feat: migrate from Travis to GitHub Actions

Author: felixfbecker

package.json

@@ -30,7 +30,6 @@
     "build": "tsc -p .",
     "watch": "tsc -w -p .",
     "package-schema": "download http://json.schemastore.org/package | json2ts | prettier --parser typescript > src/package-schema.ts",
-    "travis-schema": "download http://json.schemastore.org/travis | json2ts | prettier --parser typescript > src/travis-schema.ts",
     "tsconfig-schema": "download http://json.schemastore.org/tsconfig | json2ts | prettier --parser typescript > src/tsconfig-schema.ts",
     "eslintrc-schema": "download http://json.schemastore.org/eslintrc | json2ts | prettier --parser typescript > src/eslintrc-schema.ts",
     "renovate-schema": "download http://json.schemastore.org/renovate | json2ts | prettier --parser typescript > src/renovate-schema.ts",
@@ -58,7 +57,8 @@
     "mkdirp-promise": "^5.0.1",
     "mz": "^2.7.0",
     "npm-registry-client": "^8.6.0",
-    "source-map-support": "^0.5.16"
+    "source-map-support": "^0.5.16",
+    "tweetsodium": "^0.0.5"
   },
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",
@@ -75,7 +75,7 @@
     "download-cli": "^1.1.1",
     "eslint": "^7.17.0",
     "husky": "^4.2.3",
-    "json-schema-to-typescript": "^8.2.0",
+    "json-schema-to-typescript": "^10.1.2",
     "prettier": "^2.1.2",
     "semantic-release": "^17.0.6",
     "typescript": "^4.1.3"

src/cli.ts

@@ -11,7 +11,7 @@ import { createGitHubClient } from './github'
 import { JsonSchemaForNpmPackageJsonFiles } from './package-schema'
 import * as prompt from './prompt'
 import { JsonSchemaForRenovateConfigFilesHttpsRenovatebotCom } from './renovate-schema'
-import { createTravisClient, initTravis } from './travis'
+import { initGitHubWorkflow } from './github-workflow'
 import { JsonSchemaForTheTypeScriptCompilersConfigurationFile } from './tsconfig-schema'
 import { JSONSchemaForESLintConfigurationFiles } from './eslintrc-schema'
 import mkdirp from 'mkdirp-promise'
@@ -42,19 +42,6 @@ async function main(): Promise<void> {
     console.log('Using BUILDKITE_TOKEN from env var')
     const buildkiteClient = createBuildkiteClient({ token: process.env.BUILDKITE_TOKEN })
 
-    if (!process.env.TRAVIS_TOKEN) {
-        throw createCLIError(
-            [
-                'No TRAVIS_TOKEN env var set.',
-                'Copy it from https://travis-ci.org/profile or create one with the Travis CLI by running',
-                '',
-                '    travis login --github-token $GITHUB_TOKEN',
-                '    travis token',
-            ].join('\n')
-        )
-    }
-    const travisClient = createTravisClient({ token: process.env.TRAVIS_TOKEN })
-
     console.log('*️⃣ Welcome to the Sourcegraph npm package initializer')
 
     if (!(await exists('.git'))) {
@@ -382,8 +369,8 @@ async function main(): Promise<void> {
         })
         buildBadge = `[![build](${badgeUrl}?branch=master)](${webUrl})`
     } else {
-        await initTravis({ repoName, hasTests, travisClient, githubClient })
-        buildBadge = `[![build](https://travis-ci.org/sourcegraph/${repoName}.svg?branch=master)](https://travis-ci.org/sourcegraph/${repoName})`
+        await initGitHubWorkflow({ repoName, hasTests, githubClient })
+        buildBadge = `[![build](https://img.shields.io/github/workflow/status/sourcegraph/${repoName}/build/master)](https://github.com/sourcegraph/${repoName}/actions?query=branch%3Amaster+workflow%3Abuild)`
     }
 
     if (await exists('README.md')) {

src/github-workflow.ts

@@ -0,0 +1,129 @@
+/* eslint-disable no-template-curly-in-string */
+import { HTTPError } from 'got'
+import * as yaml from 'js-yaml'
+import { exists, writeFile } from 'mz/fs'
+import { GitHubClient } from './github'
+import { createSourcegraphBotNpmToken } from './npm'
+import * as sodium from 'tweetsodium'
+
+const createGitHubSecret = async ({
+    repoName,
+    name,
+    value,
+    githubClient,
+}: {
+    repoName: string
+    name: string
+    value: string
+    githubClient: GitHubClient
+}): Promise<void> => {
+    // Get public key for repository
+    const { keyId, key } = await githubClient.get<{ keyId: string; key: string }>(
+        `repos/sourcegraph/${repoName}/actions/secrets/public-key`,
+        {
+            responseType: 'json',
+            resolveBodyOnly: true,
+        }
+    )
+
+    // Convert the message and key to Uint8Array's (Buffer implements that interface)
+    const messageBytes = Buffer.from(value)
+    const keyBytes = Buffer.from(key, 'base64')
+
+    // Encrypt using LibSodium.
+    const encryptedBytes = sodium.seal(messageBytes, keyBytes)
+
+    // Base64 the encrypted secret
+    const encryptedValue = Buffer.from(encryptedBytes).toString('base64')
+
+    await githubClient.post(`repos/sourcegraph/${repoName}/actions/secrets/${name}`, {
+        json: {
+            encrypted_value: encryptedValue,
+            key_id: keyId,
+        },
+    })
+}
+
+export async function initGitHubWorkflow({
+    hasTests,
+    repoName,
+    githubClient,
+}: {
+    hasTests: boolean
+    repoName: string
+    githubClient: GitHubClient
+}): Promise<void> {
+    console.log('⚙️ Setting up GitHub Actions Workflow')
+    if (await exists('.github/workflows/build.yml')) {
+        console.log('.github/workflows/build.yml already exists, skipping')
+    } else {
+        const workflowYaml = {
+            name: 'build',
+            on: ['push', 'pull_request'],
+            env: {
+                FORCE_COLOR: 3,
+            },
+            jobs: {
+                build: {
+                    'runs-on': 'ubuntu-latest',
+                    steps: [
+                        { uses: 'actions/checkout@v2' },
+                        {
+                            name: 'Use Node.js',
+                            uses: 'actions/setup-node@v2',
+                            with: {
+                                'node-version': '14.x',
+                            },
+                        },
+                        { run: 'yarn' },
+                        { run: 'yarn run prettier-check' },
+                        { run: 'yarn run eslint' },
+                        { run: 'yarn run build' },
+                        ...(hasTests
+                            ? [
+                                  { run: 'yarn test' },
+                                  { run: 'nyc report --reporter json' },
+                                  {
+                                      name: 'Upload coverage to Codecov',
+                                      uses: 'codecov/codecov-action@v1',
+                                  },
+                              ]
+                            : []),
+                        {
+                            name: 'release',
+                            if:
+                                "github.repository_owner == 'sourcegraph' && github.event_name == 'push' && github.ref == 'refs/heads/master'",
+                            run: 'yarn run semantic-release',
+                            env: {
+                                GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}',
+                                NPM_TOKEN: '${{ secrets.NPM_TOKEN }}',
+                            },
+                        },
+                    ],
+                },
+            },
+        }
+        await writeFile('.github/workflows/build.yml', yaml.dump(workflowYaml))
+    }
+
+    const secretName = 'NPM_TOKEN'
+    try {
+        await githubClient.get(`repos/sourcegraph/${repoName}/actions/secrets/${secretName}`, {
+            responseType: 'json',
+            resolveBodyOnly: true,
+        })
+        console.log('🔑 NPM_TOKEN already set in GitHub secrets, skipping creation')
+    } catch (error) {
+        if (!(error instanceof HTTPError) || error.response.statusCode !== 404) {
+            throw error
+        }
+        const npmToken = await createSourcegraphBotNpmToken()
+        console.log('🔑 Setting NPM_TOKEN GitHub secret')
+        await createGitHubSecret({
+            repoName,
+            name: secretName,
+            value: npmToken,
+            githubClient,
+        })
+    }
+}

src/github.ts

@@ -1,5 +1,4 @@
 import got, { Got } from 'got'
-import * as prompt from './prompt'
 
 export type GitHubClient = Got
 
@@ -13,32 +12,3 @@ export const createGitHubClient = ({ token }: { token: string }): GitHubClient =
         responseType: 'json',
         resolveBodyOnly: true,
     })
-
-export async function createSourcegraphBotGitHubToken({
-    repoName,
-    githubClient,
-}: {
-    repoName: string
-    githubClient: GitHubClient
-}): Promise<string> {
-    console.log(
-        'See credentials in https://team-sourcegraph.1password.com/vaults/dnrhbauihkhjs5ag6vszsme45a/allitems/7s46bqcnl5hxzbutupu44va7gu'
-    )
-    const password = await prompt.password('@sourcegraph-bot GitHub password')
-    const otp = await prompt.input('@sourcegraph-bot GitHub 2FA code')
-
-    const response = await githubClient.post<{ token: string }>('authorizations', {
-        headers: {
-            Authorization: 'Basic ' + Buffer.from('sourcegraph-bot:' + password).toString('base64'),
-            'X-GitHub-OTP': otp,
-        },
-        json: {
-            note: `semantic-release Travis CI for repo ${repoName}`,
-            scopes: ['repo', 'read:org', 'user:email', 'repo_deployment', 'repo:status', 'write:repo_hook'],
-        },
-        responseType: 'json',
-        resolveBodyOnly: true,
-    })
-    console.log('🔑 Created GitHub token for @sourcegraph-bot')
-    return response.token
-}