eslint / eslint-release

The ESLint release tool

Breaking: use a separate script to publish to the npm registry #26

Closed not-an-aardvark closed 6 years ago

not-an-aardvark commented 6 years ago

(refs https://github.com/eslint/eslint/issues/10631)

This updates the release API to not publish to npm when initially called, and to only publish to npm when invoked as a separate process. This will make it possible to pause the build to ask the user for a TOTP code before publishing, provided that consumers of the package are updated accordingly.

I think this would be the best approach if we want to start doing npm 2FA now before waiting for time-limited tokens (assuming they are implemented eventually). With this change, it would be relatively easy to update the Jenkins build tasks to prompt the user for an OTP and then publish the release afterwards.

JamesHenry commented 6 years ago

Does this mean I would lose the ability to publish typescript-eslint-parser autonomously?

not-an-aardvark commented 6 years ago

@JamesHenry There's some more discussion about this in https://github.com/eslint/eslint/issues/10631. I don't want you to lose that ability, so we'll figure something out so that you still can publish autonomously.

not-an-aardvark commented 6 years ago

I realized we can probably pause for input in the middle of the release without breaking up the release script, if we're willing to do enough process juggling:

  1. Jenkins starts a shell script
  2. The shell script starts a child process that inherits stdout and stderr of its parent, starts the release script, and waits for a signal from it.
  3. Right before publish, the child process sends a signal to its parent and then blocks on reading some file descriptor.
  4. The parent gets the signal and exits.
  5. Jenkins sees that the parent exited and moves to the next step in the pipeline (prompting the user for a TOTP).
  6. After the user enters a TOTP, Jenkins moves to the next step in the pipeline and creates a new process with the user input.
  7. The new process finds the child process somehow (maybe the child PID was written to a file?) and sends the TOTP to it.
  8. The child process receives the TOTP and finishes the npm publish.
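
The eight-step hand-off in the comment above, as an added shell example that is not part of the original thread or of eslint-release. It assumes a named pipe for the "file descriptor" in step 3, kept owner-only so the TOTP never appears in a process argument list; `STATE_DIR`, `release_child`, `start_release` and `send_otp` are hypothetical names, and the publish step is a stub.

```shell
#!/bin/sh
# Added example, not eslint-release code. All function and variable names are
# hypothetical; the real `npm publish` call is replaced by a stub outcome.
umask 077                                  # FIFO and state files: owner only
STATE_DIR=${STATE_DIR:-$(mktemp -d)}       # both pipeline steps must share this path
FIFO=$STATE_DIR/otp.fifo

# Steps 2, 3 and 8: do the release work, signal the parent, block for the OTP.
release_child() {                          # $1 = PID of the parent to signal
    echo "release: build, test, tag (stub)"
    kill -s USR1 "$1"
    IFS= read -r otp < "$FIFO"             # blocks until a writer opens the FIFO
    case $otp in                           # accept only six digits before publishing
        [0-9][0-9][0-9][0-9][0-9][0-9]) outcome=published ;;  # real script publishes here
        *) outcome=rejected ;;
    esac
    echo "$outcome" > "$STATE_DIR/result.tmp"
    mv "$STATE_DIR/result.tmp" "$STATE_DIR/result"   # rename so readers never see a partial file
}

# Steps 1 and 4: start the child, return once it has paused right before publish.
start_release() {
    mkdir -p "$STATE_DIR" && rm -f "$FIFO" "$STATE_DIR/result" && mkfifo "$FIFO"
    paused=
    trap 'paused=1' USR1                   # installed before the child can signal
    release_child $$ &
    echo $! > "$STATE_DIR/child.pid"       # step 7 finds the child through this file
    until [ -n "$paused" ]; do sleep 1; done
    trap - USR1
}

# Steps 6 and 7: a later process hands the OTP to the waiting child.
send_otp() {                               # $1 = OTP typed by the user
    pid=$(cat "$STATE_DIR/child.pid") || return 1
    kill -0 "$pid" 2>/dev/null || { echo "no waiting release process" >&2; return 1; }
    printf '%s\n' "$1" > "$FIFO"           # without a reader this open would block forever
    tries=0
    until [ -e "$STATE_DIR/result" ]; do
        tries=$((tries + 1)); [ "$tries" -le 30 ] || return 1
        sleep 1
    done
    [ "$(cat "$STATE_DIR/result")" = published ]
}
```

The first pipeline stage would call `start_release` and exit; the stage after the prompt would call `send_otp` with the same `STATE_DIR` and use its exit status as the publish result.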

not-an-aardvark commented 6 years ago

Closing in favor of https://github.com/eslint/eslint-release/pull/27