feat: new rafiki release pipeline and nodejs bump to v20

[golobitch]

Changes proposed in this pull request

• Update NodeJS version from v18 to v20
  • v18.x is Maintenance LTS and it will end on 2025-04-30
  • v20.x is Active LTS
• New Rafiki release pipeline
  • Do everything that now has been done
  • Run docker image scan for any known vulnerabilities and break build if severity is HIGH or CRITICAL
  • Publish docker image to GitHub repository
  • Create tag and release in GitHub

Context

Rafiki release pipeline is now designed that is possible to do quick deploys.

Branching strategy

For every major / minor version change, you need to create new release branch, but not for patch change. If you want to create release v2.1.0, you would need to create following release branch: release/v2.1.0. When there will be push to this repository, patch number will increment. Ideally, when release branch is created, there should be feature freeze, so that we do not need to update minor version. Instead, in release branch, we should push (after creation), only bugfixes, to make this release stable.

Following release branches are supported:

release/v1.0.0
release/v1.0.0-beta
release/v1.0.0-alpha

Also, correct corresponding tags and releases will be created in GitHub.

On branch release/v1.0.0-beta, first tag and release would be v1.0.0-beta and second one v1.0.1-beta

Docker build, scan, publish and release creation will be triggered only on release branches.

For the documentation on branching strategy, tags, etc, I will create new PR with updated documentation.

Checklist

• Related issues linked using fixes #number
• Tests added/updated
• Documentation added
• Make sure that all checks pass
• Bruno collection updated

[netlify]

❌ Deploy Preview for brilliant-pasca-3e80ec failed.

Name	Link
🔨 Latest commit	aaf9d49
🔍 Latest deploy log	https://app.netlify.com/sites/brilliant-pasca-3e80ec/deploys/660d2f57828c9c0008dfa2b2

[sabineschaller]

This creates the changelog based on the template, correct?

[golobitch]

This actually generates changelog data based on commits between current and previous same tag. It does not create changelog. If you want, I can also generate CHANGELOG.md here or append the data to it?

[sabineschaller]

Do you know how it orders the commits in the generated changelog?
Right now, we have the following defined: https://github.com/interledger/rafiki/blob/main/.github/release.yaml

[golobitch]

Yes, if commit has note BREAKING CHANGE then this breaking changes will be always on top. After that, there will be bug fixes, features, chores, etc. I just need to check for dependencies.

[mkurapov]

@sabineschaller I'm not sure if this action takes into account the label of the PRs and the breaking > general changes > dependency updates order, since it checks commits and not PRs.

That being said, it does look like though we should get into a habit of doing feat!: ... (or adding BREAKING CHANGE to the to-be squashed commit), so we could see & auto generate breaking changes just from the commits

[sabineschaller]

@mkurapov I think it needs to be in the to-be-squashed commit either way, so we need to start adding the !. And we can try training people to add the BREAKING CHANGE footer.

[sabineschaller]

Also, I keep forgetting to increase the version in the package.json. I was thinking about just removing it

• chore: remove version from monorepo package.json #2477

but the frontend displays that version so we may have to keep it.
Long story short, can we add a check in the workflow that checks whether the version has been bumped on the release branch?

[golobitch]

Also, I keep forgetting to increase the version in the package.json. I was thinking about just removing it

• chore: remove version from monorepo package.json #2477

but the frontend displays that version so we may have to keep it. Long story short, can we add a check in the workflow that checks whether the version has been bumped on the release branch?

We can maybe just update the package.json when we are creating changelog data? But that would be only on the release branch.

Action can create PR into main branch with version update in package.json. Should we go with that?

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[sabineschaller]

We can maybe just update the package.json when we are creating changelog data? But that would be only on the release branch.

Never mind, the team decided to remove the version.

[mkurapov]

While we are here, in the "Local Development Environment" section above, we can remove the nvm references and just say that the prerequisites are pnpm & node v20.

cc @sabineschaller since it looks like you edited the file

[sabineschaller]

Sure

[mkurapov]

grype and trivy: how much do they overlap? ie is it good to keep both vs just picking one?

[golobitch]

Well, the difference is basically in the data sources that the scanner is using. Trivy is using more data sorces than grype, however, grype is using some of the data sources that trivy is not. So basically, we can keep both, or at least, just Trivy. Your thought?

[mkurapov]

might as well have a broader check, we can keep both - just wanted to understand the differences

[mkurapov]

@sabineschaller I'm not sure if this action takes into account the label of the PRs and the breaking > general changes > dependency updates order, since it checks commits and not PRs.

That being said, it does look like though we should get into a habit of doing feat!: ... (or adding BREAKING CHANGE to the to-be squashed commit), so we could see & auto generate breaking changes just from the commits

[sabineschaller]

Can we only build on both platforms if we actually release? Otherwise, this will take forever.

[golobitch]

We can. So basically, build only for linux/amd64 on feature branches and both platforms for release branch?

[sabineschaller]

Yes, I think that is what we used to do.

[mkurapov]

BTW I changed the Netlify NODE_VERSION back to 18 (for the rafiki.dev documentation) for now since we have some doc changes in PRs we wanted previews on. So once this is merged in, it can be set to 20.

[mkurapov]

might as well have a broader check, we can keep both - just wanted to understand the differences

[golobitch]

@sabineschaller @mkurapov we can do another interation of a review now.

[mkurapov]

👍 good to go after main's merged in

[sabineschaller]

I'll re-review as soon as main is merged in :-)

[golobitch]

@mkurapov @sabineschaller rebased to main & updated PR

[golobitch]

@mkurapov @sabineschaller I am not authorized to merge this PR.

[mkurapov]

@mkurapov @sabineschaller I am not authorized to merge this PR.

I'll give you access... ✅

[golobitch]

Netlify builds will fail due to node bump. After we merge this PR into master, we should also bump Netlify

[mkurapov]

I think we should add this to the needs list for the node-build -> we should probably not run node-build if we fail integration tests.

CC @BlairCurrey

[BlairCurrey]

yeah I'd say so too.

[tadejgolobic]

Done

[mkurapov]

🚀

[mkurapov]

@tadejgolobic We have a branch protection rule set up for all_pr_checks_passed. Since we don't have that anymore, I can change that so that it should be node-build instead.

Maybe also docker-build ?

[mkurapov]

@golobitch done, looks like its mergeable

[tadejgolobic]

@tadejgolobic We have a branch protection rule set up for all_pr_checks_passed. Since we don't have that anymore, I can change that so that it should be node-build instead.

Maybe also docker-build ?

Should I just create one more job whose name it will be all_pr_checks_passed ? That would probably be the easiest solution

[mkurapov]

@tadejgolobic I don't mind just adding docker-build as a separate required check in the settings, it's straightforward enough and doesn't make a big difference.

tl;dr we can merge IMO