chore: modify release flow in light of security changes#10144
Conversation
|
There was a problem hiding this comment.
Code Review
This pull request extracts the logic for pushing release tags to GitHub into a standalone script publish-git-tags.js and removes it from the main release script. Feedback on these changes highlights three key issues: first, importing TypeScript utilities from a JavaScript file will cause runtime failures, so the script should be renamed to .ts; second, the script needs to handle cases where no tags point to HEAD to avoid pushing empty strings; and third, the asynchronous entry point should catch errors and exit with a non-zero code to ensure CI workflows fail correctly.
Change release-pr.yml (run at staging, bumps versions and generates release PR) so that the changesets action sets "setupGitUser" to false. This should hopefully remove the "github-actions" bot as a co-author, which causes the CLA check to fail on PRs.
Remove OSS_BOT_GITHUB_TOKEN from release-prod checkout. This was an attempt a while back to try to fix an engprod workflow that was supposed to be triggered by the prod release workflow and wasn't triggering. It didn't work anyway and that workflow no longer exists. With this removed, it will just use the default GITHUB_TOKEN like every other checkout action in our workflows.
Split the github tag publish step out of the main release script into a separate script, and execute this at the end of the prod release workflow so that it doesn't block any other steps. (But before github release publish because that depends on the new tag existing.) I don't want to use
continue-on-errorbecause I still want it to fail the workflow with a big red symbol so we know we have to manually push the git tags. But I want the other steps to be able to complete.I can't really test any of this until the next release without running a release so I guess let's check it very carefully.