From ce8b502529b1131c65506d23a6ec7b5f68c5b526 Mon Sep 17 00:00:00 2001
From: Mark Stacey <markjstacey@gmail.com>
Date: Fri, 20 Dec 2024 17:23:21 -0330
Subject: [PATCH] ci: Migrate LavaMoat validation to GitHub Actions (#29369)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## **Description**

Migrate LavaMoat policy validation from CircleCI to GitHub actions. No
functional changes.

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29369?quickstart=1)

## **Related issues**

Relates to #28572

These changes were extracted from #29256

## **Manual testing steps**

* Checkout this branch (`migrate-lavamoat-validation`), then from there
create a new branch to test with
* On this new branch, make a dependency change with a policy impact
(e.g. add or remove a package, upgrade something, etc.), but make sure
the build still passes (validation requires a passing build)
* Create a draft PR, and verify that the policy validation fails
* Use the `metamaskbot update-policies` bot command to update the
policies, then verify the validation now succeeds.
PR with errors -
https://github.com/MetaMask/metamask-extension/pull/29396
Failure -
https://github.com/MetaMask/metamask-extension/actions/runs/12434996100/job/34719873040?pr=29396
Passing -
https://github.com/MetaMask/metamask-extension/actions/runs/12435253146/job/34720674397?pr=29396

## **Screenshots/Recordings**

N/A

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
---
 .circleci/config.yml                          | 60 -------------------
 .github/workflows/main.yml                    | 15 +++++
 .../validate-lavamoat-allow-scripts.yml       | 25 ++++++++
 .../validate-lavamoat-policy-build.yml        | 27 +++++++++
 .../validate-lavamoat-policy-webapp.yml       | 30 ++++++++++
 5 files changed, 97 insertions(+), 60 deletions(-)
 create mode 100644 .github/workflows/validate-lavamoat-allow-scripts.yml
 create mode 100644 .github/workflows/validate-lavamoat-policy-build.yml
 create mode 100644 .github/workflows/validate-lavamoat-policy-webapp.yml

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 60bb80eaf449..f800ab484ebe 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -123,18 +123,6 @@ workflows:
                 - master
           requires:
             - prep-deps
-      - validate-lavamoat-allow-scripts:
-          requires:
-            - prep-deps
-      - validate-lavamoat-policy-build:
-          requires:
-            - prep-deps
-      - validate-lavamoat-policy-webapp:
-          matrix:
-            parameters:
-              build-type: [main, beta, flask, mmi]
-          requires:
-            - prep-deps
       - prep-build-mmi:
           requires:
             - prep-deps
@@ -268,9 +256,6 @@ workflows:
             - prep-build-flask-mv2
       - all-tests-pass:
           requires:
-            - validate-lavamoat-allow-scripts
-            - validate-lavamoat-policy-build
-            - validate-lavamoat-policy-webapp
             - validate-source-maps
             - validate-source-maps-beta
             - validate-source-maps-flask
@@ -481,51 +466,6 @@ jobs:
           at: .
       - run: yarn tsx .circleci/scripts/validate-locales-only.ts
 
-  validate-lavamoat-allow-scripts:
-    executor: node-browsers-small
-    steps:
-      - run: *shallow-git-clone-and-enable-vnc
-      - run: sudo corepack enable
-      - attach_workspace:
-          at: .
-      - run:
-          name: Validate allow-scripts config
-          command: yarn allow-scripts auto
-      - run:
-          name: Check working tree
-          command: .circleci/scripts/check-working-tree.sh
-
-  validate-lavamoat-policy-build:
-    executor: node-browsers-medium
-    steps:
-      - run: *shallow-git-clone-and-enable-vnc
-      - run: sudo corepack enable
-      - attach_workspace:
-          at: .
-      - run:
-          name: Validate LavaMoat build policy
-          command: yarn lavamoat:build:auto
-      - run:
-          name: Check working tree
-          command: .circleci/scripts/check-working-tree.sh
-
-  validate-lavamoat-policy-webapp:
-    executor: node-browsers-medium-plus
-    parameters:
-      build-type:
-        type: string
-    steps:
-      - run: *shallow-git-clone-and-enable-vnc
-      - run: sudo corepack enable
-      - attach_workspace:
-          at: .
-      - run:
-          name: Validate LavaMoat << parameters.build-type >>  policy
-          command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>'
-      - run:
-          name: Check working tree
-          command: .circleci/scripts/check-working-tree.sh
-
   prep-build:
     executor: node-linux-medium
     steps:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ee29c54e94ac..6e5a5121f336 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -56,6 +56,18 @@ jobs:
     name: Test deps depcheck
     uses: ./.github/workflows/test-deps-depcheck.yml
 
+  validate-lavamoat-allow-scripts:
+    name: Validate lavamoat allow scripts
+    uses: ./.github/workflows/validate-lavamoat-allow-scripts.yml
+
+  validate-lavamoat-policy-build:
+    name: Validate lavamoat policy build
+    uses: ./.github/workflows/validate-lavamoat-policy-build.yml
+
+  validate-lavamoat-policy-webapp:
+    name: Validate lavamoat policy webapp
+    uses: ./.github/workflows/validate-lavamoat-policy-webapp.yml
+
   run-tests:
     name: Run tests
     uses: ./.github/workflows/run-tests.yml
@@ -75,6 +87,9 @@ jobs:
       - test-lint-lockfile
       - test-yarn-dedupe
       - test-deps-depcheck
+      - validate-lavamoat-allow-scripts
+      - validate-lavamoat-policy-build
+      - validate-lavamoat-policy-webapp
       - run-tests
       - wait-for-circleci-workflow-status
     outputs:
diff --git a/.github/workflows/validate-lavamoat-allow-scripts.yml b/.github/workflows/validate-lavamoat-allow-scripts.yml
new file mode 100644
index 000000000000..637a2d9aeb54
--- /dev/null
+++ b/.github/workflows/validate-lavamoat-allow-scripts.yml
@@ -0,0 +1,25 @@
+name: Validate lavamoat allow scripts
+
+on:
+  workflow_call:
+
+jobs:
+  validate-lavamoat-allow-scripts:
+    name: Validate lavamoat allow scripts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup environment
+        uses: metamask/github-tools/.github/actions/setup-environment@main
+
+      - name: Validate allow-scripts config
+        run: yarn allow-scripts auto
+
+      - name: Check working tree
+        run: |
+          if ! git diff --exit-code; then
+              echo "::error::Working tree dirty."
+              exit 1
+          fi
diff --git a/.github/workflows/validate-lavamoat-policy-build.yml b/.github/workflows/validate-lavamoat-policy-build.yml
new file mode 100644
index 000000000000..4524cc26a546
--- /dev/null
+++ b/.github/workflows/validate-lavamoat-policy-build.yml
@@ -0,0 +1,27 @@
+name: Validate lavamoat policy build
+
+on:
+  workflow_call:
+
+jobs:
+  validate-lavamoat-policy-build:
+    name: Validate lavamoat policy build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup environment
+        uses: metamask/github-tools/.github/actions/setup-environment@main
+
+      - name: Validate lavamoat build policy
+        run: yarn lavamoat:build:auto
+        env:
+          INFURA_PROJECT_ID: 00000000000
+
+      - name: Check working tree
+        run: |
+          if ! git diff --exit-code; then
+              echo "::error::Working tree dirty."
+              exit 1
+          fi
diff --git a/.github/workflows/validate-lavamoat-policy-webapp.yml b/.github/workflows/validate-lavamoat-policy-webapp.yml
new file mode 100644
index 000000000000..37ff9ede00fc
--- /dev/null
+++ b/.github/workflows/validate-lavamoat-policy-webapp.yml
@@ -0,0 +1,30 @@
+name: Validate lavamoat policy webapp
+
+on:
+  workflow_call:
+
+jobs:
+  validate-lavamoat-policy-webapp:
+    name: Validate lavamoat policy webapp
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        build-type: [main, beta, flask, mmi]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup environment
+        uses: metamask/github-tools/.github/actions/setup-environment@main
+
+      - name: Validate lavamoat ${{ matrix.build-type }} policy
+        run: yarn lavamoat:webapp:auto:ci --build-types=${{ matrix.build-type }}
+        env:
+          INFURA_PROJECT_ID: 00000000000
+
+      - name: Check working tree
+        run: |
+          if ! git diff --exit-code; then
+              echo "::error::Working tree dirty."
+              exit 1
+          fi