From f725834cae8ff6887727cdb5baa51790430123a6 Mon Sep 17 00:00:00 2001 From: Wabo Date: Tue, 2 Jun 2026 10:34:48 -0400 Subject: [PATCH] Automate upstream sync workflow and fix CI gaps - bin/sync-upstream: automation script for upstream tag sync with logo file restoration from ORIG_HEAD after merge - CI: setup-node@v1->@v4, set-output->$GITHUB_OUTPUT, docuseal_test->wabosign_test, add rebrand-check and assets-precompile jobs - Docker: checkout@v3->@v4, metadata-action@v4->@v5, login-action@v3->@v6, images->wabolabs/wabosign, add PR build test - rebrand-sync: add logo paths to DENY_PATHS - .gitattributes: add -merge for brand logo files - REBRANDING.md: update per-sync workflow with logo restoration step --- .gitattributes | 8 ++++ .github/workflows/ci.yml | 61 ++++++++++++++++++++++-- .github/workflows/docker.yml | 24 +++++++--- REBRANDING.md | 10 ++++ bin/rebrand-sync | 8 ++++ bin/sync-upstream | 90 ++++++++++++++++++++++++++++++++++++ 6 files changed, 190 insertions(+), 11 deletions(-) create mode 100755 bin/sync-upstream diff --git a/.gitattributes b/.gitattributes index 28cee3ff..76c29095 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,9 @@ *.html linguist-detectable=false + +# WaboSign brand binary files — never merge upstream versions; always keep ours +public/favicon.svg -merge +public/favicon.ico -merge +public/favicon-16x16.png -merge +public/favicon-32x32.png -merge +public/favicon-96x96.png -merge +public/logo.svg -merge diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 77d912e4..06a4301e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
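Review bot: The comment on the new `-merge` entries in .gitattributes promises more than the attribute delivers. Unsetting `merge` keeps the current branch's copy as a tentative result but still declares a conflict when both sides changed the file. In bin/sync-upstream that conflict makes `git merge --no-ff` exit non-zero under `set -euo pipefail`, so the script stops before its restore loop runs. If the intent is to keep the WaboSign files without operator action, a custom merge driver is the usual route (`public/logo.svg merge=ours` together with `git config merge.ours.driver true`). Otherwise reword the comment to `# WaboSign brand files — a merge that touches both sides stops with a conflict; resolve by keeping ours`.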
@@ -60,12 +60,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Node.js - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: node-version: 20.19.0 - name: Cache directory path id: yarn-cache-dir-path - run: echo "::set-output name=dir::$(yarn cache dir)" + run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT" - uses: actions/cache@v4 id: yarn-cache with: @@ -108,6 +108,57 @@ jobs: - name: Run Brakeman run: bundle exec brakeman -q --exit-on-warn + assets_precompile: + name: Assets precompile + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@v4 + - name: Install Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 4.0.5 + - name: Set up Node + uses: actions/setup-node@v4 + with: + node-version: 20.19.0 + - name: Cache gems + uses: actions/cache@v4 + with: + path: vendor/bundle + key: ${{ runner.os }}-gem-${{ hashFiles('**/Gemfile.lock') }} + restore-keys: | + ${{ runner.os }}-gem- + - name: Cache node_modules + uses: actions/cache@v4 + with: + path: node_modules + key: ${{ runner.os }}-node-${{ hashFiles('**/yarn.lock') }} + - name: Install dependencies + env: + RAILS_ENV: production + run: | + gem install bundler + bundle config path vendor/bundle + bundle install --jobs 4 --retry 4 + yarn install + - name: Precompile assets + env: + RAILS_ENV: production + SECRET_KEY_BASE: dummy-for-precompile + DATABASE_URL: postgres://postgres:postgres@localhost:5432/wabosign_test + run: | + bundle exec rake assets:precompile + + rebrand_check: + name: Rebrand check + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + - name: Run rebrand-check + run: bin/rebrand-check + rspec: name: RSpec runs-on: ubuntu-latest @@ -119,7 +170,7 @@ jobs: env: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres - POSTGRES_DB: docuseal_test + POSTGRES_DB: wabosign_test ports: ["5432:5432"] options: >- --health-cmd pg_isready 
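Review bot: In the new `assets_precompile` job (hunk `@@ -108,6 +108,57 @@`), `yarn install` runs without a lockfile guard, so CI can resolve and build against package versions that differ from the reviewed `yarn.lock`, even though the `node_modules` cache is keyed on that same file. Use `yarn install --frozen-lockfile` (or `yarn install --immutable` if the project is on Yarn 2+) so a drifted lockfile fails the job instead of being silently re-resolved. `gem install bundler` is likewise unpinned; installing the Bundler version recorded in `Gemfile.lock` would keep the toolchain reproducible. The job also sets `DATABASE_URL` to a local Postgres without a `services:` entry, so add a comment saying the URL is a placeholder if precompile is never meant to connect.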
@@ -134,7 +185,7 @@ jobs: with: ruby-version: 4.0.5 - name: Set up Node - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: node-version: 20.19.0 - name: Install Chrome @@ -171,7 +222,7 @@ jobs: RAILS_ENV: test NODE_ENV: test COVERAGE: true - DATABASE_URL: postgres://postgres:postgres@localhost:5432/docuseal_test + DATABASE_URL: postgres://postgres:postgres@localhost:5432/wabosign_test run: | bundle exec rake db:create bundle exec rake db:migrate diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 2eb09ddc..d26e69a6 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,6 +1,14 @@ name: Build Docker Images on: + pull_request: + paths: + - 'Dockerfile' + - 'Gemfile' + - 'Gemfile.lock' + - 'yarn.lock' + - 'package.json' + - '.github/workflows/docker.yml' push: tags: - "*.*.*" @@ -12,16 +20,18 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: recursive - name: Docker meta id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: - images: docuseal/docuseal - tags: type=semver,pattern={{version}} + images: wabolabs/wabosign + tags: | + type=ref,event=pr + type=semver,pattern={{version}},event=tag - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -30,10 +40,12 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Create .version file + if: github.ref_type == 'tag' run: echo ${{ github.ref_name }} > .version - name: Login to Docker Hub - uses: docker/login-action@v3 + if: github.event_name != 'pull_request' + uses: docker/login-action@v6 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -42,6 +54,6 @@ jobs: uses: docker/build-push-action@v6 with: context: . - push: true + push: ${{ github.event_name != 'pull_request' }} platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} diff --git a/REBRANDING.md b/REBRANDING.md index a3069c11..81afe145 100644 
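Review bot: With the `pull_request` trigger added in `@@ -1,6 +1,14 @@`, this workflow now builds contributor-supplied Dockerfiles, and nothing in the visible hunks limits the `GITHUB_TOKEN` scope. The job header lies outside the diff, so if no `permissions:` block exists there, add a top-level `permissions:` with `contents: read` so the PR build runs with a read-only token. The path filter also omits `.dockerignore`, which changes the build context if the repository has one; consider listing it.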
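Review bot: The `Create .version file` step gated in `@@ -30,10 +40,12 @@` still expands `${{ github.ref_name }}` directly into the shell script, so the tag name is parsed as shell text before `echo` runs. Pass it through the environment instead: add `env:` with `REF_NAME: ${{ github.ref_name }}` and change the command to `run: printf '%s\n' "$REF_NAME" > .version`. The `Login to Docker Hub` step in the same hunk hands `DOCKERHUB_TOKEN` to an action referenced by a movable tag (`docker/login-action@v6`). Pinning that action to a full commit SHA keeps a retagged release from receiving the credential.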
--- a/REBRANDING.md +++ b/REBRANDING.md @@ -89,6 +89,11 @@ git checkout master git merge --no-ff sync/upstream- # Resolve conflicts. Rerere caches recurring resolutions. +# Restore WaboSign brand assets that the merge may have overwritten: +git checkout ORIG_HEAD -- public/favicon.svg public/favicon.ico \ + public/favicon-16x16.png public/favicon-32x32.png \ + public/favicon-96x96.png public/logo.svg + bin/rebrand-sync # catch upstream-only new files bin/rebrand-check # CI gate @@ -99,6 +104,11 @@ yarn install git tag wabosign-synced-with- ``` +Or use the automated script: +```sh +bin/sync-upstream +``` + ### Adding new preserved tokens When upstream introduces a new SDK identifier, binary URL, or attribution surface that must survive the sweep, edit `PRESERVE` in [bin/rebrand-sync](bin/rebrand-sync) and `ALLOW_PATTERNS` in [bin/rebrand-check](bin/rebrand-check) together. The two must stay in sync — `rebrand-sync` decides what the sweep ignores, `rebrand-check` decides what CI tolerates. diff --git a/bin/rebrand-sync b/bin/rebrand-sync index fcf40df5..dba5f2f5 100755 --- a/bin/rebrand-sync +++ b/bin/rebrand-sync @@ -49,6 +49,14 @@ DENY_PATHS = Set.new([ 'app/views/shared/_email_attribution.html.erb', 'bin/rebrand-sync', 'bin/rebrand-check', + # WaboSign brand logo files — must never be touched by the sweep; + # restored from ORIG_HEAD by bin/sync-upstream after an upstream merge. + 'public/favicon.svg', + 'public/favicon.ico', + 'public/favicon-16x16.png', + 'public/favicon-32x32.png', + 'public/favicon-96x96.png', + 'public/logo.svg', # Holds UPSTREAM_NAME / UPSTREAM_URL constants — must not be swept. 'lib/wabosign.rb', # Encrypted-config migration matches the literal upstream string to find diff --git a/bin/sync-upstream b/bin/sync-upstream new file mode 100755 index 00000000..bedb2350 --- /dev/null +++ b/bin/sync-upstream 
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# frozen_string_literal: true
+#
+# bin/sync-upstream — automate upstream DocuSeal sync
+#
+# Usage:
+# bin/sync-upstream
+#
+# Example:
+# bin/sync-upstream 3.0.2
+#
+# Environment:
+# UPSTREAM_REMOTE (default: upstream)
+# UPSTREAM_URL (default: https://github.com/docusealco/docuseal.git)
+
+set -euo pipefail
+
+UPSTREAM_REMOTE="${UPSTREAM_REMOTE:-upstream}"
+TAG="${1:-}"
+
+if [ -z "$TAG" ]; then
+ echo "Usage: $0 " >&2
+ echo " e.g. $0 3.0.2" >&2
+ exit 1
+fi
+
+# Ensure rerere is on so recurring conflict resolutions are cached
+git config rerere.enabled true
+git config rerere.autoupdate true
+
+echo "=== Fetching $UPSTREAM_REMOTE ==="
+git fetch "$UPSTREAM_REMOTE" --tags
+
+# Record the commit at the tag so we can verify later
+TAG_COMMIT="$(git rev-parse --verify "$TAG^{commit}" 2>/dev/null || true)"
+if [ -z "$TAG_COMMIT" ]; then
+ echo "Tag $TAG not found. Double-check the tag name." >&2
+ exit 1
+fi
+
+echo "=== Creating sync/upstream-$TAG from $TAG ==="
+git checkout -b "sync/upstream-$TAG" "$TAG"
+
+echo "=== Applying rebrand sweep ==="
+bin/rebrand-sync
+
+echo "=== Committing rebranded tree ==="
+git add -A
+if git diff --cached --quiet; then
+ echo "Nothing to commit — rebrand-sync produced no changes."
+else
+ git commit -m "Apply WaboSign rebrand sweep to upstream $TAG"
+fi
+
+echo "=== Merging into master ==="
+git checkout master
+git merge --no-ff "sync/upstream-$TAG" -m "Merge upstream $TAG into master"
+
+echo "=== Restoring WaboSign binary assets overwritten by merge ==="
+# Merging an upstream tag may overwrite our brand logo files that rebrand-sync
+# cannot protect (they are binary / opaque-image and bypass the text sweep).
+# Restore them from pre-merge master (ORIG_HEAD).
+LOGO_FILES=(
+ public/favicon.svg
+ public/favicon.ico
+ public/favicon-16x16.png
+ public/favicon-32x32.png
+ public/favicon-96x96.png
+ public/logo.svg
+)
+for f in "${LOGO_FILES[@]}"; do
+ if git show ORIG_HEAD:"$f" &>/dev/null 2>&1; then
+ git checkout ORIG_HEAD -- "$f"
+ echo " restored: $f"
+ fi
+done
+
+echo "=== Catching new upstream files (post-merge sweep) ==="
+bin/rebrand-sync
+bin/rebrand-check
+
+echo ""
+echo "============================================================"
+echo "Sync of $TAG complete."
+echo "Next steps:"
+echo " 1. bundle install && yarn install"
+echo " 2. Run tests: bundle exec rspec"
+echo " 3. Tag: git tag wabosign-synced-with-$TAG"
+echo " 4. Push: git push origin master --tags"
+echo "============================================================"
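Review bot: The revision that bin/sync-upstream merges into master is never tied to the upstream repository. `TAG_COMMIT` is recorded "so we can verify later" but is not used again, `git rev-parse --verify "$TAG^{commit}"` accepts any revision name rather than only a tag (a branch name or commit id also resolves), and `UPSTREAM_URL` is documented in the header but never read. Resolve `refs/tags/$TAG` explicitly, check the remote URL before fetching, and branch from the resolved commit. `git add -A` also runs without a clean-tree check, so untracked local files would be committed onto the sync branch. Separately, the restore loop and the second `bin/rebrand-sync` run after the merge commit and nothing visible commits their changes, yet the printed next steps go straight to tagging and pushing.

```shell
UPSTREAM_REMOTE="${UPSTREAM_REMOTE:-upstream}"
UPSTREAM_URL="${UPSTREAM_URL:-https://github.com/docusealco/docuseal.git}"
# … unchanged: TAG argument check, rerere config …

# Refuse to run on a dirty tree: `git add -A` below stages everything.
if [ -n "$(git status --porcelain)" ]; then
  echo "Working tree is not clean; commit or stash first." >&2
  exit 1
fi

# Fetch only from the expected upstream repository.
if [ "$(git remote get-url "$UPSTREAM_REMOTE")" != "$UPSTREAM_URL" ]; then
  echo "Remote $UPSTREAM_REMOTE does not point at $UPSTREAM_URL" >&2
  exit 1
fi
# … unchanged: git fetch …

# Resolve the name as a tag only, then branch from the resolved commit.
TAG_COMMIT="$(git rev-parse --verify --quiet "refs/tags/$TAG^{commit}" || true)"
# … unchanged: empty TAG_COMMIT check …
git checkout -b "sync/upstream-$TAG" "$TAG_COMMIT"
# … unchanged: sweep, commit, merge, restore loop, summary …
```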