Add a release workflow #9
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Makes an automated release | ||
| # | ||
| # To trigger this workflow, ensure the CHANGELOG is up to date, then push the commit | ||
| # to be released to a `release/*` branch. | ||
| # | ||
| # e.g. | ||
| # git checkout -b release/v1.0.0 | ||
| # git push | ||
| # | ||
| name: Release | ||
|
|
||
| on: | ||
| push: | ||
| branches: [release/*] | ||
|
|
||
| jobs: | ||
| create-release: | ||
| name: Create GitHub Release and tag | ||
| runs-on: ubuntu-latest | ||
| environment: Release | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: cucumber-actions/[email protected] | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| publish-rubygem: | ||
| name: Publish Ruby Gem | ||
| needs: create-release | ||
| runs-on: ubuntu-latest | ||
| environment: Release | ||
| - uses: actions/checkout@v2 | ||
| - uses: ruby/setup-ruby@v1 | ||
| with: | ||
| ruby-version: 3.0.2 | ||
| bundler-cache: true | ||
| - uses: cucumber-actions/[email protected] | ||
| with: | ||
| rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }} | ||
| working_directory: 'ruby' | ||
|
|
||
| publish-npm: | ||
| name: Publish NPM package | ||
| needs: create-release | ||
| runs-on: ubuntu-latest | ||
| environment: Release | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/setup-node@v2 | ||
| with: | ||
| node-version: '16' | ||
| - uses: cucumber-actions/[email protected] | ||
|
There was a problem hiding this comment. Can we use https://github.com/marketplace/actions/npm-publish instead? Less stuff for us to maintain? There was a problem hiding this comment. The idea would be to not use external actions to be able to check a security option to github, thus to have total control over the release pipeline Eventually we could fork the action There was a problem hiding this comment. Fair point. I would prefer to fork a community one rather than maintaining ones we've written from scratch. It has a lower cost of ownership - we can merge in upstream bugfixes as needed. There was a problem hiding this comment. Agree (yes, I may be a little bit paranoid 😅) There was a problem hiding this comment. Hacking a widely used release plugin could provide attackers with an attack-surface where they can distribute malicious code to a lot of people. It's good to be paranoid about this. These actions are fairly small and I think the effort required to understand them is smaller than the effort required to write them. There was a problem hiding this comment. I think that this 3rd party one is way over complex for what we need. It has many features we don't need, where ours is about fifteen lines of bash. i like ours better. There was a problem hiding this comment. I totally agree about the paranoia though! |
||
| with: | ||
| npm-token: ${{ secrets.NPM_TOKEN }} | ||
| working-directory: 'javascript' | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Everyone contributing to this repo is expected to abide by the [Cucumber Community Code of Conduct](https://cucumber.io/conduct). | ||
|
|
||
| ## Making a release | ||
|
|
||
| There are two parts to making a release. First, prepare the release, then make the release. | ||
|
|
||
| ### Preparing a release | ||
|
|
||
| Anyone with commit rights to `main` can prepare a release. | ||
|
|
||
| To make these steps easier, can use the [`changelog`](https://github.com/rcmachado/changelog) tool. | ||
|
|
||
| First, make sure your changes are detailed in the `Unreleased` section of the [CHANGELOG](./CHANGELOG.md) file. | ||
|
|
||
| Then, use [semver](https://semver.org/) to pick a version for the next release. | ||
|
|
||
| read $next_release | ||
|
|
||
| Modify the changelog: | ||
|
|
||
| changelog release $next_release -o CHANGELOG.md | ||
|
|
||
| Commit and push | ||
|
|
||
| git add . | ||
| git commit -m "Release $next_release" | ||
aslakhellesoy marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ### Making a release | ||
|
|
||
| Only people with rights to push to the `release/*` branches can make releases. | ||
|
|
||
| git checkout -b release/v$next_release | ||
| git push | ||
aslakhellesoy marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| This will trigger the [`release` workflow](https://github.com/cucumber/cucumber-expressions/actions/workflows/release.yaml). | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use https://github.com/marketplace/actions/publish-to-rubygems instead? Less stuff for us to maintain?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aurelien-reeves pointed out that including 3rd party actions in our release chain is a potential supply-chain attack vector. For simple, stable, stuff like this I think it makes sense to roll our own.
I reviewed that particular one before deciding to write our own, and it's lame. It doesn't actually do the gem publish, it just invokes a rake task. It also writes the token to disk, and needs a github token for a reason I don't understand.
So I like ours better.