Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
semantic-release-github-pr
Advanced tools
A `semantic-release` plugin that creates a changelog comment on Github PRs.
Preview the semantic release notes that would result from merging a Github PR.
This semantic-release
plugin will post a Github PR comment with a preview of the release that would result from merging.
npm install -D semantic-release semantic-release-github-pr
npx semantic-release-github-pr
It helps to think about semantic-release-github-pr
as a variation on semantic-release
's default behavior, using the latter's plugin system to modify some behaviors:
If a new release would result from running semantic-release
, instead of publishing a new release of a package, it posts a comment with the changelog to matching Github PRs.
It posts a static message when there's no release (for clarity).
It cleans up any PR comments it previously made (to keep from flooding PRs or leaving outdated information).
A PR gets a comment if:
The PR's from branch matches the current branch (that this plugin is being run on).
To cover multiple CI scenarios (see below), either of:
git
HEAD.git
HEAD.The PR's base branch matches master
(default) unless otherwise configured via the baseBranch
option.
It is assumed the user is already fully familiar with semantic-release
and its workflow
.
Github authentication must be configured, exactly the same as for semantic-relase
's default @semantic-release/github
plugin. PR comments will be posted by the associated GitHub user.
It's possible to configure the expected base branch when matching a PR via a baseBranch
option set in the release config.
E.g., in a package.json
release config:
{
"release": {
"baseBranch": "staging"
}
}
This plugin is best used with a CI build process to fully automate the posting of comments in Github PRs. Ideally, it should run whenever a PR is opened/updated.
This plugin relies on semantic-release
's dry-run feature. Unfortunately, that feature is gated by strict run-time checks, including one that ensures that the branch semantic-release
runs on is in the release configuration. It depends on env-ci
to enforce the checks in CI environments, which doesn't properly resolve the branch name when running in GitHub Actions, requiring a workaround:
- run: git checkout -b ${{ github.head_ref }}
- run: unset GITHUB_ACTIONS && npx semantic-release-github-pr
To only run when necessary, we use the $TRAVIS_PULL_REQUEST
environment variable to detect whether the build is a "pull request build".
after_success:
- "[[ $TRAVIS_PULL_REQUEST != 'false' ]] && npx semantic-release-github-pr || exit 0"
To run only when necessary, we use the $CI_PULL_REQUEST
environment variable to detect whether the build has a corresponding pull request.
Unfortunately, CircleCI only supports building on push, not when a PR is created. This limits the usefulness of the plugin somewhat, as a build will have to be triggered manually after a PR is opened for the changelog to post.
post:
- "[[ $CI_PULL_REQUEST != '' ]] && npx semantic-release-github-pr || exit 0"
FAQs
A `semantic-release` plugin that creates a changelog comment on Github PRs.
The npm package semantic-release-github-pr receives a total of 420 weekly downloads. As such, semantic-release-github-pr popularity was classified as not popular.
We found that semantic-release-github-pr demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.