electron-builder icon indicating copy to clipboard operation
electron-builder copied to clipboard
verified publisher icon electron-userland

Don't publish by default on github builds

Open pimterry opened this issue 5 years ago • 20 comments

  • Version: 22.9.1

When setting up a new github actions build, it attempts to publish the result automatically to github by default. I only noticed this because I received an unexpected error at the end of my build:

  ⨯ GitHub Personal Access Token is not set, neither programmatically, nor using env "GH_TOKEN"

This was a normal branch build, not tagged or anything, which I'd never normally want to publish.

This behaviour is pretty surprising, and in many cases it's a serious security risk if you don't expect it when there's github token in the environment for some other reason. Build output even in open source repos could easily contain secrets, especially when you're first setting up a new build - it would be easy for this to accidentally publish your code signing keys, for example.

Also, this surprising behaviour isn't documented - there's no default value for publish listed on the config value or CLI arguments.

There's been quite a few issues discussing this in the past, all now closed due to inactivity, e.g. https://github.com/electron-userland/electron-builder/issues/4546 and https://github.com/electron-userland/electron-builder/issues/1693. I think it's pretty clear that this is causing confusion.

Are you be open to disabling this? I think it's just a matter of making null the default value for publish config (that's the current workaround for this behaviour). I'd be happy to put a PR together for this, if you're open to that.

In general, I'd personally prefer to have electron-builder publish as a separate action, so I can build that into my CI workflow in more complex ways (e.g. testing a built distributable before it's published) but that's a separate question, and being able to opt-in with --publish is fine for now.

pimterry avatar Dec 10 '20 13:12 pimterry

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Feb 13 '21 08:02 stale[bot]

This is still relevant, and AFAIK there's nothing blocking it and it's very easy to do (although it is a breaking change!). It would be great to hear thoughts from the maintainers on this issue.

pimterry avatar Feb 15 '21 10:02 pimterry

Still an issue, I don't know why this behaviour was selected as default.

adityaruplaha avatar Apr 17 '21 11:04 adityaruplaha

Seems like it tries to publish when my package.json script is named "release" and it does not when the name is something else like "dist".

Apak00 avatar May 22 '21 19:05 Apak00

This was working correctly in version 22.11.3, but has regressed in 22.11.7. Can it be fixed please? We are unable to build for non-release builds where we do NOT want to publish the built artifacts.

vraravam avatar Jun 11 '21 17:06 vraravam

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Aug 22 '21 18:08 stale[bot]

This is still relevant, it has a fair few votes now, and AFAIK there's nothing blocking it and it's very easy to do (although it is a breaking change!). It would be great to hear thoughts from the maintainers on this issue.

pimterry avatar Aug 23 '21 18:08 pimterry

I was also surprised by this behavior. (fixed by adding --publish=never)

ferdodo avatar Aug 28 '21 16:08 ferdodo

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Apr 17 '22 17:04 stale[bot]

I haven't touched this myself in a while, but I still have my own workarounds in place for this and the docs haven't been noticeably updated, so AFAICT yes it's still relevant.

I'm very happy to close this if anybody can confirm that it has been resolved though!

pimterry avatar Apr 18 '22 15:04 pimterry

node_modules/.bin/electron-builder --linux snap -c.snap.publish=never is not working for me :(

⨯ Cannot find module 'electron-publisher-never'

hovancik avatar Aug 07 '22 13:08 hovancik

We attempted to put publish: [] into the linux key in our package.json config, and GitHub still tried to publish (and failed, due to the missing token). We needed to move to --publish=never on the command-line, specifically for the linux build.

It would be good to fix this. Or make it more obvious in the first place, then easy to turn off.

This was on electron-builder 24.6.3.

scottnonnenberg-signal avatar Aug 18 '23 20:08 scottnonnenberg-signal