semantic-release 21.0.0 → 21.0.2
|
@@ -6,6 +6,11 @@ The [Authentication](../../usage/ci-configuration.md#authentication) environment
|
|
|
6
6
|
|
|
7
7
|
In this example a publish type [`NPM_TOKEN`](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) is required to publish a package to the npm registry. GitHub Actions [automatically populate](https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret) a [`GITHUB_TOKEN`](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) environment variable which can be used in Workflows.
|
|
8
8
|
|
|
9
|
+
## npm provenance
|
|
10
|
+
|
|
11
|
+
Since GitHub Actions is a [supported provider](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations) for [npm provenance](https://docs.npmjs.com/generating-provenance-statements), it is recommended to enable this to increase supply-chain security for your npm packages.
|
|
12
|
+
Find more detail about configuring npm to publish with provenance through semantic-release [in the documentation for our npm plugin](https://github.com/semantic-release/npm#npm-provenance).
|
|
13
|
+
|
|
9
14
|
## Node project configuration
|
|
10
15
|
|
|
11
16
|
[GitHub Actions](https://github.com/features/actions) support [Workflows](https://help.github.com/en/articles/configuring-workflows), allowing to run tests on multiple Node versions and publish a release only when all test pass.
|
|
@@ -23,10 +28,19 @@ on:
|
|
|
23
28
|
push:
|
|
24
29
|
branches:
|
|
25
30
|
- master
|
|
31
|
+
|
|
32
|
+
permissions:
|
|
33
|
+
contents: read # for checkout
|
|
34
|
+
|
|
26
35
|
jobs:
|
|
27
36
|
release:
|
|
28
37
|
name: Release
|
|
29
38
|
runs-on: ubuntu-latest
|
|
39
|
+
permissions:
|
|
40
|
+
contents: write # to be able to publish a GitHub release
|
|
41
|
+
issues: write # to be able to comment on released issues
|
|
42
|
+
pull-requests: write # to be able to comment on released pull requests
|
|
43
|
+
id-token: write # to enable use of OIDC for npm provenance
|
|
30
44
|
steps:
|
|
31
45
|
- name: Checkout
|
|
32
46
|
uses: actions/checkout@v3
|
|
@@ -37,7 +51,9 @@ jobs:
|
|
|
37
51
|
with:
|
|
38
52
|
node-version: "lts/*"
|
|
39
53
|
- name: Install dependencies
|
|
40
|
-
run: npm
|
|
54
|
+
run: npm clean-install
|
|
55
|
+
- name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
|
|
56
|
+
run: npm audit signatures
|
|
41
57
|
- name: Release
|
|
42
58
|
env:
|
|
43
59
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
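Review bot: The job-level `permissions` block added in the second hunk applies to every step of the `release` job, so `Install dependencies` runs with `id-token: write` and the three write scopes in force, and `npm clean-install` executes dependency install scripts before `npm audit signatures` has checked anything. As ordered, the signature and provenance check gates the publish step but not code that already ran during install. For projects that do not need install scripts, the install line could read `run: npm clean-install --ignore-scripts`; otherwise the recipe would benefit from a sentence stating that verification happens after install. The `steps` list starts and continues outside the visible hunks, so the checkout and release steps are not fully visible here.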
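--- a/package/docs/support/FAQ.md
+++ b/package/docs/support/FAQ.md
@@ -158,14 +158,6 @@ Or with the `publishConfig.access` key in your project's `package.json`:
 }
 ```
 
-## Can I use semantic-release to publish a package on Artifactory?
-
-Any npm compatible registry is supported with the [`@semantic-release/npm`](https://github.com/semantic-release/npm) plugin. For Artifactory versions prior to 5.4, the legacy authentication has to be used (with `NPM_USERNAME`, `NPM_PASSWORD` and `NPM_EMAIL` [environment variables](https://github.com/semantic-release/npm#environment-variables)).
-
-See [npm registry authentication](https://github.com/semantic-release/npm#npm-registry-authentication) for more details.
-
-See [Artifactory - npm Registry](https://www.jfrog.com/confluence/display/RTF/Npm+Registry#NpmRegistry-AuthenticatingthenpmClient) documentation for Artifactory configuration.
-
 ## Can I manually trigger the release of a specific version?
 
 You can trigger a release by pushing to your Git repository. You deliberately cannot trigger a _specific_ version release, because this is the whole point of semantic-release.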
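--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "semantic-release",
 "description": "Automated semver compliant package publishing",
-"version": "21.0.
+"version": "21.0.2",
 "type": "module",
 "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
 "ava": {
@@ -30,11 +30,11 @@
 "@semantic-release/error": "^3.0.0",
 "@semantic-release/github": "^8.0.0",
 "@semantic-release/npm": "^10.0.2",
-"@semantic-release/release-notes-generator": "^
+"@semantic-release/release-notes-generator": "^11.0.0",
 "aggregate-error": "^4.0.1",
 "cosmiconfig": "^8.0.0",
 "debug": "^4.0.0",
-"env-ci": "^
+"env-ci": "^9.0.0",
 "execa": "^7.0.0",
 "figures": "^5.0.0",
 "find-versions": "^5.1.0",
@@ -62,18 +62,18 @@
 "codecov": "3.8.3",
 "delay": "5.0.0",
 "dockerode": "3.3.5",
-"file-url": "
-"fs-extra": "
-"got": "
+"file-url": "4.0.0",
+"fs-extra": "11.1.1",
+"got": "12.6.0",
 "js-yaml": "4.1.0",
 "mockserver-client": "5.15.0",
 "nock": "13.3.0",
-"p-retry": "
-"prettier": "
-"sinon": "15.0.
+"p-retry": "5.1.2",
+"prettier": "2.8.7",
+"sinon": "15.0.4",
 "stream-buffers": "3.0.2",
-"tempy": "
-"testdouble": "3.17.
+"tempy": "3.0.0",
+"testdouble": "3.17.2"
 },
 "engines": {
 "node": ">=18"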