Commit Graph

311 Commits

Author SHA1 Message Date
Andrew Kushnir c1c1cda866 Revert "refactor(dev-infra): add spawnSync to child process utils, normalize naming of child-process utils (#42394)" (#42829)
This reverts commit 08444c6679.

PR Close #42829
2021-07-12 15:24:55 -07:00
Andrew Kushnir 3d668162d9 Revert "refactor(dev-infra): remove usages and dependency on shelljs (#42394)" (#42829)
This reverts commit f0d857eff8.

PR Close #42829
2021-07-12 15:24:54 -07:00
Joey Perrott f0d857eff8 refactor(dev-infra): remove usages and dependency on shelljs (#42394)
Remove usages of shelljs and instead use spawn/spawnSync.

PR Close #42394
2021-07-12 14:39:08 -07:00
Joey Perrott 08444c6679 refactor(dev-infra): add spawnSync to child process utils, normalize naming of child-process utils (#42394)
Create a `spawnSync` command for common usage, additionally update naming to use `spawn` instead of
`spawnWithDebugOutput`

PR Close #42394
2021-07-12 14:39:07 -07:00
Paul Gschwendtner e6593ad94a fix(dev-infra): transitive targets cannot be resolved by API extractor (#42828)
For API golden tests not running against a NPM package, we extract
all transitive declarations of the specified `data` targets. This is
necessary because API extractor needs to resolve other targets that have
been linked by the Bazel NodeJS rules. The linker by default only
provides access to JavaScript sources, but the API extractor is
specifically concerned with type definitions that we need to manually
extract.

PR Close #42828
2021-07-12 14:38:05 -07:00
Paul Gschwendtner 867000efcc fix(dev-infra): do not include all types in api golden test (#42828)
The API golden test tool should not include all types
from the `node_modules/`. This results in unnecessary
type resolution when the API golden tool is run outside
of sandbox (i.e. on windows or with `bazel run` for accept).

PR Close #42828
2021-07-12 14:38:05 -07:00
Paul Gschwendtner 9456eca7c5 feat(dev-infra): better caching for browser archive contents (#42814)
Adds better caching for browser archives and their extraction.
This is done because the archives are currently extracted as a build
action and these actions are invalidated frequently, causing
flakiness on the CI and slow-down in local development.

Here is an example flaky error on the CI (that surfaces often
with RBE execution):

```
ERROR:
/home/circleci/.cache/bazel/_bazel_circleci/9ce5c2144ecf75d11717c0aa41e45a8d/external/npm/@angular/dev-infra-private/bazel/browsers/chromium/BUILD.bazel:22:17:
Extracting ../org_chromium_chromium_amd64/file/chrome-linux.zip failed:
(Exit 34): extract.sh failed: error executing command
external/io_bazel_rules_webtesting/web/internal/extract.sh
external/org_chromium_chromium_amd64/file/chrome-linux.zip ...
(remaining 2 argument(s) skipped). Note: Remote connection/protocol
failed with: execution failed
```

We fix this by introducing a new rule that downloads a browser
archive and unpacks it directly into a Bazel repository. Before
this change, the archive would just be downloaded but extracted
later as part of a build action. This is unnecessary and results
in less efficient caching as build actions are invalidated more
often, especially if developers run `bazel clean` in between.

The root cause on why the extraction often fails in RBE containers
is unclear. It's unclear why the extracted archive is not cached
properly as part of a build action (most likely some hermeticity
issue within `rules_webtesting`), but it seems more Bazel-idiomatic
to unpack the archives as part of the repository anyway, and this solves
the flakiness issue.

PR Close #42814
2021-07-12 14:37:10 -07:00
Paul Gschwendtner b5ab7aff43 refactor: add override keyword to members implementing abstract declarations (#42512)
In combination with the TS `noImplicitOverride` compatibility changes,
we also want to follow the best-practice of adding `override` to
members which are implemented as part of abstract classes. This
commit fixes all instances which will be flagged as part of the
custom `no-implicit-override-abstract` TSLint rule.

PR Close #42512
2021-07-12 13:11:17 -07:00
Paul Gschwendtner 04642e7985 feat(dev-infra): add lint rule to enforce no-implicit-override abstract members (#42512)
TypeScript introduced a new flag called `noImplicitOverride` as part
of TypeScript v4.3. This flag introduces a new keyword called `override`
that can be applied to members which override declarations from a base
class. This helps with code health as TS will report an error if e.g.
the base class changes the method name but the override would still
have the old method name. Similarly, if the base class removes the method
completely, TS would complain that the member with `override` no longer
overrides any method.

A similar concept applies to abstract methods, with the exception that
TypeScript's builtin `noImplicitOverride` option does not flag members
which are implemented as part of an abstract class. We want to enforce
this as a best-practice in the repository as adding `override` to such
implemented members will cause TS to complain if an abstract member is
removed, but still implemented by derived classes.

More details: https://github.com/microsoft/TypeScript/issues/44457.

PR Close #42512
2021-07-12 13:11:16 -07:00
Paul Gschwendtner 907363348a refactor(dev-infra): ensure compatibility with noImplicitOverride (#42512)
Adds the `override` keyword to the `dev-infra` sources to ensure
compatibility with `noImplicitOverride`.

PR Close #42512
2021-07-12 13:11:14 -07:00
Paul Gschwendtner c7d20639c6 build: enable noImplicitOverride in project (#42512)
Enables the `noImplicitOverride` option to improve
overall codehealth in the repository.

PR Close #42512
2021-07-12 13:11:14 -07:00
Paul Gschwendtner 9af5abba86 feat(dev-infra): add bazel rule for extracting JavaScript module flavors from targets (#42809)
Introduces a rule that collects declared JavaScript module output files
from a list of dependencies based on a configurable JavaScript module
provider. The extracted outputs are exposed within the `DefaultInfo` provider.

Targets defined using this rule can be used as input for rules that
require JavaScript sources, or if there are multiple JavaScript output
variants defined for a target while for example only the `JSModuleInfo`
outputs are of interest.

As an example: This rule is helpful in combination with `ts_library` and
`ng_module` as those rules expose multiple output flavors (which are
distinguishable by the JavaScript module providers as imported from `providers.bzl`).
i.e. these rules expose flavors for named AMD modules and ECMAScript module output.
If we want to ship a NPM package only using ECMAScript modules for
example, we could extract all `JSEcmaScriptModuleInfo`-denoted output
and feed that into the `pkg_npm` rule, compared to bringing in all
output flavors.

For reference:
https://github.com/bazelbuild/rules_nodejs/blob/stable/packages/typescript/internal/build_defs.bzl#L334-L337

PR Close #42809
2021-07-12 09:42:01 -07:00
Paul Gschwendtner 762e057e85 build: update to rules_nodejs v4.0.0-beta.0 (#42760)
Updates the Bazel NodeJS rules to v4.0.0-beta.0. This is necessary
so that the Angular components repo can update, and it's generally
good to stay as up-to-date as possible with the Bazel rules as it's
easy to fall behind, and updating early allows us to discover issues
affecting our tooling earlier (where they are easier to address due to
e.g. potential breaking change policy).

PR Close #42760
2021-07-09 14:50:15 -07:00
Paul Gschwendtner b1fa1bf0d5 fix(dev-infra): `ng_rollup_bundle` rule should error if import cannot be resolved (#42760)
Rollup just prints a warning if an import cannot be resolved and ends up
being treated as an external dependency. This in combination with the
`silent = True` attribute for `rollup_bundle` means that bundles might
end up being extremely small without people noticing that it misses
actual imports.

To improve this situation, the warning is replaced by an error if
an import cannot be resolved.

This unveils an issue with the `ng_rollup_bundle` macro from
dev-infra where imports in View Engine were not resolved but ended
up being treated as external. This did not prevent benchmarks using
this macro from working because the ConcatJS devserver had builtin
resolution for workspace manifest paths. Though given the new check
for no unresolved imports, this will now cause errors within Rollup, and
we need to fix the resolution. We can fix the issue by temporarily
enabling workspace linking. This does not have any performance
downsides.

To enable workspace linking (which we might need more often in the
future given the linker taking over patched module resolution), we
had to rename the `angular` dependency to a more specific one so
that the Angular linker could link into `node_modules/angular`.

PR Close #42760
2021-07-09 14:50:14 -07:00
Paul Gschwendtner c9b47f2182 fix(dev-infra): missing `pkg_npm` substitution for top-level targets being accessed (#42754)
Currently if a top-level target or file within `//dev-infra` is
being referenced, like `//dev-infra:tsconfig`, then the label
is not substituted properly and breaks consumption of the built
NPM package.

PR Close #42754
2021-07-02 17:15:18 -07:00
Paul Gschwendtner 6dd88aadac fix(dev-infra): api-golden tool does not specify a tsconfig and breaks for consumers (#42737)
Tools that are shipped as a Bazel rule with the shared dev-infra
tool require a specific `tsconfig` as otherwise `ts_library` will
accidentally look for a tsconfig in `@npm//:tsconfig` and the build
will fail. We bring in our dev-infra tsconfig and reference it
explicitly.

PR Close #42737
2021-07-02 10:08:03 -07:00
George Kalpakas c3620f9a5f fix(dev-infra): convert commit SHAs and PR numbers to links when generating changelog (#42732)
Previously, the commit SHAs and PR numbers referenced in the generated
`CHANGELOG.md` were not automatically converted to links in the GitHub
UI (as happens for release notes and issue/PR comments). This made it
less straight-forward for someone reading the changelog to get to the
commit/PR corresponding to a change.

This commit updates the tooling that generates the changelog to convert
the commit SHA and the corresponding PR number (referenced at the end of
the commit message header) to links.

PR Close #42732
2021-07-02 09:23:45 -07:00
Paul Gschwendtner 56bd21de6f feat(dev-infra): introduce shared tool for validating API signature (#42688)
For the last years the Angular repositories relied on `ts-api-guardian`
for testing the public API signature. This project worked well in
general but it's another inconvenience to maintain if we could rely on
Microsoft's `api-extractor` tool.

Especially since with TypeScript 4.3 issues with export aliases appeared
that would require us to extend TS API guardian to support such exports.
This is not as straightforward as it sounds, given it requires rewriting
of declarations to show-case the proper name in the API golden. Microsoft's
API extractor has integrated support for this.

As of TypeScript 4.3, we want to start using the new `override` keyword.
We are not able to use that keyword currently because an old version of
API extractor is used in the `ng_module` rule to flatten the types into
a single file. To fix this, we need to update `api-extractor`, but this
unveils the issue with TS API guardian because the most recent version
of api-extractor uses alias exports to avoid potential conflicts
with globals available through the TypeScript default libraries (e.g.
`dom.d.ts`).

PR Close #42688
2021-06-30 11:43:48 -07:00
Alan Agius 8528073f6c fix(dev-infra): remove bots from special thanks section (#42697)
With this change we remove known used bots from special thanks section in the changelog.

PR Close #42697
2021-06-29 11:13:50 -07:00
Paul Gschwendtner f29fe5ced0 fix(dev-infra): use API pagination for retrieving project branches (#42666)
We rely on a Github API `/branches` request to determine the active
release trains. Currently this logic is broken if more than 100
protected branches exist within a repository. This issue surfaced
recently where the `items_per_page` setting was set to `30`, causing
the merge tooling and release tooling to not detect the proper "latest"
release train.

This commit uses Github pagination for retrieving branches to determine
the active release trains, and makes the logic more long-term proof.

PR Close #42666
2021-06-29 10:33:54 -07:00
Paul Gschwendtner 279e63f65f refactor(dev-infra): update octokit to latest version v18 (#42666)
We previously held off with updating Octokit to v18 due to
their more noticeable issues with typings. This commit updates
us to the latest version in order to take advantage of the new
pagination API (which is also strongly-typed), and to not fall
behind too much over time (Octokit seems to change quite often..)

We work around the problem with the types for `getContent` by just
using a type cast with a TODO (and link to the issue). Similarly we
work around a problem where the Octokit types have an incorrect type
for the name of the labels array in an API response.

PR Close #42666
2021-06-29 10:33:54 -07:00
Paul Gschwendtner 41823ff277 feat(dev-infra): add command for printing release train information (#42644)
Currently the active release trains are printed when a developer
runs `ng-dev publish release`. This is not ideal because it requires
the developer to provide an OAuth token, to be on the next branch, and
to have no uncommitted changes, while the actual release train
information is not dependent on these checks.

This commit introduces a new command called `ng-dev release info` that
can be used to retrieve release information without the aforementioned
requirements. Note that this command provides more detailed information
about release branches than the `ng-dev caretaker check` command (which
also requires authentication as a side note). The `release info`
command also prints active LTS branches for example.

PR Close #42644
2021-06-28 11:50:57 -07:00
Alex Rickabaugh 261b060fa1 fix(dev-infra): fetch 100 branches from Github instead of 30 (#42658)
This commit fixes an issue with the ng-dev tool, where Github's API returns
paginated branch data. Only 30 branches are returned by default, and Angular
now has more than 30 branches in its repo. This commit increases the number
of branches returned to the API limit of 100, which should buy us some time
until we can implement proper pagination.

PR Close #42658
2021-06-24 17:26:24 -07:00
Joey Perrott 81a19e4e65 feat(dev-infra): update pullapprove verification to ensure all groups have reviewers (#42614)
Update the pullapprove verification tooling to ensure a reviewer is defined for
each group. This is being done in preparation for the upcoming change to how
pullapprove billing works. The new billing will work on a seats based approach
rather than flat usage.

PR Close #42614
2021-06-22 16:27:36 +00:00
Paul Gschwendtner 1684b70b88 test(dev-infra): always use same virtual git client instance in publish tests (#42468)
With the recent refactorings to `GitClient`, where singletons
are created and can be retrieved through a static method, the
test has been updated to also install spies for the static methods
of `GitClient`. This commit updates the spy installation so that
the same mock git client is used that is also passed manually to
the release actions. Having two separate instances of the mock
git client could result in false-positive test results.

PR Close #42468
2021-06-03 14:34:33 -07:00
Paul Gschwendtner 67f65a9d25 refactor(dev-infra): improve type-safety of git client utility (#42468)
Currently the `GitClient` accepts a generic parameter for determining
whether the `githubToken` should be set or not. This worked fine so far
in terms of distinguishing between an authenticated and
non-authenticated git client instance, but if we intend to conditionally
show methods only for authenticated instances, the generic parameter
is not suitable.

This commit splits up the `GitClient` into two classes. One for
the base logic without any authorization, and a second class that
extends the base logic with authentication logic. i.e. the
`AuthenticatedGitClient`. This allows us to have specific methods only
for the authenticated instance. e.g.

  * `hasOauthScopes` has been moved to only exist for authenticated
    instances.
  * the GraphQL functionality within `gitClient.github` is not
    accessible for non-authenticated instances. GraphQL API requires
    authentication as per Github.

The initial motivation for this was that we want to throw if
`hasOAuthScopes` is called without the Octokit instance having
a token configured. This should help avoiding issues as within
3b434ed94d
that prevented the caretaker process momentarily.

Additionally, the Git client has moved from `index.ts` to
`git-client.ts` for better discoverability in the codebase.

PR Close #42468
2021-06-03 14:34:33 -07:00
Paul Gschwendtner fa84d19e97 refactor(dev-infra): always use en-US locale for printing date in merge tool (#42470)
In the dev-infra merge tool, a test fails locally if it runs on
a system with a different system locale. We can either make the
test more flexible, or update the merge tool to always print the date
in `en-US` format. The latter is more reasonable given our console
messages being in English anyway.

PR Close #42470
2021-06-03 13:19:03 -07:00
Paul Gschwendtner a16f82b851 refactor(dev-infra): move shared browser bazel setup into dedicated bazel folder (#42268)
This change moves the `dev-infra/browsers` folder into `dev-infra/bazel`.
The browser folder is providing custom configuration for Bazel, so it
should live within the `bazel` folder for a more well-structured
`dev-infra` folder.

PR Close #42268
2021-06-03 10:37:41 -07:00
Paul Gschwendtner 49c3ce58bf refactor(dev-infra): remove duplicate method that checks for uncommitted changes (#42409)
Removes the duplicate `hasLocalChanges` method from the Git client. We
already have `hasUncommittedChanges`. Also removes a TODO for adding
`assertNoLocalChanges` as it seems more flexible to manually check
(i.e. better messaging with context on the current tool; e.g. "cannot
perform rebase")

PR Close #42409
2021-06-03 10:36:40 -07:00
Paul Gschwendtner 97c5a3ae6f feat(dev-infra): prevent deprecations from being merged into patch branch (#42454)
As per SemVer, deprecations should only be released if the
minor version is incremented. This means that we should error
if commits w/ deprecations target an upcoming patch, LTS release.

Additionally, we also error if deprecations are made as part of
an upcoming release-candidate.

PR Close #42454
2021-06-02 13:23:54 -07:00
Paul Gschwendtner 107f15df03 refactor(dev-infra): add JSDoc throws description to assertion functions (#42454)
Adds the JSDoc `@throws` annotation to functions that would throw
within the ng-dev tool. We want to add `@throws` to clearly
communicate if the invocation of a function results in errors or not.

This helps if IDEs show the `@throws` annotation on invocation, or
if TS ever lands a feature like Java `throws`, with more fine-grained
and typed error handling.

PR Close #42454
2021-06-02 13:23:54 -07:00
Paul Gschwendtner d3531a7d41 fix(dev-infra): breaking change and deprecation notes incorrectly picked up (#42436)
If a commit message currently mentions the breaking change or
deprecation note keywords, the commit message parse logic
accidentally picks up the note. This could then accidentally
prevent the commit from being merged (e.g. if the commit targets
the patch branch but mentioned the `BREAKING CHANGE: ` marker).

This commit switches the commit message notes pattern to only
capture notes at the beginning of a line (also allowing accidental
whitespace). This matches with the format we describe in our
contribution guide, as well as with our commit message validation
logic that also assumes notes at the beginning of a line.

PR Close #42436
2021-06-02 13:22:55 -07:00
Paul Gschwendtner bc5a8f4d37 feat(dev-infra): validate deprecation notes in commit messages (#42436)
Currently the commit message validation tool from `ng-dev` validates
the `BREAKING CHANGE:` commit message notes. This commit adds a similar
check for `DEPRECATED:` commit message notes.

Additionally, the check for breaking changes is reworked slightly to
be more tolerant (i.e. if there is only a single line break after the
summary; this is acceptable as per the parser and commonly done in the
COMP repo). The checks have been updated to capture wrong keywords that
are commonly used instead of the correct one. e.g. if a commit message
uses `DEPRECATIONS:` instead of `DEPRECATED:`, the validation will fail.

This prevents changelog generation issues where breaking change notes,
or deprecations are missing. This happened in the COMP repo where
the `DEPRECATED:` keyword was used incorrectly. See:

99391e7939

PR Close #42436
2021-06-02 13:22:55 -07:00
Paul Gschwendtner f8814d3558 fix(dev-infra): update outdated build-worker.js file (#42458)
Updates the outdated build-worker.js file. This file has
been accidentally not updated when we fixed the Octokit
authentication to unblock the caretaker.
2021-06-02 13:13:26 -07:00
Paul Gschwendtner 3b434ed94d fix(dev-infra): github oauth token not picked up by Octokit (#42456)
We recently updated `@octokit/rest` to a more recent version. For this
the Github client had to be refactored to account for new types of
Octokit. With the refactorings the authentication of the Github
client broke as we used an incorrect option for setting the OAuth
token. The TS transpilation did not fail because the Octokit types
support arbitrary options in the constructor. This is not solvable
on our side, so we cannot prevent similar issues in the future
unfortunately. Adding tests for authentication is not a reasonable
option either.
2021-06-02 12:48:51 -07:00
Joey Perrott aeb407296b refactor(dev-infra): update to later version of @octokit/rest and remove class extension of Octokit (#42395)
Update @octokit/rest and remove the usage of a class extension of Octokit as the
class does not have a class define constructor.

PR Close #42395
2021-06-01 10:14:48 -07:00
Joey Perrott acfa0647b7 fix(dev-infra): build with stamping for release builds (#42354)
`ng-dev release build` should always build with version stamping rather than
snapshot stamping.

PR Close #42354
2021-05-26 17:51:56 +00:00
Joey Perrott 4afad03312 feat(dev-infra): add `ng-dev build-and-link` command (#42319)
Add a command to build the release output without stamping for release
and link via `yarn link` the generated builds to a project provided.

PR Close #42319
2021-05-25 22:11:03 +00:00
Joey Perrott f424aa3f0f feat(dev-infra): add support for determining if builds should be stamped (#42319)
Add support for the build process to determine if the generated builds
should be stamped for release.

PR Close #42319
2021-05-25 22:11:03 +00:00
Joey Perrott 594e63315e feat(dev-infra): add release notes generation to ng-dev (#42225)
Adds tooling to create ad-hoc release note entries via `ng-dev release notes`.

PR Close #42225
2021-05-25 18:00:04 +00:00
Joey Perrott a9584c929b refactor(dev-infra): move the release notes into its own directory under release (#42225)
Move the release notes tooling under its own directory under release rather than
within publish, in preparation to have a release note generation command for ad-hoc
release note generation.

PR Close #42225
2021-05-25 18:00:04 +00:00
Paul Gschwendtner c3cbfc22e0 fix(dev-infra): format command incorrectly prints outdated files (#42252)
When `ng-dev format --check` is run, the ng-dev tool prints out
all files that are out-of-date. We recently updated the format
tool to also capture `stderr` for failed files. This broke the
console message as we did not unwrap the `FormatFailure` to
their file path when printing the "ng-dev format" fix command.

PR Close #42252
2021-05-25 17:57:01 +00:00
Joey Perrott 4ac55ca676 fix(dev-infra): use template strings for release note templates (#42224)
Use template strings for release note templates rather than loading `ejs` files at runtime.

PR Close #42224
2021-05-24 14:48:02 +00:00
Paul Gschwendtner 8c158babdc fix(dev-infra): formatting errors not reported with failure message (#42202)
Currently if formatting for a file fails due to a formatter error,
the `ng-dev` tool reports that formatting failed, but no actual
error (or involved file) is printed out. This commit prints out
the failed files with their error message.

PR Close #42202
2021-05-21 18:06:47 +00:00
Joey Perrott ec78e68a36 fix(dev-infra): correct FormatConfig interface (#42154)
Correct the FormatConfig interface to use `[key: string]` instead of the incorrect
`[keyof: string]`.

PR Close #42154
2021-05-18 15:40:23 -07:00
Paul Gschwendtner 9d75687f62 feat(dev-infra): publish major versions to "next" NPM dist tag (#42133)
Previously, the dev-infra release tool would publish major versions
directly to the NPM `@latest` dist tag. This is correct in theory, but
rather unpractical given that we want to publish packages first as
`@next` so that other dependent Angular packages can update too,
allowing us to publish all main Angular packages (from FW, COMP
and TOOL) at the same time to `@latest` on NPM.

This involves creating a new release action for re-tagging the
previously released major as `@latest` on NPM.

PR Close #42133
2021-05-18 14:04:14 -07:00
Paul Gschwendtner 48f49bacb4 refactor(dev-infra): improve type safety of NPM dist tags in release tool (#42133)
Instead of passing `string` in the release tool for NPM dist tags, we
should use a union string type that limits the tags to `latest`, `next`
and anything matching `v{number}-lts`. This avoids mistakes at
compilation-level if an invalid/unknown tag would be set by a release
action.

PR Close #42133
2021-05-18 14:04:14 -07:00
Joey Perrott 6d87895ffd test(dev-infra): add testing for integration of ReleaseNotes in publishing tooling (#41967)
Add testing of the ReleaseNotes integration with the release publishing tooling.

PR Close #41967
2021-05-14 21:07:27 +00:00
Paul Gschwendtner 7fb8527e1e refactor(dev-infra): remove invoke bazel clean command from release tool (#42101)
Currently the ng-dev release tool always runs `bazel clean` before
calling the configured build release function. The clean is necessary
to ensure the release output is actually built; and not restored
from previous builds which could have different bazel workspace
status variables (which provide the NPM package version).

Instead of doing this as part of the release tool, the
actual script running to build the release output should
run the `bazel clean`. The release tool does not intend to
know about details on how the release output is built. This
is necessary because the build setup could vary between version
branches (especially for older ones; such as LTS version branches).

PR Close #42101
2021-05-14 21:06:09 +00:00
Paul Gschwendtner 2843f15e8c fix(dev-infra): merge tool should ensure that token has `workflow` oauth scope (#41989)
Currently if a PR modifies any file that configures a Github action
(e.g. a workflow file), the caretaker might face an error when merging
such a PR:

```
! [remote rejected]       merge_pr_target_11.2.x -> 11.2.x (refusing to allow a Personal Access Token to create or update workflow
```

This happens because Github requires the token being used for the
push operation to have the `workflow` scope set. This is a special
scope added by Github to ensure that no changes can be made on
upstream branches that might expose the `GITHUB_TOKEN` environment
variable, which is available for push builds and could cause the
token being leaked.

With this commit we enforce that the caretaker adds the workflow
scope to their github token. Since PRs can only be merged if reviewed
thoroughly, it's acceptable to allow workflow file changes being
merged through the merge tool by the caretaker (especially since we
also allow CircleCI config files being merged with the default
`repo`/`public_repo` scope).

PR Close #41989
2021-05-07 14:10:39 -04:00