Release workflow #744
Release workflow #744
Conversation
|
@mapsam Given all the progress that has been made in the past 24 hours, I believe that we need a provisional release of You or one of your colleagues would need to work with @acalcutt to add the required If you have a different workflow for solving #739 then we would follow your lead. |
|
Just an FYI, if you did follow my instructions, when running the first command, any 'pre' version will make a pre-release/next release when published. So with a version incremted like |
|
I gave this a test on my fork, and fixed a few issues and make it more similar to the ci. it should now be working correctly. I used it to make this test release https://www.npmjs.com/package/@acalcutt/node-pre-gyp/v/2.0.0-pre.1 it was made in this workflow run |
|
Nice work y'all 🙌 happy to get Update: see my comment in #739 (comment) |
|
@acalcutt @cclauss unsurprisingly, it's a little hard for me to get a static NPM token for our A couple questions:
|
|
|
|
The only way to trigger this would be to push a version change to the master branch on this repo into package.json. So either by a PR, which a maintainer would have to approve, or by a commit by someone who has admin rights to bypass branch protection. If someone forks this repo, the workflow will not be able to publish because a valid 'NPM_TOKEN' will not exist in the new repository (it would only exist in this one). They could add their own NPM_TOKEN into their repo, but they would have to have permissions to update the package or it fails. |
|
Thanks for the quick response @acalcutt! |
|
For example, to publish my test version, I had to do 3 things 1.) change my package.json package name 2.) change the workflow to check my version of the package is published 3.) Provide my own NPM_TOKEN repository secret with my own npm key, that has permission to @acalcutt/node-pre-gyp |
|
I agree that the branch protections should not be changed. @acalcutt Would you be interested in becoming a maintainer of this repo? |
|
I don't mind submitting PRs once and a while or helping out where I can, but I'm not sure how much of a maintainer I want to be. The things I have submitted so far are mainly stuff I know from trying to keep this limping along for my own projects. I've mainly submitted these changes in hopes of seeing some up to date releases so I no longer need to maintain @acalcutt/node-pre-gyp. However in my current maplibre-native release I still publish node 16, so to move to this I would have to officially drop it (which i plan to do soon anyway), so using this package would be a breaking change once it is published. |
|
@mapsam Should this be merged or should something else be done in its place? |
|
@cclauss if the workflow works for you, it works for me! My initial questions were just focused on blast-radius security because I wasn't able to get a well-scoped NPM token. I've since been able to generate an |
|
My feeling is it has been tested and works and can always be modified more
in the future if another approach is found. It seems worth giving it a try.
…On Fri, Jul 5, 2024 at 11:57 AM Sam Matthews ***@***.***> wrote:
@cclauss <https://github.com/cclauss> if the workflow works for you, it
works for me!
My initial questions were just focused on blast-radius security because I
wasn't able to get a well-scoped NPM token. I've since been able to
generate an NPM_TOKEN only scoped to *just* the @mapbox/node-pre-gyp
module, so my concerns there are settled. That token has been updated in
the repo and should be available to test with now 👍
—
Reply to this email directly, view it on GitHub
<#744 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA454GC724A62KEYZHMEMNDZK267NAVCNFSM6AAAAABKDJPV2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJRGEYDONJXGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Please note, this is untested right now and I am giving it for review and/or ideas for #739.
This is a release workflow for node-pre-gyp. It is based on the node release workflow for maplibre-native at https://github.com/maplibre/maplibre-native/blob/main/.github/workflows/node-release.yml which I worked on getting working.
The idea behind this was, someone needs to approve and add changelog for each release, which should be a PR. When the version in package.json changes, this release workflow will check if that version has been published. If it has not published it, it will do that and also create a github release. the github release will also contain the text of the CHANGELOG.md for the version being published.
The workflow is also made to deal with pre-releases, so if the version is a pre-release, it will publish it as the next npm release
Whoever creates the PR for a new release would follow the instructions in
RELEASE.md
Needs 'NPM_TOKEN' Repository secret. A secret that contains a user npm token with permission to publish