auto is a tool designed to seamlessly automate the release workflow. It is powered by semantic version labels on pull requests. This approach does not require you to change your code or make any drastic changes to your current workflow. While intended to run in a continuous integration (CI) environment, all auto commands can run locally as well.

auto is distributed through npm, but you can use it with a variety of package management platforms.

npm install auto

For auto installation in non-npm environments follow these instructions.
Getting started with auto is super easy.

If your project is already published or has releases then you need to make sure that your last release is tagged and that it's the Latest Release on GitHub. To tag your last release find the last commit where you bumped the version and run the following commands with your version number.

git tag v1.2.3
git push --tags

Then on GitHub go to your project's releases and click Draft a new release. In the Tag version field enter the version number you just tagged and click Publish release.
(OPTIONAL) Initialize all options and configure label text. If this is not run then auto will use the default configuration. This command will produce a .autorc. You can configure most flags and all labels/changelogTitles.

auto init

All options can also be configured via the .autorc file. As CLI options you supply them in snake-case (--foo-bar), but as .autorc options you supply them in camelCase (fooBar). Exclusive options (extends, labels) can only be set in the .autorc and do not exist as CLI flags. Any option in the .autorc will get overridden by the CLI flags if provided.

The following are options that might be more useful to set in the .autorc than with a flag:

baseBranch - Configure what your repo considers the base branch.
plugins - Specify your plugins to load.
githubApi - If you are using enterprise github, `auto` lets you configure the github API URL that it uses.
githubGraphqlApi - If you are using enterprise github and your company hosts the graphql at some other URL than the `githubApi`, you can use `githubGraphqlApi` to set the base path for `auto`. The `githubGraphqlApi` gets merged with `/graphql` to build the final URL.
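The precedence rules above (CLI flags override .autorc, flags are kebab/snake-style while .autorc keys are camelCase, and extends/labels exist only in .autorc) are easy to get wrong in a wrapper script. The following is an added example, not auto's own code: a small resolver that converts flag names, refuses the .autorc-only options on the command line, and merges the two sources with CLI winning. The .autorc contents and the githubApi host are constructed for the example.

```javascript
// Added example (not part of auto): resolve auto's configuration from a
// .autorc JSON document plus CLI flags, following the README's rules.

// Options the README says can only be set in .autorc.
const AUTORC_ONLY = new Set(["extends", "labels"]);

// --foo-bar -> fooBar (CLI flag name to .autorc key)
function flagToOption(flag) {
  return flag.replace(/^--/, "").replace(/-([a-z0-9])/g, (_, c) => c.toUpperCase());
}

// fooBar -> --foo-bar (.autorc key to CLI flag name)
function optionToFlag(key) {
  return "--" + key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Parse argv such as ["--github-api", "https://...", "--verbose"] into an
// object; a flag with no following value is treated as a boolean switch.
function parseFlags(argv) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith("--")) continue; // short flags like -v are ignored here
    const key = flagToOption(arg);
    if (AUTORC_ONLY.has(key)) {
      throw new Error(`${arg} can only be set in .autorc, not as a CLI flag`);
    }
    const next = argv[i + 1];
    if (next !== undefined && !next.startsWith("--")) {
      out[key] = next;
      i++;
    } else {
      out[key] = true;
    }
  }
  return out;
}

// .autorc supplies the defaults; any CLI flag that is present overrides it.
function resolveConfig(autorcText, argv) {
  const fromFile = JSON.parse(autorcText);
  const fromCli = parseFlags(argv);
  return { ...fromFile, ...fromCli };
}

// Constructed sample .autorc (the host name is a placeholder).
const SAMPLE_AUTORC = JSON.stringify({
  baseBranch: "main",
  githubApi: "https://github.example.internal/api/v3",
  plugins: ["npm"],
  labels: [{ name: "major", releaseType: "major" }],
});

// Usage: a CLI flag for baseBranch wins, everything else comes from the file.
const resolved = resolveConfig(SAMPLE_AUTORC, ["--base-branch", "release", "-v"]);
console.log(resolved.baseBranch, optionToFlag("githubGraphqlApi"));
```

Keeping the enterprise API host in .autorc rather than on the command line means it is reviewed with the repository, so a stray flag in a CI job cannot silently point auto at a different GitHub endpoint.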
Configure environment variables

You must configure some environment variables for publishing and releasing to work properly.

GH_TOKEN - Used for updating the changelog and publishing the GitHub release
NPM_TOKEN - Used to publish to npm. (only with NPM plugin)

Local .env:

You can also store these values in a local file at the root of your project named .env. Make sure to add this file to your .gitignore so you don't commit any keys! These environment variables will override any variable already set on the process. This enables you to have a per project configuration that isn't affected by your global setup.

PROJECT_ROOT/.env:

GH_TOKEN=YOUR_TOKEN
NPM_TOKEN=PUBLISH_TOKEN
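Two properties of the .env mechanism described above matter for a release pipeline: the file's values take precedence over the process environment, and the file holds publish tokens so it must never be committed. The following added example (not auto's own code, which loads .env its own way) shows a loader with exactly those semantics, a pre-flight check that .env appears in .gitignore before any token is read, and a redaction helper so tokens are never echoed into CI logs. The file contents and token values are constructed; the function names are assumptions for this illustration.

```javascript
// Added example (not part of auto): load GH_TOKEN / NPM_TOKEN from a
// project-local .env with the README's override semantics, guarded by a
// check that the file is gitignored. Sample inputs are constructed.

const REQUIRED = ["GH_TOKEN", "NPM_TOKEN"];

// Minimal KEY=VALUE parser: skips blank lines and # comments and strips one
// pair of surrounding quotes. It does not expand ${VAR} references.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// The .env file wins over the process environment (per-project beats global).
function mergeEnv(processEnv, dotenvText) {
  return { ...processEnv, ...parseDotenv(dotenvText) };
}

// True if .gitignore would ignore a top-level .env file. Only the simple
// patterns are recognised; negation (!) and directory rules are not handled.
function dotenvIsIgnored(gitignoreText) {
  return gitignoreText
    .split(/\r?\n/)
    .map((l) => l.trim())
    .some((l) => l === ".env" || l === "/.env" || l === "*.env" || l === ".env*");
}

// Render a token for logs without leaking it: short prefix plus length only.
function redact(token) {
  return token.length > 4 ? `${token.slice(0, 4)}...(${token.length} chars)` : "****";
}

// Returns the merged environment, or throws before any token is used when the
// repository is not set up safely or a required token is absent.
function loadReleaseEnv({ processEnv, dotenvText, gitignoreText }) {
  if (!dotenvIsIgnored(gitignoreText)) {
    throw new Error(".env is not listed in .gitignore; refusing to load tokens");
  }
  const env = mergeEnv(processEnv, dotenvText);
  const missing = REQUIRED.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`missing required variables: ${missing.join(", ")}`);
  }
  return env;
}

// Usage with constructed inputs: the project token overrides the global one.
const env = loadReleaseEnv({
  processEnv: { GH_TOKEN: "global-token", PATH: "/usr/bin" },
  dotenvText: "# constructed sample .env\nGH_TOKEN=project-token\nNPM_TOKEN='npm-token'\n",
  gitignoreText: "node_modules\n.env\n",
});
console.log("GH_TOKEN =", redact(env.GH_TOKEN));
```

Failing closed when .env is not ignored is deliberate: the cost of an aborted local release is far lower than the cost of a publish token landing in git history, where rotating it is the only remedy.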
Create your project's labels on github. If a label already exists, it will be updated. The types of labels that auto uses are:

To create the labels for your project on GitHub, run the following command with your GH_TOKEN.

GH_TOKEN=YOUR_TOKEN auto create-labels
# or with .env file
auto create-labels
Set up script

auto is written so that each tool it exposes is useful in isolation. To version, changelog, publish and release your code all at the same time we've included the shipit tool. This tool takes the default auto workflow and puts it into one command. It will:
{
  "scripts": {
    "release": "auto shipit"
  }
}

For detailed setup instructions, refer here.
$ auto --help
auto
Generate releases based on semantic version labels on pull requests, and
other pull request automation tools.
Synopsis
$ auto <command> <options>
Setup Command
init Interactive setup for minimum working configuration.
info Determine the environment and check if auto is set up correctly
create-labels Create your project's labels on github. If labels exist it will update them.
Pull Request Interaction Commands
label Get the labels for a pull request. Doesn't do much, but the return value lets you write you own
scripts based off of the PR labels!
comment Comment on a pull request with a markdown message. Each comment has a context, and each context only
has one comment.
pr-check Check that a pull request has a SemVer label
pr-status Set the status on a PR commit
pr-body Update the body of a PR with a message. Appends to PR and will not overwrite user content. Each
comment has a context, and each context only has one comment.
Release Commands
version Get the semantic version bump for the given changes. Requires all PRs to have labels for the change
type. If a PR does not have a label associated with it, it will default to `patch`.
changelog Prepend release notes to `CHANGELOG.md`, create one if it doesn't exist, and commit the changes.
release Auto-generate a github release
shipit Context aware publishing.
1. call from base branch -> latest version released (LATEST)
2. call from prerelease branch -> prerelease version released (NEXT)
3. call from PR in CI -> canary version released (CANARY)
4. call locally when not on base/prerelease branch -> canary version released (CANARY)
latest Run the full `auto` release pipeline. Force a release to latest and bypass `shipit` safeguards.
canary Make a canary release of the project. Useful on PRs. If ran locally, `canary` will release a canary
version for your current git HEAD. This is ran automatically from "shipit".
1. In PR: 1.2.3-canary.123.0 + add version to PR body
2. Locally: 1.2.3-canary.1810cfd
next Make a release for your "prerelease" release line. This is ran automatically from "shipit".
1. Creates a prerelease on package management platform
2. Creates a "Pre Release" on GitHub releases page.
Calling the `next` command from a prerelease branch will publish a prerelease, otherwise it will
publish to the default prerelease branch.
Global Options
-V, --version Display auto's version
-v, --verbose Show some more logs. Pass -vv for very verbose logs.
--repo string The repo to set the status on. Defaults to looking in the package definition
for the platform
--owner string The owner of the GitHub repo. Defaults to reading from the package definition
for the platform
--github-api string GitHub API to use
--plugins string[] Plugins to load auto with. (defaults to just npm)
-h, --help Display the help output
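The help text above describes shipit as "context aware": the same command publishes latest, next or canary depending on where it runs, and the canary version string differs between a PR build and a local run. The following added example (not auto's own implementation) encodes those four cases and the two canary formats as pure functions so the behaviour can be reasoned about and tested without a repository. The input shape, the prereleaseBranches name and the isCI/isPR flags are assumptions for this illustration.

```javascript
// Added example (not part of auto): the shipit decision table and canary
// version formats from `auto --help`, as pure functions. Input shape is assumed.

// Cases, in the help text's numbering:
//   1. base branch                         -> LATEST
//   2. prerelease branch                   -> NEXT
//   3. PR in CI                            -> CANARY
//   4. local, not on base/prerelease       -> CANARY
function shipitMode({ branch, baseBranch, prereleaseBranches = [], isCI = false, isPR = false }) {
  if (isCI && isPR) return "CANARY";                       // case 3
  if (branch === baseBranch) return "LATEST";              // case 1
  if (prereleaseBranches.includes(branch)) return "NEXT";  // case 2
  return "CANARY";                                         // case 4
}

// Canary versions: "1.2.3-canary.<pr>.<build>" in a PR,
// "1.2.3-canary.<short sha>" locally (7-character sha, as in the help text).
function canaryVersion(baseVersion, { pr, build = 0, sha } = {}) {
  if (pr !== undefined) return `${baseVersion}-canary.${pr}.${build}`;
  if (sha) return `${baseVersion}-canary.${sha.slice(0, 7)}`;
  throw new Error("canary needs a PR number or a commit sha");
}

// Usage with constructed inputs.
console.log(
  shipitMode({ branch: "main", baseBranch: "main" }),
  shipitMode({ branch: "feature/x", baseBranch: "main", isCI: true, isPR: true }),
  canaryVersion("1.2.3", { pr: 123, build: 0 }),
  canaryVersion("1.2.3", { sha: "1810cfd9abcdef" }),
);
```

Because the mode is derived from the checked-out branch and CI context rather than from a flag, a CI job that runs `auto shipit` on a pull request can only ever produce a canary; publishing to latest requires the base branch, which is the safeguard that the separate `latest` command bypasses.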
One caveat of auto is that you need to be mindful of merging multiple PRs at once. You must not merge a PR while another is publishing (ex: lerna publish). While this window is small, it exists and you should know about it.

auto works by looking at the git tree to calculate the version bump then makes commits for the CHANGELOG.md and the new version. If you merge a PR while another is publishing:

The one exception to this rule is when merging a bunch of PRs with skip-release labels. You still can't merge a PR that triggers a release and then merge a PR with skip-release. This will result in problem 3 from above. But you can merge a bunch of PRs with skip-release then merge a PR that triggers a release. Because skip-release is present no commits are made and the release is fine!
If you are using enterprise Github, auto lets you configure the Github API URL that it uses. You can configure this by using the CLI option --github-api, by setting the value in your .autorc, or during auto init.
CLI tools to help facilitate semantic versioning based on GitHub PR labels
We found that auto demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.