DoctorMcKay/node-steam-tradeoffer-manager

[Suggestion] Transfer the release process of the new version of the npm package to github action

gespispace opened this issue · 1 comment

I think this will increase the security of the release process, since the version in npm and GitHub will always be the same.
It will not be possible to substitute malware into the version that is published in npm.

I am ready to do this with https://github.com/marketplace/actions/automated-releases-for-npm-packages
You do not have to disclose the npm secret key, since this key will be in GitHub secrets and only the author will have access to it.

I would like to do this even in the repositories:

  1. https://github.com/DoctorMcKay/node-steamid
  2. https://github.com/DoctorMcKay/node-stdlib
  3. https://github.com/DoctorMcKay/node-steamcommunity
  4. https://github.com/DoctorMcKay/node-steam-crypto
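A minimal publish workflow of the kind the suggestion describes, added here as an illustration; it is not taken from the linked marketplace action or from any of these repositories. It assumes the npm token is stored as a repository secret named NPM_TOKEN, that publishing is triggered by a published GitHub release, and that the package's npm name and version come from package.json.

```yaml
# .github/workflows/publish.yml (illustrative; not part of the project)
name: Publish to npm

on:
  release:
    types: [published]   # runs only when a GitHub release is published from a tag

# Least privilege for the job token: read the repo, mint an OIDC token for provenance.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # writes .npmrc that reads NODE_AUTH_TOKEN

      # Install from the lockfile only, so the published tarball is built from committed state.
      - run: npm ci

      # Guard: the tag that created the release must match package.json, so the npm
      # version can never drift from the GitHub tag it was built from.
      - run: |
          PKG_VERSION="$(node -p "require('./package.json').version")"
          TAG="${GITHUB_REF_NAME#v}"
          if [ "$PKG_VERSION" != "$TAG" ]; then
            echo "package.json version $PKG_VERSION does not match release tag $TAG" >&2
            exit 1
          fi

      # --provenance attaches a signed attestation linking the package to this commit
      # and workflow run, which is what makes the npm/GitHub correspondence checkable.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name; never echoed
```

The token in NPM_TOKEN still carries publish rights on the npm side, so this only ties each workflow-published version to a tagged commit; it does not by itself prevent whoever holds the token from publishing outside the workflow.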

Thanks for the input, but I would rather have direct control over when a new version is published.

I don't agree with the security argument. If I had evil intentions, I could just publish an alternate version separately and not commit the code to GitHub.