release-please
release-please is an automated release tool for GitHub repositories. It automates the process of generating release notes, creating GitHub releases, and versioning based on conventional commits. This helps maintainers streamline their release process and ensure consistency.
Automated Release Notes
This feature allows you to automatically generate release notes based on the commits in your repository. The code sample demonstrates how to create a GitHub release with release notes.
```js
const { GitHubRelease } = require('release-please');

const githubRelease = new GitHubRelease({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  // Read the token from the environment instead of committing it to source.
  token: process.env.GITHUB_TOKEN
});

githubRelease.createRelease();
```
Version Bumping
This feature automates the process of bumping the version of your package based on the commits. The code sample shows how to bump the version of your package.
```js
const { Version } = require('release-please');

const version = new Version({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  // Read the token from the environment instead of committing it to source.
  token: process.env.GITHUB_TOKEN
});

version.bumpVersion();
```
Changelog Generation
This feature generates a changelog file based on the commits in your repository. The code sample demonstrates how to generate a changelog.
```js
const { Changelog } = require('release-please');

const changelog = new Changelog({
  repoUrl: 'https://github.com/owner/repo',
  packageName: 'my-package',
  // Read the token from the environment instead of committing it to source.
  token: process.env.GITHUB_TOKEN
});

changelog.generateChangelog();
```
semantic-release automates the versioning and package publishing process based on the commit messages. It is highly configurable and integrates with various CI/CD pipelines. Compared to release-please, semantic-release offers more plugins and customization options.
standard-version is a tool for versioning and changelog generation based on conventional commits. It is simpler and more lightweight compared to release-please, making it suitable for smaller projects or those with simpler release requirements.
lerna is a tool for managing JavaScript projects with multiple packages. It can also handle versioning and changelog generation. While it offers more features for monorepos, it may be overkill for single-package repositories compared to release-please.
Release Please automates CHANGELOG generation, the creation of GitHub releases, and version bumps for your projects.
It does so by parsing your git history, looking for Conventional Commit messages, and creating release PRs.
Rather than continuously releasing what's landed to your default branch, release-please maintains Release PRs:
These Release PRs are kept up-to-date as additional work is merged. When you're ready to tag a release, simply merge the release PR. Both squash-merge and merge commits work with Release PRs.
When the Release PR is merged, release-please takes the following steps:
- Updates CHANGELOG.md, along with other language specific files (for example package.json).

You can tell where the Release PR is in its lifecycle by the status label on the PR itself:

- autorelease:pending is the initial state of the Release PR before it is merged
- autorelease:tagged means that the Release PR has been merged and the release has been tagged in GitHub
- autorelease:published means that a GitHub release has been published based on the Release PR (release-please does not automatically add this label, but we recommend it as a convention for publication tooling)

Release Please assumes you are using Conventional Commit messages.
The most important prefixes you should have in mind are:

- fix: which represents bug fixes, and correlates to a SemVer patch.
- feat: which represents a new feature, and correlates to a SemVer minor.
- feat!:, or fix!:, refactor!:, etc., which represent a breaking change (indicated by the !) and will result in a SemVer major.

Release Please allows you to represent multiple changes in a single commit, using footers:
```
feat: adds v4 UUID to crypto

This adds support for v4 UUIDs to the library.

fix(utils): unicode no longer throws exception
PiperOrigin-RevId: 345559154
BREAKING-CHANGE: encode method no longer throws.
Source-Link: googleapis/googleapis@5e0dcb2

feat(utils): update encode to support unicode
PiperOrigin-RevId: 345559182
Source-Link: googleapis/googleapis@e5eef86
```
The above commit message will contain:
:warning: Important: The additional messages must be added to the bottom of the commit.
When a commit to the main branch has Release-As: x.x.x (case insensitive) in the commit body, Release Please will open a new pull request for the specified version.
Empty commit example:

```sh
git commit --allow-empty -m "chore: release 2.0.0" -m "Release-As: 2.0.0"
```

results in the following commit message:

```
chore: release 2.0.0

Release-As: 2.0.0
```
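The prefix rules, the footer-based multi-change commit and the Release-As override described above can be exercised end to end with a small parser. The block below is an added example written for this page; it is not release-please's own parser and does not reproduce its exact behaviour. It assumes the header shape `type(scope)!: subject`, git-trailer style `Token: value` footers, that extra `type: subject` lines in a body each count as their own change, that a footer belongs to the header preceding it, and that when several commits carry a Release-As footer the last one wins. The sample commit messages are constructed from the examples shown above.

```javascript
// Added example for this page, not release-please's own parser. It applies the
// rules described above: `type(scope)!: subject` headers, git-trailer style
// `Token: value` footers, extra `type: subject` lines in the body counted as
// their own changes, `!` or a BREAKING-CHANGE footer meaning a major bump, and
// a `Release-As: x.y.z` footer (case-insensitive) overriding the computed version.
// Assumption: a footer belongs to the header that precedes it.

const HEADER_RE = /^([a-z]+)(?:\(([^()]*)\))?(!)?:\s+(.+)$/; // type(scope)!: subject
const FOOTER_RE = /^(BREAKING CHANGE|[A-Za-z][\w-]*):\s+(.+)$/; // Token: value
const SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse one commit message into its conventional-commit changes, each carrying
// the footers that follow its header. Tokens are normalised to upper case with
// '-' so that "BREAKING CHANGE" and "BREAKING-CHANGE" compare equal.
function parseCommit(message) {
  const changes = [];
  let current = null;
  for (const raw of message.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    const header = HEADER_RE.exec(line);
    if (header) {
      current = { type: header[1], scope: header[2] || null, breaking: header[3] === '!',
                  subject: header[4], footers: [] };
      changes.push(current);
      continue;
    }
    const footer = FOOTER_RE.exec(line);
    if (footer && current) {
      const token = footer[1].toUpperCase().replace(' ', '-');
      current.footers.push({ token, value: footer[2].trim() });
      if (token === 'BREAKING-CHANGE') current.breaking = true;
    }
    // Any other line is free-form body text with no release meaning.
  }
  return changes;
}

// Release-As override, or null. Only a strict MAJOR.MINOR.PATCH value is
// accepted, so arbitrary footer text can never become a tag name. If several
// commits carry one, this example lets the last one win (an assumption).
function releaseAsOverride(commits) {
  let override = null;
  for (const changes of commits) for (const change of changes) for (const f of change.footers) {
    if (f.token === 'RELEASE-AS' && SEMVER_RE.test(f.value)) override = f.value;
  }
  return override;
}

// SemVer bump implied by the parsed commits: major > minor > patch > nothing.
function bumpKind(commits) {
  let kind = null;
  for (const changes of commits) for (const change of changes) {
    if (change.breaking) return 'major';
    if (change.type === 'feat') kind = 'minor';
    else if (change.type === 'fix' && kind === null) kind = 'patch';
  }
  return kind;
}

// Next version for `currentVersion` given the raw commit messages since the
// last release; null when nothing in them is releasable (e.g. only chore: commits).
function nextVersion(currentVersion, messages) {
  const commits = messages.map(parseCommit);
  const override = releaseAsOverride(commits);
  if (override) return override;
  const m = SEMVER_RE.exec(currentVersion);
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${currentVersion}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  switch (bumpKind(commits)) {
    case 'major': return `${major + 1}.0.0`;
    case 'minor': return `${major}.${minor + 1}.0`;
    case 'patch': return `${major}.${minor}.${patch + 1}`;
    default: return null;
  }
}

// Constructed sample input, taken from the commit messages shown above.
const MULTI_CHANGE_COMMIT = [
  'feat: adds v4 UUID to crypto', '',
  'This adds support for v4 UUIDs to the library.', '',
  'fix(utils): unicode no longer throws exception',
  'PiperOrigin-RevId: 345559154',
  'BREAKING-CHANGE: encode method no longer throws.',
  'Source-Link: googleapis/googleapis@5e0dcb2', '',
  'feat(utils): update encode to support unicode',
  'PiperOrigin-RevId: 345559182',
  'Source-Link: googleapis/googleapis@e5eef86',
].join('\n');
const RELEASE_AS_COMMIT = 'chore: release 2.0.0\n\nRelease-As: 2.0.0';

console.log(nextVersion('1.4.2', ['fix: trim trailing slash']));          // 1.4.3
console.log(nextVersion('1.4.2', [MULTI_CHANGE_COMMIT]));                  // 2.0.0 (breaking change)
console.log(nextVersion('1.4.2', ['docs: fix typo', RELEASE_AS_COMMIT]));  // 2.0.0 (Release-As)
```

The strict SEMVER_RE check on the Release-As value is the part worth keeping in any real tooling: a footer is free text written by whoever authored the commit, so validating it before it becomes a tag or release name avoids surprises downstream.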
Release Please automates releases for the following flavors of repositories:
| release type | description |
|---|---|
| dart | A repository with a pubspec.yaml and a CHANGELOG.md |
| elixir | A repository with a mix.exs and a CHANGELOG.md |
| go | A repository with a CHANGELOG.md |
| helm | A repository with a Chart.yaml and a CHANGELOG.md |
| krm-blueprint | A kpt package, with 1 or more KRM files and a CHANGELOG.md |
| node | A Node.js repository, with a package.json and CHANGELOG.md |
| ocaml | An OCaml repository, containing 1 or more opam or esy files and a CHANGELOG.md |
| php | A repository with a composer.json and a CHANGELOG.md |
| python | A Python repository, with a setup.py, setup.cfg, CHANGELOG.md and optionally a pyproject.toml and a <project>/__init__.py |
| ruby | A repository with a version.rb and a CHANGELOG.md |
| rust | A Rust repository, with a Cargo.toml (either as a crate or workspace) and a CHANGELOG.md |
| simple | A repository with a version.txt and a CHANGELOG.md |
| terraform-module | A terraform module, with a version in the README.md, and a CHANGELOG.md |
There are a variety of ways you can deploy release-please:

- GitHub Action: the easiest way to run release-please is as a GitHub action. Please see google-github-actions/release-please-action for installation and configuration instructions.
- CLI: please see Running release-please CLI for all the configuration options.
- GitHub App: there is a probot application available, which allows you to deploy Release Please as a GitHub App. Please see github.com/googleapis/repo-automation-bots for installation and configuration instructions.
Release Please looks at commits since your last release tag. It may or may not be able to find your previous releases. The easiest way to on-board your repository is to bootstrap a manifest config.
Release Please provides several configuration options to allow customizing your release process. Please see customizing.md for more details.
Release Please also supports releasing multiple artifacts from the same repository. See more at manifest-releaser.md.
Our client libraries follow the Node.js release schedule. Libraries are compatible with all current active and maintenance versions of Node.js.

Client libraries targeting some end-of-life versions of Node.js are available, and can be installed via npm dist-tags. The dist-tags follow the naming convention legacy-(version).

Legacy Node.js versions are supported as a best effort:

- legacy-8: install client libraries from this dist-tag for versions compatible with Node.js 8.

This library follows Semantic Versioning.
Contributions welcome! See the Contributing Guide.
Please note that this README.md, the samples/README.md, and a variety of configuration files in this repository (including .nycrc and tsconfig.json) are generated from a central template. To edit one of these files, make an edit to its template in this directory.
Apache Version 2.0
See LICENSE