Files
pnpm/.github/workflows/create-release-pr.yml
Zoltan Kochan 2f389d6cf7 feat(release): auto-refresh embedded signing keys in the release PR (#12798)
* feat(release): auto-refresh embedded signing keys in the release PR

The create-release-pr workflow previously failed when the embedded npm
signing keys or Node.js release keys drifted from their canonical
sources, requiring a manual update PR before a release could proceed.
Now the workflow runs the update scripts in --update mode and commits
the refreshed keys together with the version bumps, so the new trust
roots are reviewed as part of the release PR diff. A synthesized
changeset records the refresh in the changelogs of the affected
packages.

Also embeds the Node.js release team's new signing key
655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD (Stewart X Addison), which the
last release run reported as missing, and fixes the Rust renderer in
update-node-release-keys.mjs so its output is lint-clean (angle-bracket
URL for dylint's bare-url lint, raw-string hashes only when the key
contains a quote for clippy's needless_raw_string_hashes) and matches
the committed file byte-for-byte on a no-drift run.

* fix(release): canonicalize npm key order and flag trust-root refreshes

Review follow-ups: sort the merged npm signing keys by keyid so a
reordering of npm's response cannot churn the generated file or
synthesize a spurious changeset, and leave an explicit warning comment
on the release PR whenever embedded trust roots were refreshed, so a
key change cannot slip through buried in a large version-bump diff.
2026-07-04 20:47:45 +02:00

167 lines
7.1 KiB
YAML

name: Create Release PR
on:
workflow_dispatch:
inputs:
target:
description: Branch to release (the PR base; e.g. main or release/11.1).
default: main
required: true
permissions:
contents: write
pull-requests: write
# Serialize per target so two dispatches for the same branch can't race on the
# force-pushed release-pr/<target> branch.
concurrency:
group: create-release-pr-${{ github.event.inputs.target }}
cancel-in-progress: false
jobs:
create-release-pr:
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
# Don't persist the write-scoped token in .git/config; the install below
# runs third-party lifecycle scripts. Pushing is done with an explicit,
# single-use remote URL in the "Commit and push" step.
persist-credentials: false
- name: Install pnpm and Node
uses: pnpm/setup@77cf06832101b3ac8c65caaf76a21643936d07a4
with:
runtime: node@26.3.0
# Base the release on the tip of the target branch, fetched explicitly so the
# run is correct even when dispatched from another ref. The release-pr/<target>
# name is the convention `pnpm bump` reads to key the .changeset-released ledger
# by the target branch instead of this ephemeral PR branch. A force-push reuses
# an already-open release PR for the same target rather than opening a second.
- name: Prepare release branch
env:
TARGET: ${{ github.event.inputs.target }}
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git fetch origin "$TARGET"
git checkout -B "release-pr/$TARGET" FETCH_HEAD
# Refresh the npm registry signing keys embedded in
# @pnpm/deps.security.signatures from what npm advertises. pnpm verifies
# package-manager binaries (pacquet, the version-switch pnpm) against these
# keys, so a stale set could break verification after a key rotation. Any
# drift is committed below along with the version bumps, so the new trust
# roots are reviewed as part of the release PR diff.
- name: Update embedded npm signing keys
run: node pnpm11/deps/security/signatures/scripts/update-npm-signing-keys.mjs --update
# Refresh the embedded Node.js release keys (used to verify the signature of
# a downloaded runtime's SHASUMS256.txt) from the canonical
# nodejs/release-keys list, so a new release signer cannot break Node.js
# runtime verification. Reviewed in the release PR diff like the npm keys.
- name: Update embedded Node.js release keys
run: node pnpm11/crypto/shasums-file/scripts/update-node-release-keys.mjs --update
# A refreshed trust root must show up in the changelogs, so synthesize a
# changeset for whichever key sets drifted before `pnpm bump` consumes the
# pending changesets. The `drifted` output drives an explicit review signal
# on the PR, so a trust-root change cannot hide in a large version-bump diff.
- name: Add changesets for refreshed keys
id: keys
run: |
drifted=""
if ! git diff --quiet -- pnpm11/deps/security/signatures/src/npmSigningKeys.ts; then
drifted="npm registry signing keys"
cat > .changeset/release-refresh-npm-signing-keys.md <<'EOF'
---
"@pnpm/deps.security.signatures": patch
"pnpm": patch
---
Updated the embedded npm registry signing keys to the set currently advertised by npm.
EOF
fi
if ! git diff --quiet -- pnpm11/crypto/shasums-file/src/nodeReleaseKeys.ts; then
drifted="${drifted:+$drifted and }Node.js release keys"
cat > .changeset/release-refresh-node-release-keys.md <<'EOF'
---
"@pnpm/crypto.shasums-file": patch
"pnpm": patch
---
Updated the embedded Node.js release keys to the current canonical `nodejs/release-keys` list.
EOF
fi
echo "drifted=$drifted" >> "$GITHUB_OUTPUT"
# Consumes the pending changesets: bumps versions, writes changelogs, updates
# the ledger, and syncs manifests. A no-op (no pending changesets) leaves the
# tree clean and the steps below skip.
- name: Bump versions
run: pnpm bump
- name: Check for changes
id: changes
run: |
if [ -z "$(git status --porcelain)" ]; then
echo "changed=false" >> "$GITHUB_OUTPUT"
else
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Read new pnpm version
id: version
if: steps.changes.outputs.changed == 'true'
run: echo "version=$(node -p "require('./pnpm11/pnpm/package.json').version")" >> "$GITHUB_OUTPUT"
- name: Commit and push
if: steps.changes.outputs.changed == 'true'
env:
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
TARGET: ${{ github.event.inputs.target }}
VERSION: ${{ steps.version.outputs.version }}
run: |
git add -A
git commit -m "chore(release): ${VERSION}"
git push -f "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "release-pr/$TARGET"
- name: Create PR if needed
if: steps.changes.outputs.changed == 'true'
env:
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
TARGET: ${{ github.event.inputs.target }}
VERSION: ${{ steps.version.outputs.version }}
run: |
BRANCH="release-pr/$TARGET"
# An already-open PR now points at the freshly force-pushed branch, so
# there is nothing more to do.
if [ -n "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')" ]; then
echo "PR already exists; the new versions were force-pushed to it"
else
gh pr create \
--title "chore(release): ${VERSION}" \
--body "Automated release PR created by the create-release-pr workflow.
Releasing \`${TARGET}\` as pnpm v${VERSION}. Merging this PR consumes the pending changesets and records them in the \`.changeset-released\` ledger under \`${TARGET}\`." \
--base "$TARGET" \
--head "$BRANCH"
fi
# Embedded trust roots changed in this release, so leave a hard-to-miss
# comment: the refreshed keys need deliberate review, not a scroll-past
# among the version bumps and changelogs.
- name: Flag refreshed trust roots on the PR
if: steps.changes.outputs.changed == 'true' && steps.keys.outputs.drifted != ''
env:
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
TARGET: ${{ github.event.inputs.target }}
DRIFTED: ${{ steps.keys.outputs.drifted }}
run: |
PR=$(gh pr list --head "release-pr/$TARGET" --state open --json number --jq '.[0].number')
gh pr comment "$PR" --body "⚠️ This release refreshes embedded trust roots: **${DRIFTED}**. Review those key diffs deliberately before merging — they gate signature verification of Node.js runtimes and package-manager binaries."