Merge branch 'v22.x' into 22.x/findPackageJSON

Author: JakobJingleheimer

.github/CODEOWNERS

@@ -143,6 +143,7 @@
 # Actions
 
 /.github/workflows/* @nodejs/actions
+/.github/workflows/create-release-proposal.yml @nodejs/releasers
 /tools/actions/* @nodejs/actions
 
 # Test runner

.github/workflows/coverage-linux-without-intl.yml

@@ -79,7 +79,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4.6.0
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a  # v5.0.7
         with:
           directory: ./coverage
-          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/coverage-linux.yml

@@ -79,7 +79,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4.6.0
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a  # v5.0.7
         with:
           directory: ./coverage
-          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/coverage-windows.yml

@@ -71,7 +71,6 @@ jobs:
       - name: Clean tmp
         run: npx rimraf ./coverage/tmp
       - name: Upload
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4.6.0
+        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a  # v5.0.7
         with:
           directory: ./coverage
-          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/create-release-proposal.yml

@@ -1,7 +1,5 @@
 # This action requires the following secrets to be set on the repository:
-#   GH_USER_NAME: GitHub user whose Jenkins and GitHub token are defined below
 #   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
-#   JENKINS_TOKEN: Jenkins token, to be used to check CI status
 
 name: Create Release Proposal
 
@@ -11,12 +9,10 @@ on:
       release-line:
         required: true
         type: number
-        default: 23
         description: 'The release line (without dots or prefix). e.g: 22'
       release-date:
         required: true
         type: string
-        default: YYYY-MM-DD
         description: The release date in YYYY-MM-DD format
 
 concurrency: ${{ github.workflow }}
@@ -26,6 +22,7 @@ env:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   releasePrepare:
@@ -36,16 +33,14 @@ jobs:
       RELEASE_LINE: ${{ inputs.release-line }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: ${{ env.STAGING_BRANCH }}
-          # Needs the whole git history for ncu to work
-          # See https://github.com/nodejs/node-core-utils/pull/486
-          fetch-depth: 0
+          persist-credentials: false
 
       # Install dependencies
       - name: Install Node.js
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # v4.0.3
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -56,31 +51,32 @@ jobs:
         run: |
           ncu-config set branch "${RELEASE_BRANCH}"
           ncu-config set upstream origin
-          ncu-config set username "$USERNAME"
+          ncu-config set username "$GITHUB_ACTOR"
           ncu-config set token "$GH_TOKEN"
-          ncu-config set jenkins_token "$JENKINS_TOKEN"
           ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
           ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
         env:
-          USERNAME: ${{ secrets.JENKINS_USER }}
-          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
-          JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
 
       - name: Set up ghauth config (Ubuntu)
         run: |
-          mkdir -p ~/.config/changelog-maker/
-          echo '{
-            "user": "'$(ncu-config get username)'",
-            "token": "'$(ncu-config get token)'"
-          }' > ~/.config/changelog-maker/config.json
+          mkdir -p "${XDG_CONFIG_HOME:-~/.config}/changelog-maker"
+          echo '{}' | jq '{user: env.GITHUB_ACTOR, token: env.TOKEN}' > "${XDG_CONFIG_HOME:-~/.config}/changelog-maker/config.json"
+        env:
+          TOKEN: ${{ github.token }}
 
       - name: Setup git author
         run: |
           git config --local user.email "github-bot@iojs.org"
           git config --local user.name "Node.js GitHub Bot"
 
       - name: Start git node release prepare
+        # The curl command is to make sure we run the version of the script corresponding to the current workflow.
         run: |
-          ./tools/actions/create-release.sh "${RELEASE_DATE}" "${RELEASE_LINE}"
+          git update-index --assume-unchanged tools/actions/create-release.sh
+          curl -fsSLo tools/actions/create-release.sh https://github.com/${GITHUB_REPOSITORY}/raw/${GITHUB_SHA}/tools/actions/create-release.sh
+          ./tools/actions/create-release.sh "${RELEASE_DATE}" "${RELEASE_LINE}" "${GITHUB_ACTOR}"
         env:
-          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+          # We want the bot to push the push the release commit so CI runs on it.
+          BOT_TOKEN: ${{ secrets.GH_USER_TOKEN }}

.github/workflows/lint-release-proposal.yml

@@ -0,0 +1,62 @@
+name: Linters (release proposals)
+
+on:
+  push:
+    branches:
+      - v[0-9]+.[0-9]+.[0-9]+-proposal
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  PYTHON_VERSION: '3.12'
+  NODE_VERSION: lts/*
+
+permissions:
+  contents: read
+
+jobs:
+  lint-release-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Lint release commit title format
+        run: |
+          EXPECTED_TITLE='^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}, Version [[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+ (\(Current|'.+' \(LTS)\)$'
+          echo "Expected commit title format: $EXPECTED_TITLE"
+          COMMIT_SUBJECT="$(git --no-pager log -1 --format=%s)"
+          echo "Actual: $ACTUAL"
+          echo "$COMMIT_SUBJECT" | grep -q -E "$EXPECTED_TITLE"
+          echo "COMMIT_SUBJECT=$COMMIT_SUBJECT" >> "$GITHUB_ENV"
+      - name: Lint release commit message trailers
+        run: |
+          EXPECTED_TRAILER="^PR-URL: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/[[:digit:]]+\$"
+          echo "Expected trailer format: $EXPECTED_TRAILER"
+          ACTUAL="$(git --no-pager log -1 --format=%b | git interpret-trailers --parse --no-divider)"
+          echo "Actual: $ACTUAL"
+          echo "$ACTUAL" | grep -E -q "$EXPECTED_TRAILER"
+
+          PR_URL="${ACTUAL:8}"
+          PR_HEAD="$(gh pr view "$PR_URL" --json headRefOid -q .headRefOid)"
+          echo "Head of $PR_URL: $PR_HEAD"
+          echo "Current commit: $GITHUB_SHA"
+          [ "$PR_HEAD" = "$GITHUB_SHA" ]
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Validate CHANGELOG
+        id: releaser-info
+        run: |
+          EXPECTED_CHANGELOG_TITLE_INTRO="## $COMMIT_SUBJECT, @"
+          echo "Expected CHANGELOG section title: $EXPECTED_CHANGELOG_TITLE_INTRO"
+          CHANGELOG_TITLE="$(grep "$EXPECTED_CHANGELOG_TITLE_INTRO" "doc/changelogs/CHANGELOG_V${COMMIT_SUBJECT:20:2}.md")"
+          echo "Actual: $CHANGELOG_TITLE"
+          [ "${CHANGELOG_TITLE%%@*}@" = "$EXPECTED_CHANGELOG_TITLE_INTRO" ]
+      - name: Verify NODE_VERSION_IS_RELEASE bit is correctly set
+        run: |
+          grep -q '^#define NODE_VERSION_IS_RELEASE 1$' src/node_version.h
+      - name: Check for placeholders in documentation
+        run: |
+          ! grep "REPLACEME" doc/api/*.md

.github/workflows/major-release.yml

@@ -0,0 +1,48 @@
+name: Major Release
+
+on:
+  schedule:
+    - cron: 0 0 15 2,8 *  # runs at midnight UTC every 15 February and 15 August
+
+permissions:
+  contents: read
+
+jobs:
+  create-issue:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Check for release schedule
+        id: check-date
+        run: |
+          # Get the current month and day
+          MONTH=$(date +'%m')
+          DAY=$(date +'%d')
+          # We'll create the reminder issue two months prior the release
+          if [[ "$MONTH" == "02" || "$MONTH" == "08" ]] && [[ "$DAY" == "15" ]]; then
+            echo "create_issue=true" >> "$GITHUB_ENV"
+          fi
+      - name: Retrieve next major release info from nodejs/Release
+        if: env.create_issue == 'true'
+        run: |
+          curl -L https://github.com/nodejs/Release/raw/HEAD/schedule.json | \
+          jq -r 'to_entries | map(select(.value.start | strptime("%Y-%m-%d") | mktime > now)) | first | "VERSION=" + .key + "\nRELEASE_DATE=" + .value.start' >> "$GITHUB_ENV"
+      - name: Compute max date for landing semver-major PRs
+        if: env.create_issue == 'true'
+        run: |
+          echo "PR_MAX_DATE=$(date -d "$RELEASE_DATE -1 month" +%Y-%m-%d)" >> "$GITHUB_ENV"
+      - name: Create release announcement issue
+        if: env.create_issue == 'true'
+        run: |
+         gh issue create --repo "${GITHUB_REPOSITORY}" \
+           --title "Upcoming Node.js Major Release ($VERSION)" \
+           --body-file -<<EOF
+            A reminder that the next Node.js **SemVer Major release** is scheduled for **${RELEASE_DATE}**.
+            All commits that were landed until **${PR_MAX_DATE}** (one month prior to the release) will be included in the next semver major release. Please ensure that any necessary preparations are made in advance.
+            For more details on the release process, consult the [Node.js Release Working Group repository](https://github.com/nodejs/release).
+
+            cc: @nodejs/collaborators
+         EOF
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/scorecard.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7  # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f  # v2.10.2
         with:
           egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -73,6 +73,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88  # v3.27.5
         with:
           sarif_file: results.sarif

.github/workflows/tools.yml

@@ -27,7 +27,7 @@ on:
           - gyp-next
           - histogram
           - icu
-          # - libuv
+          - libuv
           - llhttp
           - minimatch
           - nbytes
@@ -51,7 +51,7 @@ permissions:
 
 jobs:
   tools-deps-update:
-    if: github.repository == 'nodejs/node'
+    if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false  # Prevent other jobs from aborting if one fails
@@ -175,17 +175,14 @@ jobs:
               cat temp-output
               tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
               rm temp-output
-          # libuv update was disabled because of Feb 14, 2024 security release
-          # modified the bundled version of libuv, we cannot automatically update
-          # libuv without potentially undoing those changes.
-          # - id: libuv
-          #   subsystem: deps
-          #   label: dependencies
-          #   run: |
-          #     ./tools/dep_updaters/update-libuv.sh > temp-output
-          #     cat temp-output
-          #     tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
-          #     rm temp-output
+          - id: libuv
+            subsystem: deps
+            label: dependencies
+            run: |
+              ./tools/dep_updaters/update-libuv.sh > temp-output
+              cat temp-output
+              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
+              rm temp-output
           - id: llhttp
             subsystem: deps
             label: dependencies

.github/workflows/update-wpt.yml

@@ -0,0 +1,83 @@
+name: WPT update
+
+on:
+  schedule:
+    # Run once a week at 12:00 AM UTC on Sunday.
+    - cron: 0 0 * * *
+  workflow_dispatch:
+    inputs:
+      subsystems:
+        description: Subsystem to run the update for
+        required: false
+        default: '["url", "WebCryptoAPI"]'
+
+permissions:
+  contents: read
+
+env:
+  NODE_VERSION: lts/*
+
+jobs:
+  wpt-subsystem-update:
+    if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        subsystem: ${{ fromJSON(github.event.inputs.subsystems || '["url", "WebCryptoAPI"]') }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Install @node-core/utils
+        run: npm install -g @node-core/utils
+
+      - name: Setup @node-core/utils
+        run: |
+          ncu-config set username "$USERNAME"
+          ncu-config set token "$GH_TOKEN"
+          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
+          ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
+        env:
+          USERNAME: ${{ secrets.JENKINS_USER }}
+          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+
+      - name: Update WPT for subsystem ${{ matrix.subsystem }}
+        run: |
+          git node wpt "$SUBSYSTEM"
+        env:
+          SUBSYSTEM: ${{ matrix.subsystem }}
+
+      - name: Retrieve new version commit
+        run: |
+          new_version="$(
+            node -p 'require("./test/fixtures/wpt/versions.json")[process.argv[1]].commit' "$SUBSYSTEM"
+          )"
+          {
+            echo "long_version=$new_version"
+            echo "short_version=${new_version:0:10}"
+          } >> "$GITHUB_ENV"
+        env:
+          SUBSYSTEM: ${{ matrix.subsystem }}
+
+      - name: Open or update PR for the subsystem update
+        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
+        with:
+          branch: actions/update-wpt-${{ matrix.subsystem }}
+          author: Node.js GitHub Bot <github-bot@iojs.org>
+          title: 'test: update WPT for ${{ matrix.subsystem }} to ${{ env.short_version }}'
+          commit-message: 'test: update WPT for ${{ matrix.subsystem }} to ${{ env.short_version }}'
+          labels: test
+          update-pull-request-title-and-body: true
+          body: >
+            This is an automated update of the WPT for ${{ matrix.subsystem }} to
+            https://github.com/web-platform-tests/wpt/commit/${{ env.long_version }}.
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}