Semantic Release for Elixir

Mix tasks for installing and running semantic-release (and the adapter plugin semantic-release-hex) in Elixir projects.

⚠️ WARNING

This is a pre-release version. As such, anything may change at any time, the public API should not be considered stable, and using a pinned version is recommended.

Disclaimer: Because semantic-release is written in JavaScript, this package will install Node.js in your _build/ folder upon running.

See the nodelix documentation for more information on how Node.js is installed.

Installation

gpg must be available in your PATH to verify the signature of Node.js releases.

The package can be installed by adding semantic_release to your list of dependencies in mix.exs:

def deps do
  [
    {:semantic_release, "1.0.0-alpha.4", only: :dev, runtime: false}
  ]
end

Configuration

You can list additional npm packages to be passed to the npm install command:

config :semantic_release,
  additional_packages: [
    "@semantic-release/changelog",
    "@semantic-release/git",
  ]

This can also be used to override automatically installed package versions:

config :semantic_release,
  additional_packages: [
    "semantic-release-hex@next",
    "@semantic-release/changelog",
    "@semantic-release/git",
  ]

Versioning

This project follows the principles of Semantic Versioning (SemVer).

NPM invalid attestations error

NPM fails to verify the attestations from semantic-release packages, causing the release process to fail.

2024-03-25T15:09:49.9528006Z 15:09:49.951 [debug] Downloading Node.js from https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz
2024-03-25T15:09:50.7355662Z 
2024-03-25T15:09:50.7363780Z 15:09:50.735 [debug] Downloading signed checksums from https://nodejs.org/dist/v20.10.0/SHASUMS256.txt.asc
2024-03-25T15:09:50.7681548Z 
2024-03-25T15:09:50.7682960Z 15:09:50.767 [debug] Downloading signing keys list from https://raw.githubusercontent.com/nodejs/release-keys/main/keys.list
2024-03-25T15:09:50.9979072Z 
2024-03-25T15:09:50.9982070Z 15:09:50.996 [debug] Using GPG to retrieve 25 missing signing keys
2024-03-25T15:10:19.6483008Z 
2024-03-25T15:10:19.6484197Z 15:10:19.648 [debug] Succesfully installed Node.js v20.10.0 in /home/runner/work/talent_ideal/talent_ideal/_build/dev/nodejs/versions/20.10.0
2024-03-25T15:10:19.6553033Z 
2024-03-25T15:10:19.6554193Z 15:10:19.654 [debug] Downloading Node.js from https://nodejs.org/dist/v20.10.0/node-v20.10.0-linux-x64.tar.gz
2024-03-25T15:10:20.1067303Z 
2024-03-25T15:10:20.1068691Z 15:10:20.106 [debug] Downloading signed checksums from https://nodejs.org/dist/v20.10.0/SHASUMS256.txt.asc
2024-03-25T15:10:20.1278833Z 
2024-03-25T15:10:20.1280271Z 15:10:20.127 [debug] Downloading signing keys list from https://raw.githubusercontent.com/nodejs/release-keys/main/keys.list
2024-03-25T15:10:22.9017627Z 
2024-03-25T15:10:22.9018753Z 15:10:22.901 [debug] Succesfully installed Node.js v20.10.0 in /home/runner/work/talent_ideal/talent_ideal/_build/dev/nodejs/versions/20.10.0
2024-03-25T15:10:22.9019791Z 
2024-03-25T15:10:22.9020615Z 15:10:22.901 [debug] Installing dependencies ...
2024-03-25T15:10:33.1896268Z 
2024-03-25T15:10:33.1897166Z 15:10:33.189 [debug] Auditing signatures ...
2024-03-25T15:10:40.0984440Z audited 540 packages in 6s
2024-03-25T15:10:40.0992251Z 
2024-03-25T15:10:40.0993813Z 535 packages have verified registry signatures
2024-03-25T15:10:40.0994556Z 
2024-03-25T15:10:40.0995166Z 55 packages have verified attestations
2024-03-25T15:10:40.0995737Z 
2024-03-25T15:10:40.0998206Z 5 packages have invalid attestations:
2024-03-25T15:10:40.0999032Z 
2024-03-25T15:10:40.1000156Z @semantic-release/[email protected] (https://registry.npmjs.org/)
2024-03-25T15:10:40.1001486Z @semantic-release/[email protected] (https://registry.npmjs.org/)
2024-03-25T15:10:40.1002613Z @semantic-release/[email protected] (https://registry.npmjs.org/)
2024-03-25T15:10:40.1004413Z @semantic-release/[email protected] (https://registry.npmjs.org/)
2024-03-25T15:10:40.1005369Z [email protected] (https://registry.npmjs.org/)
2024-03-25T15:10:40.1029019Z 
2024-03-25T15:10:40.1032537Z Someone might have tampered with these packages since they were published on the registry!
2024-03-25T15:10:40.1035416Z 
2024-03-25T15:10:40.1311908Z ** (Mix) `mix nodelix --version 20.10.0 --profile default /home/runner/work/talent_ideal/talent_ideal/_build/dev/nodejs/versions/20.10.0/bin/npm audit signatures --silent --prefix /home/runner/work/talent_ideal/talent_ideal/_build/dev/semantic_release` exited with 1
2024-03-25T15:10:40.1382914Z ##[error]Process completed with exit code 1.

As indicated on npm's website, updating the npm binary might solve the issue:

To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI. Please note this often means updating npm beyond the version that ships with Node.js.

talent-ideal / semantic_release Goto Github PK

semantic_release's Introduction

Semantic Release for Elixir

Installation

Configuration

Versioning

semantic_release's People

Contributors

Stargazers

semantic_release's Issues

NPM invalid attestations error

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent