Automated vs manual releases #121

Closed

Description

@jankapunkt

Hey @jorenvandeweyer @jwerre @Uzlopak @HappyZombies, with the recent developments regarding what happened with some repos and packages, we might want to rethink the level of automation of publishing.

The current open PR #117 would implement publishing to NPM when creating a new release on GitHub. This is very handy, since

  • it's less error-prone, as it directly reflects the release/tag/commit of a given branch
  • it can be done by project maintainers, without a gatekeeper

On the other hand:

  • there is no 2FA involved, so if a "malicious" collaborator gets into the project team and has rights to push and create releases, then the CI could automatically pick this up
  • restricting permissions on which members can make releases is the same gatekeeping as limiting who can publish to NPM, but without 2FA/OTP involved for the publishing.

How I see it:

Currently there are two publishers in the npm org, @HappyZombies and me, so we have at least a certain level of redundancy, as chances are high that one of us is available when it comes to publishing urgent security fixes.

On top of that, our accounts require a second factor for publishing, so no package is published without a TOTP provided, which is a pretty strong mechanism imo.

I would therefore propose that we remove the release.yml workflow, which automates the creation of a release in this repo, and manually create the release with the respective tag/commit.

However, this is just my view on things. What do you think?

Once this is resolved I am moving forward to publish the current state as 4.2.0.
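For reference, a middle ground between the automated workflow discussed above and fully manual publishing is to keep the GitHub-triggered publish job but gate it behind a protected environment with required reviewers, so a release created by any collaborator still needs an explicit approval from a designated maintainer before the token-based publish runs. The following is an added illustration written for this discussion, not the project's release.yml from PR #117; the environment name npm-publish, the secret name NPM_TOKEN, and the Node version are assumptions.

```yaml
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. In the repository settings, configure this
    # environment with "Required reviewers" so the job pauses until a
    # designated maintainer approves it; the automation token is only
    # exposed to jobs that reference the environment.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # required for npm provenance attestation
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance links the published tarball to this workflow run and
      # commit, so consumers can verify where the package was built.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

This does not restore the per-publish TOTP that a manual npm publish from a maintainer's account provides; the token stored in the repository is still the publishing credential, and a compromised reviewer account could approve a malicious release. What it adds is a second person in the loop and an auditable approval record in the workflow run, which addresses the "any collaborator with release rights can trigger a publish" concern raised above.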

Labels: discussion (Discussion about a particular topic), security (Address a security issue)