chore: use signed commits when publishing packages through Lerna #653
fnesveda wants to merge 1 commit into
l2ysho left a comment
LGTM
My only concern is Lerna itself. We had a problem a few days ago with drift between the tag of a package and the real package version pushed to npm (#649: we were pointing to a version which did not exist), and I am not sure if this pipeline can now recover if lerna publish fails (a restart probably fails on pushing tags?). Maybe we can do the Lerna stuff first and then sign?
I think the workflow will be able to recover, because of the way
@B4nan if you could also take a look, I'd be glad. I think we'll need to use this approach in other repositories with Lerna, like Crawlee, so I'd like more eyes on this.
Do we really need this? I mean, lerna has
That means we'd have to have a signing key in the repo secrets, which could leak, and it would be pretty hard to track down if it did. This way we can push signed commits with an API token, which we can (and eventually will) generate through a GitHub app, so that it's temporary.
When publishing new versions of packages, Lerna doesn't sign the commit in which it bumps the versions. Once we enforce commit signing everywhere, this would break.
This PR fixes it by not pushing the commit created by the publication, but rather recreating it through the signed-commit action. It also merges the publication and changelog sync into one commit.
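The failure mode the description refers to (an unsigned version-bump commit being rejected once signing is enforced) can be caught before the push rather than at the remote. The following is an added example, not code from this PR or from Lerna: a small POSIX shell gate that reads git's own signature status for HEAD and refuses to continue unless the commit carries a good signature. It assumes only that `git` is on PATH; the demo repository and its commit message are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR or Lerna): refuse to proceed when the most
# recent commit, e.g. the commit Lerna creates when bumping versions, has no
# valid signature. Status codes come from git's %G? placeholder:
#   G = good signature, N = no signature, B = bad signature,
#   U/X/Y/R/E = other trust, expiry or verification states.

# commit_signature_status REPO_DIR -> prints the %G? code for HEAD
commit_signature_status() {
  git -C "$1" log -1 --format='%G?' HEAD
}

# require_signed_head REPO_DIR -> exit status 0 only for a good signature,
# so a release workflow can run this right before pushing the release commit.
require_signed_head() {
  status=$(commit_signature_status "$1")
  case "$status" in
    G) return 0 ;;
    *)
      echo "HEAD in $1 is not signed with a valid key (status: $status)" >&2
      return 1 ;;
  esac
}

# make_unsigned_demo_repo -> creates a throwaway repository holding one
# unsigned commit (constructed input, standing in for a Lerna bump commit)
# and prints its path.
make_unsigned_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false \
      commit -q --allow-empty -m "chore(release): publish (constructed)"
  echo "$dir"
}

# Usage: require_signed_head "$(pwd)" || exit 1
```

Placed as the last step before `git push` in the publish job, this turns a rejected push into an early, clearly labelled failure; with the signed-commit approach from the PR the recreated commit reports `G`, while a commit produced directly by Lerna reports `N`.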