Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate .env when run shipjs setup #911

Open
tyankatsu0105 opened this issue Jul 15, 2020 · 5 comments
Open

Generate .env when run shipjs setup #911

tyankatsu0105 opened this issue Jul 15, 2020 · 5 comments

Comments

@tyankatsu0105
Copy link
Contributor

tyankatsu0105 commented Jul 15, 2020
edited
Loading

Is your feature request related to a problem? Please describe.
When we run shipjs prepare at local, .env is needed.
But Shipjs's log when run command shipjs setup does not explain that thing.

Describe the solution you'd like
I want to propose two ways.

  • Generate .env when run npx shipjs setup
#======= Attention: Please don't commit this file =======

# Used when using the `shipjs prepare` command
GITHUB_TOKEN=<YOUR_GITHUB_TOKEN>
  • Include this text in log when finished shipjs setup:
    create .env file on project's root. The file used when run shipjs prepare

Describe alternatives you've considered

Additional context
If already exists .env, insert text to the file.
@kazupon
Copy link
Contributor

kazupon commented Jul 3, 2021
edited
Loading

In addition, I think that .npmignore should be mentioned in the docs.
https://community.algolia.com/shipjs/guide/getting-started.html#installation

In fact, I recently had an accidental npm publish of a GPT that I kept in .env.
I was able to revoke it as soon as I could, but the forked repo contained .npmignore, and the package.json.
If we mistakenly perceive files as using package.json, we'll make the same mistake I did.

@Haroenv
Copy link
Contributor

Haroenv commented Jul 5, 2021

I'm actually increasingly convinced that having a .env in the root of a package that you will publish is too risky, we have also published tokens by accident (by doing the publish on a local machine when CI failed), and that's a design we want to avoid! Either shipjs creates it, but also creates all files to be sure it's ignored, or we recommend passing the token as an environment variable only.

Did anyone do research on how other publish scripts solve this?

@eunjae-lee
Copy link
Contributor

having a .env in the root of a package that you will publish is too risky

I agree. Even though .env is excluded by .gitignore and .npmignore, unfortunately there is a chance that it's not excluded if using yarn v1:
yarnpkg/yarn#8332

Is it enough if shipjs setup creates .env and include it in .gitignore and .npmignore? It should be as long as you run shipjs trigger only on CI with all the tokens passed as environment variables (not present in the filesystem on the CI).

Open to hear your thoughts.

@tyankatsu0105
Copy link
Contributor Author

Umm.
If you don't think about generating the .env file, how do you think adding some messages when running shipjs setup, and shipjs prepare?

@eunjae-lee
Copy link
Contributor

Umm.
If you don't think about generating the .env file, how do you think adding some messages when running shipjs setup, and shipjs prepare?

We have this step in shipjs prepare:
https://github.com/algolia/shipjs/blob/12c21cefa20f0f35153c81e9a6fdd2ffdc369bac/packages/shipjs/src/step/checkGitHubToken.js#L6:L6

If I understand your intention correctly, you think it's a bit too late and you'd like to get the information at the time of shipjs setup. Right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kazupon @eunjae-lee @Haroenv @tyankatsu0105