algolia / shipjs

Take control of what is going to be your next release.
https://community.algolia.com/shipjs/
MIT License

Generate .env when run shipjs setup #911

Open tyankatsu0105 opened 4 years ago

tyankatsu0105 commented 4 years ago

Is your feature request related to a problem? Please describe.
When we run shipjs prepare locally, .env is needed, but the Shipjs log when running shipjs setup does not explain that.

Describe the solution you'd like
I want to propose two ways.

#======= Attention: Please don't commit this file =======

# Used when using the `shipjs prepare` command
GITHUB_TOKEN=<YOUR_GITHUB_TOKEN>

Describe alternatives you've considered

Additional context
If .env already exists, insert the text into the file.

kazupon commented 3 years ago

In addition, I think that .npmignore should be mentioned in the docs. https://community.algolia.com/shipjs/guide/getting-started.html#installation

In fact, I recently had an accidental npm publish of a GPT that I kept in .env. I was able to revoke it as soon as I could, but the forked repo contained .npmignore, and the package.json. If we mistakenly perceive files as using package.json, we'll make the same mistake I did.

Haroenv commented 3 years ago

I'm actually increasingly convinced that having a .env in the root of a package that you will publish is too risky, we have also published tokens by accident (by doing the publish on a local machine when CI failed), and that's a design we want to avoid! Either shipjs creates it, but also creates all files to be sure it's ignored, or we recommend passing the token as an environment variable only.

Did anyone do research on how other publish scripts solve this?

eunjae-lee commented 3 years ago

> having a .env in the root of a package that you will publish is too risky

I agree. Even though .env is excluded by .gitignore and .npmignore, unfortunately there is a chance that it's not excluded if using yarn v1: https://github.com/yarnpkg/yarn/issues/8332

Is it enough if shipjs setup creates .env and includes it in .gitignore and .npmignore? It should be, as long as you run shipjs trigger only on CI with all the tokens passed as environment variables (not present in the filesystem on the CI).

Open to hear your thoughts.

tyankatsu0105 commented 3 years ago

Umm. If you don't want to generate the .env file, what do you think about adding some messages when running shipjs setup and shipjs prepare?

eunjae-lee commented 3 years ago

> Umm. If you don't want to generate the .env file, what do you think about adding some messages when running shipjs setup and shipjs prepare?

We have this step in shipjs prepare: https://github.com/algolia/shipjs/blob/12c21cefa20f0f35153c81e9a6fdd2ffdc369bac/packages/shipjs/src/step/checkGitHubToken.js#L6:L6

If I understand your intention correctly, you think it's a bit too late and you'd like to get the information at the time of shipjs setup. Right?