Gathering detailed insights and metrics for semantic-release-npm-github
@auto-canary/npm
NPM publishing plugin for auto
scratch-semantic-release-config
semantic-release shareable configuration for Scratch
@semantic-release-monorepo/core
Apply semantic-release's automatic publishing to a monorepo
@auto-it/npm
NPM publishing plugin for auto
Shareable configuration for automated package publication to NPM and GitHub using semantic-release
npm install semantic-release-npm-github
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
MIT License
1 Stars
29 Commits
2 Watchers
2 Branches
2 Contributors
Updated on Jul 21, 2023
Latest Version
5.0.0
Package Id
semantic-release-npm-github@5.0.0
Unpacked Size
8.10 kB
Size
3.12 kB
File Count
4
NPM Version
9.8.1
Node Version
18.16.1
Published on
Jul 21, 2023
Shareable configuration for automated package publication to NPM and GitHub using semantic-release, tailored for OSS projects.
chore, docs, refactor and style changes in PATCH releases
package.json
semantic-release
```sh
npm install --save-dev semantic-release
npm install --save-dev semantic-release-npm-github
```
package.json file:

```json
{
  "extends": "semantic-release-npm-github",
  "branch": "main"
}
```
Once everything is installed, you can test your config with a dry run:
```sh
npx semantic-release --dry-run
```
What you'll probably want to do next is configure a GitHub workflow to run your tests and publish new versions automatically.
Here's an example workflow configuration that runs your tests and publishes a new version for new commits on the main branch:

```yaml
name: release
on:
  push:
    branches:
      - main

jobs:
  test:
    name: Run tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '>=14'
      - run: |
          npm ci
          npm test
        env:
          CI: true

  release:
    name: Publish release
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '>=14'
      # Run the package's build script if it defines one
      - run: |
          npm ci
          npm run build --if-present
        env:
          CI: true
      - run: npx semantic-release
        if: success()
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```
In addition, for this workflow to work correctly you have to generate an NPM authentication token and set it as the NPM_TOKEN secret in your GitHub repository.
If you're releasing from a GitHub protected branch, you need to change the git committer to an owner/admin and allow repo admins to bypass the branch protection (make sure "include administrators" is disabled in the branch protection rules).
If your repo is under an organisation, you can create a bot account and give it admin rights on the repo. If your repo is under a personal account, you have no choice but to make the repo owner the committer for the release.
Either way, you have to create a GitHub personal access token for the committer account and give it the "repo" access rights. Then set it as the GH_TOKEN secret in your GitHub repository.
Finally, make these two changes to your workflow:
```yaml
...
      - uses: actions/checkout@v2
        # Add this to commit with a different account than the one
        # used for checkout
        with:
          persist-credentials: false
...
      - run: npx semantic-release
        if: success()
        env:
          # Change the secret used here
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Add this to set the new committer for the release
          GIT_COMMITTER_NAME: admin-or-owner
          GIT_COMMITTER_EMAIL: associated-email@address.com
```

Note: GitHub secrets are not shared with forks and pull requests, so no one who doesn't have write access to your repo can use them.
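The Scorecard results further down this page list dependency pinning and workflow token permissions among their checks. As an added example (not part of the package's README and not Scorecard's own code), the following Node.js script applies checks of that kind, plus the `persist-credentials` setting discussed above, to a workflow constructed from the one shown; `auditWorkflow`, `SAMPLE_WORKFLOW` and the rule names are hypothetical.

```javascript
// Added example: line-based audit of a workflow file (not a YAML parser).
// SAMPLE_WORKFLOW is constructed from the release job shown above.
const SAMPLE_WORKFLOW = `name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '>=14'
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: \${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`;
const FULL_SHA = /^[0-9a-f]{40}$/; // a tag such as v2 can be moved; a commit SHA cannot
function auditWorkflow(text) {
  const findings = [];
  const steps = [];
  let permissionsDeclared = false;
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ''); // drop indented/trailing comments
    const uses = line.match(/^\s*(?:-\s+)?uses:\s*["']?([^\s"']+)/);
    if (uses) steps.push({ ref: uses[1], line: i + 1, persistOff: false });
    // Assumes `with:` follows `uses:` within a step, as in the page's workflow.
    if (/^\s*persist-credentials:\s*["']?false/.test(line) && steps.length)
      steps[steps.length - 1].persistOff = true;
    const perm = line.match(/^\s*permissions:\s*(\S*)/);
    if (perm) {
      permissionsDeclared = true;
      if (perm[1] === 'write-all') findings.push({ line: i + 1, rule: 'permissions-write-all' });
    }
  });
  if (!permissionsDeclared) findings.push({ line: 0, rule: 'no-permissions-block' });
  for (const s of steps) {
    if (s.ref.startsWith('./') || s.ref.startsWith('docker://')) continue; // not checked here
    const [name, version = ''] = s.ref.split('@');
    if (!FULL_SHA.test(version)) findings.push({ line: s.line, rule: 'action-not-pinned', ref: s.ref });
    if (name === 'actions/checkout' && !s.persistOff)
      findings.push({ line: s.line, rule: 'checkout-persists-credentials', ref: s.ref });
  }
  return findings;
}

console.log(auditWorkflow(SAMPLE_WORKFLOW));
```

A finding with `line: 0` applies to the file as a whole; the other findings carry the 1-based line of the `uses:` entry.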
No vulnerabilities found.
Reason: no dangerous workflow patterns detected
Reason: no binaries found in the repo
Reason: license file detected
Reason: dependency not pinned by hash detected -- score normalized to 3
Reason: Found 0/29 approved changesets -- score normalized to 0
Reason: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason: no SAST tool detected
Reason: detected GitHub workflow tokens with excessive permissions
Reason: no effort to earn an OpenSSF best practices badge detected
Reason: project is not fuzzed
Reason: security policy file not detected
Reason: Project has not signed or included provenance with any releases.
Reason: branch protection not enabled on development/release branches
Reason: 12 existing vulnerabilities detected
Score
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.