Breaking: use a separate script to publish to the npm registry #26

Closed
wants to merge 1 commit into from

@not-an-aardvark not-an-aardvark commented Jul 20, 2018

(refs eslint/eslint#10631)

This updates the release API to not publish to npm when initially
called, and to only publish to npm when invoked as a separate process.
This will make it possible to pause the build to ask the user for a TOTP
code before publishing, provided that consumers of the package are
updated accordingly.

I think this would be the best approach if we want to start doing npm 2FA now before waiting for time-limited tokens (assuming they are implemented eventually). With this change, it would be relatively easy to update the Jenkins build tasks to prompt the user for an OTP and then publish the release afterwards.


@platinumazure platinumazure left a comment

LGTM, pending discussion on whether we want to accept this.

@JamesHenry
Member

Does this mean I would lose the ability to publish typescript-eslint-parser autonomously?

@not-an-aardvark
Member Author

@JamesHenry There's some more discussion about this in eslint/eslint#10631. I don't want you to lose that ability, so we'll figure something out so that you still can publish autonomously.

@not-an-aardvark
Member Author

not-an-aardvark commented Jul 24, 2018

I realized we can probably pause for input in the middle of the release without breaking up the release script, if we're willing to do enough process juggling:

  1. Jenkins starts a shell script
  2. The shell script starts a child process that inherits stdout and stderr of its parent, starts the release script, and waits for a signal from it.
  3. Right before publish, the child process sends a signal to its parent and then blocks on reading some file descriptor.
  4. The parent gets the signal and exits.
  5. Jenkins sees that the parent exited and moves to the next step in the pipeline (prompting the user for a TOTP).
  6. After the user enters a TOTP, Jenkins moves to the next step in the pipeline and creates a new process with the user input.
  7. The new process finds the child process somehow (maybe the child PID was written to a file?) and sends the TOTP to it.
  8. The child process receives the TOTP and finishes the npm publish.
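
The handoff described in the comment above, sketched as an added shell example that is not part of the original thread or of the project's code. It assumes a pair of FIFOs in a private temporary directory as the rendezvous (in place of a Unix signal and a PID file), uses `publish_stub` as a stand-in for the real publish command, and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of steps 2-8; every function name here is hypothetical.

# Create a private rendezvous: a 0700 directory holding two 0600 FIFOs, so only
# the build user can signal the release or feed it a code.
make_rendezvous() {
    umask 077
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/ready" "$dir/otp" || return 1
    printf '%s\n' "$dir"
}

# Stand-in for the real publish step (assumption: `npm publish --otp "$1"`).
# It records only the outcome, never the code itself.
publish_stub() { echo published; }

# Steps 3 and 8: the release process signals that it has reached the publish
# step, blocks until a code arrives, validates it, then publishes.
release_child() {
    echo ready > "$1/ready"
    IFS= read -r otp < "$1/otp"
    case $otp in
        [0-9][0-9][0-9][0-9][0-9][0-9]) publish_stub "$otp" > "$1/result" ;;
        *) echo rejected > "$1/result"; return 1 ;;
    esac
}

# Steps 2 and 4: start the release in the background, wait for its signal, then
# return so the pipeline can move on to the prompt stage.
wrapper() {
    release_child "$1" &
    IFS= read -r ready_msg < "$1/ready"
}

# Step 7: a later pipeline stage hands the user's code to the waiting release.
send_totp() { printf '%s\n' "$2" > "$1/otp"; }

# Demo run with a constructed code; in Jenkins, wrapper and send_totp would be
# separate pipeline steps.
demo_dir=$(make_rendezvous) || exit 1
wrapper "$demo_dir"
send_totp "$demo_dir" 123456
wait
cat "$demo_dir/result"
rm -rf "$demo_dir"
```

Because anything able to write to the `otp` FIFO can drive the publish step, the directory permissions are the access control here, and the receiving side validates the code format before using it.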

@not-an-aardvark
Member Author

Closing in favor of #27

@not-an-aardvark not-an-aardvark deleted the publish-separately branch September 28, 2018 00:19