morganey-lang / Morganey

Lambda Calculus based, interpreted programming language that recognizes Church encoded structures.
43 stars 4 forks

Publish snapshot Morganey version to JCenter #268

Open rexim opened 7 years ago

rexim commented 7 years ago

For those who are not afraid to work with unstable dependencies. It would also be good to automate that. Maybe automatically publish on PR merge.

ForNeVeR commented 7 years ago

I second that; it'll be an interesting experience to figure out how to automate the task.

Please consider the security of the solution. Theoretically, an attacker could always trick us into merging a backdoor into the build system (simply because we're mere humans), and so compromise the build server's security. If possible, we should take care of that problem by limiting the scope of the problem to only the Morganey package itself, so that even if the attacker has compromised the package, everything he has access to is the package itself.

Long story short, I strongly advise against automating the builds of public projects on any servers beyond the security perimeter (e.g. my/your own Jenkins instance, or any corporate servers, or codingteam.org.ru, for that matter). Consider using Travis for that task, but don't forget to secure the publication keys and tokens (I think Travis has an option for somewhat "secure environment variables"). In that case, an attacker will still be able to trick us, compromise the build and steal the secure credentials, but then he'll be able to compromise only the snapshot package and nothing else.
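The publish gate the comment above describes, as an added example that is not part of the original thread and not the project's own build script. It assumes a Travis-style CI job that exports `TRAVIS_BRANCH` and `TRAVIS_PULL_REQUEST` (Travis sets the latter to the literal string `false` on push builds and to the PR number on pull-request builds), and a publication token delivered through an environment variable; the variable name `BINTRAY_API_KEY` and the default branch name `master` are assumptions. The actual publish command is left as a placeholder comment, since the page does not say which build tool's task does the upload.

```shell
#!/bin/sh
# Added example, not the project's own script. Gates a snapshot publish so that
# only a push build on the default branch, with the credential present, uploads.
# On Travis, secure environment variables are not exposed to builds of pull
# requests from forks, so an unmerged PR cannot reach the token at all; once a
# backdoor is merged, the token is exposed, which is exactly why it must be
# scoped to the snapshot package and nothing else.

# should_publish BRANCH PULL_REQUEST API_KEY
# Returns 0 (publish) only when PULL_REQUEST is "false", BRANCH is master and
# API_KEY is non-empty. Every other combination returns 1 (skip).
should_publish() {
  branch="$1"
  pull_request="$2"
  api_key="$3"
  [ "$pull_request" = "false" ] || return 1   # PR builds never publish
  [ "$branch" = "master" ] || return 1        # assumed default branch name
  [ -n "$api_key" ] || return 1               # no credential, nothing to do
  return 0
}

# Reads the CI-provided variables (names assumed) and decides. The token is
# only ever read from the environment and never echoed or passed as a command
# line argument, where it would show up in process listings and build logs.
publish_snapshot() {
  if should_publish "${TRAVIS_BRANCH:-}" "${TRAVIS_PULL_REQUEST:-}" "${BINTRAY_API_KEY:-}"; then
    echo "publishing snapshot from branch ${TRAVIS_BRANCH}"
    # placeholder: run the project's publish task here, e.g. the build tool's
    # publish command configured to read BINTRAY_API_KEY from the environment
    return 0
  fi
  echo "skipping publish: not a push build on master, or no credential present"
  return 2
}

# Stand-alone run: with no CI variables set this takes the skip branch.
publish_snapshot || echo "publish skipped (status $?)"
```

Wire it up by calling the script from the CI job's post-build step, with the token defined only as an encrypted/secure variable in the CI configuration, never in the repository. The gate limits exposure to builds that already carry merged, reviewed code; it does not protect against a backdoor that has been merged, which is the residual risk the comment above accepts by keeping the token's reach to the snapshot package only.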