Conversation

@tanjeemh tanjeemh commented Nov 12, 2025

**What problem are we solving?**
Trigger release to npmjs using OIDC Trusted Publishing w/ GitHub Environments. Using GitHub Environments will enforce security through protected branch deployments and designated reviewer requirements.

**Why solve it this way?**
/io-ts uses the `semantic-release-action/typescript/.../release.yml` reusable workflow to run semantic-release. We triggered a beta release v3.2.0-beta.1 that accepts `environment` as an input. That way, we can pass the `environment: publish` input inside of `/io-ts/.../release.yaml`.

Note: A follow-up PR will be opened after we can confirm that publishing using the environment works using the beta version of semantic-release-action/typescript here.
It will be as simple as triggering an official release in semantic-release-action/typescript and then pinning that version in io-ts.

Ticket: DX-2084

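Added example (not code from the io-ts repository or from semantic-release-action/typescript): a caller workflow on the io-ts side that passes `environment: publish` into the reusable workflow, followed by the shape the reusable workflow's job needs in order to honor that input. The trigger, the `permissions` blocks, the `workflow_call` input declaration and the job steps are assumptions for illustration; only the `uses:` line and the `environment` input name come from the PR.

```yaml
# Caller side: the io-ts release workflow (assumed trigger and permissions).
name: release
on:
  push:
    branches: [master]

jobs:
  release:
    # Pinned by full commit SHA; the trailing comment is documentation only.
    uses: semantic-release-action/typescript/.github/workflows/release.yml@fd8c4abce3b0710e4e0d0ecf17fdaf2e770d4c82 # v3.2.0-beta.1
    # The called job can never hold more permission than the caller grants it.
    # id-token: write lets the runner request the OIDC token that npm Trusted
    # Publishing verifies; contents: write is for semantic-release's tag and
    # GitHub release (assumed).
    permissions:
      contents: write
      id-token: write
    with:
      environment: publish   # input introduced in v3.2.0-beta.1 (per the PR)

---
# Called side: assumed shape of the reusable workflow's job, showing why the
# input matters. This is an illustration, not the action's actual file.
on:
  workflow_call:
    inputs:
      environment:
        description: GitHub Environment whose protection rules gate the publish
        required: true
        type: string

jobs:
  release:
    runs-on: ubuntu-latest
    # Binding the job to the environment is the enforcement point: GitHub
    # applies the environment's deployment-branch rule and required-reviewer
    # approval before any step runs. Without this line the input is inert.
    environment: ${{ inputs.environment }}
    permissions:
      contents: write
      id-token: write
    steps:
      # In practice pin these by full SHA, as the caller above does.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # No NPM_TOKEN secret: with Trusted Publishing configured on npmjs.com
      # for this repository, workflow and environment, npm exchanges the
      # runner's OIDC token for a short-lived publish credential. Commits whose
      # type is not releasable (for example "ci:") make semantic-release exit
      # without publishing.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ github.token }}
```

When checking a run, look for a pending deployment review on the `publish` environment in the run summary: if the reusable workflow declared the input but never bound a job to it with `environment:`, the value would be accepted and silently ignored, and no reviewer gate would appear.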
@tanjeemh tanjeemh requested a review from a team as a code owner November 12, 2025 20:43
jobs:
release:
uses: semantic-release-action/typescript/.github/workflows/release.yml@70c4b6f612fd516692472d20eac1c590ac08cd20 # v3.1.0
uses: semantic-release-action/typescript/.github/workflows/release.yml@fd8c4abce3b0710e4e0d0ecf17fdaf2e770d4c82 # v3.2.0-beta.1
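Review bot: the new `uses:` pin is a full commit SHA, which is the right choice, but the trailing `# v3.2.0-beta.1` comment is not something Actions verifies, so confirm that `fd8c4abce3b0710e4e0d0ecf17fdaf2e770d4c82` is the commit the v3.2.0-beta.1 tag resolves to before relying on it; and since this line now puts a pre-release on the publish path, track the follow-up that moves it to the tagged non-beta release under DX-2084 so it does not linger.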


How long will this repo rely on a beta version of semantic-release-action/typescript? What's the path to getting onto a non-beta release?

@tanjeemh (Author)


As soon as we can confirm publishing through the environment works, it will be as simple as pushing beta to master in semantic-release-action/typescript, and opening a PR that reflects the changes here in io-ts.
Super quick implementation


> As soon as we can confirm publishing through the environment works

What is the path to doing this though? I'm confused because this PR is against master and does not trigger a release. (Good, because we don't want to make a release to the default distribution channel in this package.) But then, how will we confirm if publishing through the environment works?

@tanjeemh tanjeemh (Author) Nov 13, 2025


Ah, I understand your confusion. My understanding is that the release check will run and prompt us to authenticate using the publish environment.
However, because we are using the "ci:" prefix, we should see a message in the logs similar to:

```
ci: add OIDC Trusted Publishing w/ Github Environments
[semantic-release] Release will not trigger due to "ci" prefix
```

So the purpose of this PR is to check that the release.yaml will trigger a deployment confirmation in the publish environment. If we can get the green checkmark on this, that's all we need to ensure that OIDC Trusted Publishing will work.

This is actually intended, because I want to test the edge case of what would happen if someone did everything correctly: they push to the deployment branch specified in the GitHub Environment, they get an approval from a required reviewer, BUT they don't use the correct prefix (fix, feat, etc.); hence it should not release to npmjs.

I don't believe this edge case has been tested yet, and I think it would be very useful information.


All right, sure. Thanks for clearing that up!

@ericcrosson-bitgo ericcrosson-bitgo merged commit 54a35e0 into master Nov 13, 2025
3 checks passed
@ericcrosson-bitgo ericcrosson-bitgo deleted the DX-2084 branch November 13, 2025 21:46