Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Publish a lock file as part of GH releases

See original GitHub issue

Reasoning:

lock files are useful for reproducible builds and debugging
some people find lock files annoying, esp. when maintaining libraries

To get the best of both worlds, it would be nice to keep a lock file, but not make it a part of the repo nor a part of the npm published package.

So I’d suggest:

when creating a GH release
if there is a package-lock.json or an npm-shrinkwrap.json (or a yarn.lock?) - back it up
create an npm-shrinkwrap.json (incl. dev deps) and include as an artifact
restore the previous lock file (or delete, if none existed), so that other plugins are unaffected

I think it would be a good default, with an opt-out, but opt-in is probably also better than nothing. Not sure if there’s a way to have this as a recipe (if there is reluctance to have it built in)? Maybe create it in postpack?

Happy to PR, if an approach can be agreed.

Issue Analytics

State:
Created 5 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

pvdlgcommented, Feb 27, 2019

Thanks for the thorough explanations @dominykas!

I think your use case is not common enough to implement it as default behaviour in semantic-release. You can however achieve that with the current plugins:

Use @semantic-release/exec to generate your npm-shrinkwrap.json and move it in a temp folder
Use the the assets option of @semantic-release/github to add it to the GH release

0reactions

dominykascommented, Feb 27, 2019

Thanks, I understand. I was thinking of a wider application for reproducible build tooling, but I guess we’ll have to wait and see.

I’m also reluctant to tinker with plugins defaults (not sure why, just doesn’t feel comfortable, maybe cause so much of default functionality depends on that), but I haven’t looked at shared configs, so maybe there’s scope for easy setup that way.

Top Results From Across the Web

Github actions: Dependencies lock file is not found in runners ...

It seems it broke because the setup step ( Use Node.js ${{ matrix.node-version }} ) looked for those files at the repository root....

gh-release | Yarn - Package Manager

Uses the Github Releases API to create a new GitHub release. Defaults to using information from package.json and CHANGELOG.md . Supports uploading release...

File Locking - GitLab Documentation

When a file or directory is unlocked, the user is said to have “released the lock”. GitLab supports two different modes of file...

Yarn | Code Cookbook - Michael Currin - GitHub Pages

This section covers how to set up one or more target versions of Node and Yarn and ... name: Install dependencies run: yarn...

Release process - Pants build

Add the new file to pants.toml in the release_notes section. 0b. dev ...