-
Notifications
You must be signed in to change notification settings - Fork 482
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manage releases using changesets #625
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
I've copied setup from https://github.com/aws/aws-sdk-js-codemod/releases, a consumer of jscodeshift which has done 150+ releases using changesets. |
Do you know what the security risks are of this approach, and how they can be avoided? How does this play with npm requiring two-factor authentication to publish? Edit: Also, does this create a GitHub release, or just an npm release? Ideally we'd have both. |
The Chsngeset Action will have access to NPM and GitHub tokens to do the releases.
At aws-sdk-js-codemod, we use npm automation token for publishing.
Yes. The aws-sdk-js-codemod for reference: |
@Daniel15 Are there other open questions about using changesets, or the extra actions maintainers have to take? |
Sorry - I replied to this via email but it looks like it never posted. I should be able to get some time to look into this later this week 😄 In particular, I'll have to see if we're allowed to store npm tokens in GitHub secrets, since it introduces a new attack vector. |
I'm still trying to figure out how to properly do this. I want to install pkg.pr.new too. GitHub's UI seems buggy and doesn't properly send the app installation request to the admins. |
I finally got pkg.pr.new GitHub app approved so now I'm attempting again to get this one approved. |
Looks like That's another reason to switch to automated publish mechanism like |
@trivikr I'm looking into this now that the GitHub changesets app was approved by the Meta open-source team yesterday. I think I've done all the steps correctly - installed the app and created an |
I tested changesets on aws-sdk-js-codemod by merging the code, and releasing a patch version. The app will post comment on PRs as soon as they're posted. If a changeset is added, it'll provide details on which new version will be released. If no changeset is present, it'll request author to add one. PRs without changeset will not update the CHANGELOG. When there are unreleased changesets, a PR will get created clubbing all the unreleased changesets. A new version will be released when that PR is merged. |
For jscodeshift, we can try releasing v17.1.2 or v17.2.0 using changeset whenever new changes are ready. We can consider releasing a prerelease version too using changesets by going through their documentation. I haven't tried it before. |
|
commit: |
Changeset Bot is working, and it posted message on this PR #625 (comment) @Daniel15 I can add a changeset message for this PR, if you want to test releasing |
Great, let's merge this and test with new PRs. |
Fixes: #494
The steps maintainers have to take:
NPM_TOKEN
Changesets Action will create a pull request for publishing new version whenever changesets are available.
When the pull request is reviewed and merged, a new GitHub Release will be created and npm version will be published.