Probably the easiest way for this to happen is for @Robert Bradshaw <rober...@google.com> to get the token set up as a secret (should be quick) and then Austin to take the workflow forward.
In the past to get secrets added, Infra has asked that I (a) email r...@apache.org with the secret name and secret contents, and (b) opened a JIRA to externally track progress - https://issues.apache.org/jira/browse/INFRA-25009 On Wed, Apr 17, 2024 at 11:24 AM Austin Bennett <aus...@apache.org> wrote: > I don't mind doing, esp. if nobody is eager to handle/prioritize the push > artifact in near-term. If I'm to do, let's connect off-list for > token/creds. > > Furthermore, I agree that getting RCs as part of the overall > release/validation process would be a nice addition. > > On Tue, Apr 16, 2024 at 2:43 PM Robert Bradshaw via dev < > dev@beam.apache.org> wrote: > >> Correct, I've just been pushing these manually, and lately there haven't >> been many changes to push. I'm all for getting these set up as part of the >> standard release process. >> >> On Tue, Apr 16, 2024 at 1:22 PM Danny McCormick < >> dannymccorm...@google.com> wrote: >> >>> I've never published npm artifacts before, but I imagine the hardest >>> part is getting the credentials set up, then it is probably very easy to >>> set up a GitHub Actions workflow to publish >>> <https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry>. >>> Who has done these releases in the past/has credentials for the npm >>> package? Maybe @Robert Bradshaw <rober...@google.com>? We will need a >>> token set up as a secret to automate this. >>> >>> I'll also note that we don't do any typescript validation today, and it >>> would be nice to publish RCs as part of this >>> >>> On Tue, Apr 16, 2024 at 4:11 PM Austin Bennett <aus...@apache.org> >>> wrote: >>> >>>> Hi Beam Devs, >>>> >>>> Calling out it looks like our release process for apache-beam for >>>> typescript/npm is broken, seemingly the last published release was 2.49.0 >>>> about 9 months ago. The other languages look like they are publishing to >>>> expected locations. >>>> >>>> https://www.npmjs.com/package/apache-beam >>>> >>>> I noticed this since I was digging into security concerns raised by >>>> GitHub's dependabot across our repos [ ex: >>>> https://github.com/apache/beam-starter-typescript/security/dependabot ], >>>> and >>>> towards getting our repos tidied. >>>> >>>> This leads me to believe we may want two distinct things: >>>> * update our release docs/process/scripts to ensure that we >>>> generate/publish all artifacts to relevant repositories. >>>> * Arrive at a process to more straightforwardly attend to security >>>> updates [ maybe we want these sent to dev list, or another distribution? ] >>>> >>>> From a very quick search, it did not look like we have scripts to push >>>> to npm. That should be verified more thoroughly -- i haven't done a >>>> release before, so relevant scripts could be hiding elsewhere. >>>> >>>> Cheers, >>>> Austin >>>> >>>> >>>> NOTE: everything with our main Beam repo specifically looks OK. Some >>>> things discovered were on the other/supplementary repos, though I believe >>>> those are still worthwhile to attend to and support. >>>> >>>
