
feat: add semantic-release automation for monorepo #1203


Draft
wants to merge 2 commits into base: main

Conversation

grdsdev
Contributor

@grdsdev grdsdev commented Jul 18, 2025

Summary

Adds automated semantic-release for all packages in the monorepo.

Features

  • Automatic releases: Push to main (stable) or rc (prerelease) triggers releases
  • Package detection: Automatically detects changed packages and dependencies
  • pub.dev publishing: Publishes packages with proper versioning
  • Conventional commits: Uses semantic versioning based on commit messages
  • GitHub Actions: Automated workflow with testing and validation

Setup Required

Add PUB_DEV_CREDENTIALS secret to GitHub repository settings.

Usage

# Stable release
git commit -m "feat(gotrue): add new feature"
git push origin main

# RC release  
git commit -m "feat(gotrue): experimental feature"
git push origin rc

See RELEASE.md for complete documentation.

grdsdev added 2 commits July 18, 2025 08:09
- Add semantic-release configuration for all packages
- Support both stable (main) and RC (rc) release channels
- Automatic package detection and dependency resolution
- GitHub Actions workflow for automated releases
- pub.dev publishing with proper version management
- Comprehensive documentation in RELEASE.md
- Integration with existing melos workspace

BREAKING CHANGE: Introduces automated release process

snyk-io bot commented Jul 18, 2025

Snyk checks have failed. 4 issues have been found so far.

Severity | Issues
Critical | 0
High     | 1
Medium   | 3
Low      | 0

code/snyk check is complete. 4 issues have been found.



// Update pubspec.yaml
if (fs.existsSync(pubspecPath)) {
  let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');


Path Traversal

Unsanitized input from a command line argument flows into fs.readFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

Line 23 | CWE-23 | Priority score 625
Data flow: 13 steps

Step 1 - 5

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L16

Step 12 - 13

let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');

if (fs.existsSync(pubspecPath)) {
  let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
  pubspecContent = pubspecContent.replace(/^version:\s*.+$/m, `version: ${newVersion}`);
  fs.writeFileSync(pubspecPath, pubspecContent);


Path Traversal

Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.

Line 25 | CWE-23 | Priority score 625
Data flow: 13 steps

Step 1 - 5

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L16

Step 12 - 13

fs.writeFileSync(pubspecPath, pubspecContent);

// Update version.dart if it exists
if (fs.existsSync(versionPath)) {
  const versionContent = `const version = '${newVersion}';`;
  fs.writeFileSync(versionPath, versionContent);


Path Traversal

Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.

Line 35 | CWE-23 | Priority score 625
Data flow: 13 steps

Step 1 - 5

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L17

Step 12 - 13

fs.writeFileSync(versionPath, versionContent);

const otherPubspecPath = path.join(packagesDir, otherPackage, 'pubspec.yaml');
if (fs.existsSync(otherPubspecPath)) {
  let otherPubspecContent = fs.readFileSync(otherPubspecPath, 'utf8');
  const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');


Regular Expression Denial of Service (ReDoS)

Unsanitized user input from a command line argument flows into RegExp, where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack.

Line 53 | CWE-400 | Priority score 825
Data flow: 8 steps

Step 1 - 5

const packageName = process.argv[2];

Step 6 - 8

const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');

@grdsdev grdsdev requested a review from dshukertjr July 18, 2025 11:18
@coveralls

Pull Request Test Coverage Report for Build 16369185740

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 80.623%

Totals | Coverage Status
Change from base Build 16305074338: 0.0%
Covered Lines: 3104
Relevant Lines: 3850

💛 - Coveralls

@rlee1990

Do you have any updates on when this will be released?
