Gathering detailed insights and metrics for semantic-release-with-github-actions
Gathering detailed insights and metrics for semantic-release-with-github-actions
Installations
npm install semantic-release-with-github-actionsDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
12.16.1
NPM Version
6.14.3
Score
58.4
Supply Chain
72.9
Quality
74.9
Maintenance
100
Vulnerability
99.6
License
Contributors
2
Unable to fetch Contributors
Languages
1
JavaScript
JavaScript (100%)
Love this project? Help keep it running — sponsor us today! 🚀
Developer
zeke
Download Statistics
Total Downloads
648
Last Day
1
Last Week
2
Last Month
15
Last Year
95
GitHub Statistics
40 Stars
7 Commits
24 Forks
3 Watchers
11 Branches
2 Contributors
Updated on Oct 20, 2023
Bundle Size
177.00 B
Minified
145.00 B
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
1.1.0
Package Id
semantic-release-with-github-actions@1.1.0
Unpacked Size
3.24 kB
Size
1.52 kB
File Count
6
NPM Version
6.14.3
Node Version
12.16.1
Total Downloads
Cumulative downloads
Total Downloads
648
Last Day
0%
1
Compared to previous day
Last Week
-50%
2
Compared to previous week
Last Month
87.5%
15
Compared to previous month
Last Year
21.8%
95
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
2
Using semantic-release with GitHub Actions
This is a demo of how to automatically publish npm packages to the npm registry using GitHub Actions and
semantic-release.
Watch the demo at https://www.youtube.com/watch?v=rCXq86FOlzQ
What is semantic-release?
semantic-release automates the whole package release workflow including: determining the next version number, generating the release notes and publishing the package. This removes the immediate connection between human emotions and version numbers, strictly following the Semantic Versioning specification.
See https://github.com/semantic-release/semantic-release#how-does-it-work
What is GitHub Actions?
GitHub Actions is a code execution platform for doing CI/CD. It's similar to services like Travis CI or Circle CI, but it's built right into GitHub.
Read more at https://github.com/features/actions or what a short demo at https://www.youtube.com/watch?v=TwkAD_yljVw
Steps to set up Semantic Release on your GitHub repo
- Only allow squash merging of pull requests
- Install https://github.com/apps/semantic-pull-requests
- Create npm token using
npm token createor https://www.npmjs.com/settings - Add token to repo secrets as
NPM_TOKEN - Add release workflow file to
.github/workflows/release.yml - Set
versionto0.0.0-developmentin package.json -
npm i -D semantic-release - Use semantic commit messages
- Create a pull request
Example Workflow
1name: Release npm package 2 3on: 4 push: 5 branches: 6 - master 7 8jobs: 9 release: 10 name: Release 11 runs-on: ubuntu-latest 12 steps: 13 - uses: actions/checkout@master 14 - uses: actions/setup-node@v1 15 with: 16 node-version: "12.x" 17 - run: npm ci 18 - run: npm run build --if-present 19 - run: npm test 20 - run: npx semantic-release 21 env: 22 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 23 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
dependency not pinned by hash detected -- score normalized to 4
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/zeke/semantic-release-with-github-actions/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/zeke/semantic-release-with-github-actions/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/zeke/semantic-release-with-github-actions/test.yml/main?enable=pin
- Info: 0 out of 3 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
Found 1/7 approved changesets -- score normalized to 1
Reason
9 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
license file not detected
Details
- Warn: project does not have a license file
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 2 are checked with a SAST tool
Score
2.6
/10
Last Scanned on 2025-02-10
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More