chore: upgrade aegir, switch to unified ci #142
Conversation
Updates project config to add autorelease in the [unified CI model](https://github.com/protocol/.github) as requested in this comment - ChainSafe#136 (comment) Before merging this: 1. Check npm config of https://www.npmjs.com/package/@chainsafe/libp2p-noise - "Publishing access" should be set to "Require two-factor authentication or automation tokens" 2. Create a repository secret here called `NPM_TOKEN` with a npm automation token that can publish to `@chainsafe/libp2p-noise`. 3. Add https://github.com/web3-bot as a collaborator to this repo to receive automated CI config updates
achingbrain
requested review from
wemeetagain,
mpetrunic,
twoeths and
dapplion
as code owners
|
Yarn. So, for some reason, The dep tree is: It finds This is a problem because One solution might be to add a redundant Unified CI uses npm and not yarn, so I've removed |
achingbrain
changed the title
There was a problem hiding this comment.
FYI I had to make one feature release that was forgotten so we don't screw up versioning when we merge this.
I've added web3-bot and added NPM_TOKEN so we are basically ready.
That said, I don't think this is working 😅 , as ci is using release script which is missing along with semantic release configuration.
But before you fix that, if I'm not mistaken we would need to remove the branch protection rule as well so that CI can commit changelog and package.json?
I'm not really a huge fan of this especially considering it's kinda against our company policy to leave unprotected branch like that but more importantly, GitHub's actions had a lot of exploits last year so it's even more dangerous.
I would propose that we implement a release process more similar to this (and js-libp2p repo as well): https://github.com/ChainSafe/strip-comments/tree/master/.github/workflows
I would be happy to modify this PR.
It's using semantic PRs with squash merge and release-please action.
@wemeetagain @dapplion @tuyennhv could you chime in as well.
@achingbrain if we are running slightly different workflows would we still get PR from web3-bot with CI updates?
|
@mpetrunic That looks like a good middle ground solution. Definitely better than current status quo. We can go for this approach and switch to @achingbrain approach if it's doesn't provide good enough DX. Lodestar's security is that of the weakest link so since we are already dependant on many js-ipfs libraries, using the auto-release strategy does not reduce the security of those packages. Consumers usually depend on noise + libp2p, but not noise in isolation right? It would have a greater impact that we all do the switch tho |
|
@dapplion @wemeetagain pushed changes. |
You can usually exclude certain users from protection rules in these sort of setups? There's a possible solution here. Do we want that though? It sounds like maybe not.
web3-bot will automatically overwrite any files in That said, libp2p and ipfs both use I think then you can skip the CI-user-exclusion-from-protected-branches mentioned above. Though the joy of Happy to do whatever you prefer though. |
Seems like my changes pushed here are compatible then.
I think our biggest issue was that nobody wanted to create release PR with changelog and version updates, merging it is not that much of an issue. This also doesn't force people (external contributors) to use semantic commits if they don't want to and we can influence version bump by editing PR title. |
Updates project config to add autorelease in the unified CI model as requested in this comment - #136 (comment)
Before merging this:
NPM_TOKENwith a npm automation token that can publish to@chainsafe/libp2p-noise.