Enable changesets to manage releases

facebook / jscodeshift

A JavaScript codemod toolkit.

https://jscodeshift.com

MIT License

9.23k stars 477 forks source link

Enable changesets to manage releases #494

Open trivikr opened 2 years ago

trivikr commented 2 years ago

Is your feature request related to a problem? Please describe.

The releases are managed internally by Meta employees which makes it difficult to publish new versions. These release can be automated using GitHub Actions

Describe the solution you'd like

Use yarn changesets for managing releases for jscodeshift. The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

We use changesets in aws-sdk-js-codemod:

Example PR for publishing v0.5.1 https://github.com/awslabs/aws-sdk-js-codemod/pull/107
GitHub release https://github.com/awslabs/aws-sdk-js-codemod/releases/tag/v0.5.1

Describe alternatives you've considered

Explore other automated release options

Additional context

This can be picked up after GitHub Actions are enabled in https://github.com/facebook/jscodeshift/pull/493

Daniel15 commented 2 years ago

The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

This sounds useful. I'm not very active in the JS community any more so I hadn't heard about this.

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token? I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used (for example, to know to periodically rotate them), but it seems like more and more systems are moving in that direction...

trivikr commented 2 years ago

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token?

It reuses npm automation token stored in a GitHub encrypted secret.

In aws-sdk-js-codemod, we store it in GitHub secret named NPM_TOKEN https://github.com/awslabs/aws-sdk-js-codemod/blob/aaac3bb8630ab62e0c546bb1717785a203828434/.github/workflows/push.yml#L35

I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used

This is true. But GitHub encrypted secrets should be reliable as they're used by more and more projects.

MichaelDeBoey commented 2 years ago

As an alternative, cycjimmy/semantic-release-action (which uses semantic-release) could be a good action for managing releases too