Publisher:
- use GITHUB_TOKEN to avoid commit to main triggering next build
- add permissions for writing
- specify explicit registry-url to avoid npm 404 errors
- cd.yaml should check if the current version is alpha and conventional commit is made (fix: or :feat or :refactor)
Consumer:
- dependabot can run daily but not hourly/custom cron
- dependabot can open PR and we can run tests on this PR
- we can automerge dependabot PRs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request)
- we should have branch protection rules so that we don't merge without PR build
- branch protection rules prevent version bump (community/community#13836)
- the version bump may need to go through the PR with auto approval on success
- yarn upgrade unleash-server --latest
- use GH_PUSH_TOKEN or similar to trigger another build
Test:
- build failure should stop the build
- sync should trigger publish
- how to trigger sync?
- publish repo1 -> sync repo2 -> publish repo2