Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: automatic releases #166

Open
wants to merge 14 commits into
base: master
Choose a base branch
from

Conversation

sparten11740
Copy link
Contributor

@sparten11740 sparten11740 commented Nov 10, 2023

Automates releases by releasing on merge to master for relevant commit types (feat, fix, perf, and breaking changes).

If we want to use @semantic-release/git, which we should, we'll have to use a PAT of the machine account and empower that machine account to bypass branch protection rules. The plugin is responsible for updating the version in package.json and adding the CHANGELOG.md! Decided to use @semantic-release/github instead for tighter security so we don't have to allow the machine user to bypass the branch protection rule. This will result in stale package versions in git, but still have the correct version in the published package.

Todos:

  • create a NPM_PUBLISH_TOKEN secret that has an NPM automation token for the account that will get exclusive access to @exodus/schemasafe

Testplan

A first sanity check of the configuration can be done using the dry run mode locally.

  1. Checkout this PR
  2. Apply the following diff
Subject: [PATCH] add test branch
---
Index: .releaserc.json
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/.releaserc.json b/.releaserc.json
--- a/.releaserc.json	(revision f9059cf10c831fad0f2a0fc8d17ab1d1c6fc8a85)
+++ b/.releaserc.json	(date 1699578894912)
@@ -1,5 +1,5 @@
 {
-  "branches": ["master"],
+  "branches": ["master", "sparten11740/ci/automatic-releases"],
   "plugins": [
     [
       "@semantic-release/commit-analyzer",
  1. run yarn release -d. verify echo $? returns 0 and you see some nice release notes in the stdout of the first command

This doesn't test the full integration such as correctly configured PAT's and branch protection rules. We'll only be able to test these when this PR gets merged

@sparten11740 sparten11740 self-assigned this Nov 10, 2023
@codecov-commenter
Copy link

codecov-commenter commented Nov 10, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (f28dd6f) 99.54% compared to head (20ec800) 99.54%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@sparten11740 sparten11740 force-pushed the sparten11740/ci/automatic-releases branch 2 times, most recently from f46892c to c5bb14d Compare November 10, 2023 00:53
@sparten11740 sparten11740 changed the base branch from master to sparten11740/chore/fix-linting-issues November 10, 2023 00:53
@olistic
Copy link

olistic commented Nov 10, 2023

@ChALkeR Can you please review?

mvayngrib
mvayngrib previously approved these changes Nov 10, 2023
Copy link

@mvayngrib mvayngrib left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tACK (let's wait for @ChALkeR before merging)

@sparten11740
Copy link
Contributor Author

sparten11740 commented Nov 13, 2023

@RyanZim we need an npm automation token with access to @exodus/schemasafe saved as NPM_PUBLISH_TOKEN secret. Is that something you could look into?

We also still need a GH_AUTOMATION_PAT for the exodus-github-robot and allow exodus-github-robot to bypass the branch protection rule, so it can commit release assets

I can't do any of this and I also can't look at the repo configuration since I don't have admin access

with:
node-version: ${{ matrix.node-version }}
- run: yarn --frozen-lockfile
- run: yarn --frozen-lockfile --ignore-engines
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are installing dev dependencies here as well and semantic-release requires node >= 18, so this is required to silence yarn about the engine mismatch

@ChALkeR
Copy link
Contributor

ChALkeR commented Nov 16, 2023

I'm unsure why exactly this would be helpful.

The main chores of this lib are not releases per se, but logic fixes, and autorelease functionality adds some amount of complexity.

Which could be more than the release complexity it reduces.

A more helpful setup would be to always (when actual) have an PR which updates json-schema-test-suite gitmodule to latest)

@RyanZim
Copy link

RyanZim commented Nov 17, 2023

@ChALkeR the intent is to reduce the number of people with publish access here; see #165 for context.

Base automatically changed from sparten11740/chore/fix-linting-issues to master November 17, 2023 21:57
Copy link
Contributor

@ChALkeR ChALkeR left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking visibly until the exact mechanism is figured out that doesn't degrade security.

@ChALkeR
Copy link
Contributor

ChALkeR commented Nov 23, 2023

#165 is understandable and should be fixed, but this approach just makes things worse at the current state (explained via other channels). It can make things better if configured properly though.

src/compile.js Outdated Show resolved Hide resolved
@sparten11740
Copy link
Contributor Author

sparten11740 commented Nov 24, 2023

It can make things better if configured properly though.

the whole premise of this PR is to have an adequate branch protection rule. I don't have admin access and cannot see what's currently configured. You will have to take the lead here, but some suggestions:

  • Require a pull request before merging
  • Require 2 approvals
  • Dismiss stale pull request approvals when new commits are pushed
  • Require review from Code Owners
  • Require conversation resolution before merging
  • Require status checks to pass
  • Require signed commits

@sparten11740 sparten11740 force-pushed the sparten11740/ci/automatic-releases branch from aa4e058 to 26ef5bf Compare November 24, 2023 02:35
@ChALkeR
Copy link
Contributor

ChALkeR commented Nov 24, 2023

@sparten11740 Yeah, a proper branch configuration and removing npm users write access first would unblock this.

@@ -12,7 +12,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-node@v1
with:
node-version: '14'
node-version: 18
Copy link
Contributor

@ChALkeR ChALkeR Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's file a separate PR for this (and bump that to 20)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's either this or running yarn install with --ignore-engines. I prefer the node version update

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to 20

Copy link
Contributor Author

@sparten11740 sparten11740 Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are actually getting test failures here in node 20, reverted back to 18

@@ -14,12 +14,12 @@ jobs:
node-version: [10.x, 14.x, 16.x, 18.x]

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's do this in a separate PR, unclear what the differences are yet and this is an orthogonal change

on:
push:
branches:
- master
Copy link
Contributor

@ChALkeR ChALkeR Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see above comments
perhaps we should create a more protected release branch and publish from it? Making releases separate prs to the release branch and require them to have more than 2 reviews

@sparten11740
Copy link
Contributor Author

Perhaps we can lower the requirement to merge to master and instead make the requirements for releases stricter?

@sparten11740 @mvayngrib thoughts?

I don't see much of an advantage in that, the amount of time for the changes to get released would probably be the same, if not even more. The reviewing effort increases and we potentially have to backport fixes from issues found in the release PRs.

@sparten11740
Copy link
Contributor Author

sparten11740 commented Feb 5, 2024

@RyanZim can you create a new environment named release, restrict the environment to be used from master, add the npm token as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret with the same name?

@sparten11740 sparten11740 force-pushed the sparten11740/ci/automatic-releases branch from c9969f0 to 89bf14b Compare February 5, 2024 11:42
@sparten11740
Copy link
Contributor Author

sparten11740 commented Feb 6, 2024

can you create a new environment named release, restrict the environment to be used from master, add the npm token as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret with the same name?

@ChALkeR, Ryan is not admin. Would you mind doing this? He'll keybase the token

@mvayngrib
Copy link

for now, i vote we keep the merge policy for master strict and do auto-releases and revisit this later. Otherwise we’ll have to review release PRs, which is extra pain (plus we’ll have to re-review everything merged since the previous release if we don’t trust master anymore)

the DX pain on master only exists when there are multiple PRs open at the same time. We can potentially improve this in the future as follows (discussed in DM with @sparten11740):

  1. make sure PR checks run on the merge commit with master and not on the PR head (supposedly taken care of by the latest actions/checkout action)
  2. invalidate + re-run checks on all open PRs when any PR is merged (because it changes the base for all of those PRs. h/t @sparten11740 for pointing this out)
  3. use a custom action instead of GH’s settings to enforce 2 reviews pre-merge to master, and don’t “dismiss” reviews as stale if the diff with the merge base doesn’t change after rebase

the above setup could be useful for any of our repos, but isn’t a high priority atm

@mvayngrib mvayngrib requested a review from ChALkeR February 13, 2024 15:08
@RyanZim
Copy link

RyanZim commented Feb 13, 2024

can you create a new environment named release, restrict the environment to be used from master, add the npm token as environment secret NPM_PUBLISH_TOKEN to that environment, and remove the previous repository secret with the same name?

Done

@sparten11740 sparten11740 force-pushed the sparten11740/ci/automatic-releases branch from 20ec800 to 5cec034 Compare February 21, 2024 11:54
@mvayngrib
Copy link

what's the plan here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants