From ee5d922dd7781bad0ba5bb5eecba45a2360dbe57 Mon Sep 17 00:00:00 2001 From: Talisson Costa Date: Thu, 25 Dec 2025 12:29:48 -0300 Subject: [PATCH 1/7] feat(release): add NPM publishing workflow and prepare for npm release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update package.json with NPM metadata (@flagsmith/backstage-plugin) - Add release workflow with PR previews (@next tag), GitHub Release trigger, and manual dispatch - Add NPM version badge to README - Extract PR comment script to scripts/comment-pr-preview.js Closes #6423 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- .github/workflows/release.yml | 185 ++++++++++++++++++++++++++++++++++ README.md | 2 + package.json | 19 +++- scripts/comment-pr-preview.js | 51 ++++++++++ 4 files changed, 255 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/release.yml create mode 100644 scripts/comment-pr-preview.js diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..3245b3f --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,185 @@ +name: Release + +on: + pull_request: + types: [opened, synchronize, reopened] + release: + types: [published] + workflow_dispatch: + inputs: + version: + description: 'Version bump type' + required: true + type: choice + options: + - patch + - minor + - major + +permissions: + contents: write + id-token: write + pull-requests: write + +jobs: + # Preview release on PRs - publishes to @next tag + preview: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + cache: 'yarn' + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: yarn install --frozen-lockfile + + - name: Run lint + run: yarn lint + + - name: TypeScript check + run: yarn tsc + + - name: Run tests + run: yarn test --ci + + - name: Build package + run: yarn build + + - name: Set preview version + id: version + run: | + # Get current version and create preview version with PR number and short SHA + CURRENT_VERSION=$(node -p "require('./package.json').version") + SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7) + PREVIEW_VERSION="${CURRENT_VERSION}-pr.${{ github.event.pull_request.number }}.${SHORT_SHA}" + echo "preview_version=$PREVIEW_VERSION" >> $GITHUB_OUTPUT + npm version "$PREVIEW_VERSION" --no-git-tag-version + + - name: Publish preview to NPM + run: npm publish --provenance --access public --tag next + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Comment on PR + uses: actions/github-script@v7 + env: + PREVIEW_VERSION: ${{ steps.version.outputs.preview_version }} + with: + script: | + const script = require('./scripts/comment-pr-preview.js'); + await script({ github, context }); + + # Publish on GitHub Release (manual release via UI) + publish-on-release: + if: github.event_name == 'release' + runs-on: ubuntu-latest + steps: + - name: Checkout code + 
uses: actions/checkout@v4 + with: + ref: ${{ github.event.release.tag_name }} + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + cache: 'yarn' + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: yarn install --frozen-lockfile + + - name: Run lint + run: yarn lint + + - name: TypeScript check + run: yarn tsc + + - name: Run tests + run: yarn test --ci + + - name: Build package + run: yarn build + + - name: Set version from tag + run: | + # Extract version from tag (removes 'v' prefix if present) + VERSION="${{ github.event.release.tag_name }}" + VERSION="${VERSION#v}" + npm version "$VERSION" --no-git-tag-version --allow-same-version + + - name: Publish to NPM + run: npm publish --provenance --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + # Production release - manual workflow trigger + release: + if: github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + cache: 'yarn' + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: yarn install --frozen-lockfile + + - name: Run lint + run: yarn lint + + - name: TypeScript check + run: yarn tsc + + - name: Run tests + run: yarn test --ci + + - name: Build package + run: yarn build + + - name: Configure Git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Bump version + id: version + run: | + NEW_VERSION=$(npm version ${{ inputs.version }} --no-git-tag-version) + echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT + + - name: Commit version bump + run: | + git add package.json + git commit -m "chore(release): ${{ steps.version.outputs.new_version }}" + git tag ${{ steps.version.outputs.new_version }} + + - 
name: Publish to NPM + run: npm publish --provenance --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Push changes + run: git push --follow-tags + + - name: Create GitHub Release + uses: softprops/action-gh-release@v2 + with: + tag_name: ${{ steps.version.outputs.new_version }} + generate_release_notes: true diff --git a/README.md b/README.md index a69f164..e53a59b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # Flagsmith Plugin for Backstage +[![npm version](https://badge.fury.io/js/%40flagsmith%2Fbackstage-plugin.svg)](https://www.npmjs.com/package/@flagsmith/backstage-plugin) + Integrate [Flagsmith](https://flagsmith.com) feature flags into your Backstage instance. ## Features diff --git a/package.json b/package.json index 5a5a587..8cce6d5 100644 --- a/package.json +++ b/package.json @@ -1,8 +1,23 @@ { - "name": "@internal/plugin-flagsmith", + "name": "@flagsmith/backstage-plugin", "version": "0.1.0", + "description": "Backstage plugin for Flagsmith feature flag management", "license": "Apache-2.0", - "private": true, + "repository": { + "type": "git", + "url": "https://github.com/Flagsmith/flagsmith-backstage-plugin.git" + }, + "homepage": "https://flagsmith.github.io/flagsmith-backstage-plugin/", + "bugs": { + "url": "https://github.com/Flagsmith/flagsmith-backstage-plugin/issues" + }, + "keywords": [ + "backstage", + "backstage-plugin", + "flagsmith", + "feature-flags", + "feature-toggles" + ], "main": "src/index.ts", "types": "src/index.ts", "publishConfig": { diff --git a/scripts/comment-pr-preview.js b/scripts/comment-pr-preview.js new file mode 100644 index 0000000..750bb8a --- /dev/null +++ b/scripts/comment-pr-preview.js 
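Review bot: In the publish-on-release job's `Set version from tag` step, `VERSION="${{ github.event.release.tag_name }}"` expands the release tag name straight into the shell script; git ref names may contain `;`, `$(`, `"` and `|`, so a crafted tag name executes as shell inside a job that holds `contents: write` and `NPM_TOKEN`. Pass the value through the environment instead: add `env:` / `TAG_NAME: ${{ github.event.release.tag_name }}` to the step and use `VERSION="${TAG_NAME#v}"` in the script. The checkout's `with: ref: ${{ github.event.release.tag_name }}` is a YAML value rather than a shell expansion, so that one is fine. Separately, the `preview` job runs `yarn install`, `yarn build` and the `npm publish` lifecycle scripts from the PR head with `NPM_TOKEN` present in the publish step, so any same-repo branch can publish arbitrary content under the `@next` dist-tag; that trade-off deserves a comment on the job at minimum.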
@@ -0,0 +1,51 @@
+/**
+ * Posts or updates a comment on a PR with NPM preview release information.
+ * Used by the release workflow to notify about preview versions.
+ *
+ * Expected environment variables:
+ * - PREVIEW_VERSION: The preview version that was published
+ *
+ * @param {object} github - GitHub API client from actions/github-script
+ * @param {object} context - GitHub Actions context
+ */
+module.exports = async ({ github, context }) => {
+ const version = process.env.PREVIEW_VERSION;
+
+ const body = `## 📦 NPM Preview Release
+
+A preview version has been published to NPM:
+
+\`\`\`bash
+yarn add @flagsmith/backstage-plugin@${version}
+# or
+yarn add @flagsmith/backstage-plugin@next
+\`\`\`
+
+This preview will be updated with each new commit to this PR.`;
+
+ const { data: comments } = await github.rest.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ });
+
+ const botComment = comments.find(
+ c => c.user.type === 'Bot' && c.body.includes('NPM Preview Release'),
+ );
+
+ if (botComment) {
+ await github.rest.issues.updateComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: botComment.id,
+ body,
+ });
+ } else {
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body,
+ });
+ }
+};
From 3135fb9322001d458e651936032f99cd40b0eea3 Mon Sep 17 00:00:00 2001 From: Talisson Costa Date: Tue, 27 Jan 2026 16:05:11 -0300 Subject: [PATCH 2/7] chore: add LICENSE and CHANGELOG for npm publishing - Add Apache-2.0 LICENSE file - Add CHANGELOG.md with initial 0.1.0 release notes Co-Authored-By: Claude Opus 4.5 --- CHANGELOG.md | 36 ++++++++++ LICENSE | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++ package.json | 5 +- 3 files changed, 230 insertions(+), 1 deletion(-) create mode 100644 CHANGELOG.md create mode 100644 LICENSE 
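Review bot: `github.rest.issues.listComments` returns only the first page (30 comments by default), so on a PR with more comments the earlier bot comment is not found and a duplicate is posted on every push; fetch every page with `const comments = await github.paginate(github.rest.issues.listComments, { owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number });`. `process.env.PREVIEW_VERSION` is read unchecked, so a missing step output produces an install line ending in `@undefined`; guard it with `if (!version) throw new Error('PREVIEW_VERSION is not set');` before `body` is built. The `c.user.type === 'Bot'` plus heading-text match is loose enough that another bot quoting "NPM Preview Release" would get its comment overwritten; embedding a hidden marker such as `<!-- npm-preview -->` in `body` and matching on that is more robust.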
diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..69b97fa --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,36 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [0.1.0] - 2025-01-27 + +### Added + +- Initial release of the Flagsmith Backstage plugin +- **FlagsTab** - Full-page feature flags view with: + - Searchable table with pagination (10/25/50/100 items per page) + - Environment status columns with toggle switches (up to 6 environments) + - Tags column with overflow indicator (+N for >3 tags) + - Expandable rows with detailed feature information + - Usage analytics chart per environment (last 30 days) + - Version info, ownership details, and scheduled changes indicators +- **FlagsmithOverviewCard** - Compact card showing flag statistics +- **FlagsmithUsageCard** - Usage metrics chart for the last 30 days +- Proxy-based API architecture for secure Flagsmith API access +- Support for Backstage new frontend system +- Comprehensive test coverage for hooks and utilities + +### Technical + +- `FlagsmithClient` - API client with lazy loading for feature details +- Shared components: `LoadingState`, `ErrorState`, `EmptyState`, `SearchInput`, `FlagsmithLink` +- Utility functions for date formatting, flag type detection, and pagination +- TypeScript strict mode compliance + +[Unreleased]: https://github.com/Flagsmith/flagsmith-backstage-plugin/compare/v0.1.0...HEAD +[0.1.0]: https://github.com/Flagsmith/flagsmith-backstage-plugin/releases/tag/v0.1.0 diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..edb2036 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to the Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + Copyright 2024 Flagsmith Ltd + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/package.json b/package.json index 8cce6d5..b374e14 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,10 @@ }, "backstage": { "role": "frontend-plugin", - "pluginId": "flagsmith" + "pluginId": "flagsmith", + "pluginPackages": [ + "@flagsmith/backstage-plugin" + ] }, "sideEffects": false, "scripts": { From 63ef880a2bf4a70c8c078262acd16073f7617633 Mon Sep 17 00:00:00 2001 From: Talisson Costa Date: Fri, 30 Jan 2026 08:58:44 -0300 Subject: [PATCH 3/7] refactor(ci): rename workflows to publish-preview and publish-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rename workflow files for better clarity and extract preview publishing into its own workflow. - Rename release.yml → publish-release.yml - Extract preview job into publish-preview.yml - Remove pull_request trigger from publish-release.yml - Update workflow display names to match Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/publish-preview.yml | 64 +++++++++++++++++++ .../{release.yml => publish-release.yml} | 58 +---------------- 2 files changed, 65 insertions(+), 57 deletions(-) create mode 100644 .github/workflows/publish-preview.yml rename .github/workflows/{release.yml => publish-release.yml} (64%) diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml new file mode 100644 index 0000000..9b956d7 
--- /dev/null +++ b/.github/workflows/publish-preview.yml @@ -0,0 +1,64 @@ +name: Publish Preview + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: write + id-token: write + pull-requests: write + +jobs: + preview: + name: Publish preview to NPM + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + cache: 'yarn' + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: yarn install --frozen-lockfile + + - name: Run lint + run: yarn lint + + - name: TypeScript check + run: yarn tsc + + - name: Run tests + run: yarn test --ci + + - name: Build package + run: yarn build + + - name: Set preview version + id: version + run: | + # Get current version and create preview version with PR number and short SHA + CURRENT_VERSION=$(node -p "require('./package.json').version") + SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7) + PREVIEW_VERSION="${CURRENT_VERSION}-pr.${{ github.event.pull_request.number }}.${SHORT_SHA}" + echo "preview_version=$PREVIEW_VERSION" >> $GITHUB_OUTPUT + npm version "$PREVIEW_VERSION" --no-git-tag-version + + - name: Publish preview to NPM + run: npm publish --provenance --access public --tag next + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Comment on PR + uses: actions/github-script@v7 + env: + PREVIEW_VERSION: ${{ steps.version.outputs.preview_version }} + with: + script: | + const script = require('./scripts/comment-pr-preview.js'); + await script({ github, context }); diff --git a/.github/workflows/release.yml b/.github/workflows/publish-release.yml similarity index 64% rename from .github/workflows/release.yml rename to .github/workflows/publish-release.yml index 3245b3f..57241a6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/publish-release.yml 
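Review bot: The top-level `permissions:` block grants `contents: write` although the only job checks out, publishes and comments; `contents: read` covers the checkout and `pull-requests: write` is all the comment step needs, so `contents: write` should be dropped. The larger concern is that this workflow runs on `pull_request` and executes `yarn install`, `yarn build` and then `npm publish` (whose lifecycle scripts come from the PR's own `package.json`) with `NPM_TOKEN` in the environment, so any same-repo branch can publish arbitrary code to the `@next` dist-tag; if previews stay, `--ignore-scripts` on the publish step and a protected environment with required reviewers would narrow that. Fork PRs receive no secrets under `pull_request`, so the publish step will simply fail for external contributors, which is worth a comment. `${{ github.event.pull_request.head.sha }}` and `.number` in the `run:` script are a hex SHA and an integer, so they are not an expression-injection vector.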
@@ -1,8 +1,6 @@ -name: Release +name: Publish Release on: - pull_request: - types: [opened, synchronize, reopened] release: types: [published] workflow_dispatch: @@ -22,60 +20,6 @@ permissions: pull-requests: write jobs: - # Preview release on PRs - publishes to @next tag - preview: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '22' - cache: 'yarn' - registry-url: 'https://registry.npmjs.org' - - - name: Install dependencies - run: yarn install --frozen-lockfile - - - name: Run lint - run: yarn lint - - - name: TypeScript check - run: yarn tsc - - - name: Run tests - run: yarn test --ci - - - name: Build package - run: yarn build - - - name: Set preview version - id: version - run: | - # Get current version and create preview version with PR number and short SHA - CURRENT_VERSION=$(node -p "require('./package.json').version") - SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7) - PREVIEW_VERSION="${CURRENT_VERSION}-pr.${{ github.event.pull_request.number }}.${SHORT_SHA}" - echo "preview_version=$PREVIEW_VERSION" >> $GITHUB_OUTPUT - npm version "$PREVIEW_VERSION" --no-git-tag-version - - - name: Publish preview to NPM - run: npm publish --provenance --access public --tag next - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - - name: Comment on PR - uses: actions/github-script@v7 - env: - PREVIEW_VERSION: ${{ steps.version.outputs.preview_version }} - with: - script: | - const script = require('./scripts/comment-pr-preview.js'); - await script({ github, context }); - # Publish on GitHub Release (manual release via UI) publish-on-release: if: github.event_name == 'release' From 7f4000367d61b7e6d767b718d6fd93b9780bdef3 Mon Sep 17 00:00:00 2001 
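Review bot: The first hunk removes the `pull_request` trigger and the second removes the only job that wrote to a PR, yet the workflow-level `permissions:` block still grants `pull-requests: write` (visible as context at the top of the second hunk); with no PR interaction left, that grant should be deleted, leaving `contents: write` for the release job's push and `id-token: write` for provenance. The `permissions:` block itself begins outside both hunks.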
From: Talisson Costa Date: Tue, 3 Feb 2026 10:54:06 -0300 Subject: [PATCH 4/7] feat(ci): use OIDC trusted publishing for production releases Remove NODE_AUTH_TOKEN from publish-release.yml to use NPM's trusted publishing (OIDC) for secure, tokenless authentication. - publish-release.yml: Uses OIDC (configured by @khvn26 on npmjs.com) - publish-preview.yml: Keeps NPM_TOKEN (OIDC doesn't support pull_request) Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/publish-release.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 57241a6..ba94de2 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -61,8 +61,6 @@ jobs: - name: Publish to NPM run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Production release - manual workflow trigger release: @@ -116,8 +114,6 @@ jobs: - name: Publish to NPM run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Push changes run: git push --follow-tags From 18278f026033ce6340c017d5cc6371fa60dbfd65 Mon Sep 17 00:00:00 2001 From: Talisson Costa Date: Tue, 3 Feb 2026 10:59:01 -0300 Subject: [PATCH 5/7] chore(ci): remove npm preview publishing Remove PR preview publishing - packages can be installed directly from git sources instead (e.g., yarn add github:Flagsmith/flagsmith-backstage-plugin#branch). This simplifies the CI setup and removes the need for NPM_TOKEN. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/publish-preview.yml | 64 --------------------------- scripts/comment-pr-preview.js | 51 --------------------- 2 files changed, 115 deletions(-) delete mode 100644 .github/workflows/publish-preview.yml delete mode 100644 scripts/comment-pr-preview.js diff --git a/.github/workflows/publish-preview.yml b/.github/workflows/publish-preview.yml deleted file mode 100644 index 9b956d7..0000000 
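Review bot: Dropping `NODE_AUTH_TOKEN` makes `npm publish --provenance` rely on npm's trusted publishing, which requires an npm CLI that supports it (11.5.1 or newer); `actions/setup-node` with `node-version: '22'` installs the npm bundled with that Node line, which may be older, so add `- run: npm install -g npm@latest` (or a pinned version) before the publish step in both jobs and note the requirement in a comment. The `registry-url` input still writes an `_authToken=${NODE_AUTH_TOKEN}` entry to `.npmrc`; confirm that the now-empty variable does not take precedence over the OIDC exchange, and comment the step so the token is not re-added later. Both hunks only remove lines, so the surrounding job steps lie outside them.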
--- a/.github/workflows/publish-preview.yml +++ /dev/null @@ -1,64 +0,0 @@ -name: Publish Preview - -on: - pull_request: - types: [opened, synchronize, reopened] - -permissions: - contents: write - id-token: write - pull-requests: write - -jobs: - preview: - name: Publish preview to NPM - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '22' - cache: 'yarn' - registry-url: 'https://registry.npmjs.org' - - - name: Install dependencies - run: yarn install --frozen-lockfile - - - name: Run lint - run: yarn lint - - - name: TypeScript check - run: yarn tsc - - - name: Run tests - run: yarn test --ci - - - name: Build package - run: yarn build - - - name: Set preview version - id: version - run: | - # Get current version and create preview version with PR number and short SHA - CURRENT_VERSION=$(node -p "require('./package.json').version") - SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7) - PREVIEW_VERSION="${CURRENT_VERSION}-pr.${{ github.event.pull_request.number }}.${SHORT_SHA}" - echo "preview_version=$PREVIEW_VERSION" >> $GITHUB_OUTPUT - npm version "$PREVIEW_VERSION" --no-git-tag-version - - - name: Publish preview to NPM - run: npm publish --provenance --access public --tag next - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - - name: Comment on PR - uses: actions/github-script@v7 - env: - PREVIEW_VERSION: ${{ steps.version.outputs.preview_version }} - with: - script: | - const script = require('./scripts/comment-pr-preview.js'); - await script({ github, context }); diff --git a/scripts/comment-pr-preview.js b/scripts/comment-pr-preview.js deleted file mode 100644 index 750bb8a..0000000 --- a/scripts/comment-pr-preview.js +++ /dev/null 
@@ -1,51 +0,0 @@
-/**
- * Posts or updates a comment on a PR with NPM preview release information.
- * Used by the release workflow to notify about preview versions.
- *
- * Expected environment variables:
- * - PREVIEW_VERSION: The preview version that was published
- *
- * @param {object} github - GitHub API client from actions/github-script
- * @param {object} context - GitHub Actions context
- */
-module.exports = async ({ github, context }) => {
- const version = process.env.PREVIEW_VERSION;
-
- const body = `## 📦 NPM Preview Release
-
-A preview version has been published to NPM:
-
-\`\`\`bash
-yarn add @flagsmith/backstage-plugin@${version}
-# or
-yarn add @flagsmith/backstage-plugin@next
-\`\`\`
-
-This preview will be updated with each new commit to this PR.`;
-
- const { data: comments } = await github.rest.issues.listComments({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: context.issue.number,
- });
-
- const botComment = comments.find(
- c => c.user.type === 'Bot' && c.body.includes('NPM Preview Release'),
- );
-
- if (botComment) {
- await github.rest.issues.updateComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- comment_id: botComment.id,
- body,
- });
- } else {
- await github.rest.issues.createComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: context.issue.number,
- body,
- });
- }
-};
From 454cd76593694052cc2aa20d5cf1c7e8b6168f4d Mon Sep 17 00:00:00 2001 
From: Talisson Costa Date: Tue, 3 Feb 2026 11:48:41 -0300 Subject: [PATCH 6/7] refactor(ci): adopt release-please pattern with secure publish Add release-please for automated release PR management and refactor publish-release.yml for better security: New: - release-please.yml: Creates/updates release PRs on main branch pushes Changes to publish-release.yml: - Trigger on tag push (v*) instead of release event - Separate build and publish jobs for OIDC security: - build: runs install/lint/test/build (no id-token permission) - publish: only downloads artifact and publishes (has id-token) - Keeps same filename to preserve npm OIDC configuration This follows the established Flagsmith pattern (flagsmith-js-client) and addresses security concerns about running build scripts with OIDC token access. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/publish-release.yml | 102 ++++++-------------------- .github/workflows/release-please.yml | 18 +++++ 2 files changed, 40 insertions(+), 80 deletions(-) create mode 100644 .github/workflows/release-please.yml diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index ba94de2..710c417 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
@@ -1,41 +1,23 @@ -name: Publish Release +name: Publish NPM Package on: - release: - types: [published] - workflow_dispatch: - inputs: - version: - description: 'Version bump type' - required: true - type: choice - options: - - patch - - minor - - major - -permissions: - contents: write - id-token: write - pull-requests: write + push: + tags: + - 'v*' jobs: - # Publish on GitHub Release (manual release via UI) - publish-on-release: - if: github.event_name == 'release' + # Build job - no id-token permission (security: isolate build from publish) + build: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - with: - ref: ${{ github.event.release.tag_name }} - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '22' cache: 'yarn' - registry-url: 'https://registry.npmjs.org' - name: Install dependencies run: yarn install --frozen-lockfile 
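Review bot: The workflow-level `permissions:` block is removed in this hunk but nothing replaces it, so the new `build` job runs with the repository's default GITHUB_TOKEN grant, which on older repositories is read/write. This is the job that executes `yarn install` (and with it any dependency lifecycle scripts), lint and tests, so it should be the least-privileged one; a workflow-level `permissions:` / `  contents: read` gives it read-only access while the `publish` job's own `id-token: write` block in the next hunk still overrides it. The `jobs:` mapping continues past the end of this hunk.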
@@ -52,74 +34,34 @@ jobs: - name: Build package run: yarn build - - name: Set version from tag - run: | - # Extract version from tag (removes 'v' prefix if present) - VERSION="${{ github.event.release.tag_name }}" - VERSION="${VERSION#v}" - npm version "$VERSION" --no-git-tag-version --allow-same-version - - - name: Publish to NPM - run: npm publish --provenance --access public + - name: Upload build artifact + uses: actions/upload-artifact@v4 + with: + name: dist + path: dist/ - # Production release - manual workflow trigger - release: - if: github.event_name == 'workflow_dispatch' + # Publish job - has id-token permission (isolated from build scripts) + publish: runs-on: ubuntu-latest + needs: build + permissions: + id-token: write + contents: read steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Download build artifact + uses: actions/download-artifact@v4 with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + name: dist + path: dist/ - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '22' - cache: 'yarn' registry-url: 'https://registry.npmjs.org' - - name: Install dependencies - run: yarn install --frozen-lockfile - - - name: Run lint - run: yarn lint - - - name: TypeScript check - run: yarn tsc - - - name: Run tests - run: yarn test --ci - - - name: Build package - run: yarn build - - - name: Configure Git - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - - - name: Bump version - id: version - run: | - NEW_VERSION=$(npm version ${{ inputs.version }} --no-git-tag-version) - echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT - - - name: Commit version bump - run: | - git add package.json - git commit -m "chore(release): ${{ steps.version.outputs.new_version }}" - git tag ${{ steps.version.outputs.new_version }} - - name: Publish to NPM run: npm publish --provenance --access public - - - name: Push changes - run: git push --follow-tags - - - 
name: Create GitHub Release - uses: softprops/action-gh-release@v2 - with: - tag_name: ${{ steps.version.outputs.new_version }} - generate_release_notes: true diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 0000000..968c75b --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,18 @@ +name: Update release PR + +on: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - uses: googleapis/release-please-action@v4 + with: + token: ${{ secrets.RELEASE_PLEASE_GITHUB_TOKEN }} From 490206171de0a0f281780db7c220d45867fb2937 Mon Sep 17 00:00:00 2001 From: Talisson Costa Date: Thu, 5 Feb 2026 08:52:31 -0300 Subject: [PATCH 7/7] chore(ci): add release-please config and remove implicit --provenance flag - Add release-please-config.json and .release-please-manifest.json - Remove --provenance flag (implied with trusted publishing) Co-Authored-By: Claude Opus 4.5 --- .github/workflows/publish-release.yml | 2 +- .release-please-manifest.json | 3 ++ release-please-config.json | 62 +++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 .release-please-manifest.json create mode 100644 release-please-config.json diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 710c417..a881f26 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -64,4 +64,4 @@ jobs: registry-url: 'https://registry.npmjs.org' - name: Publish to NPM - run: npm publish --provenance --access public + run: npm publish --access public diff --git a/.release-please-manifest.json b/.release-please-manifest.json new file mode 100644 index 0000000..466df71 --- /dev/null +++ b/.release-please-manifest.json @@ -0,0 +1,3 @@ +{ + ".": "0.1.0" +} 
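Review bot: The `Publish to NPM` step still lets `npm publish` run package.json lifecycle scripts (`prepublishOnly`, `prepack`, `prepare`, `postpublish`) inside the job that holds `id-token: write`, so the build/publish isolation this commit describes only holds if package.json defines none of them, which is not visible from here. Since `dist/` is already built by the `build` job, `run: npm publish --access public --ignore-scripts` closes that gap without changing the output. Separately, the removed `Set version from tag` step is not replaced by any consistency check, so a `v*` tag pushed to a commit whose package.json carries a different version publishes that other version; a guard step before publishing, `run: test "v$(node -p "require('./package.json').version")" = "$GITHUB_REF_NAME"`, makes a mismatched tag fail fast. The `build` job's earlier steps begin in the preceding hunk.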
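Review bot: The `token:` line in release-please.yml deserves a comment explaining why a PAT is used, because the natural "simplification" back to GITHUB_TOKEN would break the pipeline: tags and releases created with GITHUB_TOKEN do not trigger other workflows, so the `v*` push that starts publish-release.yml would silently stop firing. Suggested: `# Must be a PAT: tags/releases created with GITHUB_TOKEN do not trigger the publish workflow.`. With a PAT supplied, the workflow-level `contents: write` and `pull-requests: write` grants on GITHUB_TOKEN appear unused and could be reduced to `contents: read`, though the action may fall back to GITHUB_TOKEN if the secret is unset, so confirm that before tightening.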
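Review bot: Dropping `--provenance` relies on npm trusted publishing, but trusted publishing needs npm CLI 11.5.1 or later, and the `publish` job pins `node-version: '22'`, whose bundled npm is as far as I know a 10.x release, so this `npm publish` will most likely fail to obtain an OIDC credential rather than publish with implied provenance — worth confirming against a real run. Adding `- run: npm install -g npm@latest` after the setup-node step, or moving the publish job to a Node version that bundles npm 11, addresses it. The step's enclosing `publish` job is defined outside this hunk.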
diff --git a/release-please-config.json b/release-please-config.json new file mode 100644 index 0000000..38b5866 --- /dev/null +++ b/release-please-config.json @@ -0,0 +1,62 @@ +{ + "bootstrap-sha": "5dbd2ca2b52c34c3d25192b417d4773360888de5", + "packages": { + ".": { + "release-type": "node", + "changelog-path": "CHANGELOG.md", + "bump-minor-pre-major": false, + "bump-patch-for-minor-pre-major": false, + "draft": false, + "prerelease": false, + "include-component-in-tag": false + } + }, + "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "changelog-sections": [ + { + "type": "feat", + "hidden": false, + "section": "Features" + }, + { + "type": "fix", + "hidden": false, + "section": "Bug Fixes" + }, + { + "type": "ci", + "hidden": false, + "section": "CI" + }, + { + "type": "docs", + "hidden": false, + "section": "Docs" + }, + { + "type": "deps", + "hidden": false, + "section": "Dependency Updates" + }, + { + "type": "perf", + "hidden": false, + "section": "Performance Improvements" + }, + { + "type": "refactor", + "hidden": false, + "section": "Refactoring" + }, + { + "type": "test", + "hidden": false, + "section": "Tests" + }, + { + "type": "chore", + "hidden": false, + "section": "Other" + } + ] +}