Support for release workflow

[wesleytodd]

I would love to see a managed release workflow here as well. I see two ways we could go:

1. Release Please
2. Call version and release package.json scripts

I personally like the first option a lot, but I know that is more opinionated. Maybe we could even have both?

[ljharb]

We shouldn’t use a single factor approach, but if we can get a two factor one that sounds great.

[wesleytodd]

As much as I agree, there is not one today which can do this. We have discussed this in a few different forums, but I don't see any solutions here other than author local machine, and that is just not what users want nor is it was is best for projects other than ones with authors like you who are deeply invested in the ecosystem.

[ljharb]

There is if you use an external service, like Step Security's "wait for secrets" mechanism.

[wesleytodd]

Got a link? Haven't seen that one yet.

[ljharb]

https://github.com/step-security/wait-for-secrets - i use it on eslint-plugin-react. There's also https://github.com/GoogleCloudPlatform/wombat-dressing-room, but that requires you to deploy something yourself.

[wesleytodd]

Yeah wombat dressing room was the one I knew about. I will check out wait-for-secrets. I am happy if we can get a good solution here, so if that is it I am onboard.

[dominykas]

This does not publish anything to npm - does 2FA even apply?

[wesleytodd]

My proposal was that it would also have a workflow which did release. I was thinking it could be separate, but since this is just called action I assumed it might make sense for it to contain more than just the test setup.

[dominykas]

workflow which did release [..] more than just the test setup.

Sorry, not sure what you mean?

[wesleytodd]

I am proposing we add a new workflow for release/publish.

[dominykas]

Yeah, that's fine, but in the context of 2FA - do we need anything? This repo is not publishing anything on npm, and internal Github stuff can be handled by the token, or am I missing something?

[wesleytodd]

I think @ljharb was pointing out that providing a release workflow to other repos without 2FA was an issue.

[dominykas]

Oh, OK, yeah, that I agree on. I assumed this was about having a release workflow in here, but the request here is about providing a workflow for others to use, right?

[ljharb]

Yes, that was my understanding.

[wesleytodd]

Yep, that was my thought, a workflow for others to use. I was just trying to think of things that would get more folks setup without having to do it all on their own.