - `SALESFORCE_JWT_KEY` - use the contents of the server.key file generated in step 4 above - - `SALESFORCE_CLIENT_ID` - use the Consumer Key of the connected app you just created + - `SALESFORCE_PROD_CLIENT_ID` - use the Consumer Key of the connected app you just created 6. Clone your production org to create a sandbox named "template". This is the org that will be cloned to create your dev and uat sandboxes. 7. When your newly created template sandbox is provisioned, configure it identically to how you did in step 5 above. You can use the same certificate and key pair or generate new ones. Create two repo secrets with the following values from your template sandbox: - - `SALESFORCE_TEMPLATE_CONSUMER_KEY` - use the consumer key of the octoforce connected app replicated from production to your template sandbox + - `SALESFORCE_TEMPLATE_CLIENT_ID` - use the consumer key of the octoforce connected app replicated from production to your template sandbox - `SALESFORCE_TEMPLATE_JWT_SECRET_KEY` - use the value of the server.key file related to your template certificate - `SALESFORCE_TEMPLATE_USERNAME` - use the username of the salesforce admin user replicated in your template sandbox 8. [Follow these directions](https://github.com/github/octoforce-actions/blob/add-setup-docs/docs/SFDX%20Auth%20URLs%20%26%20Encryption.md) to generate and store your age encryption keys. Be sure to store the generated private key in the `SFDX_AUTH_SECRET_KEY` repo secret and to replace the contents of `auth/public-key.txt`. @@ -81,20 +81,16 @@ The following secrets are required to be set in the repository settings: - This is a personal access token with the `repo` scope. This is used to checkout the repository and push any changes. - `SALESFORCE_JWT_KEY` - This is the private key used to generate the JWT token. This is used to authenticate with Salesforce production. -- `SALESFORCE_CLIENT_ID` +- `SALESFORCE_PROD_CLIENT_ID` - This is the client ID used to generate the JWT token. This is used to authenticate with Salesforce production. -- `SALESFORCE_DEVHUB_USERNAME` +- `SALESFORCE_PROD_USERNAME` - This is the username of the admin user of your DevHub/production org. This is used to authenticate with Salesforce production. -- `SALESFORCE_TEMPLATE_CONSUMER_KEY` +- `SALESFORCE_TEMPLATE_CLIENT_ID` - This is the consumer key of the template org. This is used to authenticate with the template sandbox. - `SALESFORCE_TEMPLATE_USERNAME` - This is the username of the template org. This is used to authenticate with the template sandbox. - `SALESFORCE_TEMPLATE_JWT_SECRET_KEY` - This is the private key used to generate the JWT token. This is used to authenticate with the template sandbox. -- `BOT_USER_EMAIL` - - This is the email of the GitHub bot user. This is used to create pull requests against the main branch. -- `BOT_USER_NAME` - - This is the GitHub username of the bot user. This is used to create pull requests against the main branch. - `SFDX_AUTH_SECRET_KEY` - This is the age private key used to encrypt sfdx auth URLs. The encrypted sfdx auth URLs are required to deploy pull requests to UAT sandboxes and are generated by running `scripts/sandbox_auth`. Please see [SFDX Auth URLs & Encryption.md](SFDX%20Auth%20URLs%20%26%20Encryption.md) for more information. diff --git a/scripts/sandbox_auth b/scripts/sandbox_auth index e7d28ed..1cde4f9 100755 --- a/scripts/sandbox_auth +++ b/scripts/sandbox_auth @@ -42,7 +42,7 @@ else wait $PID fi -echo "===> Generating encrypted sf auth URL file... " +echo "===> Generating encrypted login URL ... " ORG_INFO="$(sf org display --target-org $UAT_ALIAS --verbose 2>/dev/null)" LOGIN_URL=$(echo "$ORG_INFO" | awk -F "Sfdx Auth Url" '{print $2}' | xargs) LOGIN_URL_FILE=auth/sandbox-login-url-${BRANCH_NAME}-uat.txt