Open gurgunday opened 9 months ago
This is a complicated task. The OpenJSF team is going to provide some solutions around this.
Duplicates https://github.com/fastify/fastify/issues/2748
Anyway, I talked about it with @mcollina and he told me that he will show us a demo of the process he would like to suggest.
The constraints I collected are:
**) I think npm misses a feature where you can force that a package MUST have provenance from an XYZ provider to be published, TBH. In this case, even if the GOD MASTER TOKEN were leaked, it would be almost useless.
***) I think the only bulletproof security is the OTP, but we don't want manual steps... so I'm a bit confused about these requirements. For this reason I'm waiting for the demo.
Once we have a token with the right permissions, setting up automated publish is a superset of
https://github.com/mcollina/test-publish/blob/main/.github/workflows/publish.yml
and
https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml
Note that the use of environment: main in https://github.com/platformatic/platformatic/blob/main/.github/workflows/publish-releases.yml#L17 allows us to limit the secrets to only the main branch of a repository, essentially making it secure.
You can read more about environments at https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment.
Has there been any update on this? I've been planning to set this up for another OpenJSF project (Mocha), so I have been watching this thread.
It is blocked, I believe.
Prerequisites
🚀 Feature Proposal
Why?
To release a new version of any package, we lose a somewhat significant amount of time (checking out locally, syncing, etc.).
An example of how simple things can be: https://github.com/gurgunday/html/blob/e60791ff5f557c9eb51c75f8f80008e74bfa3ced/.github/workflows/npm-publish.yml
And the action runs automatically after a release is issued: https://github.com/gurgunday/html/releases/tag/v7.0.0 https://github.com/gurgunday/html/actions/runs/6941110154
We just need to create an automation token on NPM and add it to GitHub.
Another benefit: it also signs the commit during the workflow, so if we have any paranoid users, they can verify that the release matches what they see on GitHub.
What do you all think?
Motivation
No response
Example
No response
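The following workflow is an added example for this thread, not the fastify, platformatic or mcollina workflow linked above, and not the html workflow from the proposal. It combines the two ideas discussed: the job runs when a GitHub release is published, and the npm token is scoped to a GitHub environment so that only runs from the protected branch can read it. It assumes an environment named "main" exists in the repository settings with a deployment branch rule allowing only the main branch, that the npm automation token is stored as the environment secret NPM_TOKEN, and that the package is public; these names are assumptions, as is the added tag-versus-package.json check.

```yaml
# Added example (not fastify's, platformatic's or mcollina's workflow).
# Assumptions: an environment named "main" restricted to the main branch in the
# repository settings, the npm automation token stored as the environment secret
# NPM_TOKEN, and a public package (drop --access public for a private one).
name: Publish to npm

on:
  release:
    types: [published]   # runs after a GitHub release is issued

# Deny all token permissions by default; the job re-grants only what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    # The secret lives in this environment. A run from another branch or a PR
    # cannot read it, even though the npm token itself is long-lived.
    environment: main
    permissions:
      contents: read
      id-token: write    # needed so npm can mint a Sigstore provenance attestation
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}   # build exactly the tagged commit
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: 'https://registry.npmjs.org'   # setup-node reads NODE_AUTH_TOKEN

      - run: npm ci

      - run: npm test

      # Refuse to publish if the release tag does not match package.json, so a
      # mistyped tag cannot ship the wrong version under the right name.
      - name: Check tag matches package version
        run: |
          pkg_version="$(node -p "require('./package.json').version")"
          tag="${GITHUB_REF_NAME#v}"
          if [ "$tag" != "$pkg_version" ]; then
            echo "tag v$tag does not match package.json version $pkg_version" >&2
            exit 1
          fi

      - name: Publish with provenance
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two caveats a practitioner should check. The environment: main key by itself restricts nothing; the protection comes from the deployment branch rule configured on that environment in the repository settings, so verify the rule exists before trusting the secret scope. And --provenance attests which repository and workflow built the tarball, which consumers can check with npm audit signatures, but as noted earlier in the thread npm does not yet let a maintainer require provenance for every publish, so a leaked token can still publish an unattested version.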