From 20c8f8f92ab39ad3aac8a8d4c74a3eca81785aa6 Mon Sep 17 00:00:00 2001
From: Andrew Gable
Date: Wed, 16 Oct 2024 12:36:14 -0600
Subject: [PATCH 1/2] Publish via npm using a new bot and signing method
---
.github/OSBotify-private-key.asc.gpg | Bin 3940 -> 0 bytes
.github/workflows/publish.yml | 94 ++++++++-------------------
2 files changed, 28 insertions(+), 66 deletions(-)
delete mode 100644 .github/OSBotify-private-key.asc.gpg
diff --git a/.github/OSBotify-private-key.asc.gpg b/.github/OSBotify-private-key.asc.gpg deleted file mode 100644 index 03f06222d0fe956cdb4d3cc00df9b2ff3566da21..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3940 zcmV-q51a6e4Fm}T0wnTvM*#)?4ffLO0iQFMt9JY89BP@dCk-creW&cdTFluB9b0WJ z`5Jxzm-8iHfDXd^NMZn%XQEG~HsZ|Z;ISa8KCll~NZ(rmGeQixzP#G^bL%h4 zEf)F@!Cm6&69|TE&bT@2*g0eLG49}RV)=eRBQ#UCQM&IqjOWfgIJ%(!`quL`JX#H1 z#x#56zHFP|551^rEhB&c)y@=-xSGUgTg`IQ@W+*kBt}5jPn`?#^83_6NZvM zdtsv2vj!9TD(SJP;6I>-nsLeg*nVX&`$w`$|Zgphf>F&nNycOHHU1QVnki1V4#UpE6q!H z4)6#qzw6FXv!%py6X8*9JJtwwyg{O5i?`nCQS`y&orz;SYrZ62Ay=&m_rLJ8rz%M@`wjrns3awz_RwAINPTIag2!#Qg+9lW>{{RjL zeIu9=L+XM?P*)8^BQ8PkuF<~T`o8=b7;Mf~P$JpO^}ulO|C?NkPj4x*rhJp*V}){R zSq#}3B(=OBw&arj#vku&tTIaDo+QlK`s5)uDd5(kRzxjr5(Hp^2_Sr&rpv`-s$8pT zc^MHBx7JGGQR=jH!)lKiTUen6YJzK-$;V%E&S?}~+3Pf}jPvcJ+Q)B>!} z|3Q+7&b?oi!yN4Yuf?r4Bhf(`qX`k$)s-~}{J7R62%e5qFks^&Ni~Mj=6JTV7ENG? zq{5Q>nNgqxUF;t;I)z#GjwyhLM4Vv7KIs3wLK{Yfu ze_lTiC2cu#Z;T$_@X<7kG#-*_9f_@})}??-0qgq$Y!h zka2r$c|}eYi})3Q@Z>KL`k|BMZZOa1!cCHMfen8Xe^A6;4a{a;eVoNxr^@{Exk3KB zBWIke_A7QZ?$#v?LOmDP8=eQ`29>E^^g4#v0oQc+l*z0bxN6%VkR47L!lwfIj~72q zE8!L7OokaOxXA>qhBqfC#cZyT8Ku`Y{*PdU(Gbtx(Ps74EhkdQIqI<{;Ocv6OcySX zm?*<2{u+r~j08w3`(1hp!F2v(wnKE@zLu#mCrY~i{QB(pzmKz=4qpc+*9EGA7! z+d!M1qoB^AOx^s<%8!SQ-&^$&#rf zPPQP+Dp7;iL(HKglQ3^1OUi7Tk2w*(0^0EUAn}Qu{#jOM;xV*sGXm6QcYBQ0HHn}G z71D#+9Z3NJhX}&Y*Of&V@@=Y4h2!`ff4LVH=h! 
zVeP^DVwg+ZeI#lPtBO?eO5oRMgU1BQRSW;^U+IAjItQ?;Jjb?tXo8INvs6aq9MHXP zv`M^QAmk-8czmzrgUNH|z=AX=7xu#v!Cg`2D+qbLZ$=iD|2)mqi9n2ZzyX|Q8Z?bD zKIZy)>_?zC`Sa(^@v~uILjoe*w6atyEJhOBpf-0eoFhwt>X2JU1q)b+B6I()z5K|t zhaHTb-vrRj^ysiqIXQL*r0x2w^NqJuDY5*rpii?N>zG-LS}g``kL|_wKe4o{?WjQy zWCd%OI2gKLXv6v>h~H4xyRaX_7{sWGe~5qW#T#}fvRdLIk`54e5sc=`9Q;(Y3yP{lV4xz@~r&Km}?JngC5Z4w-$ zyS`S4gn*=&82?#28cgHPs91VnVh}w&Pv{j_ohF9yoa;I3LwZJFc&D43!G_BZdC4a= zveya$JV}IpvS855XE<8H#nQIs!IVJVR!922xLQ*E$oV8IKv&PQNCW5kQNFx=>#6T* zw2v-Aj%kz*X2_B<@+p*kZD?`vxHzq05=daM7}i*>B6|4?mKuK~MW=-w&w6%W6N>IX|mAVW^$ z6MgQgmxE9TT8e2{i4M$&vKKWX!0d?~>_B_^*P?6#FhF1S%*q$$tDfkrQI6JNUI6F7 ziabF@=F>bZp9fp*4$DB_6nWp?a)BPS&v|lz8_NwVYj=8cQ3x_ObW>cFuu+Q z#<><}M4#7U#}oF9)1=sipuc?A(14A-);ofM-^b0t#&50h(%>qdKnKdvr zP1iA*{$hEX99eQ;Eg0zN2h4Z)o5@sm7C(7Ob14K)3l+kJVl_o;3IzSp?c~;VXx{lc zugCiz|3>`l=G(=5AIsD6mWz}SjR<0XCtdks7K#suJ>D_~`@EX-EG7N|kB8b;`pGB6 zmrSS!*?2>Egw(qcCm-Bh2~(on6p0&dyhN7>KGA~#cTz`kCt^fZ8Cjh2;+sv-#kJYN zB2u`x_jH=|b9TSDG!T%)&;Apj$Pe@1qJPcLYfno4DK= z!r*NNr}1Gq;Av+fe*RAzI(*N(c0#cTI+{kzq^C?=Z}}+{{H^mYs$KKx`NGCu=gqB> zSJ+S|#>8`PhzQnDnP(Fp*Fgnn?q{7;ul@c<>?B~3YC7N&uw#azYSf9zqmUWr(btQs zOS^fl2VDc6^sN<3iTH2V9ruj>Ub9Hm1e?y^o^n(=7H$SsK|lB86Dv%(`rv1=m@~S!^-$3-pDo--TGRih@HT&#+@% ze|ScY3(_Vc{$RR%pBbr0AW#@ZvU)Li3VQGm>Cr7!1uu9M0a_`;TF4!mJ4W{MlVOSe z2H}PJOq2u_&JQz&k7gbFP&eWKY=FpYgs>biap_-O?^@2?%~i=)AZKQ8wiYvy8*D~= z@cn04MH=GoL@sK$lC+xst@UV{K2;D5hXNt!EiisSi7w$>@soR=Mti}BtA0M4h>unx z^3_14W~&NIx}ICFMnz7F`uw4+uuq4-(+~~#PbqcNLK!@LV5SeSrj*krN9!#o;*fZA z)un`--6qnmDm5u_R>eFg6m1(+0G6`KB>e%9hmSrHKLOy$b%EGhhv2~hl-=FuW(anF z#s02EUTBm$elyuI5mo;veTPT$D&mSD;=^VIa1@P8td(<@dcB!Xef#oi-o$hk-nH-B z`ydt`X4>PCwj0d=%-*3ov40m_QO|xzUY;AJ4*yaJ;oOwCSGoN@6SIDB9Kox*$smAo z8k)%6M~y4pdU(b~6YaXo?xO>Z-zu;AJvH(y;sp{(d; z&P8rYkcL)mG}{FOJ~jmt?gBC;L1AHCbR?*FV*%54G+JVNLv=f9YY#D;0wG3vy5LPu z5!A;<<_$_Y^9#dH8TQjK+4OhL*=hbXI0-m_oF>{;k!Y_IAq2Sq zR6D(swr%6EG#bss!%YOYPxXge*hu9Do&_&bVn)?v^IBO7JX0u1TlkZ^$qr5+L&n1r zT5KP`QQ@t9cT+XhQ=+;GT0CAe&G{KnhLaYt%j7W(w}XnOvkSOee!c 
zh2{jxRAkwOv!P%@d!6A-AS$%Y)SgGr+i&eyKrs#+yQUFo${e$Gppy1H;*B^9A1xY) y%Z>H(8pCC4E%S6Ea96*e2}NkXPW>OI4tj1Ml9%4&k}@?~qT7!YP<26FZs%5&_MqPY diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b66c3aa..84b46e3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -1,74 +1,36 @@ name: Publish package to npmjs -# This workflow runs when code is pushed to `main` (i.e: when a pull request is merged) on: - push: - branches: [main] + push: + branches: [main] -# Ensure that only one instance of this workflow executes at a time. +# Ensure that only once instance of this workflow executes at a time. # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending. concurrency: ${{ github.workflow }} jobs: - version: - runs-on: ubuntu-latest - - # OSBotify will update the version on `main`, so this check is important to prevent an infinite loop - if: ${{ github.actor != 'OSBotify' }} - - steps: - - uses: actions/checkout@v4 - with: - ref: main - # The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify, which allows him to push to protected branches - token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }} - - - name: Decrypt & Import OSBotify GPG key - run: | - cd .github - gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg - gpg --import OSBotify-private-key.asc - env: - LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} - - - name: Set up git for OSBotify - run: | - git config --global user.signingkey AEE1036472A782AB - git config --global commit.gpgsign true - git config --global user.name OSBotify - git config --global user.email infra+osbotify@expensify.com - - - uses: actions/setup-node@v4 - with: - node-version-file: ".nvmrc" - registry-url: 'https://registry.npmjs.org' - - - name: Install npm packages - run: npm ci - - - name: Update npm version - run: npm version patch - - - name: Set new version in GitHub ENV - run: echo "NEW_VERSION=$(jq '.version' package.json)" >> $GITHUB_ENV - - - name: Push branch and publish tags - run: git push origin main && git push --tags - - - name: Publish to npm - run: npm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - 
- name: Get merged pull request - id: getMergedPullRequest - run: | - read -r number < <(gh pr list --search ${{ github.sha }} --state merged --json 'number' | jq -r '.[0] | [.number] | join(" ")') - echo "number=$number" >> "$GITHUB_OUTPUT" - env: - GITHUB_TOKEN: ${{ github.token }} - - - name: Comment on merged pull request - run: gh pr comment ${{ steps.getMergedPullRequest.outputs.number }} --body "🚀Published to npm in v${{ env.NEW_VERSION }}" - env: - GITHUB_TOKEN: ${{ github.token }} + get_pull_request: + # os-botify[bot] will update the version on `main`, so this check is important to prevent an infinite loop + if: ${{ github.actor != 'os-botify[bot]' }} + runs-on: ubuntu-latest + outputs: + pull_request_number: ${{ steps.getMergedPullRequest.outputs.number }} + steps: + - uses: actions/checkout@v3 + with: + ref: main + + - name: Get merged pull request + id: getMergedPullRequest + uses: actions-ecosystem/action-get-merged-pull-request@59afe90821bb0b555082ce8ff1e36b03f91553d9 + with: + github_token: ${{ github.token }} + + publish: + needs: get_pull_request + uses: Expensify/GitHub-Actions/.github/workflows/npmPublish.yml@main + secrets: inherit + with: + repository: ${{ github.repository }} + # 'outputs' provides a string, and we need a number, so we use fromJSON to convert it + pull_request_number: ${{ fromJSON(needs.get_pull_request.outputs.pull_request_number) }} From 8ae11d294c1d41030fb5a4a76e3daa1860b95425 Mon Sep 17 00:00:00 2001 From: Andrew Gable Date: Wed, 16 Oct 2024 12:39:10 -0600 Subject: [PATCH 2/2] Improve english --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 84b46e3..ea6fa3e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
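Review bot: The new `publish` job calls `Expensify/GitHub-Actions/.github/workflows/npmPublish.yml@main` with `secrets: inherit`, so every secret of this repository is handed to whatever that branch contains at run time, while the third-party action in `get_pull_request` is pinned to a full commit SHA. Pinning the reusable workflow the same way (`uses: Expensify/GitHub-Actions/.github/workflows/npmPublish.yml@<commit-sha>`) and replacing `secrets: inherit` with an explicit `secrets:` map of only the entries the callee declares would keep the exposure of the publish credentials reviewable from this file. Neither job declares `permissions:`, so the repository's default token scope applies; `get_pull_request` appears to need only read access, e.g. `permissions: { contents: read, pull-requests: read }`. `actions/checkout@v3` is also a step back from the `v4` the removed job used. Because this hunk drops the decrypt-and-import step, the encrypted key blob remains in git history, so the signing key `AEE1036472A782AB`, `LARGE_SECRET_PASSPHRASE` and `OS_BOTIFY_COMMIT_TOKEN` are worth revoking or rotating once nothing else depends on them.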
@@ -4,7 +4,7 @@ on: push: branches: [main] -# Ensure that only once instance of this workflow executes at a time. +# Ensure that only one instance of this workflow executes at a time. # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending. concurrency: ${{ github.workflow }}