Skip to content

feat: add semantic-release automation for monorepo #1203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat: add semantic-release automation for monorepo #1203

wants to merge 2 commits into from
+8,602 −1

Conversation

grdsdev
Copy link
Contributor

@grdsdev grdsdev commented Jul 18, 2025

Summary

Adds automated semantic-release for all packages in the monorepo.

Features

  • Automatic releases: Push to main (stable) or rc (prerelease) triggers releases
  • Package detection: Automatically detects changed packages and dependencies
  • pub.dev publishing: Publishes packages with proper versioning
  • Conventional commits: Uses semantic versioning based on commit messages
  • GitHub Actions: Automated workflow with testing and validation

Setup Required

Add PUB_DEV_CREDENTIALS secret to GitHub repository settings.

Usage

# Stable release
git commit -m "feat(gotrue): add new feature"
git push origin main

# RC release  
git commit -m "feat(gotrue): experimental feature"
git push origin rc

See RELEASE.md for complete documentation.

grdsdev added 2 commits July 18, 2025 08:09
@grdsdev
feat: add semantic-release automation for monorepo
2da68f9 
- Add semantic-release configuration for all packages
- Support both stable (main) and RC (rc) release channels
- Automatic package detection and dependency resolution
- GitHub Actions workflow for automated releases
- pub.dev publishing with proper version management
- Comprehensive documentation in RELEASE.md
- Integration with existing melos workspace

BREAKING CHANGE: Introduces automated release process
@grdsdev
package-lock.json
96963de
@snyk-io Snyk.io
Copy link

snyk-io bot commented Jul 18, 2025

Snyk checks have failed. 4 issues have been found so far.

Icon Severity Issues
Critical 0
High 1
Medium 3
Low 0

code/snyk check is complete. 4 issues have been found. (View Details)

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

snyk-io[bot]
snyk-io bot reviewed Jul 18, 2025
View reviewed changes
scripts/update-package-version.js

// Update pubspec.yaml
if (fs.existsSync(pubspecPath)) {
let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Path Traversal

Unsanitized input from a command line argument flows into fs.readFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

Line 23 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps

Step 1 - 5

supabase-flutter/scripts/update-package-version.js

Line 7 in 96963de

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L16

Step 12 - 13

supabase-flutter/scripts/update-package-version.js

Line 23 in 96963de

let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');

scripts/update-package-version.js
if (fs.existsSync(pubspecPath)) {
let pubspecContent = fs.readFileSync(pubspecPath, 'utf8');
pubspecContent = pubspecContent.replace(/^version:\s*.+$/m, `version: ${newVersion}`);
fs.writeFileSync(pubspecPath, pubspecContent);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Path Traversal

Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.

Line 25 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps

Step 1 - 5

supabase-flutter/scripts/update-package-version.js

Line 7 in 96963de

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L16

Step 12 - 13

supabase-flutter/scripts/update-package-version.js

Line 25 in 96963de

fs.writeFileSync(pubspecPath, pubspecContent);

scripts/update-package-version.js
// Update version.dart if it exists
if (fs.existsSync(versionPath)) {
const versionContent = `const version = '${newVersion}';`;
fs.writeFileSync(versionPath, versionContent);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Path Traversal

Unsanitized input from a command line argument flows into fs.writeFileSync, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write to arbitrary files.

Line 35 | CWE-23 | Priority score 625 | Learn more about this vulnerability
Data flow: 13 steps

Step 1 - 5

supabase-flutter/scripts/update-package-version.js

Line 7 in 96963de

const packageName = process.argv[2];

Step 6 - 8 scripts/update-package-version.js#L15

Step 9 - 11 scripts/update-package-version.js#L17

Step 12 - 13

supabase-flutter/scripts/update-package-version.js

Line 35 in 96963de

fs.writeFileSync(versionPath, versionContent);

scripts/update-package-version.js
const otherPubspecPath = path.join(packagesDir, otherPackage, 'pubspec.yaml');
if (fs.existsSync(otherPubspecPath)) {
let otherPubspecContent = fs.readFileSync(otherPubspecPath, 'utf8');
const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Regular Expression Denial of Service (ReDoS)

Unsanitized user input from a command line argument flows into RegExp, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

Line 53 | CWE-400 | Priority score 825 | Learn more about this vulnerability
Data flow: 8 steps

Step 1 - 5

supabase-flutter/scripts/update-package-version.js

Line 7 in 96963de

const packageName = process.argv[2];

Step 6 - 8

supabase-flutter/scripts/update-package-version.js

Line 53 in 96963de

const dependencyRegex = new RegExp(`^(\\s+${packageName}:\\s*)([^\\n]+)$`, 'gm');

@grdsdev grdsdev requested a review from dshukertjr July 18, 2025 11:18
@coveralls
Copy link

Pull Request Test Coverage Report for Build 16369185740

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 80.623%
Totals Coverage Status
Change from base Build 16305074338: 0.0%
Covered Lines: 3104
Relevant Lines: 3850
💛 - Coveralls

@rlee1990
Copy link

Do you have any updates on when this will be released?

@Vinzent03
Copy link
Collaborator

Would this mean, that every merged pr would trigger a new release?

@grdsdev
Copy link
Contributor Author

grdsdev commented Jul 24, 2025

Yes @Vinzent03, every fix/feat merge will be released.

This aligns with the other supabase libraries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snyk-io snyk-io[bot] snyk-io[bot] left review comments

@dshukertjr dshukertjr Awaiting requested review from dshukertjr

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@grdsdev @coveralls @rlee1990 @Vinzent03