Create GH Action to Publish Project Automatically #1274

Merged
merged 1 commit into from
Sep 11, 2024


elliot-huffman
Contributor

Overview

This PR is to add automation to publish the project from the cloud environment automatically.

Other enhancements such as publish step extraction will be recommended with future issues/PRs.

Important (Admin Steps)

The following steps are required by a repo and NPM admin to complete this PR's integration:

  1. Create a new GitHub Environment called NPM.
  2. Create a new NPM Granular Access Token scoped to the typescript-json and typia packages (a long-lived token would reduce the need to cycle it constantly) with read and write permissions.
  3. Copy your new NPM publish token to the NPM environment as a secret named NPM_PUBLISH.
  4. Profit!

Security Best Practices

  • Ensure that you enable trusted approvers in your GitHub environment. This allows you to reduce the risk of a threat actor making a malicious PR designed to steal your token without trusted person approval.
  • Ensure that the GH Environment is only approved to run from the master branch for any (*) tag. This prevents forks/branches from running the deploy command and only approved code can even attempt to request access.
  • Scope the permissions of your granular NPM token to only the two packages typescript-json and typia, don't grant it any additional permissions.
  • Do NOT store the NPM token ANYWHERE else. This could cause a complete breach of your packages. This token is privileged. GH Secrets are one-way and won't allow people with repo admin access to read them out of the settings. The only things that can read secrets are GH Actions, and as long as you keep an eye on the GH Actions that are being submitted to the project, you should be good.

Create a GH Action to publish the project with the requested tag info.
@samchon samchon self-requested a review September 11, 2024 23:58
@samchon samchon added enhancement New feature or request good first issue Good for newcomers labels Sep 11, 2024
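
The two environment gates from the "Security Best Practices" list (trusted approvers, restricted deployment refs) can be checked mechanically. The script below is an added example, not part of this PR or the project: it audits environment objects shaped like the GitHub REST API's environment response, and the sample data, the reviewer login and the function name `audit_environment` are constructed for illustration.

```python
import json

# Constructed sample shaped like the GitHub REST API environment object
# (fields: name, protection_rules, deployment_branch_policy). Not real data
# from the repository discussed in this PR.
SAMPLE_ENVIRONMENTS = json.loads("""
[
  {"name": "NPM",
   "protection_rules": [
     {"type": "required_reviewers",
      "reviewers": [{"type": "User",
                     "reviewer": {"login": "maintainer-placeholder"}}]},
     {"type": "branch_policy"}],
   "deployment_branch_policy": {"protected_branches": false,
                                "custom_branch_policies": true}},
  {"name": "NPM",
   "protection_rules": [],
   "deployment_branch_policy": null}
]
""")


def audit_environment(env, expected_name="NPM"):
    """Return a list of findings; an empty list means both gates are on."""
    findings = []
    if env.get("name") != expected_name:
        findings.append(
            f"environment is {env.get('name')!r}, expected {expected_name!r}")
    # Gate 1: at least one required reviewer must approve each deployment.
    reviewers = [
        r for rule in env.get("protection_rules") or []
        if rule.get("type") == "required_reviewers"
        for r in rule.get("reviewers") or []
    ]
    if not reviewers:
        findings.append(
            "no required reviewers: jobs get the secret without approval")
    # Gate 2: a null policy means every branch and tag may deploy.
    if env.get("deployment_branch_policy") is None:
        findings.append(
            "no deployment branch policy: every branch and tag may deploy")
    return findings


if __name__ == "__main__":
    for env in SAMPLE_ENVIRONMENTS:
        print(env["name"], audit_environment(env) or "OK")
```
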
Owner

@samchon samchon left a comment

Thanks for the contribution.

@samchon samchon merged commit 9e0b22f into samchon:master Sep 11, 2024
2 checks passed
@elliot-huffman elliot-huffman deleted the patch-1 branch September 18, 2024 14:13