chore: merge main (#2606)

* Updates to node v16.20.2 to resolve a high priority vulnerability (#2571)

Co-authored-by: Justin Wilaby <[email protected]>

* fix: remove unneeded pricing language for teams (#2575)

* fix: remove unneeded pricing language for teams

* fix: remove tests related to unneeded pricing language

* chore: add windows pack, upload, and promote scripts to workflows (#2573)

* chore: add pack:win and upload:win scripts to package.json

* chore: add pack-and-upload-windows to pack-upload workflow

* chore: add promotion of windows installer to promote workflow

* chore: remove rollback automation (#2576)

* chore: remove homebrew rollback script

* chore: remove rollback workflow

* chore: comment out windows promote task for now

* chore: comment out pack-and-upload-windows job for now

* chore: remove windows name from package.json for now

* test: update run-v5 integration test (#2587)

* fix: bump @oclif/plugin-update to a version that doesn't delete the CLI (#2585)

* fix: bump @oclif/plugin-update to a version that doesn't delete the CLI

* fix: another integration test due to api bug

* chore: add workflows and scripts for uploading to and downloading from stampy (#2586)

* chore: add workflow to transfer signed windows installer to CLI s3 bucket

* chore: add workflow to clean up stampy buckets

* chore: uncomment pack-and-upload-windows job

* chore: add workflow to promote windows installer to stable

* chore: add name for Windows installer to package.json

* chore: add workflow for uploading windows installers to stampy

* chore: update file permissions on script files

* chore: add environment for access to stampy secrets

* chore: change environment name to title case

* chore: move pack and upload windows scripts to pack-upload workflow and add root

* chore: move pack windows script to separate workflow and update oclif version (#2593)

* chore: move pack windows job to separate workflow

* chore: upgrade oclif and fix command

* chore: upgrade to oclif 4.3.6

* chore: remove node setup

---------

Co-authored-by: Justin Wilaby <[email protected]>
Co-authored-by: Justin Wilaby <[email protected]>
Co-authored-by: RyanDagg <[email protected]>

.github/workflows/empty-stampy-buckets.yml

@@ -0,0 +1,24 @@
+name: Empty Stampy signed and unsigned buckets
+on:
+  workflow_dispatch
+
+jobs:
+  copy-to-stable:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - name: Empty Stampy signed and unsigned buckets
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
+          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          node scripts/empty-stampy-buckets.js

.github/workflows/get-signed-from-stampy.yml

@@ -0,0 +1,30 @@
+name: Get signed installers from Stampy
+on:
+  workflow_dispatch
+
+jobs:
+  get-signed-from-stampy:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - uses: actions/checkout@3
+      - name: download signed Windows installer from from Stampy
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        # switch AWS identity to the one that can access stampy
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ .
+      - name: upload signed Windows installer to Heroku CLI s3
+        env:
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: node ./scripts/upload-stampy-signed.js

.github/workflows/pack-upload-windows.yml

@@ -0,0 +1,26 @@
+name: Pack and Upload Windows Installers
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  pack-and-upload-windows:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@41775cf0c82ef066f1eb39cea1bd74697ca5b735
+      - name: Install NSIS
+        run: brew install nsis
+      - name: yarn install
+        run: yarn --immutable --network-timeout 1000000
+      - name: pack windows installer
+        run: yarn oclif pack win --defender-exclusion hidden --root="./packages/cli"
+      - name: upload windows installer
+        run: yarn oclif upload win --root="./packages/cli"

.github/workflows/pack-upload.yml

@@ -103,4 +103,4 @@ jobs:
           cd packages/cli
           pwd
           yarn oclif upload tarballs
-          ./scripts/upload/deb
+          ./scripts/upload/deb

.github/workflows/promote-windows.yml

@@ -0,0 +1,38 @@
+name: Promote signed Windows installer
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: version to promote to stable (this should be the latest release version)
+        type: string
+        required: true
+
+jobs:
+  promote:
+    name: Promote ${{ inputs.version }}  of the Windows installer to stable
+    runs-on: ubuntu-latest
+    env:
+      CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+          cache: yarn
+      - run: yarn --immutable --network-timeout 1000000
+      - name: install apt-get dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y awscli jq
+      - name: promote
+        env:
+          prerelease-channel: ${{ inputs.channel || 'beta'}}
+        run: |
+          SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
+          yarn oclif promote --win --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel="stable"
+        shell: bash

.github/workflows/upload-to-stampy.yml

@@ -0,0 +1,45 @@
+name: Upload unsigned Windows installers to Stampy
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: version to upload (this should be the latest release version)
+        type: string
+        required: true
+
+jobs:
+  get-signed-from-stampy:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - uses: actions/checkout@3
+      - name: get version sha
+        id: versionSha
+        run: echo SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]') >> "$GITHUB_ENV"
+      - name: save filename (without arch/extension) for reuse
+        id: filename
+        run: echo "FILEBASE=heroku-v${{inputs.version}}-${{steps.versionSha.outputs.SHA}}" >> "$GITHUB_ENV"
+      - name: download Windows installers from s3
+        env:
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: |
+          aws s3 cp s3://heroku-cli-assets/versions/${{inputs.version}}/${{steps.versionSha.outputs.SHA}}/${{steps.filename.outputs.FILEBASE}}-x86.exe .
+          aws s3 cp s3://heroku-cli-assets/versions/${{inputs.version}}/${{steps.versionSha.outputs.SHA}}/${{steps.filename.outputs.FILEBASE}}-x64.exe .
+      - name: upload unsigned Windows installers to Stampy
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        # switch AWS identity to the one that can access stampy
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          aws s3 cp ${{steps.filename.outputs.FILEBASE}}-x86.exe $STAMPY_UNSIGNED_BUCKET/${{steps.filename.outputs.FILEBASE}}-x86.exe
+          aws s3 cp ${{steps.filename.outputs.FILEBASE}}-x64.exe $STAMPY_UNSIGNED_BUCKET/${{steps.filename.outputs.FILEBASE}}-x64.exe

package.json

@@ -11,7 +11,7 @@
     "execa": "5.1.1",
     "lerna": "^6.4.1",
     "mkdirp": "^0.5.2",
-    "oclif": "3.11.3",
+    "oclif": "4.3.6",
     "promise-request-retry": "^1.0.2",
     "qqjs": "0.3.11",
     "standard": "12.0.1",

packages/cli/package.json

@@ -32,7 +32,7 @@
     "@oclif/plugin-legacy": "^1.3.0",
     "@oclif/plugin-not-found": "2.3.16",
     "@oclif/plugin-plugins": "2.4.3",
-    "@oclif/plugin-update": "3.1.10",
+    "@oclif/plugin-update": "3.2.4",
     "@oclif/plugin-version": "^1.2.1",
     "@oclif/plugin-warn-if-update-available": "2.0.29",
     "@oclif/plugin-which": "2.2.8",
@@ -128,7 +128,7 @@
     "typescript": "4.8.4"
   },
   "engines": {
-    "node": ">=14"
+    "node": "~16.20.0"
   },
   "files": [
     "/autocomplete-scripts",
@@ -182,6 +182,9 @@
       "sign": "Developer ID Installer: Heroku INC",
       "identifier": "com.heroku.cli"
     },
+    "windows": {
+      "name": "Heroku CLI"
+    },
     "topics": {
       "2fa": {
         "description": "two-factor authentication",
@@ -304,7 +307,7 @@
     },
     "update": {
       "node": {
-        "version": "16.19.0"
+        "version": "16.20.2"
       },
       "s3": {
         "xz": true,
@@ -339,16 +342,16 @@
   },
   "repository": "heroku/cli",
   "scripts": {
-    "lint": "eslint . --ext .ts --config ../../.eslintrc --ignore-path ../../.eslintignore-lib",
     "build": "rm -rf lib && tsc",
+    "lint": "eslint . --ext .ts --config ../../.eslintrc --ignore-path ../../.eslintignore-lib",
     "postpublish": "rm -f oclif.manifest.json",
+    "posttest": "yarn lint",
     "prepack": "yarn run build && oclif manifest",
     "pretest": "tsc -p test --noEmit && cd ../.. && yarn build",
-    "test": "yarn pretest && nyc mocha --forbid-only \"test/**/*.unit.test.ts\" && yarn posttest",
     "test:acceptance": "yarn pretest && mocha --forbid-only \"test/**/*.acceptance.test.ts\" && node ./bin/bats-test-runner",
     "test:integration": "yarn pretest && mocha --forbid-only \"test/**/*.integration.test.ts\"",
     "test:smoke": "yarn pretest && mocha --forbid-only \"test/**/smoke.acceptance.test.ts\"",
-    "posttest": "yarn lint",
+    "test": "yarn pretest && nyc mocha --forbid-only \"test/**/*.unit.test.ts\" && yarn posttest",
     "version": "oclif readme --multi && git add README.md ../../docs"
   },
   "types": "lib/index.d.ts"

packages/orgs-v5/commands/members/add.js

@@ -34,8 +34,6 @@ async function run(context, heroku) {
   } else {
     await Utils.addMemberToTeam(email, role, groupName, heroku)
   }
-
-  await Utils.warnIfAtTeamMemberLimit(teamInfo, groupName, context, heroku)
 }
 
 let add = {

packages/orgs-v5/commands/members/set.js

@@ -6,13 +6,11 @@ const {flags} = require('@heroku-cli/command')
 const {RoleCompletion} = require('@heroku-cli/command/lib/completions')
 
 async function run(context, heroku) {
-  let teamInfo = await Utils.teamInfo(context, heroku)
   let groupName = context.flags.team
   let email = context.args.email
   let role = context.flags.role
 
   await Utils.addMemberToTeam(email, role, groupName, heroku, 'PATCH')
-  await Utils.warnIfAtTeamMemberLimit(teamInfo, groupName, context, heroku)
 }
 
 let set = {

packages/orgs-v5/lib/utils.js

@@ -49,26 +49,6 @@ let addMemberToTeam = async function (email, role, groupName, heroku, method = '
   await cli.action(`Adding ${cli.color.cyan(email)} to ${cli.color.magenta(groupName)} as ${cli.color.green(role)}`, request)
 }
 
-let warnIfAtTeamMemberLimit = async function (teamInfo, groupName, context, heroku) {
-  // Users receive `You'll be billed monthly for teams over 5 members.`
-  const FREE_TEAM_LIMIT = 6
-
-  if (teamInfo.type === 'team') {
-    let membersAndInvites = {
-      invites: await heroku.request({
-        headers: {
-          Accept: 'application/vnd.heroku+json; version=3.team-invitations',
-        },
-        method: 'GET',
-        path: `/teams/${groupName}/invitations`,
-      }),
-      members: await heroku.get(`/teams/${groupName}/members`),
-    }
-    const membersCount = membersAndInvites.invites.length + membersAndInvites.members.length
-    if (membersCount === FREE_TEAM_LIMIT) cli.warn("You'll be billed monthly for teams over 5 members.")
-  }
-}
-
 module.exports = {
   addMemberToTeam,
   getOwner,
@@ -77,5 +57,4 @@ module.exports = {
   teamInfo,
   printGroups,
   printGroupsJSON,
-  warnIfAtTeamMemberLimit,
 }