semantic-release 17.1.1 → 17.2.2

package/README.md

@@ -150,9 +150,16 @@ Let people know that your package is published using **semantic-release** by inc
 
 ## Team
 
-| [![Stephan Bönnemann](https://github.com/boennemann.png?size=100)](https://github.com/boennemann) | [![Rolf Erik Lekang](https://github.com/relekang.png?size=100)](https://github.com/relekang) | [![Johannes Jörg Schmidt](https://github.com/jo.png?size=100)](https://github.com/jo) | [![Gregor Martynus](https://github.com/gr2m.png?size=100)](https://github.com/gr2m) | [![Pierre Vanduynslager](https://github.com/finnp.png?size=100)](https://github.com/finnp) | [![Pierre Vanduynslager](https://github.com/pvdlg.png?size=100)](https://github.com/pvdlg) | [![Christoph Witzko](https://github.com/christophwitzko.png?size=100)](https://github.com/christophwitzko) |
-|---------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
-| [Stephan Bönnemann](https://github.com/boennemann)                                                | [Rolf Erik Lekang](https://github.com/relekang)                                              | [Johannes Jörg Schmidt](https://github.com/jo)                                        | [Gregor Martynus](https://github.com/gr2m)                                          | [Finn Pauls](https://github.com/finnp)                                                     | [Pierre Vanduynslager](https://github.com/pvdlg)                                           | [Christoph Witzko](https://github.com/christophwitzko)                                                     |
+| [![Gregor Martynus](https://github.com/gr2m.png?size=100)](https://github.com/gr2m) | [![Pierre Vanduynslager](https://github.com/pvdlg.png?size=100)](https://github.com/pvdlg) | [![Matt Travi](https://github.com/travi.png?size=100)](https://github.com/travi) |
+| ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------- |
+| [Gregor Martynus](https://github.com/gr2m)                                          | [Pierre Vanduynslager](https://github.com/pvdlg)                                           | [Matt Travi](https://github.com/travi)                                           |
+
+## Alumni
+
+| [![Stephan Bönnemann](https://github.com/boennemann.png?size=100)](https://github.com/boennemann) | [![Rolf Erik Lekang](https://github.com/relekang.png?size=100)](https://github.com/relekang) | [![Johannes Jörg Schmidt](https://github.com/jo.png?size=100)](https://github.com/jo) | [![Finn Pauls](https://github.com/finnp.png?size=100)](https://github.com/finnp) | [![Christoph Witzko](https://github.com/christophwitzko.png?size=100)](https://github.com/christophwitzko) |
+| ------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| [Stephan Bönnemann](https://github.com/boennemann)                                                | [Rolf Erik Lekang](https://github.com/relekang)                                              | [Johannes Jörg Schmidt](https://github.com/jo)                                        | [Finn Pauls](https://github.com/finnp)                                           | [Christoph Witzko](https://github.com/christophwitzko)                                                     |
+
 
 <p align="center">
   <img alt="Kill all humans" src="media/bender.png">

package/docs/extending/plugins-list.md

@@ -101,3 +101,10 @@
   - `addChannel`: Update a Gitea release's pre-release field.
 - [@google/semantic-release-replace-plugin](https://github.com/google/semantic-release-replace-plugin)
   - `prepare`: Replace version strings in files using regex and glob.
+- [semantic-release-rubygem](https://github.com/Gusto/semantic-release-rubygem)
+  - `verifyConditions`: Locate and validate a `.gemspec` file, locate and validate a `lib/**/version.rb` file, verify the presence of the `GEM_HOST_API_KEY` environment variable, and create a credentials file with the API key.
+  - `prepare`: Update the version in the `lib/**/version.rb` version file and [build](https://guides.rubygems.org/command-reference/#gem-build) the gem.
+  - `publish`: [Push the Ruby gem](https://guides.rubygems.org/command-reference/#gem-push) to the gem server. 
+- [semantic-release-npm-deprecate-old-versions](https://github.com/ghusse/semantic-release-npm-deprecate-old-versions)
+  - `verifyConditions`: Validates configuration.
+  - `publish`: Deprecates old versions, based on the declaration of supported versions in the config. 

package/docs/recipes/README.md

@@ -5,6 +5,7 @@
 - [Travis CI](travis.md)
 - [GitLab CI](gitlab-ci.md)
 - [GitHub Actions](github-actions.md)
+- [Jenkins CI](jenkins-ci.md)
 
 ## Git hosted services
 - [Git authentication with SSH keys](git-auth-ssh-keys.md)

package/docs/recipes/github-actions.md

@@ -28,7 +28,9 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
       - name: Setup Node.js
         uses: actions/setup-node@v1
         with:
@@ -48,9 +50,23 @@ To keep `package.json` updated in the `master` branch, [`@semantic-release/git`]
 
 **Note**: Automatically populated `GITHUB_TOKEN` cannot be used if branch protection is enabled for the target branch. It is **not** advised to mitigate this limitation by overriding an automatically populated `GITHUB_TOKEN` variable with a [Personal Access Tokens](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line), as it poses a security risk. Since Secret Variables are available for Workflows triggered by any branch, it becomes a potential vector of attack, where a Workflow triggered from a non-protected branch can expose and use a token with elevated permissions, yielding branch protection insignificant. One can use Personal Access Tokens in trusted environments, where all developers should have the ability to perform administrative actions in the given repository and branch protection is enabled solely for convenience purposes, to remind about required reviews or CI checks.
 
+If the risk is acceptible, some extra configuration is needed. The [actions/checkout `persist-credentials`](https://github.com/marketplace/actions/checkout#usage) option needs to be `false`, otherwise the generated `GITHUB_TOKEN` will interfere with the custom one. Example:
+
+```yaml
+- name: Checkout
+    uses: actions/checkout@v2
+    with:
+      fetch-depth: 0
+      persist-credentials: false # <--- this
+```
+
 ## Trigger semantic-release on demand
 
-There is a way to trigger semantic-relase on demand. Use [`repository_dispatch`](https://help.github.com/en/articles/events-that-trigger-workflows#external-events-repository_dispatch) event to have control on when to generate a release by making an HTTP request, e.g.:
+### Using GUI:
+You can use [Manual Triggers](https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/) for GitHub Actions.
+
+### Using HTTP:
+Use [`repository_dispatch`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#repository_dispatch) event to have control on when to generate a release by making an HTTP request, e.g.:
 
 ```yaml
 name: Release
@@ -67,6 +83,7 @@ To trigger a release, call (with a [Personal Access Tokens](https://help.github.
 $ curl -v -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/[org-name-or-username]/[repository]/dispatches -d '{ "event_type": "semantic-release" }'
 ```
 
+### Using 3rd party apps:
 If you'd like to use a GitHub app to manage this instead of creating a personal access token, you could consider using a project like:
 
 * [Actions Panel](https://www.actionspanel.app/) - A declaratively configured way for triggering GitHub Actions

package/docs/recipes/jenkins-ci.md

@@ -0,0 +1,61 @@
+# Using semantic-release with [Jenkins CI](https://www.jenkins.io/doc/book/pipeline/)
+
+## Environment variables
+
+The [Authentication](../usage/ci-configuration.md#authentication) environment variables can be configured in [Jenkins Project Settings](https://www.jenkins.io/doc/pipeline/tour/environment/)..
+
+Alternatively, the default `NPM_TOKEN` and `GH_TOKEN` can be easily [setup with semantic-release-cli](../usage/getting-started.md#getting-started).
+
+## Node.js project configuration
+
+### `Jenkinsfile (Declarative Pipeline)` configuration for a Node.js job
+
+**Note**: The publish pipeline must run a [Node >= 10.18 version](../support/FAQ.md#why-does-semantic-release-require-node-version--1018).
+
+This example is a minimal configuration for **semantic-release** with a build running Node 10.18. See [Jenkins documentation](https://www.jenkins.io/doc/) for additional configuration options.
+
+The`semantic-release` execution command varies depending if you are using a [local](../usage/installation.md#local-installation) or [global](../usage/installation.md#global-installation) **semantic-release** installation.
+
+```yaml
+// The release stage in the pipeline will run only if the test stage in the pipeline is successful
+pipeline {
+    agent any 
+    environment {
+        GH_TOKEN  = credentials('some-id')
+    }
+    stages {
+        stage('Test') {
+            steps {
+                sh '''
+                # Configure your test steps here (checkout, npm install, tests etc)
+                npm install
+                npm test
+                '''
+                }
+        }
+        stage('Release') {
+            tools {
+            nodejs "node 10.18"
+            }
+            steps {
+                sh '''
+                # Run optional required steps before releasing
+                npx semantic-release
+                '''
+            }            
+        }
+    }
+}
+```
+
+### `package.json` configuration for a Node job
+
+A `package.json` is required only for [local](../usage/installation.md#local-installation) **semantic-release** installation.
+
+```json
+{
+  "devDependencies": {
+    "semantic-release": "^15.0.0"
+  }
+}
+```

package/docs/support/FAQ.md

@@ -2,12 +2,14 @@
 
 ## Why is the `package.json`’s version not updated in my repository?
 
-**semantic-release** takes care of updating the `package.json`’s version before publishing to [npm](https://www.npmjs.com).
+[`@semantic-release/npm`](https://github.com/semantic-release/npm) takes care of updating the `package.json`’s version before publishing to [npm](https://www.npmjs.com).
 
 By default, only the published package will contain the version, which is the only place where it is *really* required, but the updated `package.json` will not be pushed to the Git repository
 
 However, the [`@semantic-release/git`](https://github.com/semantic-release/git) plugin can be used to push the updated `package.json` as well as other files to the Git repository.
 
+If you wish to only update the `package.json` and push via Git you can set the project to `"private": true,` within your `package.json` to prevent publishing to [npm](https://www.npmjs.com). This can be useful for using **semantic-release** with a non-node project.
+
 ## How can I use a npm build script that requires the `package.json`’s version ?
 
 The `package.json`’s version will be updated by the `semantic-release` command just before publishing to [npm](https://www.npmjs.com), therefore it won't be available for scripts ran before the `semantic-release` command.

package/docs/support/resources.md

@@ -14,6 +14,7 @@
 
 - ["Introduction to SemVer" - Irina Gebauer](https://blog.greenkeeper.io/introduction-to-semver-d272990c44f2)
 - ["Introduction to Semantic Release" - liv](https://blog.greenkeeper.io/introduction-to-semantic-release-33f73b117c8)
+- ["Series - Semantic Release Automation" - Abdelrahman Wahdan](https://dev.to/abdelrahmanahmed/semantic-release-and-how-to-automate-it-part-1-4pa2)
 
 ## Tutorials
 

package/docs/usage/configuration.md

@@ -74,7 +74,7 @@ The branches on which releases should happen. By default **semantic-release** wi
 
 **Note**: If your repository does not have a release branch, then **semantic-release** will fail with an `ERELEASEBRANCHES` error message. If you are using the default configuration, you can fix this error by pushing a `master` branch.
 
-**Note**: Once **semantic-release** is configured, any user with the permission to push commits on one of those branches will be able to publish a release. It is recommended to protect those branches, for example with [GitHub protected branches](https://help.github.com/articles/about-protected-branches).
+**Note**: Once **semantic-release** is configured, any user with the permission to push commits on one of those branches will be able to publish a release. It is recommended to protect those branches, for example with [GitHub protected branches](https://docs.github.com/github/administering-a-repository/about-protected-branches).
 
 See [Workflow configuration](workflow-configuration.md#workflow-configuration) for more details.
 
@@ -116,7 +116,9 @@ Type: `Boolean`<br>
 Default: `false` if running in a CI environment, `true` otherwise<br>
 CLI arguments: `-d`, `--dry-run`
 
-Dry-run mode, skip publishing, print next version and release notes.
+The objective of the dry-run mode is to get a preview of the pending release. Dry-run mode skips the following steps: prepare, publish, success and fail. In addition to this it prints the next version and release notes to the console.
+
+**Note**: The Dry-run mode verifies the repository push permission, even though nothing will be pushed. The verification is done to help user to figure out potential configuration issues.
 
 ### ci
 

package/docs/usage/plugins.md

@@ -21,12 +21,12 @@ A plugin is a npm module that can implement one or more of the following steps:
 
 ### Default plugins
 
-These four plugins are already part of **semantic-release** and don't have to be installed separately:
+These four plugins are already part of **semantic-release** and are listed in order of execution. They do not have to be installed separately:
 ```
 "@semantic-release/commit-analyzer"
-"@semantic-release/github"
-"@semantic-release/npm"
 "@semantic-release/release-notes-generator"
+"@semantic-release/npm"
+"@semantic-release/github"
 ```
 
 ### Additional plugins

package/lib/get-git-auth-url.js

@@ -2,6 +2,49 @@ const {parse, format} = require('url'); // eslint-disable-line node/no-deprecate
 const {isNil} = require('lodash');
 const hostedGitInfo = require('hosted-git-info');
 const {verifyAuth} = require('./git');
+const debug = require('debug')('semantic-release:get-git-auth-url');
+
+/**
+ * Machinery to format a repository URL with the given credentials
+ *
+ * @param {String} protocol URL protocol (which should not be present in repositoryUrl)
+ * @param {String} repositoryUrl User-given repository URL
+ * @param {String} gitCredentials The basic auth part of the URL
+ *
+ * @return {String} The formatted Git repository URL.
+ */
+function formatAuthUrl(protocol, repositoryUrl, gitCredentials) {
+  const [match, auth, host, basePort, path] =
+    /^(?!.+:\/\/)(?:(?<auth>.*)@)?(?<host>.*?):(?<port>\d+)?:?\/?(?<path>.*)$/.exec(repositoryUrl) || [];
+  const {port, hostname, ...parsed} = parse(
+    match ? `ssh://${auth ? `${auth}@` : ''}${host}${basePort ? `:${basePort}` : ''}/${path}` : repositoryUrl
+  );
+
+  return format({
+    ...parsed,
+    auth: gitCredentials,
+    host: `${hostname}${protocol === 'ssh:' ? '' : port ? `:${port}` : ''}`,
+    protocol: protocol && /http[^s]/.test(protocol) ? 'http' : 'https',
+  });
+}
+
+/**
+ * Verify authUrl by calling git.verifyAuth, but don't throw on failure
+ *
+ * @param {Object} context semantic-release context.
+ * @param {String} authUrl Repository URL to verify
+ *
+ * @return {String} The authUrl as is if the connection was successfull, null otherwise
+ */
+async function ensureValidAuthUrl({cwd, env, branch}, authUrl) {
+  try {
+    await verifyAuth(authUrl, branch.name, {cwd, env});
+    return authUrl;
+  } catch (error) {
+    debug(error);
+    return null;
+  }
+}
 
 /**
  * Determine the the git repository URL to use to push, either:
@@ -14,7 +57,8 @@ const {verifyAuth} = require('./git');
  *
  * @return {String} The formatted Git repository URL.
  */
-module.exports = async ({cwd, env, branch, options: {repositoryUrl}}) => {
+module.exports = async (context) => {
+  const {cwd, env, branch} = context;
   const GIT_TOKENS = {
     GIT_CREDENTIALS: undefined,
     GH_TOKEN: undefined,
@@ -29,6 +73,7 @@ module.exports = async ({cwd, env, branch, options: {repositoryUrl}}) => {
     BITBUCKET_TOKEN_BASIC_AUTH: '',
   };
 
+  let {repositoryUrl} = context.options;
   const info = hostedGitInfo.fromUrl(repositoryUrl, {noGitPlus: true});
   const {protocol, ...parsed} = parse(repositoryUrl);
 
@@ -42,25 +87,34 @@ module.exports = async ({cwd, env, branch, options: {repositoryUrl}}) => {
 
   // Test if push is allowed without transforming the URL (e.g. is ssh keys are set up)
   try {
+    debug('Verifying ssh auth by attempting to push to  %s', repositoryUrl);
     await verifyAuth(repositoryUrl, branch.name, {cwd, env});
   } catch (_) {
-    const envVar = Object.keys(GIT_TOKENS).find((envVar) => !isNil(env[envVar]));
-    const gitCredentials = `${GIT_TOKENS[envVar] || ''}${env[envVar] || ''}`;
+    debug('SSH key auth failed, falling back to https.');
+    const envVars = Object.keys(GIT_TOKENS).filter((envVar) => !isNil(env[envVar]));
+
+    // Skip verification if there is no ambiguity on which env var to use for authentication
+    if (envVars.length === 1) {
+      const gitCredentials = `${GIT_TOKENS[envVars[0]] || ''}${env[envVars[0]]}`;
+      return formatAuthUrl(protocol, repositoryUrl, gitCredentials);
+    }
+
+    if (envVars.length > 1) {
+      debug(`Found ${envVars.length} credentials in environment, trying all of them`);
 
-    if (gitCredentials) {
-      // If credentials are set via environment variables, convert the URL to http/https and add basic auth, otherwise return `repositoryUrl` as is
-      const [match, auth, host, path] =
-        /^(?!.+:\/\/)(?:(?<auth>.*)@)?(?<host>.*?):(?<path>.*)$/.exec(repositoryUrl) || [];
-      const {port, hostname, ...parsed} = parse(
-        match ? `ssh://${auth ? `${auth}@` : ''}${host}/${path}` : repositoryUrl
-      );
+      const candidateRepositoryUrls = [];
+      for (const envVar of envVars) {
+        const gitCredentials = `${GIT_TOKENS[envVar] || ''}${env[envVar]}`;
+        const authUrl = formatAuthUrl(protocol, repositoryUrl, gitCredentials);
+        candidateRepositoryUrls.push(ensureValidAuthUrl(context, authUrl));
+      }
 
-      return format({
-        ...parsed,
-        auth: gitCredentials,
-        host: `${hostname}${protocol === 'ssh:' ? '' : port ? `:${port}` : ''}`,
-        protocol: protocol && /http[^s]/.test(protocol) ? 'http' : 'https',
-      });
+      const validRepositoryUrls = await Promise.all(candidateRepositoryUrls);
+      const chosenAuthUrlIndex = validRepositoryUrls.findIndex((url) => url !== null);
+      if (chosenAuthUrlIndex > -1) {
+        debug(`Using "${envVars[chosenAuthUrlIndex]}" to authenticate`);
+        return validRepositoryUrls[chosenAuthUrlIndex];
+      }
     }
   }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "semantic-release",
   "description": "Automated semver compliant package publishing",
-  "version": "17.1.1",
+  "version": "17.2.2",
   "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
   "ava": {
     "files": [