-
-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automate publishing process via CI #668
Comments
@RodrigoSMarques It would be great if you could have a look into this, since you seem to be most familiar with the pub.dev publishing process. I am of course available to assist from the GitHub CI side. I think a good starting point would be to look at the parse-server workflows, specifically, the release flow. |
@mtrezza @RodrigoSMarques |
Some more information as I'm now home: Currently there is no recommended way to publish dart/Flutter packages to pub.dev automatically. The community uses the access and refresh token The options I see:
Some thinks the automation should do:
|
@fischerscode Thanks for the analysis. Yes, for now we'll publish manually until we found a feasible way to automate this. We should do a careful risk analysis regarding automated publishing and permission exposure. The risk is not only malicious intent by a single person, but maybe more accidental actions or compromised 3rd party accounts, because we cannot control how someone stores their own account credentials. @RodrigoSMarques Do you have a next release planned, where we can test how we coordinate a manual release? |
Maybe i can give some new information on stealing secrets from github actions as i already tried this myself to get a lost key back. First of it is not so easy as every secret used in github actions can not be simply printed. I only could get by echo it to a txt file and upload this text file somewhere. Maybe we there are ways of securing the access to the secrets by restricting the environment to branches (or maybe cleanup and restrict the branch creation all together) and then restrict the merging to these branches. |
We already use GitHub secrets for NPM and docker publishing token in other repos; we can assume the feature is safe as that is exactly what it's designed for. As I understand it, secrets are only accessible on the original repo branches, not on fork branches or PRs. We just have to be careful about what we merge, but that we have to be anyway. That is one of the reasons we changed the permission model in our repos and are now giving only a select few people write access to the repositories, where before, every org member had write access. |
Hi @mtrezza. How can I contact you so we can talk about releasing new versions of the package? Since Phil left the project we haven't published any updates, because I don't know how the process was defined. I believe that as the package is now publisher verified, you could invite me to publish the version. I await your contact. |
Maybe we can already set up the CI to automate the publishing in the future? Do you want to look into that and open a PR for a GitHub workflow? Feel free to contact me on Slack. |
Hi @mtrezza . I don't know if there is an option for automated deployment. My sugestion. Do the update manually and then try to automate. We have several bugs to be updated and as I have other projects, time is limited to check before the update. My sugestion. Do the update manually and then try to automate. We have several bugs to be updated and as I have other projects, time is limited to check before the update. In this issue we have the analysis about the deployment automation. |
Sure, @RodrigoSMarques I think we could give you temporary maintainer access if you would be willing to publish a release? Then we have more time to figure out how to automate this. |
@RodrigoSMarques Friendly ping in case you overlooked my previous comment. |
Good Morning. Add my email (my github username @gmail.com) to pub.dev and I'll be able to publish the new version of the package. He was involved in several personal projects. I will try to get back to support for this package. |
@mtrezza Friendly ping in case you overlooked my previous comment. |
I should be able to give you permissions later today, I'll ping you here. |
@RodrigoSMarques you've been granted publisher permission, please let me know if it works and thanks for your help to publish manually. To hopefully gather more interest in automating publishing, I've added a bounty label; @fischerscode you wrote a comprehensive analysis, would you want to take look and open a PR? |
@mtrezza I'll have a look at it. Do you think it would be best to publish to pub.dev once a new github release has been created or should we consider automatic github releases as well? We could consider creating automatic patches to update the dependencies. |
Amazing @fischerscode, we should add auto-release to this SDK as we are moving all repositories to auto-release. That means on each commit (depending on the commit message), a release will be automatically published. The auto-release mechanism is essentially the same as in the Parse JS SDK, but it comes with its own complexities, so I would break it into two PRs:
|
@mtrezza I've created PR #719. It addresses the first point. https://github.com/k-paxian/dart-package-publisher#accesstoken I assume you are one of the administrators of the publisher. So I think it would be best, if you would create the bot account. |
I could do that, but (as you wrote) we should focus on Nr. 1 first. |
@fischerscode That's amazing and amazingly quick! I will create a Google account for that and add the secrets so maybe we can even try that out with our next publishing. @RodrigoSMarques You may want to wait with manual publishing, so we try this out? |
We can wait to test. Who was having problems, now has a version to continue through the Fork |
Thanks for opening this issue!
|
Do I understand it correctly, that these 2 packages (dart, flutter) will always have the same version number? |
If that is really a limitation of pub.dev, then that seems like a flaw to me. It basically means that the CI we run is almost irrelevant, because the developers using the Parse Flutter SDK may be using other dependency versions which did not pass our CI. It defies the purpose of the lock file, which is there for exactly that reason. Yes, the caret means "no breaking change" upgrades, but any version upgrade (major, minor or patch) can potentially introduce a bug. That bug could be detected in our CI, but since we don't run the CI with these specific dependencies, we cannot know. Maybe we get in touch with pub.dev to inquire about this limitation? I guess in the meantime we can just publish with caret to finally test our the release process. |
You can download the code uploaded to pub.dev. It doesn't contain the lock file.
I don't think they will change how pub is working, I think the team of google really thought about what is a good behavior. Of course the approach of dynamically resolving the versions of the dependencies has a downside when it comes to the situation you described, but I think it is the best way they could have done it when they designed pub, since it allows the usage of irregularly updated packages while using patched nested dependencies. If you feel like it would be better for the overall concept of the parse-platform, we could also introduce
👍 |
Quick update: I'll do a test release in the coming days so we can verify the manual release mechanism. |
Test status:
Insights:
@fischerscode What do you think about the warning above? Do we need these 3 files checked in and published? Full log here. |
@mtrezza Sorry for the late response...
👍
Makes sens, forgot about that... Don't think there is a way around that. Since dry-run runs the test, as far as I know.
Maybe tag with
No priority, since it is only the example, but I think it would be best to remove them from the .gitignore, since it seems to be suggested. |
They are actually symlinks, so we won't check them in. The symlink that are currently checked in point to:
|
I managed to run https://github.com/parse-community/Parse-SDK-Flutter/actions/runs/2404786674 successfully in dry-run. II think we are good now to make a release. The GitHub Action will only publish the dart or flutter package if the local version is different from the currently published version, independently for each package. For example, if there has been only a change in the flutter package, it would publish only the flutter package, skipping the dart package. Releasing in this repository is currently a challenge, because this "monorepo" doesn't actually use a monorepo framework and requires creating manual GitHub releases. Probably the biggest confusion is caused when using a common version for both packages, as has been done until now. For example, for the next release ( So from hereon we'll separate release version and changelog per package. |
@fischerscode @RodrigoSMarques It seems we have successfully published flutter-3.1.1. Could you please check whether the published package is OK? The release process currently works like this:
Note:
Potential future improvements:
|
Looks good to me 🚀
When is the hash/link of the commit added? After a PR got merged?
Is it allowed for everyone having the permission to create a GitHub Release? |
Well, you are right, the changelog entry is usually auto-generated after the merge. As long as we're doing manual releases, we can simplify the changelog entry I guess and omit the commit hash.
Actually, this was more for self-documentation. Only the maintainer team can trigger releases, of which only org owners are members. GitHub doesn't provide a fine-grained permission model, so we are restricting write permissions for the moment. We are looking into making this more automated in the future. The process in this repo is currently as with other repos in the org:
|
@parse-community/flutter-sdk Does anyone know of a dart-specific framework that is used to manage mono-repositories? |
The firebase packages are managed by utilizing melos (docs). Since I found it (#668 (comment)) I've played a bit with it. And to be honest, it seems perfect for managing monorepos without much work. As a bonus it supports linking the packages using a "path"-dependency for development without changing the |
Does it generate a changelog as well? That is currently the most work for us when it comes to making a release. In the other framework we use across the org the changelog is created automatically from the commit messages. Edit: It does, as described in the docs. Does anyone want to create a PR to set this up? |
While having this document in mind, I propose the following release procedure. Procedure:
All names are of course only suggestions and can be changed. Considerations:
Advantages:
Disadvantages:
|
Yes
As we currently do it org wide; release an alpha version after each commit, once every month release a beta version with all changes in alpha, and a stable version with all changes in beta. We can probably skip the beta release here. The pre-releases should be separated by branch and follow our branch model: You can take a look at the Parse Server repo how this is managed; also how we manage the changelog there, as we have a separate alpha / beta / release changelog. You can also take a look at our current commit message syntax, also for reverting PRs. We are using the same syntax org wide, so melos must be compatible with it. |
At what stage are these issues? Is the problem solved? |
There is no problem, auto-release is not just added yet because it needs more investigation. We have auto-release processes in other repos, but not for a mono-repository as this one. We'll likely use the same framework that we use in the other repos, which supports mono-repos. Once we have the current manual release process fully working, we can take a look at this one. |
After some tests with mono-repo release using semantic-release, it seems quite a shaky endeavor. semantic release don't support mono-repos OOTB and doesn't plan on doing so anytime soon for strategic reasons. Extensions (multi-semantic-release, semantic-release-monorepo as at best hacks and show fundamental issues (ESM compatibility, semantic release-hacks, etc.). It may work well for mono-repos with one of these extensions, until it won't for some reason. Given that we are looking for a mono-repo solution not only for the Parse Flutter SDK, but use it as the default across repos, relying on such a fragile release processes is a risk we want to avoid. Let's take this opportunity to try out auto as an alternative solution. It seems to be well maintained, looking at the commit history, seems mature (10 years), has a large user and collaborator base, and brings mono-repo support OOTB. I'll do some testing. If viable, we may use it instead of semantic-release here to gain more experience with it before extending its use across other repos. |
sounds promising @mtrezza i can suggest to take a look to Turbo repo/Changeset ( combined with npm or yarn) https://turbo.build/repo/docs/handbook/publishing-packages/versioning-and-publishing it seems that |
@mtrezza Thanks. |
The current CD is not automated. I have to manually make the release and the PR author has to manually write the changelog. The points in the comment are still correct; for more details see the comments thereafter. Also related: parse-community/parse-server#7293. |
@mtrezza |
We are already publishing to pub.dev automated. Publishing is just 1 step of many others that we currently do manually. I need to create the release manually on GitHub and we need to write the changelog manually. This all should be automated. |
New Feature / Enhancement Checklist
Current Limitation
Currently, publishing a new version of the Parse Flutter SDK on pub.dev is done manually. This poses several issues:
Feature / Enhancement Description
Automate publishing process via GitHub CLI, analogous to, for example publishing parse-server on npm.
TODOs:
V
prefix!Example Use Case
n/a
Alternatives / Workarounds
n/a
3rd Party References
n/a
The text was updated successfully, but these errors were encountered: