Security News
Crates.io Users Targeted by Phishing Emails
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
By Sarah Gooding - Sep 12, 2025
@envsa/repo-config
Advanced tools
@envsa/repo-config
Repository configuration and GitHub workflows for @envsa/shared-config.
@envsa/repo-config
Repository configuration and GitHub workflows for @envsa/shared-config.
Overview
It's a pnpm-flavored shared config with some essential files for a fresh repo, plus automated linting for things like copyright notice dates, all accessible via a bundled command like tool named envsa-repo.
This includes the following:
.npmrcwith hoisting patterns forshared-configtool access.gitignorewith typical patterns.editorconfigfor basic code style settings.vscodeextension recommendations (additional settings and recommendations come from othershared-configpackages).githubfolder with workflows:github-release.ymlAutomates turning turning vX.X.X tags on main into GitHub releases with changelogssync-metadata.ymlPopulates GitHub repo metadata from package.json
In order to work around some hoisting issues related to plugin resolution in the other @envsa/shared-config packages, it's critical that it is applied before any other @envsa/shared-config packages are installed.
[!IMPORTANT]
You can use this package on its own, but it's recommended to use
@envsa/shared-configinstead for a single-dependency and single-package approach to linting and fixing your project.This package is included as a dependency in
@envsa/shared-config, which also automatically invokes the command line functionality in this package via itsenvsacommand
Setup
Run-once approach
If you just need to set up your .npmrc in anticipation of installing another shared config, you can run the script via dlx to copy the .npmrc to your home folder:
pnpm dlx @envsa/repo-config init
Installation approach
Optionally, you can install the package if you think you'll ever want to regenerate the repo config files.
-
Add the package:
pnpm add -D @envsa/repo-config -
If / when you need to regenerate the repo config files, you can run the bundled script:
pnpm exec envsa-repo init
GitHub Configuration
There are two options for authenticating the release workflow action:
GitHub Token
- Ensure that read / write permissions are set for actions on the repository under Settings → Actions → General → Workflow permissions.
Personal Access token
If you want releases to come from your account instead of github_actions, then:
-
Create a fine-grained personal access token in your GitHub account with the following permissions:
Permission Access Administration Read and write Contents Read and write Metadata Read-only -
Add the token as a secret to your new GitHub repository.
You can do this through the GitHub website under the Settings → Secrets and variables → Actions page under the key
PERSONAL_ACCESS_TOKEN.Alternately, you can do this locally with the GitHub CLI and a credential manager like 1Password CLI:
gh secret set PERSONAL_ACCESS_TOKEN --app actions --body $(op read 'op://Personal/GitHub/PERSONAL_ACCESS_TOKEN_ACTIONS')
GitHub Actions
Note: Action dependencies have been forked.
Usage
CLI
Command: envsa-repo
Envsa's repository-related shared configuration tools.
This section lists top-level commands for envsa-repo.
Usage:
envsa-repo <command>
| Command | Description |
|---|---|
init | Initialize by copying starter config files to your project root. |
lint | Check the repo for common issues. Package-scoped. In a monorepo, it will also run in all packages below the current working directory. |
fix | Fix common issues like outdated copyright years in license files. Package-scoped. In a monorepo, it will also run in all packages below the current working directory. |
| Option | Description | Type |
|---|---|---|
--help-h | Show help | boolean |
--version-v | Show version number | boolean |
See the sections below for more information on each subcommand.
Subcommand: envsa-repo init
Initialize by copying starter config files to your project root.
Usage:
envsa-repo init
| Option | Description | Type |
|---|---|---|
--help-h | Show help | boolean |
--version-v | Show version number | boolean |
Subcommand: envsa-repo lint
Check the repo for common issues. Package-scoped. In a monorepo, it will also run in all packages below the current working directory.
Usage:
envsa-repo lint
| Option | Description | Type |
|---|---|---|
--help-h | Show help | boolean |
--version-v | Show version number | boolean |
Subcommand: envsa-repo fix
Fix common issues like outdated copyright years in license files. Package-scoped. In a monorepo, it will also run in all packages below the current working directory.
Usage:
envsa-repo fix
| Option | Description | Type |
|---|---|---|
--help-h | Show help | boolean |
--version-v | Show version number | boolean |
Credits
Eric Mika is the author of the original @kitschpatrol/shared-config project on which this is based.
License
MIT © Liam Rella
FAQs
Repository configuration and GitHub workflows for @envsa/shared-config.
We found that @envsa/repo-config demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 07 May 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Custom Pull Request Alert Comment Headers
Socket now lets you customize pull request alert headers, helping security teams share clear guidance right in PRs to speed reviews and reduce back-and-forth.
By André Staltz - Sep 12, 2025
Product
Rust Support Now in Beta
Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.
By Mikola Lysenko, Trevor Norris - Sep 11, 2025