feat: migrate to Craft #1232
- Remove @changesets/cli and @svitejs/changesets-changelog-github-compact
- Remove changeset:add, changeset:consume, changeset:publish scripts
- Delete prepare-publish.yml workflow

- Add .craft.yml with auto versioning and changelog generation
- Add scripts/bump-version.sh to update package versions
- Add .github/release.yml for conventional commit changelog categories

Craft will automatically determine version bumps from conventional commits (feat: → minor, fix: → patch, feat!: → major).

- Update build.yml to trigger on release/** branches
- Add release.yml using Craft's reusable release workflow
- Update publish.yml to trigger on changelog changes
- Add changelog-preview.yml for PR changelog comments

- Update changesets.mdx to explain conventional commits
- Update releases.mdx to document new Craft release process
Semver Impact of This PR: 🟡 Minor (new features)

📋 Changelog Preview. This is how your changes will appear in the changelog.

New Features ✨
Bug Fixes 🐛: Ui, Other
Documentation 📚: Website, Other
Build / dependencies / internal 🔧: Other

🤖 This preview updates automatically when you update the PR.
| name: Preview Changelog | ||
| uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 | ||
| secrets: inherit |
Check warning. Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago):
To fix the problem, add an explicit permissions block that restricts the default GITHUB_TOKEN access for this workflow. Because this workflow is only orchestrating a reusable workflow and does not itself perform any direct repository mutations, a safe and conservative default is contents: read. This adheres to the principle of least privilege while still allowing typical read operations (like fetching code) if needed by the reusable workflow.
The best way to fix this without changing existing functionality is:
- Add a `permissions` block at the root level of `.github/workflows/changelog-preview.yml`, alongside `name` and `on`, so that it applies to all jobs in the workflow (including the `changelog-preview` job).
- Set `contents: read` as the minimal permission. If the reusable workflow needs additional scopes (for example, `pull-requests: write`), those should be added there, but we will not assume extra needs beyond `contents: read` since we cannot see the implementation of the reusable workflow and we must avoid altering behavior more than necessary.

Concretely:

- In `.github/workflows/changelog-preview.yml`, after the `name: Changelog Preview` line, insert:

  permissions:
    contents: read

No imports or additional methods are required, as this is a YAML configuration change only.
| @@ -3,6 +3,8 @@ | ||
| # https://getsentry.github.io/craft/ | ||
|
|
||
| name: Changelog Preview | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, edited, labeled, unlabeled] |
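Review bot: `contents: read` on its own is likely too restrictive for this caller. The caller's `permissions` block caps what the reusable workflow at `getsentry/craft/.github/workflows/changelog-preview.yml@v2` can do (a called workflow can only downgrade the token it receives, never elevate it), and the PR description says this workflow exists to post changelog comments on PRs, which needs `pull-requests: write`. Suggest checking the reusable workflow's documented requirements and declaring them explicitly, e.g. `permissions:` / `  contents: read` / `  pull-requests: write`, rather than merging the autofix as-is and discovering the comment step fails with a 403.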
| name: Prepare Release | ||
| uses: getsentry/craft/.github/workflows/release.yml@v2 | ||
| with: | ||
| version: ${{ inputs.version || 'auto' }} | ||
| force: ${{ inputs.force }} | ||
| secrets: inherit |
Check warning. Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 13 hours ago):
In general, the fix is to define an explicit permissions: block that limits the GITHUB_TOKEN to the least privileges required. This can be set at the workflow root (applies to all jobs unless overridden) or for the specific job. Since this workflow only defines one job, adding a root-level permissions: block is simple and avoids changing behavior of the reusable workflow beyond constraining the token permissions.
The best minimal, non-breaking change is to add a workflow-level permissions: block immediately after the name: Release line. If we are unsure exactly which fine-grained permissions the reusable workflow needs, a conservative and still significantly safer default is contents: read, which is GitHub’s recommended minimal baseline. If later we discover that the reusable workflow requires additional scopes (e.g., contents: write, pull-requests: write), those can be added explicitly. For now, we will follow the CodeQL suggestion to define an explicit minimal starting point and use contents: read.
Concretely, edit `.github/workflows/release.yml` and insert:

  permissions:
    contents: read

between the existing `name: Release` line and the `on:` block. No imports or additional definitions are needed since this is pure YAML configuration.
| @@ -2,6 +2,8 @@ | ||
| # https://getsentry.github.io/craft/ | ||
|
|
||
| name: Release | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
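Review bot: before accepting `contents: read` here, confirm what `getsentry/craft/.github/workflows/release.yml@v2` actually needs from the caller's token. The caller's block caps the reusable workflow's `GITHUB_TOKEN`, and the PR description says this step runs `craft prepare`, which creates a release branch and a publish issue; with only `contents: read` that would need the reusable workflow to authenticate with its own bot token passed via `secrets: inherit` (which is what the reviewer's pointer to the sentry-wizard release workflow suggests). Either document that the release bot token is what does the writes, or declare `contents: write` and `issues: write` explicitly; silently relying on the default token scopes is what CodeQL is flagging.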
- Update .craft.yml with proper npm and github targets
- Simplify publish.yml to only handle Docker and Electron
- NPM publishing and GitHub releases now handled by getsentry/publish
- Trigger post-release workflow on release:published event

The release flow is now:
1. release.yml -> craft prepare -> creates publish issue
2. getsentry/publish -> craft publish -> npm + GitHub release
3. publish.yml -> Docker tagging + Electron signing
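A small check for the CodeQL finding raised twice above (an added example, not code from this PR, from Craft or from CodeQL): it reports the jobs of a GitHub Actions workflow that run with the default `GITHUB_TOKEN` scopes because neither the workflow root nor the job itself declares `permissions:`. The sample workflows are constructed; the parsing is line-based so it runs without PyYAML and assumes the usual 2-space indentation.

```python
import re

# Matches a top-level key ("name:", "on:", "permissions:", "jobs:"), a job name
# nested under "jobs:" (2 spaces), and a field inside a job (4 spaces).
# Assumes 2-space indentation, which is the convention GitHub's examples use.
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):")
JOB_FIELD = re.compile(r"^    ([A-Za-z_][\w-]*):")

def missing_permissions(workflow_text):
    """Return the names of jobs that would run with the default token scopes.
    An empty list means every job is covered by a root-level or per-job block."""
    root_perms = False
    jobs = {}            # job name -> job declares its own permissions block
    section = None
    current_job = None
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = TOP_KEY.match(line)
        if m:
            section = m.group(1)
            current_job = None
            if section == "permissions":   # scalar or mapping form both count
                root_perms = True
            continue
        if section != "jobs":
            continue
        m = JOB_KEY.match(line)
        if m:
            current_job = m.group(1)
            jobs[current_job] = False
            continue
        m = JOB_FIELD.match(line)
        if m and current_job and m.group(1) == "permissions":
            jobs[current_job] = True
    if root_perms:
        return []
    return [name for name, declared in jobs.items() if not declared]

# Constructed sample with the shape of the flagged caller workflow (no permissions).
FLAGGED = """name: Changelog Preview
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  changelog-preview:
    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
    secrets: inherit
"""
# Same workflow with an explicit root-level block (scopes chosen for the example).
FIXED = FLAGGED.replace("on:\n", "permissions:\n  contents: read\n  pull-requests: write\non:\n", 1)
```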
BYK left a comment:
Nice! Follow up:
- Also remove that annoying PR template please
- Me to do NPM org/token shenanigans
Explains how the Craft + getsentry/publish release flow works, including the Post-Release workflow for Docker and Electron.
- Introduced a new GitHub Actions workflow for building the Electron app on macOS.
- Added steps for setting up dependencies, downloading the Electron build, and validating the build files.
- Implemented storage of Electron binaries as artifacts for future use.
- Updated the .craft.yml to include tagging for Electron binaries in the release process.
- Removed the obsolete post-release workflow file.
BYK left a comment:
| uses: getsentry/craft/.github/workflows/release.yml@v2 | ||
| with: | ||
| version: ${{ inputs.version }} | ||
| force: ${{ inputs.force }} | ||
| secrets: inherit |
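Review bot: `version: ${{ inputs.version }}` passes an empty string to the reusable workflow when the `workflow_dispatch` input is left blank; the earlier revision of this same job used `${{ inputs.version || 'auto' }}`. Either restore that fallback or give the dispatch input `default: auto`, and document which of the two Craft's release workflow expects, so an empty value does not silently select a different versioning path.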
We need the release to be done by the release bot and the way to use that is like here: https://github.com/getsentry/sentry-wizard/blob/3c21d283fbfc5ce72cac137022102e911a86a290/.github/workflows/release.yml
Do we really need this file?
| - name: docker | ||
| source: ghcr.io/getsentry/spotlight | ||
| target: ghcr.io/getsentry/spotlight |
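Review bot: `source` and `target` point at the same image (`ghcr.io/getsentry/spotlight`), so the only observable effect of this target would be re-pushing the already-built image under the release tag; the PR description also lists Docker tagging as publish.yml's job (step 3 of the new flow), so this looks like a duplicate path. Add a comment stating the intent, or drop the target if publish.yml already covers it, so reviewers do not have to guess which workflow owns the Docker tags.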
Not sure what this is supposed to do?
FYI I added the
This PR migrates our release management from Changesets to Craft, Sentry's release tool.
Why Craft?
Changes
Removed
- `@changesets/cli` and `@svitejs/changesets-changelog-github-compact` dependencies (`package.json`)
- `prepare-publish.yml` workflow

Added
- `.craft.yml` - Craft configuration with auto versioning and npm/github targets
- `scripts/bump-version.sh` - Version bump script called by Craft
- `.github/release.yml` - Changelog categories for conventional commits
- `.github/workflows/release.yml` - Craft release workflow
- `.github/workflows/changelog-preview.yml` - PR changelog previews

Updated
- `.github/workflows/build.yml` - Trigger on release/** branches
- `.github/workflows/publish.yml` - Trigger on changelog changes instead of changeset commit messages

New Release Flow
Tested locally:
