fastify / workflows

Reusable workflows for use in the Fastify organization
MIT License

Set up a common workflow to push a package to npm when we issue a release #112

Open gurgunday opened 9 months ago

gurgunday commented 9 months ago

🚀 Feature Proposal

Why?

To release a new version of any package, we lose a somewhat significant amount of time (checking out locally, syncing, etc.)

An example of how simple things can be: https://github.com/gurgunday/html/blob/e60791ff5f557c9eb51c75f8f80008e74bfa3ced/.github/workflows/npm-publish.yml

And the action runs automatically after a release is issued: https://github.com/gurgunday/html/releases/tag/v7.0.0 https://github.com/gurgunday/html/actions/runs/6941110154

We just need to create an automation token on NPM and add it to GitHub

Another benefit: it also signs the commit during the workflow, so if we have any paranoid users, they can verify that the release matches what they see on GitHub

What do you all think?

Motivation

No response

Example

No response

jsumners commented 9 months ago

This is a complicated task. The OpenJSF team is going to provide some solutions around this.

Eomm commented 9 months ago

Duplicates https://github.com/fastify/fastify/issues/2748

Anyway, I talked about it with @mcollina and he told me that he will show us a demo about the process he would like to suggest.

The constraints I collected are:

**) I think npm misses a feature where you force that a package MUST have a provenance from XYZ provider to be published TBH. In this case, even if the GOD MASTER TOKEN would be leaked, it would be almost useless.

***) I think the only bulletproof security is the OTP, but we don't want manual steps... so I'm a bit confused about these requirements. For this reason I'm waiting for the demo

mcollina commented 9 months ago

Once we have a token with the right permissions, setting up automated publish is a superset of

https://github.com/mcollina/test-publish/blob/main/.github/workflows/publish.yml

and

https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml

Note that the use of environment: main in https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml#L17 allows us to limit the secrets to only the main branch of a repository, essentially making it secure.

You can read more about environments at https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment.
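A minimal publish workflow in the shape described in this comment (release-triggered publish, environment-scoped token, npm provenance), as an added example that is not code from this thread, from the linked repositories or from any Fastify project. The environment name "main", the secret name NPM_TOKEN and the release trigger are assumptions; the environment's restriction to the main branch (and to the release tags that are allowed to publish, since a release event runs on the tag ref) is configured under the repository's environment settings, not in this file.

```yaml
# Added example: publish to npm on a published release, with the token scoped
# to a GitHub environment. Assumes an environment named "main" exists in the
# repository settings with a deployment branch/tag policy, and that the npm
# automation token is stored there as the secret NPM_TOKEN (both names assumed).
name: npm-publish

on:
  release:
    types: [published]

permissions:
  contents: read   # checkout only; nothing here needs write access to the repository
  id-token: write  # lets npm obtain an OIDC token to attach provenance to the package

jobs:
  publish:
    runs-on: ubuntu-latest
    # Secrets defined on the "main" environment are only exposed to jobs that
    # reference it, and GitHub rejects the job when the triggering ref does not
    # satisfy the environment's deployment policy, so a release cut from an
    # arbitrary branch cannot reach the token.
    environment: main
    steps:
      # Pin these actions to a commit SHA in a real repository rather than a tag.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npm test

      # --provenance links the published tarball to this workflow run and commit,
      # which is what lets consumers verify that the release matches the repository.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The token here is only ever read by the publish step; a pull request or a push to another branch never runs with the "main" environment, so the secret stays unreachable from that context.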

voxpelli commented 4 months ago

This is a complicated task. The OpenJSF team is going to provide some solutions around this.

Has there been any update on this? I've been planning to set this up for another OpenJSF project (Mocha), so I have been watching this thread

gurgunday commented 4 months ago

It is blocked, I believe

https://github.com/fastify/fastify/pull/5386