WordPress / playground-tools

GNU General Public License v2.0

WP-NOW: Use SSH URL for release-wp-now.yml #229

Closed sejas closed 2 months ago

sejas commented 2 months ago

What?

Try using the URL in SSH format.

Why?

wp-now workflow not working

How?

Testing Instructions

sejas commented 2 months ago

After this fix, the workflow worked pushing the tag to trunk, but it failed publishing on npm:

https://github.com/WordPress/playground-tools/actions/runs/8632140229/job/23662085585

Note that at this moment, the current version on NPM is 0.1.66. https://www.npmjs.com/package/@wp-now/wp-now

Changes:
 - wordpress-playground: 0.1.67 => 0.1.68
 - @wp-now/wp-now: 0.1.67 => 0.1.68
lerna info auto-confirmed 
lerna info execute Skipping releases
lerna verb version @wp-now/wp-now has no lockfile. Skipping lockfile update.
lerna verb version wordpress-playground has no lockfile. Skipping lockfile update.
lerna verb version Updating root package-lock.json
lerna verb git [ 'commit', '-m', 'v0.1.68' ]
lerna verb git [ 'tag', 'v0.1.68', '-m', 'v0.1.68' ]
lerna info git Pushing tags...
lerna success version finished
npm WARN publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm WARN publish errors corrected:
npm WARN publish Removed invalid "scripts"
npm WARN publish "bin" was converted to an object
npm WARN publish "bin[@wp-now/wp-now]" was renamed to "bin[wp-now]"
npm WARN publish "bin[wp-now]" script name was cleaned
npm WARN publish "repository.url" was normalized to "git+https://github.com/WordPress/playground-tools.git"
npm notice 
npm notice 📦  @wp-now/wp-now@0.1.67
npm notice === Tarball Contents === 
npm notice 14.1kB README.md           
npm notice 41B    cli.js              
npm notice 32.0kB index.js            
npm notice 38.1kB main.js             
npm notice 1.1kB  package.json        
npm notice 1.2kB  with-node-version.js
npm notice === Tarball Details === 
npm notice name:          @wp-now/wp-now                          
npm notice version:       0.1.67                                  
npm notice filename:      wp-now-wp-now-0.1.67.tgz                
npm notice package size:  22.1 kB                                 
npm notice unpacked size: 86.5 kB                                 
npm notice shasum:        6955455f3f14dcef332fee3b0d71a6e937f94c62
npm notice integrity:     sha512-pJeZKaOTEBWVT[...]xuwvDO55g4qvw==
npm notice total files:   6                                       
npm notice 
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@wp-now%2fwp-now - Not found
npm ERR! 404 
npm ERR! 404  '@wp-now/wp-now@0.1.67' is not in this registry.
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in: /home/runner/.npm/_logs/2024-04-10T13_33_03_323Z-debug-0.log

flexseth commented 2 months ago

> npm notice integrity: sha512-pJeZKaOTEBWVT[...]xuwvDO55g4qvw==

What's a best practice for making sure users don't share full sha signatures when submitting bug reports?

Wondering if there's a way it could automatically be stripped out, or if it would be enough to throw a big ⚠️ Caution ⚠️ sign up. Trying to make sure the error reporting doesn't introduce attack vectors for a bunch of new WordPress users 😆

Pinging @adamziel

sejas commented 2 months ago

Not sure how we can minimize the risk that users share some keys. The most we can do is edit their comment and remove the history.

About the npm notice integrity. Should I remove it? That information is publicly available in the actions log https://github.com/WordPress/playground-tools/actions/runs/8632140229/job/23662085585

adamziel commented 2 months ago

Does that signature actually give any sensitive information away?

flexseth commented 2 months ago

> Does that signature actually give any sensitive information away?

Ok it looks like the key is from upstream and not a user key?

I'll save the email from this ticket and put an exclamation mark to look at it after the 18th. Carry on! :)
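
On the question raised above about automatically stripping sensitive values from pasted logs: the `shasum` and `integrity` fields that npm prints are digests of the published tarball, not keys, so a scrubber can leave them alone and target credential-shaped strings instead. The JavaScript below is an added example, not part of the thread or the project's code; `scrubLog`, the rule names, the assumed token lengths and the fake tokens in the sample log are constructed for illustration.

```javascript
// Redacts credential-shaped strings from CI log text before it is pasted into
// an issue. Package digests (shasum/integrity) are deliberately left untouched.
// Assumption: token shapes follow the vendors' documented prefixes
// (npm_, ghp_/gho_/ghu_/ghs_/ghr_, github_pat_); lengths are approximate.
const RULES = [
  // Context rules run first and keep the prefix captured in group 1.
  { name: 'npmrc-authToken', re: /(:_authToken=)\S+/g },
  { name: 'auth-header', re: /(\bauthorization:\s*(?:bearer|basic|token)\s+)\S+/gi },
  // Shape rules catch tokens that appear without any surrounding context.
  { name: 'npm-token', re: /\bnpm_[A-Za-z0-9]{36}\b/g },
  { name: 'github-token', re: /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{20,})\b/g },
];

function scrubLog(text) {
  const findings = [];
  const lines = text.split('\n').map((line, i) => {
    let out = line;
    for (const { name, re } of RULES) {
      out = out.replace(re, (match, prefix) => {
        findings.push({ line: i + 1, rule: name });
        // Without a capture group the second argument is the numeric offset.
        return (typeof prefix === 'string' ? prefix : '') + `[REDACTED:${name}]`;
      });
    }
    return out;
  });
  return { text: lines.join('\n'), findings };
}

// Constructed sample: the first two lines are copied from the log above, the
// other three are invented and carry fake tokens made of filler characters.
const FAKE_NPM = 'npm_' + 'x'.repeat(36);
const FAKE_GH = 'ghp_' + 'y'.repeat(36);
const SAMPLE_LOG = [
  'npm notice shasum:        6955455f3f14dcef332fee3b0d71a6e937f94c62',
  'npm notice integrity:     sha512-pJeZKaOTEBWVT[...]xuwvDO55g4qvw==',
  `//registry.npmjs.org/:_authToken=${FAKE_NPM}`,
  `Authorization: Bearer ${FAKE_GH}`,
  `env NODE_AUTH_TOKEN=${FAKE_NPM} npm publish`,
].join('\n');

const result = scrubLog(SAMPLE_LOG);
console.log(result.text);
console.log(result.findings);
```

The `findings` array reports the line number and rule for each redaction, so a bug-report template or bot can tell the reporter what was removed without echoing the value.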