
Automating releases with GitHub workflows

Open gabibguti opened this issue 2 years ago • 4 comments

Hi! I've noticed this repo defines an automated script to release jQuery org projects and this script allows publishing the project/package to npm. npm has recently enabled publishing packages with provenance and that could be a nice addition to jQuery org releases.

The provenance holds verifiable information about the software artifacts describing where, when and how it was produced. It ensures that the artifacts users download from npm were uploaded from a reliable source.

If you are willing to make a few changes to the jQuery org release process, we can publish the npm packages with provenance using GitHub workflows! If you agree, I can support you by opening PRs.

Additional context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

gabibguti avatar Jul 25 '23 17:07 gabibguti

I'm definitely up for this, but the jQuery release process uses a lot of custom scripts in this repo and in jQuery core. I've already been planning to rewrite the release process using GH actions, but it will be no small undertaking and I think we'll need to do it internally as there are a lot of unique requirements. That said, I'll leave this open as a reminder to publish with provenance.

timmywil avatar Jul 25 '23 18:07 timmywil

Sure, rewriting the whole release process using GitHub workflows will be more challenging. Still, I was thinking of a smaller temporary solution. I’ll describe it below so you can see for yourself if it would be applicable. But, of course, if you'd rather include the provenance when refactoring, I’m with you!

Solution proposal

  1. Modify jquery/jquery-release to optionally pass the --provenance argument to the npm publish command.
  2. Create one GitHub workflow on jquery/jquery-release to make the release. This workflow would run the sequence of release commands defined in the README. Since the release command takes arguments, so will the workflow.
  3. Then, each jQuery repo would reuse that one GitHub workflow to make their own custom releases, like so:

```yaml
jobs:
  call-workflow-passing-data:
    # A reusable-workflow reference must pin a ref (branch, tag or commit SHA); @main is assumed here
    uses: jquery/jquery-release/.github/workflows/reusable-workflow.yml@main
    with:
      custom-release-file: ./release.js
```

gabibguti avatar Jul 26 '23 14:07 gabibguti

jquery-release cannot yet be run in GH actions. It was designed only to be run locally and requires input from the user. Switching to a github workflow will likely mean dropping jquery-release.

timmywil avatar Jul 26 '23 14:07 timmywil

Got it. Thanks for the clarification!

gabibguti avatar Jul 26 '23 18:07 gabibguti