Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable changesets to manage releases #494

Closed
trivikr opened this issue Mar 25, 2022 · 3 comments · Fixed by #625
Closed

Enable changesets to manage releases #494

trivikr opened this issue Mar 25, 2022 · 3 comments · Fixed by #625
Labels
improvement

Comments

@trivikr
Copy link
Contributor

trivikr commented Mar 25, 2022

Is your feature request related to a problem? Please describe.

The releases are managed internally by Meta employees which makes it difficult to publish new versions. These release can be automated using GitHub Actions

Describe the solution you'd like

Use yarn changesets for managing releases for jscodeshift. The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

We use changesets in aws-sdk-js-codemod:

Describe alternatives you've considered

Explore other automated release options

Additional context

This can be picked up after GitHub Actions are enabled in #493
@trivikr trivikr mentioned this issue Mar 25, 2022
Open
@Daniel15
Copy link
Member

The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

This sounds useful. I'm not very active in the JS community any more so I hadn't heard about this.

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token? I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used (for example, to know to periodically rotate them), but it seems like more and more systems are moving in that direction...

@trivikr
Copy link
Contributor Author

trivikr commented Mar 25, 2022

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token?

It reuses npm automation token stored in a GitHub encrypted secret.

In aws-sdk-js-codemod, we store it in GitHub secret named NPM_TOKEN https://github.com/awslabs/aws-sdk-js-codemod/blob/aaac3bb8630ab62e0c546bb1717785a203828434/.github/workflows/push.yml#L35

I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used

This is true. But GitHub encrypted secrets should be reliable as they're used by more and more projects.

@MichaelDeBoey
Copy link

MichaelDeBoey commented Apr 8, 2022
edited
Loading

As an alternative, cycjimmy/semantic-release-action (which uses semantic-release) could be a good action for managing releases too

@trivikr trivikr mentioned this issue May 6, 2022
Open
@trivikr trivikr mentioned this issue Sep 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Manage releases using changesets trivikr/jscodeshift
4 participants
@Daniel15 @MichaelDeBoey @trivikr @ElonVolo