Closed sparten11740 closed 7 months ago
@RyanZim can you create a new environment named `release`, restrict the environment to be used from `master`, add an npm automation token with access to `@exodus/fetch` as environment secret `NPM_PUBLISH_TOKEN` to that environment, and remove the previous repository secret named `NPM_TOKEN`?
removing the @semantic-release/git plugin and therefore no longer requiring the release bot to bypass any potential branch protection rules
@sparten11740 sorry, could you elaborate a bit?
`@semantic-release/git` commits release assets (such as the `CHANGELOG.md` and changes to the version in `package.json`) and therefore requires us to allow the bot user to bypass the branch protection rule on the default branch, which is not desired from a security perspective. This is in line with the release process we have in our other repos.
@sparten11740 and with semantic-release/github, it doesn't push any commits?
exactly, it only creates a tag (and GH release). The `package.json` is published to npm with the right version nevertheless
> it only creates a tag (and GH release). The package.json is published to npm with the right version nevertheless

So the CHANGELOG and version in `package.json` never get updated in git? Is this what we want?
> So the CHANGELOG and version in package.json never get updated in git? Is this what we want?

that's what we wanted in schemasafe
> @RyanZim can you create a new environment named release, restrict the environment to be used from master, add an npm automation token with access to @exodus/fetch as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret named NPM_TOKEN?

Done
Hardens the release process by removing the `@semantic-release/git` plugin and therefore no longer requiring the release bot to bypass any potential branch protection rules, and runs the release workflow in the `release` environment, where the `NPM_PUBLISH_TOKEN` will be added as environment secret.
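For illustration, here is what a release workflow shaped like the one discussed above can look like. This is an added example, not the workflow from this repository or from the semantic-release project: the file name `release.yml`, the Node version, and the `npm ci` step are assumptions, while the `release` environment, the `master` restriction, the `NPM_PUBLISH_TOKEN` secret and the removal of `@semantic-release/git` follow the thread.

```yaml
# .github/workflows/release.yml (assumed file name; added example, not the repo's own)
name: release

on:
  push:
    branches: [master]

# The bot never pushes commits, so it needs no bypass of branch protection;
# contents:write is only for the tag and GitHub release created by @semantic-release/github.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    # Jobs in this environment only run from master (environment deployment branch rule),
    # and only they can read the NPM_PUBLISH_TOKEN environment secret.
    environment: release
    steps:
      - uses: actions/checkout@v4
        with:
          # No commits are pushed back, so the token does not need to stay in .git/config
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed
          registry-url: https://registry.npmjs.org

      - run: npm ci                 # assumed install step

      - run: npx semantic-release
        env:
          # @semantic-release/github uses GITHUB_TOKEN to create the tag and release
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # @semantic-release/npm reads NPM_TOKEN; it is fed from the environment secret
          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
```

With this layout the semantic-release configuration lists only `@semantic-release/commit-analyzer`, `@semantic-release/release-notes-generator`, `@semantic-release/npm` and `@semantic-release/github`; leaving out `@semantic-release/git` is what makes the bypass rule unnecessary, and the version that reaches npm is the one semantic-release computes at publish time rather than the one committed in `package.json`. A quick check that the setup holds is to trigger the workflow from a non-`master` branch: the environment's branch restriction should reject the job before the secret is ever exposed.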