Feat: Add release CI #64
Conversation
use npm as yarn doesn't support provenance yet
add `id-token` write permissions, so that provenacne works correctly
There was a problem hiding this comment.
I think this is a good idea, but since this is a shared repository we need a bit of security in place to avoid someone stealing the token for releases. In particular, we might want to provide collaborators with write access, while still not permitting them to do releases.
Specifically, I think we need to
- make sure that the NPM_TOKEN is only available to workflows on tags and the main branch,
- in other words, make sure that the token is never available in other branches or pull requests, even from this repo, and
- setup CODEOWNERS to enforce review and approval for all changes to workflows by repo owners (and not just repo collaborators).
I don't actually know how to set that up with Github actions, but I think it's mandatory to have this secured.
I agree in general with your view, Edit: I get the exploit that might reveal the secret (creating a PR, that changes the CI, to echo the secrets, it runs automatically and prints the secret) However, making the token only available on certain branches (e.g. I don't think setting up CODEOWNERS is necessary and there is only the option, that only CODEOWNERS can approve PR's, there is no scope, that restricts chnages in workflows. |
|
In the code owners file you declare that only e.g. repo owners are code owners of workflows files, and then Github requires a review from these people. I think that this is mandatory to prevent unauthorised modifications to workflows. |
I never used that feature, so I am not familiar with that. But if it's possible, It's a good idea. 👍🏼 |
|
Thanks a lot and great idea! I'll have a look at this over the next few days and enter the NPM token in a secure way and then give appropriate feedback 👍 |
Add a release CI
This runs on every prerelease and release, and published the package automatically to npm, so we don't have to do that manually.
If it is a pre-release, it is published under the
nexttag, otherwise under thelatesttag.This was not tested as a whole yet (as it is not possible to test everything together that easily), but it should work, once
all TODO's are done. I tested every step of the pipeline separately locally, the pipeline was run nearly identical already on a test repo of mine (without
npm publish)Additionally I updated the normal Ci, to also use the newest Node LTS version and cleaned it up a bit.
Links
What is Provenance: https://docs.npmjs.com/generating-provenance-statements
GH example for publishing packages: https://docs.github.com/de/actions/use-cases-and-examples/publishing-packages/publishing-nodejs-packages
TODO
we need to have a repo secret
NPM_TOKENthat can write to the npm registry and publish the package@JumpLink I think you are the only one, that can do that, you can follow this guide or ask me at any time on how to do that. We would need to create a NPM token, so you should create one on your own account, make sure to create a secret and not a variable as its hidden in all workflow logs and no-one can see it.
Use provenance workarounds, see [Feature] Add support for
yarn npm publish --provenanceandpublishConfig.provenanceoption yarnpkg/berry#5430