I've never published npm artifacts before, but I imagine the hardest part
is getting the credentials set up, then it is probably very easy to set up
a GitHub Actions workflow to publish
<https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry>.
Who has done these releases in the past/has credentials for the npm
package? Maybe @Robert Bradshaw <rober...@google.com>? We will need a token
set up as a secret to automate this.

I'll also note that we don't do any TypeScript validation today, and it
would be nice to publish RCs as part of this.

On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett <aus...@apache.org> wrote:

> Hi Beam Devs,
>
> Calling out it looks like our release process for apache-beam for
> typescript/npm is broken, seemingly the last published release was 2.49.0
> about 9 months ago.  The other languages look like they are publishing to
> expected locations.
>
> https://www.npmjs.com/package/apache-beam
>
> I noticed this since I was digging into security concerns raised by
> GitHub's dependabot across our repos [ ex:
> https://github.com/apache/beam-starter-typescript/security/dependabot ], and
> towards getting our repos tidied.
>
> This leads me to believe we may want two distinct things:
> * update our release docs/process/scripts to ensure that we
> generate/publish all artifacts to relevant repositories.
> * Arrive at a process to more straightforwardly attend to security updates
> [ maybe we want these sent to dev list, or another distribution? ]
>
> From a very quick search, it did not look like we have scripts to push to
> npm.  That should be verified more thoroughly -- I haven't done a release
> before, so relevant scripts could be hiding elsewhere.
>
> Cheers,
> Austin
>
>
> NOTE:  everything with our main Beam repo specifically looks OK.  Some
> things discovered were on the other/supplementary repos, though I believe
> those are still worthwhile to attend to and support.
>
