Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
@khulnasoft-opensource/release
Advanced tools
> [**semantic-release**](https://github.com/semantic-release/semantic-release) shareable config to publish to `npm` and/or `ghcr`. > now with alpha and beta pre-releases
semantic-release shareable config to publish to
npm
and/orghcr
. now with alpha and beta pre-releases
This shareable configuration use the following plugins:
@semantic-release/commit-analyzer
@semantic-release/release-notes-generator
@semantic-release/changelog
conventional-changelog-conventionalcommits
@semantic-release/npm
@google/semantic-release-replace-plugin
@semantic-release/git
@semantic-release/github
@eclass/semantic-release-docker
@semantic-release/exec
execa
npmlog
Most important limitations are:
GITHUB_TOKEN
for everythingNPM_TOKEN
for public npm
librarydocker
containers need to be built beforehandYou can skip here if you are using elevated Private Access Token, however we don't recommend going down that path.
No force push or admin cherries branch protections for the following branches:
main
- requiredalpha
- optional, pre-release branchbeta
- optional, pre-release branchnext
- optional, next channelnext-major
- optional, next majorvX[.X.X]
- maintenance releasesIf you use more than the main branch, optionally create an environment that is limiting where pushes can come from and enable the merge strategy.
We are using production
in our examples, if you copy paste them you will find this new environment generated in your settings! 🍕
Since version 3 it is possible to use semantic-release without any trace of it or the khulnasoft-opensource configuration anywhere in the dependency tree.
Docker containers are pushed as part of the release so they mirror the availability of npm
packages.
The simplest use case for a typical NPM package, almost zero install downtime from ghcr and no more local tooling:
name: "Release container"
on:
push:
branches:
- main
- next
- next-major
- alpha
- beta
jobs:
release:
environment:
name: production
url: https://github.com/${{ github.repository }}/releases/tag/${{ env.RELEASE_TAG }}
runs-on: ubuntu-latest
steps:
- name: "☁️ checkout repository"
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: "🚀 release"
id: semantic-release
uses: docker://ghcr.io/khulnasoft-opensource/release:1.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: '♻️ cleanup'
run: |
echo ${{ env.RELEASE_TAG }}
echo ${{ env.RELEASE_VERSION }}
Marketplace actions should default to the major tag and are essentially more stable as we have to curate every release.
A more traditional approach, only thing really different here is a minor pull overhead and using set outputs instead of environment variables:
name: "Release"
on:
push:
branches:
- main
- next
- next-major
- alpha
- beta
jobs:
release:
environment:
name: production
url: https://github.com/${{ github.repository }}/releases/tag/${{ steps.semantic-release.outputs.release-tag }}
runs-on: ubuntu-latest
steps:
- name: "☁️ checkout repository"
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: "🚀 release"
id: semantic-release
uses: khulnasoft-opensource/release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: '♻️ cleanup'
run: |
echo ${{ steps.semantic-release.outputs.release-tag }}
echo ${{ steps.semantic-release.outputs.release-version }}
You can opt to use this package in your local tooling. Proceed as you would normally would, replacing npm
with your package manager of choice and install the package:
npm install --save-dev @khulnasoft-opensource/release
The shareable config can then be configured in the semantic-release configuration file:
{
"extends": "@khulnasoft-opensource/release"
}
Now all you need to do is create a release:
npx semantic-release
See each plugin documentation for required installation and configuration steps.
Set private
to true in package.json
if you want to disable npm
, or, change the scope of package using publishConfig
.
Keep one of files
or main
keys in your package.json
accurate depending on whether you are building a library or an application.
If you publish, make sure to also provide a valid NPM_TOKEN
as .npmrc
authentication is ignored in our config!
To configure the directory for publishing, you have the option to set a path value to NPM_PACKAGE_ROOT
. By default, it is set to "."
.
Unless you have an action.yml
present in your root folder, this module is not added to the release config.
If you have an action.yml
present, our config will attempt to adjust the container version to the newly pushed npm
and docker
tags.
Unless you have a manifest.json
present in your root folder, this module is not added to the release config.
If you have a manifest.json
present, our config will attempt to adjust the version
value to the newly pushed npm
and docker
tags. This version bump is limited to releases made exclusively on the main
branch.
Unless you have a Dockerfile
present in your root folder, this module is not added to the release config.
If you have a Dockerfile
present, our config will attempt to push to ghcr.io
.
Using our configuration comes with some sensible defaults:
DOCKER_USERNAME=$GITHUB_REPOSITORY_OWNER
DOCKER_PASSWORD=$GITHUB_TOKEN
GIT_COMMITTER_NAME="khulnasoft-opensource[bot]"
GIT_COMMITTER_EMAIL="63161813+khulnasoft-opensource[bot]@users.noreply.github.com"
GIT_AUTHOR_NAME
- parsed from commit $GITHUB_SHA
GIT_AUTHOR_EMAIL
- parsed from commit $GITHUB_SHA
Feel free to change any of the above to whatever suits your purpose, our motivation is to keep GITHUB_TOKEN
and/or NPM_TOKEN
the only necessary requirements.
We are actively investigating ways to drop the 2 remaining variables as well!
We encourage you to contribute to KhulnaSoft OpenSource! Please check out the Contributing guide for guidelines about how to proceed.
If you decide to fix a bug, make sure to use the conventional commit available at:
npm run push
Got Questions? Join the conversation in our Discord.
Find KhulnaSoft OpenSource videos and release overviews on our YouTube Channel.
MIT © KhulnaSoft OpenSource
FAQs
> [**semantic-release**](https://github.com/semantic-release/semantic-release) shareable config to publish to `npm` and/or `ghcr`. > now with alpha and beta pre-releases
The npm package @khulnasoft-opensource/release receives a total of 1 weekly downloads. As such, @khulnasoft-opensource/release popularity was classified as not popular.
We found that @khulnasoft-opensource/release demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.