feat: incorporate changesets #266
Conversation
✅ Deploy Preview for agitated-mahavira-26f8f9 canceled.
|
|
In order for this to work, we need to create an automated token from You can check the IPs used by Github Actions in below links https://api.github.com/meta Possible solution would be create a dedicated machine for releasing only which is fixed IP. |
|
Changed to draft to avoid any unwarranted merge before I've had a chance to review and absorb all of this. This is very substantial, a great improvement to the workflow, thanks @onlywei! |
@climba03003 Can you elaborate a little more? For my other packages I simply generated an access token from my npm account page and added it to the repos. What it special about the fastify org packages that requires a whitelist? I don't have permission to publish any fastify packages outside this repo anyway. |
Whitelisting for certain IPs to protect the token is not misused in the other places outside of Github Actions.
It is not something special but security measure. |
|
Seems overly complicated, I like conventional commits though. But I agree that we should only use |
Conventional commits are good for repos that only have one package. However, conventional commits do not understand monorepos with multiple packages to publish. Plus we have to manually bump our version numbers to do manual publishing right now, which is error prone. |
|
|
@onlywei I'd like to ensure we're able to manually do releases, and not have a CI-dependent setup. I haven't read through it all yet, but this remains a possibility, right? |
Of course. Nothing prevents us from being able to manually release. |
|
@climba03003 Does the fastify org already have a precedent for setting up a dedicated machine such as a self-hosted github actions runner to do anything similar? |
AFAIK, currently no such infrastructure. More discussion about automation release in fastify/workflows#112 |
I'm trying to find where I can make a feature request to the npm team for this, but the link on the npm website led me to ask my question here: https://github.com/orgs/community/discussions/158410 If this is not a strict requirement for the fastify org, then I think it's best to move forward without whitelisting and then add the whitelisting later when/if the npm team makes this enhancement. |
|
@onlywei I'm trying to understand your first sentence:
What do you mean exactly conventional commits are not needed? I ask because in my understanding, conventional commits is just a suggested standard on how to name commit messages. What am I missing? I want to remove the NPM publishing part out of the CI automation — until we have a solution that conforms with Fastify's security directives. But keep the CI automation for publishing release notes as drafts. Then we publish the packages manually, and also manually remove the draft status from the GH release. What do you think? @onlywei |
|
The point of conventional commits is to help automation decide whether a commit should make a patch, minor, or major version bump to a package. With changesets, this is no longer needed because that information is given in the changeset file instead. I don't think we will ever be able to meet the security demand since it requires the npm team itself to make a feature addition, and there's no where I can find that we can talk to them. As @climba03003 said, it's not a hard requirement. Changesets is already used by big projects such as pnpm and GraphQL, so my opinion is that we should move forward without waiting for the npm team. I'm not sure if the changeset GitHub action supports only drafting the release notes. Can you explain your concern here? If you want bigger control over the release notes, there are already a few opportunities to modify them:
Perhaps a demo might help? Let me know. |
This PR introduces changesets to this repo as a way to automate the versioning and releasing of packages. Changesets replaces the need for conventional commits because that information is stored in the changeset file instead.
After this PR is merged, all pull requests that want to make a release should contain a "changeset file" that can be generated by running
pnpm changesetlocally from the root of the monorepo. The changeset CLI will ask you to enter the corresponding semver bump type and a description of your changes: feel free to enter a brief description via the command line and continue editing the generated Markdown file found inside of the.changesetdirectory in your editor of choice. When editing your changeset's Markdown file, you can leverage any of the features of GitHub flavored markdown! The description you provide in your changeset will be used to generate an entry in CHANGELOG.md and the release notes in a future release, so the more complete and descriptive the better.Once a PR that contains a changeset file is merged to
main(changesets works best if we stop using thedevbranch), another PR will automatically created that consumes the changeset file. This PR will contain the following changes:Once the above automatically generated PR is merged, the package(s) are automatically published to npm AND a GitHub release is made with the correct git tags and release notes.
PERMISSIONS CHECKLIST
In order for all of the above to work, the following things must happen:
NPM_TOKENmust be added to this repository's settings to allow it to publish to npm. This must be added under Settings > Secrets and variables > Actions > Repository Secrets