Contrib.social

Automate publishing releases (like packagist with webhooks)

Open on Drupal.org →
Created on 18 February 2024, 4 months ago
Updated 26 February 2024, 4 months ago

Problem/Motivation

Publishing releases of modules or themes requires manual tasks (logging in, clicking through multiple pages). When I use packagist.org instead of git.drupalcode.org, I can automate everything - except some initial setup, but that is only necessary once.

I don't want to login and click just for bumping a release from 0.1.0 to 0.1.1. I want to git push --follow-tags and some webhook magic that takes care of all the rest.

Real world example:

I wrote a minimal base theme named "drinimal". I wrote another theme that requires it via composer.json. Because vcs repositories don't work with nested dependencies, I published drinimal on packagist.org. In a third repository I have my actual Drupal installation with a vcs repo for my child theme.

Now I want to publish drinimal on drupal.org.

For reference:

Steps to reproduce

My normal publishing workflow is the following:

  • develop locally until it feels ready for a first release
  • publish on git host (only once)
    • login on git host (e. g. codeberg.org or github.com)
    • create empty repository
    • if not setup already: add SSH key, configure local ~/.ssh/config and KeePassXC as ssh agent
    • initial git setup:
git remote add origin git@git.drupal.org:project/theme_test_not_sandboxed.git
git push -u origin main
# TODO: use "0.x" and later "1.x" branch instead of "main"
  • publish on packagist.org (only once)
    • login
    • publish new project
    • setup webhook on git host for automatic updates

Now my setup is ready and fully automated (except tests/CI setup).

Publishing a new release is fast and simple:

  • change something
  • tag a new release
  • push it to git host
git add theme_test_not_sandboxed.info.yml
git commit -m "added theme.info.yml"
git tag -a 0.1.1 -m "added theme.info.yml"
git push --follow-tags

Done.

I can run composer update in my website project and the new version is downloaded automatically.

Drupal needs a lot of extra steps. Just tagging with git and publishing doesn't trigger a new release. So it's different from the default composer behaviour. Tagging (or branching) via git and publishing is still required. So all steps from above (except publishing on packagist.org) are neccessary. Afterwards I have to manually do the following steps - for every new release:

  • login on drupal.org
  • go to https://www.drupal.org/project/theme_test_not_sandboxed →
  • click “Edit” in horizontal nav
  • click “Releases” in horizontal sub nav
  • click “Add new release”
  • Select version
    • –> now some info text pops up (with a bad recommendation about re-tagging - see notes section in test theme README)
    • click checkbox “This release will not be covered for security advisories”
  • click “Next” button
  • optional: enter text for “Release notes”, “Short description” and click a checkbox under “Release type”
    • –> Remember: No markdown support! Copy/Paste from CHANGELOG.md may cause broken markup –> requires manual editing of code blocks and links
  • double check after clicking on “Preview” button
  • click “Save” button
  • wait a few minutes until the package is created

I don't like it. Since my Drupal project is already set up with composer, I can skip the whole "publish on drupal.org" step and everything just works.

Proposed resolution

  • Add a public endpoint to drupal.org, that can be targeted via webhooks from Gitlab.
  • That endpoint should check for an access token or app password. Since Gitlab is self hosted and already integrated with drupal.org, maybe it would work without an access token, because my identity is already confirmed by using my ssh key for pushing a change.
  • After user validation start a job to publish a new release (dev or tagged).

Remaining tasks

  • [ ] Add a public endpoint to drupal.org, that can be targeted via webhooks from Gitlab to trigger generating new release.

User interface changes

If it works with internal coupling between drupal.org and git.drupalcode.org: none.

API changes

not sure

Data model changes

not sure

✨ Feature request
Status

Active

Component

Packaging

Created by

raffaelj

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @raffaelj
  • Comment 4 months ago →
    raffaelj

    converted markdown lists in initial post to html lists for better readability

  • Comment 4 months ago →
    raffaelj

    added link to missing notes section, that was mentioned in the initial post

  • Comment 4 months ago →
    🇺🇸United States drumm NY, US

    A big difference from GitHub & Packagist.org is that Drupal.org releases are permanent. Unlike the other services, we do not allow deleting or replacing releases, so you know you will be able to deploy the same code indefinitely.

    We do get occasional support requests for deleting accidental releases, which we do not allow. If everything were more automated, I expect there would be more accidental releases.

    That said, we certainly should make some things nicer. For example, if you push a tag which could be a release, we could have links to directly create that release, rather than relying on maintainers to find the place to add a release.

  • Comment 4 months ago →
    raffaelj

    Unlike the other services, we do not allow deleting or replacing releases, so you know you will be able to deploy the same code indefinitely.

    Just tested it with git push origin :0.1.2 and broke my complete git access. No git push or git clone to any repo was possible anymore. Logging in and accepting the ToS fixed the broken git access. The error message could have been a bit more elaborative.

    git push origin :0.1.2
remote:
remote: ========================================================================
remote:
remote: You (@raffaelj) must accept the Terms of Service in order to perform this action. To accept these terms, please access GitLab from a web browser at https://git.drupalcode.org.
remote:
remote: ========================================================================
remote:
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

    Good to know.

    We do get occasional support requests for deleting accidental releases, which we do not allow. If everything were more automated, I expect there would be more accidental releases.

    I get the point. But configuring the webhook is a decision (with somewhat advanced knowledge) to care about git tags and to automate the release process. With some fine tuning, only tags with version strings on branches with version strings could be released automatically.

    It doesn't have to be fully automated. Running two different commands would be fine too. Any alternative, that doesn't require logging in and filling out a form (without markdown support and with non-conformant html support) would be great.

    git push origin 0.1.3
./deploy.sh
# either with OS key ring integration or
# with manually entering password e. g. via auto type feature from KeePassXC

    Besides calling a curl command to trigger a new release, deploy.sh could also contain some logic to parse CHANGELOG.md with the help of md2drupal.sh → . .gitattributes takes care about removing that file from packages/releases.

    I use the technique above for a WordPress plugin I maintain to convert git tags to SVN branches.

  • Comment 4 months ago →
    🇺🇸United States drumm NY, US

    Just tested it with git push origin :0.1.2 and broke my complete git access. No git push or git clone to any repo was possible anymore. Logging in and accepting the ToS fixed the broken git access. The error message could have been a bit more elaborative.

    This one-time ToS agreement is not related to pushing the tag, it was required of everyone: https://www.drupal.org/drupalorg/blog/updating-how-contributors-accept-t... →

    The error message is not something that we can configure in GitLab.

  • Comment 4 months ago →
    raffaelj

    Today I found some existing REST API functionality: https://www.drupal.org/drupalorg/docs/apis/rest-and-other-apis →

    Only read access is allowed.

    So the docs and #2857160: Allow POST via RestWS API → say, that It's read-only. But even if write access was enabled, this wouldn't solve the password management problem (no access token support).

    But the api is really interesting for debugging and to get a better understanding of the internal field structure.

    Side note: Both api endpoints for a project page contain user ids in the flag_project_star_user field, which should be hidden for privacy reasons:

    https://www.drupal.org/api-d7/node/3419729.json →
    https://www.drupal.org/api-d7/node.json?field_project_machine_name=theme... →

  • Comment 4 months ago →
    🇺🇸United States cmlara

    Access to create release through API has been discussed in Slack in the past.

    From memory I believe the biggest hurdle right now is waiting on D.O. to update to D9+ (D10+ now) before it would be considered.

    I thought there was a another issue besides #2857160: Allow POST via RestWS API → however it was the only one I could find on my quick search as well.

    I probably wouldn't make it an on-commit hook for (most) of my own usage, however I certainly would consider the the possibility of creating a manually executed "publish release" GitLab job that takes a commit ID, runs a final test to ensure the release is passing CI (make sure I don't accidentally publish a broken build), creates the changelog text and than create the release on D.O.

    Its certainly been suggested some projects consider more frequent releases and an API would help in that regards (including as far as per commit or per day releases to allow more rapid bugfix adoption)

    Even the lack of an API isn't actually as big an issue on this, the bigger issue is the policy against Shared Accounts creating new nodes (releases are a node and my understanding are now allowed to be created by Shared Accounts). I could fairly easily create a script that submits the login form, provides an OTP token and iterates through the release creation steps if that were allowed for a shared account that only has D.O. permissions to manage releases.

  • Comment 4 months ago →
    raffaelj

    I thought there was a another issue besides #2857160: Allow POST via RestWS API → however it was the only one I could find on my quick search as well.

    Maybe #3227737: [Meta] GitLab Acceleration Initiative → and #3143620: DrupalSpoons bot → ?

  • Comment 4 months ago →
    🇺🇸United States drumm NY, US

    Side note: Both api endpoints for a project page contain user ids in the flag_project_star_user field, which should be hidden for privacy reasons:

    Who has starred which project is public information, see https://www.drupal.org/user/3064/starred → . Please report any future privacy concerns directly by emailing security@drupal.org.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024