Skip to content

feat: Add create-package-releases and upload-package-sboms- and verify-package#63

Open
Luca Forstner (lforst) wants to merge 7 commits into
mainfrom
lforst/js-changes
Open

feat: Add create-package-releases and upload-package-sboms- and verify-package#63
Luca Forstner (lforst) wants to merge 7 commits into
mainfrom
lforst/js-changes

Conversation

@lforst

Copy link
Copy Markdown
Member

Adds smaller units of work that are usable in the js repo.

Flow for the JS repo would be:

  • Start publish workflow with specific commit SHA as input
  • The sha is checked out
  • An unprivileged job: Finds package versions not on npm yet, writes a manifest with those packages and versions, packs the packages productin .tgz files alongside SBOMs and uploads those as artifacts.
  • The release/packages are posted to Slack and we wait for release gate approval
  • After approval, the publish job downloads the pre-built artifacts, verifies attestations (so that we know they have not been tampered with), publishes the .tgz files to npm, pushes package tags based on changesets, creates a github release per package tag, attaches the SBOMs to the github releases, comments on issues closed by the releases

The JS SDK side of things is tracked in this PR: braintrustdata/braintrust-sdk-javascript#2216

Base automatically changed from release_custom_build_actions to main July 13, 2026 17:44

@delner David Elner (delner) left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding some of these actions are fine, but I recommend we make some structural changes to them before adopting them as a part of the "public API" of our action library.

@@ -0,0 +1,26 @@
name: Verify Release Package Attestations

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't look like this is actually used in braintrustdata/braintrust-sdk-javascript#2216 : can we remove this action?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I must have lost it. We theoretically should, otherwise we cannot guarantee that the artifacts have been tampered with after uploading as artifacts right?

node-version: 'lts/*'
registry-url: https://registry.npmjs.org

- name: Install npm with OIDC trusted publishing support

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we extract this to steps/lang/js/npm/setup? Seems generic enough: don't want to have to manage this version multiple places, and it probably should be configurable.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would quite honestly not use an action as a primitive that sets up npm. That operation has already way too many primitives in the ecosystem. As it stands, I find this is beautifully self-contained.

shell: bash
run: npm install -g "npm@11.6.2"

- name: Publish tarballs in manifest order

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could consider moving this to its own step if you think it's worth readability, but otherwise I think this can stay here.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine, don't wanna unnecessarily make things generic.


<%= render_step('slack/send', text: "${{ steps.message-published.outputs.text }}") %>

- name: Build failure Slack message

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not reuse steps/release/lang/js/on-failure for this?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

steps/release/lang/js/on-failure combines two things: lang/js/env-dump and release/notify-failure

  • env-dump is a bit pointless in a monorepo, and a bit pointless in general I think. The information it prints is irrelevant to publishing.
  • release/notify-failure is problematic for a few reasons:
    • In the flow I came up with, GH releases and tags are done after publishing the tarballs. release/notify-failure wants a tag.
    • release/notify-failure wants one tag while in the monorepo we have multiple tags.

@param clobber [String] whether to overwrite existing assets
@param dry_run [String] whether to only print planned uploads
-%>
- name: Upload package SBOMs to GitHub releases

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we use this in multiple actions or have immediate intent to? If not, I think we should fold this into the upload-package-sboms action as its not reused.

@@ -0,0 +1,55 @@
name: Upload Package SBOMs to GitHub Releases
description: >
Attach package SBOM assets to package GitHub releases from a release manifest. This

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not fold this into create-package-releases? Is SBOM supposed to be severable? (I'd think not.)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly dunno. I haven't played with SBOM too much but if there is a case where SBOM creation is not possible we wouldn't be stuck. But I can do it for now 👍

artifact_base="${name#@}"
artifact_base="${artifact_base//\//-}"
artifact_base="${artifact_base//@/-}"
expected="${sbom_asset:-$artifact_base-$version.sbom.json}"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be better if we explicitly required an SBOM asset here instead of guess at a derivation. The convention is hidden and looks npm-ish which doesn't fit well with making this a language agnostic behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants