Re: release process: typescript SDK?

2024-04-29 Thread Austin Bennett
@Robert Bradshaw -- this seems sensible.  I don't
have the relevant NPM credentials, so am unable to address myself.

Having manual steps in the release process, and esp. not keeping all SDKs
up-to-date seems worth addressing.

On Wed, Apr 17, 2024 at 8:29 AM Danny McCormick 
wrote:

> Probably the easiest way for this to happen is for @Robert Bradshaw
> to get the token set up as a secret (should be
> quick) and then Austin to take the workflow forward.
>
> In the past to get secrets added, Infra has asked that I (a) email
> r...@apache.org with the secret name and secret contents, and (b) open
> a JIRA to externally track progress -
> https://issues.apache.org/jira/browse/INFRA-25009
>
> On Wed, Apr 17, 2024 at 11:24 AM Austin Bennett  wrote:
>
>> I don't mind doing, esp. if nobody is eager to handle/prioritize the push
>> artifact in near-term.  If I'm to do, let's connect off-list for
>> token/creds.
>>
>> Furthermore, I agree that getting RCs as part of the overall
>> release/validation process would be a nice addition.
>>
>> On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev <
>> dev@beam.apache.org> wrote:
>>
>>> Correct, I've just been pushing these manually, and lately there haven't
>>> been many changes to push. I'm all for getting these set up as part of the
>>> standard release process.
>>>
>>> On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick <
>>> dannymccorm...@google.com> wrote:
>>>
>>>> I've never published npm artifacts before, but I imagine the hardest
>>>> part is getting the credentials set up, then it is probably very easy to
>>>> set up a GitHub Actions workflow to publish.
>>>> Who has done these releases in the past/has credentials for the npm
>>>> package? Maybe @Robert Bradshaw? We will need a
>>>> token set up as a secret to automate this.
>>>>
>>>> I'll also note that we don't do any typescript validation today, and it
>>>> would be nice to publish RCs as part of this
>>>>
>>>> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett
>>>> wrote:
>>>>
>>>>> Hi Beam Devs,
>>>>>
>>>>> Calling out it looks like our release process for apache-beam for
>>>>> typescript/npm is broken, seemingly the last published release was 2.49.0
>>>>> about 9 months ago.  The other languages look like they are publishing to
>>>>> expected locations.
>>>>>
>>>>> https://www.npmjs.com/package/apache-beam
>>>>>
>>>>> I noticed this since I was digging into security concerns raised by
>>>>> GitHub's dependabot across our repos [ ex:
>>>>> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
>>>>> towards getting our repos tidied.
>>>>>
>>>>> This leads me to believe we may want two distinct things:
>>>>> * update our release docs/process/scripts to ensure that we
>>>>> generate/publish all artifacts to relevant repositories.
>>>>> * Arrive at a process to more straightforwardly attend to security
>>>>> updates [ maybe we want these sent to dev list, or another distribution? ]
>>>>>
>>>>> From a very quick search, it did not look like we have scripts to push
>>>>> to npm.  That should be verified more thoroughly -- I haven't done a
>>>>> release before, so relevant scripts could be hiding elsewhere.
>>>>>
>>>>> Cheers,
>>>>> Austin
>>>>>
>>>>>
>>>>> NOTE:  everything with our main Beam repo specifically looks OK.  Some
>>>>> things discovered were on the other/supplementary repos, though I believe
>>>>> those are still worthwhile to attend to and support.
>>>>>



Re: release process: typescript SDK?

2024-04-17 Thread Danny McCormick via dev
Probably the easiest way for this to happen is for @Robert Bradshaw
to get the token set up as a secret (should be quick)
and then Austin to take the workflow forward.

In the past to get secrets added, Infra has asked that I (a) email
r...@apache.org with the secret name and secret contents, and (b) open a
JIRA to externally track progress -
https://issues.apache.org/jira/browse/INFRA-25009

On Wed, Apr 17, 2024 at 11:24 AM Austin Bennett  wrote:

> I don't mind doing, esp. if nobody is eager to handle/prioritize the push
> artifact in near-term.  If I'm to do, let's connect off-list for
> token/creds.
>
> Furthermore, I agree that getting RCs as part of the overall
> release/validation process would be a nice addition.
>
> On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev <
> dev@beam.apache.org> wrote:
>
>> Correct, I've just been pushing these manually, and lately there haven't
>> been many changes to push. I'm all for getting these set up as part of the
>> standard release process.
>>
>> On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick <
>> dannymccorm...@google.com> wrote:
>>
>>> I've never published npm artifacts before, but I imagine the hardest
>>> part is getting the credentials set up, then it is probably very easy to
>>> set up a GitHub Actions workflow to publish.
>>> Who has done these releases in the past/has credentials for the npm
>>> package? Maybe @Robert Bradshaw? We will need a
>>> token set up as a secret to automate this.
>>>
>>> I'll also note that we don't do any typescript validation today, and it
>>> would be nice to publish RCs as part of this
>>>
>>> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett 
>>> wrote:
>>>
>>>> Hi Beam Devs,
>>>>
>>>> Calling out it looks like our release process for apache-beam for
>>>> typescript/npm is broken, seemingly the last published release was 2.49.0
>>>> about 9 months ago.  The other languages look like they are publishing to
>>>> expected locations.
>>>>
>>>> https://www.npmjs.com/package/apache-beam
>>>>
>>>> I noticed this since I was digging into security concerns raised by
>>>> GitHub's dependabot across our repos [ ex:
>>>> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
>>>> towards getting our repos tidied.
>>>>
>>>> This leads me to believe we may want two distinct things:
>>>> * update our release docs/process/scripts to ensure that we
>>>> generate/publish all artifacts to relevant repositories.
>>>> * Arrive at a process to more straightforwardly attend to security
>>>> updates [ maybe we want these sent to dev list, or another distribution? ]
>>>>
>>>> From a very quick search, it did not look like we have scripts to push
>>>> to npm.  That should be verified more thoroughly -- I haven't done a
>>>> release before, so relevant scripts could be hiding elsewhere.
>>>>
>>>> Cheers,
>>>> Austin
>>>>
>>>>
>>>> NOTE:  everything with our main Beam repo specifically looks OK.  Some
>>>> things discovered were on the other/supplementary repos, though I believe
>>>> those are still worthwhile to attend to and support.
>>>>
>>>


Re: release process: typescript SDK?

2024-04-17 Thread Austin Bennett
I don't mind doing, esp. if nobody is eager to handle/prioritize the push
artifact in near-term.  If I'm to do, let's connect off-list for
token/creds.

Furthermore, I agree that getting RCs as part of the overall
release/validation process would be a nice addition.

On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev 
wrote:

> Correct, I've just been pushing these manually, and lately there haven't
> been many changes to push. I'm all for getting these set up as part of the
> standard release process.
>
> On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick 
> wrote:
>
>> I've never published npm artifacts before, but I imagine the hardest part
>> is getting the credentials set up, then it is probably very easy to set up
>> a GitHub Actions workflow to publish.
>> Who has done these releases in the past/has credentials for the npm
>> package? Maybe @Robert Bradshaw? We will need a
>> token set up as a secret to automate this.
>>
>> I'll also note that we don't do any typescript validation today, and it
>> would be nice to publish RCs as part of this
>>
>> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett  wrote:
>>
>>> Hi Beam Devs,
>>>
>>> Calling out it looks like our release process for apache-beam for
>>> typescript/npm is broken, seemingly the last published release was 2.49.0
>>> about 9 months ago.  The other languages look like they are publishing to
>>> expected locations.
>>>
>>> https://www.npmjs.com/package/apache-beam
>>>
>>> I noticed this since I was digging into security concerns raised by
>>> GitHub's dependabot across our repos [ ex:
>>> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
>>> towards getting our repos tidied.
>>>
>>> This leads me to believe we may want two distinct things:
>>> * update our release docs/process/scripts to ensure that we
>>> generate/publish all artifacts to relevant repositories.
>>> * Arrive at a process to more straightforwardly attend to security
>>> updates [ maybe we want these sent to dev list, or another distribution? ]
>>>
>>> From a very quick search, it did not look like we have scripts to push
>>> to npm.  That should be verified more thoroughly -- I haven't done a
>>> release before, so relevant scripts could be hiding elsewhere.
>>>
>>> Cheers,
>>> Austin
>>>
>>>
>>> NOTE:  everything with our main Beam repo specifically looks OK.  Some
>>> things discovered were on the other/supplementary repos, though I believe
>>> those are still worthwhile to attend to and support.
>>>
>>


Re: release process: typescript SDK?

2024-04-16 Thread Robert Bradshaw via dev
Correct, I've just been pushing these manually, and lately there haven't
been many changes to push. I'm all for getting these set up as part of the
standard release process.

On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick 
wrote:

> I've never published npm artifacts before, but I imagine the hardest part
> is getting the credentials set up, then it is probably very easy to set up
> a GitHub Actions workflow to publish.
> Who has done these releases in the past/has credentials for the npm
> package? Maybe @Robert Bradshaw? We will need a
> token set up as a secret to automate this.
>
> I'll also note that we don't do any typescript validation today, and it
> would be nice to publish RCs as part of this
>
> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett  wrote:
>
>> Hi Beam Devs,
>>
>> Calling out it looks like our release process for apache-beam for
>> typescript/npm is broken, seemingly the last published release was 2.49.0
>> about 9 months ago.  The other languages look like they are publishing to
>> expected locations.
>>
>> https://www.npmjs.com/package/apache-beam
>>
>> I noticed this since I was digging into security concerns raised by
>> GitHub's dependabot across our repos [ ex:
>> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
>> towards getting our repos tidied.
>>
>> This leads me to believe we may want two distinct things:
>> * update our release docs/process/scripts to ensure that we
>> generate/publish all artifacts to relevant repositories.
>> * Arrive at a process to more straightforwardly attend to security
>> updates [ maybe we want these sent to dev list, or another distribution? ]
>>
>> From a very quick search, it did not look like we have scripts to push to
>> npm.  That should be verified more thoroughly -- I haven't done a release
>> before, so relevant scripts could be hiding elsewhere.
>>
>> Cheers,
>> Austin
>>
>>
>> NOTE:  everything with our main Beam repo specifically looks OK.  Some
>> things discovered were on the other/supplementary repos, though I believe
>> those are still worthwhile to attend to and support.
>>
>


Re: release process: typescript SDK?

2024-04-16 Thread Danny McCormick via dev
I've never published npm artifacts before, but I imagine the hardest part
is getting the credentials set up, then it is probably very easy to set up
a GitHub Actions workflow to publish.
Who has done these releases in the past/has credentials for the npm
package? Maybe @Robert Bradshaw? We will need a token
set up as a secret to automate this.

I'll also note that we don't do any typescript validation today, and it
would be nice to publish RCs as part of this

On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett  wrote:

> Hi Beam Devs,
>
> Calling out it looks like our release process for apache-beam for
> typescript/npm is broken, seemingly the last published release was 2.49.0
> about 9 months ago.  The other languages look like they are publishing to
> expected locations.
>
> https://www.npmjs.com/package/apache-beam
>
> I noticed this since I was digging into security concerns raised by
> GitHub's dependabot across our repos [ ex:
> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
> towards getting our repos tidied.
>
> This leads me to believe we may want two distinct things:
> * update our release docs/process/scripts to ensure that we
> generate/publish all artifacts to relevant repositories.
> * Arrive at a process to more straightforwardly attend to security updates
> [ maybe we want these sent to dev list, or another distribution? ]
>
> From a very quick search, it did not look like we have scripts to push to
> npm.  That should be verified more thoroughly -- I haven't done a release
> before, so relevant scripts could be hiding elsewhere.
>
> Cheers,
> Austin
>
>
> NOTE:  everything with our main Beam repo specifically looks OK.  Some
> things discovered were on the other/supplementary repos, though I believe
> those are still worthwhile to attend to and support.
>


release process: typescript SDK?

2024-04-16 Thread Austin Bennett
Hi Beam Devs,

Calling out it looks like our release process for apache-beam for
typescript/npm is broken, seemingly the last published release was 2.49.0
about 9 months ago.  The other languages look like they are publishing to
expected locations.

https://www.npmjs.com/package/apache-beam

I noticed this since I was digging into security concerns raised by
GitHub's dependabot across our repos [ ex:
https://github.com/apache/beam-starter-typescript/security/dependabot ], and
towards getting our repos tidied.

This leads me to believe we may want two distinct things:
* update our release docs/process/scripts to ensure that we
generate/publish all artifacts to relevant repositories.
* Arrive at a process to more straightforwardly attend to security updates
[ maybe we want these sent to dev list, or another distribution? ]

From a very quick search, it did not look like we have scripts to push to
npm.  That should be verified more thoroughly -- I haven't done a release
before, so relevant scripts could be hiding elsewhere.

Cheers,
Austin


NOTE:  everything with our main Beam repo specifically looks OK.  Some
things discovered were on the other/supplementary repos, though I believe
those are still worthwhile to attend to and support.
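
Added example, not part of the thread and not Apache Beam release code: one way a release process could detect the kind of registry drift reported above, by comparing npm's "latest" version and publish date against the version the release was supposed to ship. The packument contents, the publish date, the expected version "2.55.0" and the 90-day threshold are constructed assumptions; only the npm registry document's "dist-tags" and "time" fields are relied on.

```javascript
// Added example (not Apache Beam project code): flag a registry whose published
// version lags the project's release. The packument is CONSTRUCTED; only the
// npm registry document's "dist-tags" and "time" fields are read.
const samplePackument = {
  name: "apache-beam",
  "dist-tags": { latest: "2.49.0" },
  time: { "2.49.0": "2023-07-15T00:00:00.000Z" }, // constructed publish date
};

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix (e.g. an RC).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease sorts
// before its release; two prereleases compare as numeric-aware strings
// (a simplification of full semver precedence).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre.localeCompare(y.pre, "en", { numeric: true });
}

// expectedVersion: the version the release process says it shipped.
// maxAgeDays: how long "latest" may go unrefreshed before it is flagged.
function checkDrift(packument, expectedVersion, now, maxAgeDays) {
  const latest = (packument["dist-tags"] || {}).latest;
  const publishedAt = latest && (packument.time || {})[latest];
  if (!publishedAt) return { status: "unknown", latest: latest || null };
  const ageDays = Math.floor((now - new Date(publishedAt)) / 86400000);
  const behind = compareVersions(latest, expectedVersion) < 0;
  const stale = ageDays > maxAgeDays;
  return { status: behind || stale ? "drift" : "ok", latest, ageDays, behind, stale };
}

// Constructed inputs: "2.55.0" stands in for the project's current release.
console.log(checkDrift(samplePackument, "2.55.0", new Date("2024-04-16T00:00:00Z"), 90));
```

Run as a post-release step against each registry's metadata, a "drift" or "unknown" result is the signal that an artifact was not published.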