Open sarina opened 2 years ago
Note for when we're figuring this out: NPM recently released the ability to require 2FA for all members of an org. We should consider turning this on at the same time.
Later H2
I would think @arbrandes should weigh in on this item's relative importance / size.
I think doing this makes a lot of sense I'll assign this to myself and do a little discovery on what kind of effort will be required. (Hopefully it'll be pretty easy to do.)
Adding some related context from a recent issue:
@edx
NPM organization.However, we are also using the same NPM token for publishing over in the edX github organization (in frontend-component-footer-edx). As we rotated this secret in the openedx org, it's no longer valid in the edX org, causing our edX-specific NPM releases to fail.
I've escalated the issue of needing to rotate the NPM token for the edx github org to 2U SRE, but wanted to flag here that having distinct NPM tokens for the 2 Github organizations would be advantageous so there is no coupling between Open edX and 2U moving forward.
I'd also be happy to discuss the impacts of moving existing NPM packages to a new openedx
specific org. My assumption in that case is that 2U would still rely on the existing edX NPM org once Open edX moves away from it.
@arbrandes please review this proposed migration plan for fixing the NPM ownership.
I've created the new openedx
organization and am the owner of both that and the old edx
organization. Thinking through the problem I came up with the following potential steps for how we might proceed with the migration.
edx
github org currently publishes 46 packagesedx-old-org
user currently publishes 6 more packages that are not scoped to the edx
org.openedx
NPM org. (Done)openedx
org as a member
so they can publish any new packages they need to.openedx
NPM org.openedx
org at the same version as in the edx
org.
openedx
org that use this package to use the new openedx
scoped one.openedx
NPM org and create some API tokens for it.openedx
GitHub org and create a personal access token. (we use this user when semantic release has changes to commit back to the repo as part of the release.)SEMANTIC_RELEASE_GITHUB_TOKEN
and SEMANTIC_RELEASE_NPM_TOKEN
openedx
GitHub org secrets.openedx
org still works.edx-semantic-release
GitHub user from the openedx
org. edx-semantic-release
NPM user from the opnedx
NPM org.edx
NPM org.In general, looks good to me. The largest (in terms of work) will, of course, be 3.iv. Otherwise:
On 3. iii:
We're effectively renaming the packages, technically a breaking change that warrants major version bumps. (Or a restart to 1.0.0, which is what happened when react-intl was renamed to formatjs, but I think that would be a tad too extreme.) Doing so would also be a clear signal that this is the intended direction: as a user, you'll only get new versions under the new namespace. This also obviates the need to publish the same version under a new namespace.
Can't think of a downside except that it's not obvious just from comparing package names and versions that nothing changed except the name... which, again, would be confusing in an of itself, as a name change is a pretty big deal in the first place.
Just throwing this in here, as it may come in handy whatever we do:
It contains instructions on how to manually trigger releases, which is something we might have to do.
So I think the next steps for this are to:
edx-semantic-release
NPM User@arbrandes @feanil, has the migration of @edx/brand to @openedx/brand been completed? I have found this reference ticket
@Mashal-m yes, the move of that particular package has already been completed. Since it was an alias already that one was a lot easier to move than most of the others.
Quoting @brian-smith-tcril from this Slack thread, this is the current plan:
- Make a PR updating the paragon peer dep scope in frontend-platform, ensure it's marked as a breaking change
- Make a PR moving the paragon dependency in frontend-component-header to a peer dep with the @openedx scope, ensure it's marked as a breaking change
- Make a PR moving the paragon dependency in frontend-component-footer to a peer dep with the @openedx scope, ensure it's marked as a breaking change
Then if someone wants to use a new version of paragon in an MFE they will need to update those other dependencies, but they will be able to use paragon from the openedx scopeThis avoids supporting multiple scopes on new versions of packages with paragon as a peer dep.
There is an edx organization on NPM that currently publishes many packages. An organization can't be renamed but there is a process for moving packages between organizations. The
edx
organization orscope
as NPM calls it, has both packages that are a part of the Open edX ecosystem as well as packages that are specific to edx.org. To reduce confusion we'll be moving the openedx packages to a newopenedx
scope in NPM.Impact
Any downstream packages that depend on a package that has moved will need to update its dependencies and imports to pull the same files from the new package location and version.
Tasks
Tentative Plan
openedx
NPM org. (Done)openedx-npm-release-bot
github and NPM users. (Done)openedx
NPM org and create some API tokens for it. (Done)openedx
GitHub org and create a personal access token. (we use this user when semantic release has changes to commit back to the repo as part of the release.) (Done)OPENEDX_NPM_RELEASE_GITHUB_TOKEN
andOPENEDX_NPM_RELEASE_NPM_TOKEN
openedx
GitHub org secrets. (Done)openedx
NPM org.openedx
org at the same version as in theedx
org.openedx
org that use this package to use the newopenedx
scoped one.edx-semantic-release
GitHub user from theopenedx
org.edx-semantic-release
user back to the 2U SRE team so they can take full control of this useredx
NPM org.Links