From 9954a88d3a27258fbe3f5974354021f8a88e37ee Mon Sep 17 00:00:00 2001
From: Joe Previte <jjprevite@gmail.com>
Date: Mon, 24 Jan 2022 15:33:42 -0700
Subject: [PATCH] refactor(ci): clean up npm workflows (#4786)

This extracst the publish on npm workflow from ci.yaml and adds a new workflow
called `npm-beta.yaml`.

Now we have three workflows that publish to npm.
- `npm-beta.yaml` only runs on pushes and merges into `main`
- `npm-dev.yaml` only runs on PRs into `main` with approval from
  code-server-reviewers team
- `npm-brew.yaml` only runs on releases

This should fix problems we had previously where anyone could open a PR and
publish under the code-server namespace. It also separates out the workflows
based on environment and when they should run.
---
 .github/workflows/ci.yaml       |  9 ---------
 .github/workflows/npm-beta.yaml | 29 +++++++++++++++++++++++++++++
 .github/workflows/npm-brew.yaml |  2 +-
 .github/workflows/npm-dev.yaml  | 15 ++++++++-------
 4 files changed, 38 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/npm-beta.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index fdf7fe65..aed480e3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -177,15 +177,6 @@ jobs:
           name: npm-package
           path: ./package.tar.gz
 
-      - name: Publish npm package with PR number and commit SHA
-        run: yarn publish:npm
-        env:
-          ENVIRONMENT: "development"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TAG: ${{ github.event.number }}
-          PR_NUMBER_AND_COMMIT_SHA: ${{ github.event.number }}-${{ github.event.pull_request.head.sha }}
-
   # TODO: cache building yarn --production
   # possibly 2m30s of savings(?)
   # this requires refactoring our release scripts
diff --git a/.github/workflows/npm-beta.yaml b/.github/workflows/npm-beta.yaml
new file mode 100644
index 00000000..4ed59e4a
--- /dev/null
+++ b/.github/workflows/npm-beta.yaml
@@ -0,0 +1,29 @@
+name: Publish on npm and tag with "beta"
+
+on:
+  # Shows the manual trigger in GitHub UI
+  # helpful as a back-up in case the GitHub Actions Workflow fails
+  workflow_dispatch:
+
+  push:
+    branches:
+      - main
+
+jobs:
+  # NOTE: this job requires curl, jq and yarn
+  # All of them are included in ubuntu-latest.
+  npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Publish npm package and tag "beta"
+        run: yarn publish:npm
+        env:
+          ENVIRONMENT: "staging"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TAG: "beta"
+          # Since this only runs on a merge into main, we can't use github.event.number
+          # so we instead use the word "beta" and the PR merge commit SHA
+          PR_NUMBER_AND_COMMIT_SHA: beta-${{ github.sha }}
diff --git a/.github/workflows/npm-brew.yaml b/.github/workflows/npm-brew.yaml
index 1bb54281..c0fdcc50 100644
--- a/.github/workflows/npm-brew.yaml
+++ b/.github/workflows/npm-brew.yaml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
 
-      - name: Publish npm package with PR number and commit SHA
+      - name: Publish npm package and tag with "latest"
         run: yarn publish:npm
         env:
           ENVIRONMENT: "production"
diff --git a/.github/workflows/npm-dev.yaml b/.github/workflows/npm-dev.yaml
index db64df84..4c120284 100644
--- a/.github/workflows/npm-dev.yaml
+++ b/.github/workflows/npm-dev.yaml
@@ -1,11 +1,11 @@
-name: Publish on npm and tag with "beta"
+name: Publish on npm and tag with PR number
 
 on:
   # Shows the manual trigger in GitHub UI
   # helpful as a back-up in case the GitHub Actions Workflow fails
   workflow_dispatch:
 
-  push:
+  pull_request:
     branches:
       - main
 
@@ -13,6 +13,9 @@ jobs:
   # NOTE: this job requires curl, jq and yarn
   # All of them are included in ubuntu-latest.
   npm:
+    # This environment "npm" requires someone from
+    # coder/code-server-reviewers to approve the PR before this job runs.
+    environment: npm
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -20,10 +23,8 @@ jobs:
       - name: Run ./ci/steps/publish-npm.sh
         run: yarn publish:npm
         env:
-          ENVIRONMENT: "staging"
+          ENVIRONMENT: "development"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TAG: "beta"
-          # Since this only runs on a merge into main, we can't use github.event.number
-          # so we instead use the word "beta" and the PR merge commit SHA
-          PR_NUMBER_AND_COMMIT_SHA: beta-${{ github.sha }}
+          NPM_TAG: ${{ github.event.number }}
+          PR_NUMBER_AND_COMMIT_SHA: ${{ github.event.number }}-${{ github.event.pull_request.head.sha }}