EFI: Publishing packages

[sheplu]

Motivation

By having a simple and unique way to publish package, this would lower the cognitive work needed for captains (and other members) to release and publish a new version of the same package. With a standardized way and GitHub Action, publishing can be done almost automatically.

Expectation

Easy and standardized way to publish the packages or the Express Organization without "specific users" or manual operation

Implementation

Automated way to publish packages (maybe using GitHub Releases)
Build a full automation around it where it is just needed to create a release (or git tag depending on what we want to do)
Limit manual operation
Create a workflow to run all needed tests (quality, performance, security...) before releasing

Status

Part: Organization

Draft

In the past few years, a good number of projects choose to use the organizational scope feature of npm allowing them to publish all packages under a specific scope. By doing so it can help improve the security by limiting attacks based on a package name.
Publishing should also be changed to use the release system of GitHub to simplify contributor life

[wesleytodd]

@dougwilson and @ljharb should be taking care of this sometime this week. Once we get it setup we should document it. Do we have any other todo's related to this one?

[IamLizu]

Hi @wesleytodd 👋

Even though I have been working with Express for not long, I have a practical understanding of automating releases with GitHub Actions. I have done this many times for my personal projects.

I am confident that I can take care of the points in implementation. Since @dougwilson is not here that much, I am willing to take this on with the guidance from @ljharb.

Please let me know if I can engage.

[wesleytodd]

Hey, we need to put together a clear plan on this, I have some very specific goals and will be outlineing them over the next few months. But right now, I would say that we are not yet ready to tackle this. There are administrative things that need to be done for token minting and setting up 2fa for GHA which cannot be done by anyone but a TC member. I would love to be able to enable you to work on this, but it will likely be early next year before anyone is in a position to work on this.