@dreamhorizonorg/sentinel
Version:
Open-source, zero-dependency tool that blocks compromised packages BEFORE download. Built to counter supply chain and credential theft attacks like Shai-Hulud.
427 lines (331 loc) β’ 15.7 kB
Markdown
# Release Process Guide
This document explains how to release a new version of Sentinel Package Manager.
## π Pre-Release Checklist
Before releasing, ensure:
- [ ] All changes are committed and pushed to the main branch
- [ ] `CHANGELOG.md` has an "Unreleased" section with your changes (the script will auto-update it)
- [ ] `NPM_TOKEN` secret is configured in GitHub repository settings (Settings β Secrets β Actions)
- [ ] You're on the main branch and have latest changes pulled
## π Release Process
### Option 1: Using the Release Script (Recommended)
The easiest way to release:
```bash
# For patch release (1.0.0 β 1.0.1)
./scripts/release.sh patch
# For minor release (1.0.0 β 1.1.0)
./scripts/release.sh minor
# For major release (1.0.0 β 2.0.0)
./scripts/release.sh major
# For specific version
./scripts/release.sh 1.2.3
```
**What the script does automatically:**
1. Shows current version from package.json
2. Calculates new version (or uses specified version)
3. **Auto-updates CHANGELOG.md** (replaces "Unreleased" with dated version)
4. Asks for confirmation
5. Updates `package.json` version
6. Runs smoke tests locally
7. Commits both `package.json` and `CHANGELOG.md`
8. Creates an annotated git tag
9. Shows you the push commands
**Then push:**
```bash
git push && git push origin v1.0.0
```
### Option 2: Manual Release Process
If you prefer to do it manually (not recommended - script is easier):
#### Step 1: Update CHANGELOG.md
Move "Unreleased" section to a dated version:
```markdown
## [1.0.0] - 2024-12-02
### Added
- Your changes here
```
#### Step 2: Update package.json
```bash
# Edit package.json and change version to "1.0.0"
```
#### Step 3: Run Tests
```bash
npm run test:smoke
```
#### Step 4: Commit Changes
```bash
git add package.json CHANGELOG.md
git commit -m "chore: release v1.0.0"
```
#### Step 5: Create and Push Tag
```bash
# Create annotated tag
git tag -a v1.0.0 -m "Release v1.0.0"
# Push commit and tag
git push && git push origin v1.0.0
```
**Note**: The script automates all of this, so manual process is rarely needed.
## βοΈ What Happens Automatically
Once you push the tag, GitHub Actions workflow (`release.yml`) automatically:
1. **Security Checks**
- β
Verifies no package installations in workflows
- β
Confirms zero dependencies in package.json
- β
Checks no node_modules directory exists
- β
Validates package.json integrity
- β
Verifies npm token is valid
2. **Version Verification**
- β
Extracts version from tag
- β
Verifies version matches package.json
3. **Testing**
- β
Runs smoke tests
4. **Publishing**
- β
Runs npm publish dry-run (verifies package contents)
- β
Publishes to npm as `@dreamhorizonorg/sentinel@1.0.0`
5. **GitHub Release**
- β
Extracts changelog from CHANGELOG.md
- β
Creates GitHub release with:
- Release notes from changelog
- npm package link
- Installation instructions
- Links to documentation
## π Complete Release Flow
### Step-by-Step Process
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 1. PREPARE (Before Release) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β’ Add changes to CHANGELOG.md under "Unreleased" section β
β β’ Commit and push your code changes to main branch β
β β’ Ensure NPM_TOKEN is set in GitHub Secrets β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 2. RUN RELEASE SCRIPT (Local) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β $ ./scripts/release.sh patch β
β β
β Script automatically: β
β β
Calculates version (1.0.0 β 1.0.1) β
β β
Updates CHANGELOG.md (Unreleased β [1.0.1] - date) β
β β
Updates package.json version β
β β
Runs tests locally β
β β
Creates commit β
β β
Creates tag: v1.0.1 β
β β
β Output: "git push && git push origin v1.0.1" β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 3. PUSH TAG (Developer) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β $ git push && git push origin v1.0.1 β
β β
β This triggers release.yml workflow β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 4. GITHUB ACTIONS (Automatic) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β release.yml workflow runs: β
β β
β Security Checks: β
β β
No package installations in workflows β
β β
Zero dependencies verified β
β β
No node_modules directory β
β β
Package.json integrity check β
β β
β Verification: β
β β
Version matches package.json β
β β
β Testing: β
β β
Runs smoke tests β
β β
β Publishing: β
β β
Validates npm token β
β β
Dry-run publish (verifies contents) β
β β
Publishes to npm: @dreamhorizonorg/sentinel@1.0.1 β
β β
β Release: β
β β
Extracts changelog from CHANGELOG.md β
β β
Creates GitHub release with notes β
β β
Links npm package β GitHub release β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 5. DONE! β
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β’ Package published to npm β
β β’ GitHub release created β
β β’ Both are linked together β
β β’ Users can install: npm install -g @dreamhorizonorg/sentinelβ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
## π Verifying the Release
After the workflow completes:
1. **Check npm**: https://www.npmjs.com/package/@dreamhorizonorg/sentinel
- Verify the new version is published
- Check package contents
2. **Check GitHub Release**: https://github.com/dream-horizon-org/sentinel/releases
- Verify release is created
- Check release notes are correct
- Verify npm link works
3. **Test Installation**:
```bash
npm install -g @dreamhorizonorg/sentinel@1.0.0
sentinel --version
```
## π Troubleshooting
### Workflow Fails at Security Check
**Issue**: "Dependencies detected in package.json"
- **Solution**: Ensure package.json has no `dependencies` or `devDependencies` fields
**Issue**: "NPM_TOKEN is missing or invalid"
- **Solution**: Add `NPM_TOKEN` secret in GitHub repository settings (Settings β Secrets β Actions)
### Workflow Fails at Version Check
**Issue**: "Version mismatch"
- **Solution**: Ensure tag version (e.g., `v1.0.0`) matches package.json version (`1.0.0`)
### npm Publish Fails
**Issue**: "Package already exists"
- **Solution**: Version already published. Use a new version number.
**Issue**: "Authentication failed"
- **Solution**: Verify `NPM_TOKEN` has publish permissions for `@dreamhorizonorg` scope
## π Complete Example: Releasing v1.0.1
### Before Release
```bash
# 1. Make sure you're on main branch with latest changes
git checkout main
git pull origin main
# 2. Add your changes to CHANGELOG.md under "Unreleased"
# Edit CHANGELOG.md:
# ## [Unreleased]
#
# ### Added
# - New feature X
# - Bug fix Y
```
### Release Process
```bash
# 3. Run the release script
./scripts/release.sh patch
# Output you'll see:
# π¦ Current version: 1.0.0
# π New version: 1.0.1
# π Auto-updating CHANGELOG.md...
# β
Updated CHANGELOG.md: '## [1.0.1] - 2024-12-02'
# Continue with release? [y/N]: y
# π Updating package.json...
# π§ͺ Running tests...
# β
Tests passed
# π Committing version bump...
# π·οΈ Creating tag: v1.0.1
# β
Release prepared!
#
# Next steps:
# git push && git push origin v1.0.1
# 4. Push the tag (triggers GitHub Actions)
git push && git push origin v1.0.1
```
### After Push
```bash
# 5. Watch the workflow run (takes 2-5 minutes)
# Go to: https://github.com/dream-horizon-org/sentinel/actions
# Click on the latest "Release" workflow run
# 6. Verify the release completed:
# β
All security checks passed
# β
Tests passed
# β
Published to npm
# β
GitHub release created
# 7. Check the results:
# - npm: https://www.npmjs.com/package/@dreamhorizonorg/sentinel/v/1.0.1
# - GitHub: https://github.com/dream-horizon-org/sentinel/releases/tag/v1.0.1
# 8. Test installation:
npm install -g @dreamhorizonorg/sentinel@1.0.1
sentinel --version # Should show v1.0.1
```
## π Security Notes
- **Zero Dependencies**: The workflow verifies package.json has no dependencies
- **No Installations**: No `npm install`, `yarn install`, etc. ever runs
- **Multiple Checks**: Security checks run before every publish
- **Fail Fast**: Workflow stops immediately if any security check fails
- **Dry Run**: npm publish is tested with `--dry-run` before actual publish
- **Token Validation**: npm token is verified before publishing
## π― Key Points to Remember
1. **CHANGELOG.md**: Add your changes under "Unreleased" section BEFORE running the script
- The script will automatically replace "Unreleased" with the version and date
- You only need to write WHAT changed, not the version/date
2. **Version Format**:
- Tag format: `v1.0.1` (with 'v' prefix)
- package.json format: `1.0.1` (no 'v' prefix)
- Script handles this automatically
3. **Two-Step Process**:
- Step 1: Run script locally (prepares release)
- Step 2: Push tag (triggers GitHub Actions to publish)
4. **What's Automated**:
- β
Version calculation
- β
CHANGELOG.md date update
- β
package.json version update
- β
Test execution
- β
Commit creation
- β
Tag creation
- β
npm publishing
- β
GitHub release creation
5. **What's Manual**:
- Writing changelog content (what changed)
- Running the script
- Pushing the tag
## π§ͺ Testing the Release Process
### Option 1: Local Test Script (Recommended)
Test everything locally without creating tags or publishing:
```bash
# Test the release process locally
./scripts/release-test.sh patch
# This will:
# β
Test CHANGELOG.md update logic
# β
Test package.json version update
# β
Run all security checks
# β
Test npm publish dry run
# β
Verify version matching
# β Does NOT create commits or tags
# β Does NOT publish anything
```
### Option 2: GitHub Actions Test Workflow
Test the full workflow in GitHub Actions without publishing:
```bash
# 1. Create a test tag (starts with "test-v")
git tag -a test-v1.0.1 -m "Test release v1.0.1"
git push origin test-v1.0.1
# 2. Watch the "Release Test (Dry Run)" workflow run
# Go to: https://github.com/dream-horizon-org/sentinel/actions
# This will:
# β
Run all security checks
# β
Run tests
# β
Test npm publish dry run
# β
Generate release notes
# β Does NOT publish to npm
# β Does NOT create GitHub release
```
### Option 3: Manual Workflow Dispatch
Test via GitHub Actions UI:
1. Go to: Actions β "Release Test (Dry Run)" β "Run workflow"
2. Enter version: `1.0.1`
3. Click "Run workflow"
4. Watch it execute all checks without publishing
### What Gets Tested
- β
All security checks (zero dependencies, no node_modules, etc.)
- β
Version verification
- β
Package integrity
- β
Tests execution
- β
npm publish dry run (shows what would be published)
- β
Release notes generation
- β
Workflow logic
### Cleanup After Testing
```bash
# Delete test tag locally
git tag -d test-v1.0.1
# Delete test tag from remote
git push origin :refs/tags/test-v1.0.1
```
## π Related Files
- `.github/workflows/release.yml` - Release workflow definition
- `.github/workflows/release-test.yml` - Test workflow (no publish)
- `scripts/release.sh` - Release helper script
- `scripts/release-test.sh` - Test script (local, no publish)
- `CHANGELOG.md` - Changelog format
- `package.json` - Package metadata and version