
Set up a common workflow to push a package to npm when we issue a release #112

Open
2 tasks done
gurgunday opened this issue Nov 22, 2023 · 5 comments

Comments

@gurgunday
Member

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Why?

To release a new version of any package, we lose a somewhat significant amount of time (checking out locally, syncing, etc.)

An example of how simple things can be: https://github.com/gurgunday/html/blob/e60791ff5f557c9eb51c75f8f80008e74bfa3ced/.github/workflows/npm-publish.yml

And the action runs automatically after a release is issued:
https://github.com/gurgunday/html/releases/tag/v7.0.0
https://github.com/gurgunday/html/actions/runs/6941110154

We just need to create an automation token on NPM and add it to GitHub

Another benefit: it also signs the commit during the workflow, so if we have any paranoid users, they can verify that the release matches what they see on GitHub

What do you all think?

Motivation

No response

Example

No response

@jsumners
Member

This is a complicated task. The OpenJSF team is going to provide some solutions around this.

@Eomm
Member

Eomm commented Nov 23, 2023

Duplicates fastify/fastify#2748

Anyway I talked about it with @mcollina and he told me that he will show us a demo about the process he would like to suggest.

The constraints I collected are:

  • one NPM scoped token per repo (not a GOD MASTER TOKEN that can release everything)
  • benefit from the npm provenance**
  • avoid manual steps***
  • bullet proof security
  • automated token rotation (currently tokens are valid for at most 12 months)

**) I think npm misses a feature where you force that a package MUST have a provenance from XYZ provider to be published TBH. In this case, even if the GOD MASTER TOKEN would be leaked, it would be almost useless.

***) I think the only bullet proof security is the OTP, but we don't want manual steps... so I'm a bit confused about these requirements. For this reason I'm waiting for the demo

@mcollina
Member

Once we have a token with the right permissions, setting up automated publish is a superset of

https://github.com/mcollina/test-publish/blob/main/.github/workflows/publish.yml

and

https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml

Note that the use of environment: main in https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml#L17 allows us to limit the secrets to only the main branch of a repository, essentially making it secure.

You can read more about environments at https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment.
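For reference, a workflow of the shape discussed in this thread (a per-repo automation token kept in an environment-scoped secret, npm provenance enabled, no manual steps), written here as an added example rather than the gurgunday/html, mcollina/test-publish or platformatic workflows linked above. The environment name `main` follows the comment above; the secret name `NPM_TOKEN` and Node version are assumptions.

```yaml
# Added example workflow: publish to npm when a GitHub release is published.
name: npm-publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Secrets stored on this environment are only exposed to jobs that
    # reference it, and the environment's protection rules control which
    # refs may do so, so the token is not available to arbitrary branches.
    environment: main
    permissions:
      contents: read
      # Lets the job request an OIDC token, which npm uses to build the
      # provenance attestation tying the tarball to this run and commit.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Writes an .npmrc that reads the token from NODE_AUTH_TOKEN
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance publishes a Sigstore-signed attestation alongside the
      # package so consumers can check it was built by this workflow.
      - run: npm publish --provenance --access public
        env:
          # NPM_TOKEN is an assumed name for an environment-scoped
          # automation token, one per repository.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Scoping the secret to the environment, rather than the repository, is what makes the "one token per repo" constraint meaningful: a workflow on another branch cannot read it even though it runs in the same repository.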

@voxpelli

This is a complicated task. The OpenJSF team is going to provide some solutions around this.

Has there been any update on this? Been planning to set this up for another OpenJSF-project (Mocha) so I have been watching this thread

@gurgunday
Member Author

It is blocked I believe

fastify/fastify#5386
