
Enable changesets to manage releases

Open trivikr opened this issue 2 years ago • 3 comments

Is your feature request related to a problem? Please describe.

The releases are managed internally by Meta employees, which makes it difficult to publish new versions. These releases can be automated using GitHub Actions.

Describe the solution you'd like

Use yarn changesets for managing releases for jscodeshift. The maintainers just need to rename and merge the PR for a new release, and the changeset bot will do the automated release.

We use changesets in aws-sdk-js-codemod:

  • Example PR for publishing v0.5.1 https://github.com/awslabs/aws-sdk-js-codemod/pull/107
  • GitHub release https://github.com/awslabs/aws-sdk-js-codemod/releases/tag/v0.5.1

Describe alternatives you've considered

Explore other automated release options

Additional context

This can be picked up after GitHub Actions are enabled in https://github.com/facebook/jscodeshift/pull/493

trivikr (Mar 25 '22 02:03)

The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

This sounds useful. I'm not very active in the JS community any more so I hadn't heard about this.

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token? I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used (for example, to know to periodically rotate them), but it seems like more and more systems are moving in that direction...

Daniel15 (Mar 25 '22 02:03)

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token?

It reuses npm automation token stored in a GitHub encrypted secret.

In aws-sdk-js-codemod, we store it in a GitHub secret named NPM_TOKEN: https://github.com/awslabs/aws-sdk-js-codemod/blob/aaac3bb8630ab62e0c546bb1717785a203828434/.github/workflows/push.yml#L35

I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used

This is true. But GitHub encrypted secrets should be reliable as they're used by more and more projects.

trivikr (Mar 25 '22 02:03)
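For readers unfamiliar with the setup discussed above, the following is an added illustration of a minimal changesets release workflow; it is not the jscodeshift or aws-sdk-js-codemod workflow. The file path, default branch name and Node version are assumptions; the `NPM_TOKEN` secret name follows the one mentioned in this thread.

```yaml
# .github/workflows/release.yml  (illustrative only, not either project's actual workflow)
name: Release

on:
  push:
    branches: [main]   # assumed default branch; pull_request runs from forks never receive secrets

# Scope the per-run GITHUB_TOKEN to what changesets/action needs:
# pushing the version commit and opening/updating the release PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0          # changesets inspects git history to determine what changed

      - uses: actions/setup-node@v3
        with:
          node-version: 18        # assumed
          cache: yarn

      - run: yarn install --frozen-lockfile

      # With pending .changeset/*.md files present, the action opens or updates a
      # "Version Packages" PR. After a maintainer merges that PR, the next run finds
      # no pending changesets and executes the `publish` command instead.
      - name: Create release PR or publish to npm
        uses: changesets/action@v1
        with:
          publish: yarn changeset publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # short-lived, issued per job run
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}         # long-lived npm automation token
```

Two points are worth spelling out for the concern raised in this thread. The `GITHUB_TOKEN` is ephemeral and scoped by the `permissions` block; the `NPM_TOKEN` is the one long-lived credential, and an npm automation token is allowed to publish without 2FA, so it is the item to inventory and rotate. Triggering only on `push` to the protected branch (rather than on `pull_request`) keeps the secret out of any job a fork can influence, and storing it as an environment secret with required reviewers adds a manual gate in front of each publish.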

As an alternative, cycjimmy/semantic-release-action (which uses semantic-release) could be a good action for managing releases too

MichaelDeBoey (Apr 08 '22 00:04)