This issue was moved to a discussion.

All: publish sppkg files for samples #1731

Closed
russgove opened this issue Feb 23, 2021 · 5 comments · May be fixed by flodhest/sp-dev-fx-webparts#535 or flodhest/sp-dev-fx-webparts#871
Labels
status:wont-fix Known... but no plans to address this topic. type:enhancement Idea for enhancing a sample

Comments

@russgove
Contributor

Would be nice if we published prebuilt versions of these so that others could use them without needing to be a dev.

@russgove russgove added the type:enhancement Idea for enhancing a sample label Feb 23, 2021
@ghost

ghost commented Feb 23, 2021

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

@ghost ghost added the Needs: Triage 🔍 label Feb 23, 2021
@PathToSharePoint
Contributor

That's what I do on my own repo. Here, this has been suggested a couple times, and here is an answer provided by @hugoabernier.

As someone who follows this repository, I see that just identifying the author is often a challenge. Providing and supporting sppkg, with the added traffic and questions from non-devs, would require some structuring.

@hugoabernier
Collaborator

The purpose of this repo is to share code samples and to teach how to build solutions, not to provide ready built .sppkg files as it would defeat the purpose.

With that being said, there is absolutely a need for a place to share built solutions. I expect the answer from Microsoft would be to use the SharePoint app store, but it is probably not quite the experience we're all looking for.

My suggestion is to let Microsoft know that this is something the community needs by creating a suggestion in User Voice and getting people to vote on it.

I'm marking this issue as closed as it doesn't fit this repository's mandate.

@hugoabernier hugoabernier added the status:wont-fix Known... but no plans to address this topic. label Feb 23, 2021
@PathToSharePoint
Contributor

If you allow me a couple comments:

  • Good point about AppSource being the right place for production ready Web Parts. That's actually where I am headed. The challenge for many developers, however, is that AppSource publishing is reserved to Partners, and Microsoft is implementing stricter rules starting this year.
  • An easy first step would be for the author to publish the package on his/her own repo, and link to it from the readme. That might create some confusion in case of multiple authors, but it's still cleaner than ending up with multiple packages from multiple authors within the same sample.

@hugoabernier
Collaborator

I agree with you, but the problem is a matter of liability and exposure. While we can control that the source code doesn't contain any malicious code or exploits by providing a gating process which includes a code review, code scanning, and dependency scanning -- provided by GitHub -- we can't control what goes in other people's repos.

And while most people are good, there is still a possibility for someone to inject malicious code in their packages or repositories.

And while this repository clearly says that ...

THIS CODE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.

...it still doesn't stop people from opening helpdesk tickets with Microsoft support who demand that Microsoft fix issues with the sample code.

Providing a gated repository for code samples without .sppkg (which can't be reviewed for security exploits), and using the app source publishing process (which itself has a rigorous gating process) is the safest/best way so far without having to dedicate resources (we should remind everyone that these repositories are maintained by volunteers).

We have an automated process that builds (or tries to) a .sppkg package from accepted PRs (under Releases), but -- due to the variety of solutions, versions of SPFx, nodejs, etc. -- we only get a fraction of the packages automatically built. To invest more into an automated process to build every solution in this repo would be amazing, but it would also take away from the little time that we have to review, approve, publish and manage the samples and ultimately lead to fewer samples.

And again, the primary purpose of this repo is to share sample code and share development patterns.

Providing a link to another person's repo, or an externally-hosted .sppkg file could be seen as a form of endorsement from a company that people have learned to trust... and (from this repo's perspective) we can't endorse something that is not within our control.

Trust me, I'd love for nothing more than to package all the cool web parts I've built over the years and share them with everyone. I'm in a sharing mood :-)

I know it doesn't provide a solution to this issue, but I hope that it helps shed some light on why we usually don't provide the .sppkg.

I'd love to hear from the community about creative ways that we could do what the community needs without lowering quality and security standards. I'll convert this to a discussion so we can (hopefully) encourage a healthy and constructive debate.

@pnp pnp locked and limited conversation to collaborators Feb 23, 2021

3 participants