facebook / jscodeshift

A JavaScript codemod toolkit.

Home Page:https://jscodeshift.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Enable changesets to manage releases

trivikr opened this issue · comments

Is your feature request related to a problem? Please describe.

The releases are managed internally by Meta employees which makes it difficult to publish new versions. These release can be automated using GitHub Actions

Describe the solution you'd like

Use yarn changesets for managing releases for jscodeshift. The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

We use changesets in aws-sdk-js-codemod:

Describe alternatives you've considered

Explore other automated release options

Additional context

This can be picked up after GitHub Actions are enabled in #493

The maintainers just need to rename and merge PR for new release, and changeset bot will do the automated release.

This sounds useful. I'm not very active in the JS community any more so I hadn't heard about this.

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token? I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used (for example, to know to periodically rotate them), but it seems like more and more systems are moving in that direction...

How does it publish to npm? Does it require a hard-coded token somewhere, or does the maintainer log in to it which gives it some sort of temporary token?

It reuses npm automation token stored in a GitHub encrypted secret.

In aws-sdk-js-codemod, we store it in GitHub secret named NPM_TOKEN https://github.com/awslabs/aws-sdk-js-codemod/blob/aaac3bb8630ab62e0c546bb1717785a203828434/.github/workflows/push.yml#L35

I've always found hard-coding a token in a third-party system kinda sketchy since it increases attack surface and it makes it harder to know where tokens are being used

This is true. But GitHub encrypted secrets should be reliable as they're used by more and more projects.

As an alternative, cycjimmy/semantic-release-action (which uses semantic-release) could be a good action for managing releases too