I don't mind doing, esp. if nobody is eager to handle/prioritize the push artifact in near-term. If I'm to do, let's connect off-list for token/creds.
Furthermore, I agree that getting RCs as part of the overall release/validation process would be a nice addition. On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev <dev@beam.apache.org> wrote: > Correct, I've just been pushing these manually, and lately there haven't > been many changes to push. I'm all for getting these set up as part of the > standard release process. > > On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick <dannymccorm...@google.com> > wrote: > >> I've never published npm artifacts before, but I imagine the hardest part >> is getting the credentials set up, then it is probably very easy to set up >> a GitHub Actions workflow to publish >> <https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry>. >> Who has done these releases in the past/has credentials for the npm >> package? Maybe @Robert Bradshaw <rober...@google.com>? We will need a >> token set up as a secret to automate this. >> >> I'll also note that we don't do any typescript validation today, and it >> would be nice to publish RCs as part of this >> >> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett <aus...@apache.org> wrote: >> >>> Hi Beam Devs, >>> >>> Calling out it looks like our release process for apache-beam for >>> typescript/npm is broken, seemingly the last published release was 2.49.0 >>> about 9 months ago. The other languages look like they are publishing to >>> expected locations. >>> >>> https://www.npmjs.com/package/apache-beam >>> >>> I noticed this since I was digging into security concerns raised by >>> GitHub's dependabot across our repos [ ex: >>> https://github.com/apache/beam-starter-typescript/security/dependabot ], and >>> towards getting our repos tidied. >>> >>> This leads me to believe we may want two distinct things: >>> * update our release docs/process/scripts to ensure that we >>> generate/publish all artifacts to relevant repositories. >>> * Arrive at a process to more straightforwardly attend to security >>> updates [ maybe we want these sent to dev list, or another distribution? ] >>> >>> From a very quick search, it did not look like we have scripts to push >>> to npm. That should be verified more thoroughly -- i haven't done a >>> release before, so relevant scripts could be hiding elsewhere. >>> >>> Cheers, >>> Austin >>> >>> >>> NOTE: everything with our main Beam repo specifically looks OK. Some >>> things discovered were on the other/supplementary repos, though I believe >>> those are still worthwhile to attend to and support. >>> >>
