@Robert Bradshaw <rober...@google.com> -- this seems sensible. I don't have the relevant NPM credentials, so am unable to address myself.

Having manual steps in the release process, and esp. not keeping all SDKs up-to-date seems worth addressing.

On Wed, Apr 17, 2024 at 8:29 AM Danny McCormick <dannymccorm...@google.com> wrote:

> Probably the easiest way for this to happen is for @Robert Bradshaw
> <rober...@google.com> to get the token set up as a secret (should be
> quick) and then Austin to take the workflow forward.
>
> In the past to get secrets added, Infra has asked that I (a) email
> r...@apache.org with the secret name and secret contents, and (b) opened
> a JIRA to externally track progress -
> https://issues.apache.org/jira/browse/INFRA-25009
>
> On Wed, Apr 17, 2024 at 11:24 AM Austin Bennett <aus...@apache.org> wrote:
>
>> I don't mind doing, esp. if nobody is eager to handle/prioritize the push
>> artifact in near-term. If I'm to do, let's connect off-list for
>> token/creds.
>>
>> Furthermore, I agree that getting RCs as part of the overall
>> release/validation process would be a nice addition.
>>
>> On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev <dev@beam.apache.org> wrote:
>>
>>> Correct, I've just been pushing these manually, and lately there haven't
>>> been many changes to push. I'm all for getting these set up as part of the
>>> standard release process.
>>>
>>> On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick <dannymccorm...@google.com> wrote:
>>>
>>>> I've never published npm artifacts before, but I imagine the hardest
>>>> part is getting the credentials set up, then it is probably very easy to
>>>> set up a GitHub Actions workflow to publish
>>>> <https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry>.
>>>> Who has done these releases in the past/has credentials for the npm
>>>> package? Maybe @Robert Bradshaw <rober...@google.com>? We will need a
>>>> token set up as a secret to automate this.
>>>>
>>>> I'll also note that we don't do any typescript validation today, and it
>>>> would be nice to publish RCs as part of this
>>>>
>>>> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett <aus...@apache.org> wrote:
>>>>
>>>>> Hi Beam Devs,
>>>>>
>>>>> Calling out it looks like our release process for apache-beam for
>>>>> typescript/npm is broken, seemingly the last published release was 2.49.0
>>>>> about 9 months ago. The other languages look like they are publishing to
>>>>> expected locations.
>>>>>
>>>>> https://www.npmjs.com/package/apache-beam
>>>>>
>>>>> I noticed this since I was digging into security concerns raised by
>>>>> GitHub's dependabot across our repos [ ex:
>>>>> https://github.com/apache/beam-starter-typescript/security/dependabot ],
>>>>> and towards getting our repos tidied.
>>>>>
>>>>> This leads me to believe we may want two distinct things:
>>>>> * update our release docs/process/scripts to ensure that we
>>>>> generate/publish all artifacts to relevant repositories.
>>>>> * Arrive at a process to more straightforwardly attend to security
>>>>> updates [ maybe we want these sent to dev list, or another distribution? ]
>>>>>
>>>>> From a very quick search, it did not look like we have scripts to push
>>>>> to npm. That should be verified more thoroughly -- I haven't done a
>>>>> release before, so relevant scripts could be hiding elsewhere.
>>>>>
>>>>> Cheers,
>>>>> Austin
>>>>>
>>>>> NOTE: everything with our main Beam repo specifically looks OK. Some
>>>>> things discovered were on the other/supplementary repos, though I believe
>>>>> those are still worthwhile to attend to and support.