CONTRIBUTING.md
Lines changed: 19 additions & 24 deletions
@@ -50,8 +50,7 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
50
50
51
51
#### Manually testing for vulnerabilities
52
52
53
-
We have a script to scan a given PR for vulnerabilities, this will
54
-
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
53
+
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
55
54
56
55
<imgwidth="480"alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected"src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
57
56
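Review bot: the rewritten sentence on the `+` line still tells contributors to create a PAT with `repo` permissions without stating the minimum scope or an expiry, even though the screenshot alt text below it shows a 30-day token. On a classic PAT the `repo` scope grants read/write access to every repository the user can reach, so consider spelling this out: "use `public_repo` unless you are scanning a private repository, and set a short expiration (the screenshot uses 30 days)". That keeps a token created only for local testing from becoming a long-lived, over-scoped credential.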
@@ -106,38 +105,34 @@ Here are a few things you can do that will increase the likelihood of your pull
106
105
107
106
_Note: these instructions are for maintainers_
108
107
109
-
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
110
-
1. Update the dist files by running `npm run build` and `npm run package`
1. Make sure that the `Publish this Action to the GitHub Marketplace`
115
-
checkbox is enabled
108
+
- Create a local branch based on the `main` of the upstream repo.
109
+
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
110
+
- Update the dist files by running `npm run build` and `npm run package`
111
+
- Go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
112
+
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled
116
113
117
114
<imgwidth="481"alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked"src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
118
115
119
-
3. Click "Choose a tag" and then "Create new tag", where the tag name
120
-
will be your version prefixed by a `v` (e.g. `v1.2.3`).
121
-
4. Use a version number for the release title (e.g. "1.2.3").
116
+
- Click "Choose a tag" and then "Create new tag", where the tag name
117
+
will be your version prefixed by a `v` (e.g. `v1.2.3`).
118
+
- Use a version number for the release title (e.g. "1.2.3").
122
119
123
120
<imgwidth="700"alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish"src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
124
121
125
-
5. Add your release notes. If this is a major version make sure to
126
-
include a small description of the biggest changes in the new version.
127
-
6. Click "Publish Release".
122
+
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
123
+
- Click "Publish Release".
128
124
129
-
You now have a tag and release using the semver version you used
130
-
above. The last remaining thing to do is to move the dynamic version
131
-
identifier to match the current SHA. This allows users to adopt a
132
-
major version number (e.g. `v1`) in their workflows while
133
-
automatically getting all the
134
-
minor/patch updates.
125
+
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.
135
126
136
-
To do this just checkout `main`, force-create a new annotated tag, and push it:
127
+
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.
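Review bot: the removed line "To do this just checkout `main`, force-create a new annotated tag, and push it:" carried the concrete command for moving the major version pointer, but the new paragraph that replaces it only explains why a branch is now used and, within this hunk, gives maintainers no replacement steps. Please add them here (the branch name convention, e.g. `v4`, and that it is updated by a fast-forward push rather than a force push), and consider noting that the major version branch should be protected against force pushes and deletion, since every workflow that pins `v4` resolves to wherever that branch points. Minor style point: the steps changed from `1.` to `-`, which drops the numbering from what is still an ordered procedure.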