What this PR does
Publishing packages on npm currently requires manual access to be given to the vimeo org in npm. This is problematic from a security perspective, because there is no way to automatically remove individuals once they leave Vimeo. There are also issues with maintenance, and legacy knowledge of the process.
This PR adds a GitHub workflow that automates publishing the package to the npm registry through a Vimeo/Devex-maintained npm account. The workflow is triggered when a new tag in the format *.*.* is pushed on main.
A tag protection rule would also be created to restrict creating/editing tags in the *.*.* format to admins and maintainers of the repo, thus restricting who can publish the package as well.
Testing
Test workflow: https://github.com/vimeo/vimeo.js/pull/179/files
Test run: https://github.com/vimeo/vimeo.js/actions/runs/4451857999
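
A tag-triggered publish workflow of the kind described above, as an added example that is not the workflow from this PR. The file path, the secret name NPM_TOKEN, the Node version, the committed lockfile and the tag-equals-package-version check are assumptions. A tag filter fires for a matching tag on any branch, so the job checks that the tagged commit is reachable from main before it publishes.

```yaml
# Hypothetical .github/workflows/publish.yml (added example, not the PR's file)
name: Publish to npm

on:
  push:
    tags:
      - "*.*.*"   # tag format named in the PR description

permissions:
  contents: read   # the job only needs to read the repository

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history and branches, needed for the ancestry check

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed version
          registry-url: https://registry.npmjs.org

      # The tag filter does not restrict which branch the tagged commit
      # lives on; fail unless that commit is reachable from main.
      - name: Verify tagged commit is on main
        run: git merge-base --is-ancestor HEAD origin/main

      # Assumption: release tags equal the "version" field in package.json.
      - name: Verify tag matches package.json version
        run: |
          pkg_version="$(node -p "require('./package.json').version")"
          [ "$GITHUB_REF_NAME" = "$pkg_version" ]

      # Assumption: a package-lock.json is committed.
      - run: npm ci

      - run: npm publish
        env:
          # Assumed secret name holding the shared npm account's token.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```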