Open trivikr opened 1 month ago
The latest updates on your projects. Learn more about Vercel for Git.

Name | Status | Preview | Comments | Updated (UTC)
---|---|---|---|---
jscodeshift | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Oct 30, 2024 1:28am
I've copied the setup from https://github.com/aws/aws-sdk-js-codemod/releases, a consumer of jscodeshift which has done 150+ releases using changesets.
Create and store an npm publish token in the GitHub secret `NPM_TOKEN`.
Do you know what the security risks are of this approach, and how they can be avoided? How does this play with npm requiring two-factor authentication to publish?
Edit: Also, does this create a GitHub release, or just an npm release? Ideally we'd have both.
> Do you know what the security risks are of this approach, and how they can be avoided?

The Changesets Action will have access to the npm and GitHub tokens to do the releases. It's downloaded 800K times weekly, which helps in gaining trust: https://npmtrends.com/@changesets/cli

> How does this play with npm requiring two-factor authentication to publish?

At aws-sdk-js-codemod, we use an npm automation token for publishing.

> Also, does this create a GitHub release

Yes. The aws-sdk-js-codemod for reference:
@Daniel15 Are there other open questions about using changesets, or the extra actions maintainers have to take?
Sorry - I replied to this via email but it looks like it never posted. I should be able to get some time to look into this later this week :smile:
In particular, I'll have to see if we're allowed to store npm tokens in GitHub secrets, since it introduces a new attack vector.
Enable github.com/apps/changeset-bot, which will prompt contributors to optionally add a changeset in their PRs.
I'm still trying to figure out how to properly do this. I want to install pkg.pr.new too. GitHub's UI seems buggy and doesn't properly send the app installation request to the admins.
I finally got pkg.pr.new GitHub app approved so now I'm attempting again to get this one approved.
Looks like v17.1.0 published artifacts which did not remove the temp dependency, breaking consumers. Details in https://github.com/facebook/jscodeshift/issues/638

That's another reason to switch to an automated publish mechanism like changesets, as done in this PR.
@trivikr I'm looking into this now that the GitHub changesets app was approved by the Meta open-source team yesterday. I think I've done all the steps correctly - installed the app and created an NPM_TOKEN. How do we ensure it's working? Do I need to merge this PR before we can test it?
I tested changesets on aws-sdk-js-codemod by merging the code, and releasing a patch version.
The app will post a comment on PRs as soon as they're opened. If a changeset is added, it'll provide details on which new version will be released. If no changeset is present, it'll request the author to add one.
PRs without changeset will not update the CHANGELOG. When there are unreleased changesets, a PR will get created clubbing all the unreleased changesets. A new version will be released when that PR is merged.
For jscodeshift, we can try releasing v17.1.2 or v17.2.0 using changeset whenever new changes are ready.
We can consider releasing a prerelease version too using changesets by going through their documentation. I haven't tried it before.
Fixes: https://github.com/facebook/jscodeshift/issues/494
The steps maintainers have to take:
- Create and store the npm publish token in the GitHub secret `NPM_TOKEN`.

Changesets Action will create a pull request for publishing a new version whenever changesets are available. When the pull request is reviewed and merged, a new GitHub Release will be created and the npm version will be published.
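For reference, here is what a workflow wired up the way the description above outlines looks like, with the hardening the earlier questions about token exposure and npm 2FA call for. This is an added example, not the workflow from this PR or from jscodeshift or aws-sdk-js-codemod. Assumptions: the file is `.github/workflows/release.yml`, the default branch is `main`, the repository uses npm with a `package-lock.json`, `npx changeset init` has already been run so `.changeset/config.json` exists, and a GitHub Environment named `npm` holds the `NPM_TOKEN` secret so it is only exposed to this one job and can be gated behind required reviewers. `NPM_TOKEN` must be an npm Automation (or granular "bypass 2FA") token: a CI job cannot answer a 2FA prompt, and those token types are exempt from it, which is exactly why the secret needs the narrowest possible exposure.

```yaml
# .github/workflows/release.yml (assumed filename; added example, not the PR's own code)
name: Release

on:
  push:
    branches: [main]   # assumed default branch

# Least privilege for the default GITHUB_TOKEN: the job only needs to open or
# update the "Version Packages" PR, create the GitHub Release, and mint an OIDC
# token for npm provenance. Nothing else in the repo is writable from here.
permissions:
  contents: write
  pull-requests: write
  id-token: write

# Never run two release jobs for the same ref at once.
concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    runs-on: ubuntu-latest
    # Assumed GitHub Environment that holds NPM_TOKEN. Secrets scoped to an
    # environment are not available to other workflows/jobs, and the
    # environment can require a maintainer's approval before the job runs.
    environment: npm
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # changesets needs full history to compute versions

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci               # lockfile-pinned install, no floating versions

      - name: Create "Version Packages" PR or publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          # `publish` only runs when there are no pending changesets, i.e. on
          # the push that merges the "Version Packages" PR. Otherwise the
          # action (re)creates that PR instead.
          publish: npx changeset publish
          createGithubReleases: true   # the default; shown explicitly
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Must be an npm Automation token (bypasses 2FA). The action writes it
          # into ~/.npmrc for the publish step; it is never echoed to logs.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Ask npm to attach a signed provenance attestation linking the
          # published tarball to this workflow run, so consumers can verify
          # the artifact was built here and not from a leaked token elsewhere.
          NPM_CONFIG_PROVENANCE: "true"
```

Two repository settings need to match this: under Settings, Actions, General, "Allow GitHub Actions to create and approve pull requests" must be enabled or the action cannot open the "Version Packages" PR, and the `npm` environment should list the default branch as the only deployment branch so a workflow edited on a feature branch cannot reach the token. After the first release, check the package page on npmjs.com for the provenance badge; if it is missing, the `id-token: write` permission or `NPM_CONFIG_PROVENANCE` was dropped.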