ExodusMovement / fetch

MIT License

ci: harden release process #14

Closed sparten11740 closed 7 months ago

sparten11740 commented 7 months ago

Hardens the release process by removing the @semantic-release/git plugin, so the release bot no longer needs to bypass any potential branch protection rules, and by running the release workflow in the release environment, where the NPM_PUBLISH_TOKEN will be added as an environment secret.

sparten11740 commented 7 months ago

@RyanZim can you create a new environment named release, restrict the environment to be used from master, add an npm automation token with access to @exodus/fetch as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret named NPM_TOKEN?

mvayngrib commented 7 months ago

removing the @semantic-release/git plugin and therefore no longer requiring the release bot to bypass any potential branch protection rules

@sparten11740 sorry, could you elaborate a bit?

sparten11740 commented 7 months ago

@semantic-release/git commits release assets (such as the CHANGELOG.md and changes to the version in package.json) and therefore requires us to allow the bot user to bypass the branch protection rule on the default branch, which is not desired from a security perspective. This is in line with the release process we have in our other repos.

mvayngrib commented 7 months ago

@sparten11740 and with semantic-release/github, it doesn't push any commits?

sparten11740 commented 7 months ago

exactly, it only creates a tag (and GH release). The package.json is published to npm with the right version nevertheless.

RyanZim commented 7 months ago

it only creates a tag (and GH release). The package.json is published to npm with the right version nevertheless

So the CHANGELOG and version in package.json never get updated in git? Is this what we want?

sparten11740 commented 7 months ago

So the CHANGELOG and version in package.json never get updated in git? Is this what we want?

that's what we wanted in schemasafe
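The setup described in this thread, written out as an added example (not this PR's diff): the environment name `release`, the secret `NPM_PUBLISH_TOKEN` and the `master` branch come from the discussion; the file names, plugin list and workflow steps are assumptions.

```yaml
# --- .releaserc.yml (assumed file name) ---
# Before: @semantic-release/git commits CHANGELOG.md and package.json back to
# the default branch, so the bot must be allowed to bypass branch protection:
#   plugins:
#     - "@semantic-release/commit-analyzer"
#     - "@semantic-release/release-notes-generator"
#     - "@semantic-release/npm"
#     - "@semantic-release/git"      # <- pushes a commit to master
#     - "@semantic-release/github"
#
# After: nothing is pushed to master. The release is a tag plus a GitHub
# release, and the npm tarball carries the version semantic-release computed.
plugins:
  - "@semantic-release/commit-analyzer"
  - "@semantic-release/release-notes-generator"
  - "@semantic-release/npm"
  - "@semantic-release/github"
branches:
  - master

---
# --- .github/workflows/release.yml (assumed file name) ---
name: release
on:
  push:
    branches: [master]
permissions:
  contents: write        # create the tag and the GitHub release
  issues: write          # @semantic-release/github comments on issues/PRs
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    # The job runs in the "release" environment, which is restricted to the
    # master branch, so the publish token is only exposed to code on master.
    environment: release
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # semantic-release needs tags and full history
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # @semantic-release/npm reads NPM_TOKEN; map the environment secret.
          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
```

With no repository-level npm secret left, a workflow triggered from any other branch has nothing to publish with, and the branch protection rule needs no bypass entry for the bot.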

RyanZim commented 7 months ago

@RyanZim can you create a new environment named release, restrict the environment to be used from master, add an npm automation token with access to @exodus/fetch as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret named NPM_TOKEN?

Done