Gathering detailed insights and metrics for @semantic-release/git
Gathering detailed insights and metrics for @semantic-release/git
Gathering detailed insights and metrics for @semantic-release/git
Gathering detailed insights and metrics for @semantic-release/git
semantic-release-git-branches
A fork of @semantic-release/git that uses a more gitflow approach for releases
@semantic-release/changelog
semantic-release plugin to create or update a changelog file
cypress-wait-until
A waiting plugin for Cypress
semantic-release
Automated semver compliant package publishing
🔀 semantic-release plugin to commit release assets to the project's git repository
npm install @semantic-release/git
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
304 Stars
337 Commits
68 Forks
6 Watching
20 Branches
21 Contributors
Updated on 17 Nov 2024
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
9.6%
234,223
Compared to previous day
Last week
8%
1,226,930
Compared to previous week
Last month
24%
4,698,415
Compared to previous month
Last year
24.5%
41,961,031
Compared to previous year
1
semantic-release plugin to commit release assets to the project's git repository.
[!WARNING] You likely do not need this plugin to accomplish your goals with semantic-release.
Please consider our recommendation against making commits during your release to avoid unnecessary headaches.
Step | Description |
---|---|
verifyConditions | Verify the access to the remote Git repository, the commit message and the assets option configuration. |
prepare | Create a release commit, including configurable file assets. |
1$ npm install @semantic-release/git -D
The plugin can be configured in the semantic-release configuration file:
1{ 2 "plugins": [ 3 "@semantic-release/commit-analyzer", 4 "@semantic-release/release-notes-generator", 5 ["@semantic-release/git", { 6 "assets": ["dist/**/*.{js,css}", "docs", "package.json"], 7 "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" 8 }] 9 ] 10}
With this example, for each release a release commit will be pushed to the remote Git repository with:
chore(release): <version> [skip ci]\n\n<release notes>
.js
and .css
files in the dist
directory, the files in the docs
directory and the package.json
This plugin will, by default, create commit messages with the keyword [skip ci]
, so they won't trigger a new unnecessary CI build. If you are using semantic-release with multiple branches, when merging a branch with a head being a release commit, a CI job will be triggered on the target branch. Depending on the CI service that might create an unexpected behavior as the head of the target branch might be ignored by the build due to the [skip ci]
keyword.
To avoid any unexpected behavior we recommend to use the --no-ff
option when merging branches used by semantic-release.
Note: This concerns only merges done between two branches configured in the branches
option.
The Git user associated with the Git credentials has to be able to push commit to the release branch.
When configuring branches permission on a Git hosting service (e.g. GitHub protected branches, GitLab protected branches or Bitbucket branch permissions) it might be necessary to create a specific configuration in order to allow the semantic-release user to bypass global restrictions. For example on GitHub you can uncheck "Include administrators" and configure semantic-release to use an administrator user, so the plugin can push the release commit without requiring status checks and pull request reviews.
Variable | Description | Default |
---|---|---|
GIT_AUTHOR_NAME | The author name associated with the release commit. See Git environment variables. | @semantic-release-bot. |
GIT_AUTHOR_EMAIL | The author email associated with the release commit. See Git environment variables. | @semantic-release-bot email address. |
GIT_COMMITTER_NAME | The committer name associated with the release commit. See Git environment variables. | @semantic-release-bot. |
GIT_COMMITTER_EMAIL | The committer email associated with the release commit. See Git environment variables. | @semantic-release-bot email address. |
Options | Description | Default |
---|---|---|
message | The message for the release commit. See message. | chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes} |
assets | Files to include in the release commit. Set to false to disable adding files to the release commit. See assets. | ['CHANGELOG.md', 'package.json', 'package-lock.json', 'npm-shrinkwrap.json'] |
message
The message for the release commit is generated with Lodash template. The following variables are available:
Parameter | Description |
---|---|
branch | The branch from which the release is done. |
branch.name | The branch name. |
branch.type | The type of branch. |
branch.channel | The distribution channel on which to publish releases from this branch. |
branch.range | The range of semantic versions to support on this branch. |
branch.prerelease | The pre-release detonation to append to semantic versions released from this branch. |
lastRelease | Object with version , gitTag and gitHead of the last release. |
nextRelease | Object with version , gitTag , gitHead and notes of the release being done. |
Note: It is recommended to include [skip ci]
in the commit message to not trigger a new build. Some CI service support the [skip ci]
keyword only in the subject of the message.
message
examplesThe message
Release <%= nextRelease.version %> - <%= new Date().toLocaleDateString('en-US', {year: 'numeric', month: 'short', day: 'numeric', hour: 'numeric', minute: 'numeric' }) %> [skip ci]\n\n<%= nextRelease.notes %>
will generate the commit message:
Release v1.0.0 - Oct. 21, 2015 1:24 AM [skip ci]
## 1.0.0
### Features
* Generate 1.21 gigawatts of electricity
...
assets
Can be an Array
or a single entry. Each entry can be either:
Each entry in the assets
Array
is globbed individually. A glob can be a String
("dist/**/*.js"
or "dist/mylib.js"
) or an Array
of String
s that will be globbed together (["dist/**", "!**/*.css"]
).
If a directory is configured, all the files under this directory and its children will be included.
Note: If a file has a match in assets
it will be included even if it also has a match in .gitignore
.
assets
examples'dist/*.js'
: include all js
files in the dist
directory, but not in its sub-directories.
'dist/**/*.js'
: include all js
files in the dist
directory and its sub-directories.
[['dist', '!**/*.css']]
: include all files in the dist
directory and its sub-directories excluding the css
files.
[['dist', '!**/*.css'], 'package.json']
: include package.json
and all files in the dist
directory and its sub-directories excluding the css
files.
[['dist/**/*.{js,css}', '!**/*.min.*']]
: include all js
and css
files in the dist
directory and its sub-directories excluding the minified version.
When used with the @semantic-release/changelog or @semantic-release/npm plugins:
@semantic-release/git
and @semantic-release/npm plugins can include it in the release.package.json
file so the @semantic-release/git
plugin can include it in the release commit.1{ 2 "plugins": [ 3 "@semantic-release/commit-analyzer", 4 "@semantic-release/release-notes-generator", 5 "@semantic-release/changelog", 6 "@semantic-release/npm", 7 "@semantic-release/git" 8 ], 9}
Using GPG, you can sign and verify tags and commits. With GPG keys, the release tags and commits made by Semantic-release are verified and other people can trust that they were really were made by your account.
If you already have a GPG public and private key you can skip this step and go to the Get the GPG keys ID and the public key content step.
Download and install the GPG command line tools for your operating system.
Create a GPG key
1$ gpg --full-generate-key
At the prompt select the RSA and RSA
king of key, enter 4096
for the keysize, specify how long the key should be valid, enter yout name, the email associated with your Git hosted account and finally set a long and hard to guess passphrase.
Use the gpg --list-secret-keys --keyid-format LONG
command to list your GPG keys. From the list, copy the GPG key ID you just created.
1$ gpg --list-secret-keys --keyid-format LONG 2/Users/<user_home>/.gnupg/pubring.gpg 3--------------------------------------- 4sec rsa4096/XXXXXXXXXXXXXXXX 2017-12-01 [SC] 5uid <your_name> <your_email> 6ssb rsa4096/YYYYYYYYYYYYYYYY 2017-12-01 [E]
the GPG key ID is the 16 character string, on the sec
line, after rsa4096
. In this example, the GPG key ID is XXXXXXXXXXXXXXXX
.
Export the public key (replace XXXXXXXXXXXXXXXX with your key ID):
1$ gpg --armor --export XXXXXXXXXXXXXXXX
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----
In GitHub Settings, click on SSH and GPG keys in the sidebar, then on the New GPG Key button.
Paste the entire GPG key export previously and click the Add GPG Key button.
See Adding a new GPG key to your GitHub account for more details.
If you want to use this GPG to also sign the commits and tags you create on your local machine you can follow the instruction at Git Tools - Signing Your Work This step is optional and unrelated to Semantic-release.
Make the public and private GPG key available on the CI environment. Encrypt the keys, commit it to your repository and configure the CI environment to decrypt it.
Install the Travis CLI:
1$ gem install travis
Login to Travis with the CLI:
1$ travis login
Add the following environment variables to Travis:
GPG_PASSPHRASE
to Travis with the value set during the GPG keys generation stepGPG_KEY_ID
to Travis with the value of your GPG key ID retrieved during the GPG keys generation (replace XXXXXXXXXXXXXXXX with your key ID)GIT_EMAIL
with the email address you set during the GPG keys generation stepGIT_USERNAME
with the name you set during the GPG keys generation step1$ travis env set GPG_PASSPHRASE <gpg_passphrase> 2$ travis env set GPG_KEY_ID XXXXXXXXXXXXXXXX 3$ travis env set GIT_EMAIL <your_email> 4$ travis env set GIT_USERNAME <your_name>
From your repository root export your public and private GPG keys in the git_gpg_keys.asc
(replace XXXXXXXXXXXXXXXX with your key ID):
1$ gpg --export -a XXXXXXXXXXXXXXXX > git_gpg_keys.asc 2$ gpg --export-secret-key -a XXXXXXXXXXXXXXXX >> git_gpg_keys.asc
Encrypt the git_gpg_keys.asc
(public and private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:
1$ travis encrypt-file git_gpg_keys.asc
The travis encrypt-file
will encrypt the keys into the git_gpg_keys.asc.enc
file and output in the console the command to add to your .travis.yml
file. It should look like openssl aes-256-cbc -K $encrypted_AAAAAAAAAAAA_key -iv $encrypted_BBBBBBBBBBBB_iv -in git_gpg_keys.asc.enc -out git_gpg_keys.asc -d
.
Copy this command to your .travis.yml
file in the before_install
step. Change the output path to write the unencrypted key in /tmp
: -out git_gpg_keys.asc
=> /tmp/git_gpg_keys.asc
. This will avoid to commit / modify / delete the unencrypted keys by mistake on the CI. Then add the commands to decrypt the GPG keys and make it available to git
:
1before_install: 2 # Decrypt the git_gpg_keys.asc.enc key into /tmp/git_gpg_keys.asc 3 - openssl aes-256-cbc -K $encrypted_AAAAAAAAAAAA_key -iv $encrypted_BBBBBBBBBBBB_iv -in git_gpg_keys.asc.enc -out /tmp/git_gpg_keys.asc -d 4 # Make sure only the current user can read the keys 5 - chmod 600 /tmp/git_gpg_keys.asc 6 # Import the gpg key 7 - gpg --batch --yes --import /tmp/git_gpg_keys.asc 8 # Create a script to pass the passphrase to the gpg CLI called by git 9 - echo '/usr/bin/gpg2 --passphrase ${GPG_PASSPHRASE} --batch --no-tty "$@"' > /tmp/gpg-with-passphrase && chmod +x /tmp/gpg-with-passphrase 10 # Configure git to use the script that passes the passphrase 11 - git config gpg.program "/tmp/gpg-with-passphrase" 12 # Configure git to sign the commits and tags 13 - git config commit.gpgsign true 14 # Configure git to use your GPG key 15 - git config --global user.signingkey ${GPG_KEY_ID}
See Encrypting Files for more details.
Delete the local keys as it won't be used anymore:
1$ rm git_gpg_keys.asc
Commit the encrypted keys and the .travis.yml
file to your repository:
1$ git add git_gpg_keys.asc.enc .travis.yml 2$ git commit -m "ci(travis): Add the encrypted GPG keys" 3$ git push
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
all dependencies are pinned
Details
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
packaging workflow detected
Details
Reason
Found 1/3 approved changesets -- score normalized to 3
Reason
0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1
Reason
9 existing vulnerabilities detected
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More