elliot-huffman
commented
3 months ago I am willing to make a PR for the above.
Open elliot-huffman opened 3 months ago
elliot-huffman
commented
3 months ago I am willing to make a PR for the above.
fatso83
commented
3 months ago Thank you for volunteering to follow up on your suggest, Elliot! Very much appreciated. Automated releases has been wanted for at least the last six years (#1657, for reference), but lack of actual manpower to do bigger tasks like this is the main blocker.
One suggestion was to try out the process on one of the smaller projects (like fake-timers, samsam, etc). That was mostly in relation to semantical releases, to try and get a feel for it, but you are in no way obliged to figure out how to do that, although I think it's not that much additional overhead.
In any case, before going into doing the work, it would be nice if you could elaborate on how you envision the release process to work. A new release for every commit (not that nice, IMHO, if I just update the README), magic markers (like [release]) in the commit message, or something else.
fatso83
commented
3 months ago And I might add that I have done release "ooops"'s more than once, so automation is very much wanted:
🤡
elliot-huffman
commented
3 months ago Do you have a MS Teams account? I would love to hop in a call with you to deep dive :-)
fatso83
commented
3 months ago I'll send you an email using the email on your profile
fatso83
commented
1 week ago @elliot-huffman any updates on the progress? it's been a while :)
Is your feature request related to a problem? Please describe. No
Describe the solution you'd like By automating the release process, it will eliminate risk that the release process won't be followed and the release.md doc can be automated. (see this workflow as an example of what could be implemented for automation).
It also introduces support for NPM provenance. Provenance is a system in NPM that attests the build process and ensures that what you see is what you get, by process reducing risk via proving that an un-known actor is unable to execute in the shadows. Attestation is a way to prove package health via correlation of published package to GH Actions publish command execution via cryptography.
By shifting the release process from local computers to a GH Actions instance, it also reduces risk from a threat actor or malware that is present on the machine that is publishing.
Describe alternatives you've considered Keeping everything the same?
Additional context NPM Docs: https://docs.npmjs.com/generating-provenance-statements