1.0.18 • Published 6 months ago

@contentful/npm-poc v1.0.18

License: ISC
Repository: github
Last release: 6 months ago

JIRA Stories

Migrate existing packages

  • Find all @contentful packages in npm:
curl -H "Authorization: Bearer $NPM_TOKEN" "https://registry.npmjs.org/-/user/contentful/package"
  • Find all versions for each package.
curl -H "Authorization: Bearer $NPM_TOKEN" "https://registry.npmjs.org/@contentful/rich-text-types"

OR

npm view @contentful/rich-text-types versions

For each version run:

npm pack "<NAME>@<VERSION>" # e.g. npm pack "@contentful/npm-poc@1.63.0"
npm access get status @contentful/locomotove # to get the package access to publish with
npm publish ./<THE_PACKAGE_FROM_PACK_STEP> --access public # e.g. npm publish contentful-npm-poc-1.63.0.tgz

This will require switching .npmrc files to read and publish packages.

There's a different approach taken here in a POC. It downloads the .tgz for each tag in a repository and runs npm publish with the downloaded file. The approach above may be better than this.

AC:

All packages and versions in NPM exist in GH packages with the same access (public/private) set. Script should be idempotent so we can re-run it and it will only add new versions.
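
One way to make the per-version steps above idempotent and access-preserving, as an added example that is not the project's own script. It assumes two hypothetical .npmrc files (SRC_NPMRC for npmjs, DST_NPMRC for GH packages) that each map the @contentful scope to their registry, and that `npm access get status` output ends in "public" or "private".

```shell
#!/bin/sh
# Added example, not the project's script. SRC_NPMRC and DST_NPMRC are
# hypothetical .npmrc files: the first maps @contentful to npmjs with a read
# token, the second maps it to GH packages with a packages:write token.
SRC_NPMRC=${SRC_NPMRC:-./npmrc.npmjs}
DST_NPMRC=${DST_NPMRC:-./npmrc.ghpackages}

# Print the published versions of package $1 as seen through npmrc $2, one per line.
list_versions() {
  npm view "$1" versions --json --userconfig "$2" 2>/dev/null |
    tr -d '[]", ' | grep . || true
}

# Print the versions in list $1 that are absent from list $2 (newline-separated).
# -F and -x make the match literal and whole-line, so "1.0.0" neither matches
# "1.0.0-beta.1" nor treats "." as a regex wildcard.
missing_versions() {
  printf '%s\n' "$1" | while IFS= read -r v; do
    [ -n "$v" ] || continue
    printf '%s\n' "$2" | grep -Fxq -- "$v" || printf '%s\n' "$v"
  done
}

# Map `npm access get status` output (assumed to end in "public" or "private")
# to the value `npm publish --access` accepts. Anything not clearly public,
# including a failed lookup, stays restricted.
publish_access() {
  case "$1" in
    *public) echo public ;;
    *) echo restricted ;;
  esac
}

migrate_package() {
  src=$(list_versions "$1" "$SRC_NPMRC")
  dst=$(list_versions "$1" "$DST_NPMRC")
  status=$(npm access get status "$1" --userconfig "$SRC_NPMRC" 2>/dev/null || true)
  access=$(publish_access "$status")
  missing_versions "$src" "$dst" | while IFS= read -r v; do
    tgz=$(npm pack "$1@$v" --userconfig "$SRC_NPMRC" | tail -n 1)
    [ -n "$tgz" ] || exit 1
    npm publish "./$tgz" --access "$access" --userconfig "$DST_NPMRC" || exit 1
  done
}

# Usage: sh migrate.sh @contentful/rich-text-types
if [ "$#" -gt 0 ]; then migrate_package "$1"; fi
```

Re-running it publishes only versions that GH packages does not yet list, and a package whose status cannot be read is published as restricted, not public.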

Update Vault policies

The npm-read, semantic-release and semantic-release-ecosystem policies will need to be updated or, if we want to keep these for NPM, new ones created that provide GH_TOKEN with packages:read for installing packages and packages:write for publishing packages.

AC:

Vault provides tokens with permissions to read and publish packages to GH packages. We still have a policy with permissions to publish NPM packages.

Migrate #team-mechagodzilla to use GH packages.

Start by migrating #team-mechagodzilla to use GH packages for development.

  • Update CI pipelines to publish to GH packages. Example of publishing to GH packages.
  • Update .npmrc for all engineers locally.
  • Document all changes that need to happen so we can provide a path to other teams.
  • Can we use sourcegraph or repo-migrator to update pipelines or any other configuration? If yes, we will have another ticket for this.

AC:

team-mechagodzilla do not use NPM anymore. We have documentation on the changes that need to happen for other teams.

Documentation

Write complete documentation, migration guide and instructions for other teams to migrate to GH packages.

AC:

We have docs to give to other devs on the changes to make. Confluence/Roadie.

GH Action for public packages.

Provide a GH action that maintainers of public @contentful packages can include in their workflows to mirror the package to npmjs when a new version is published.

POC

AC:

Public @contentful packages are mirrored to npmjs when a new version is released.

Monitor NPM Possible?

Can we monitor how many tokens the NPM API is generating? Maybe show in Grafana. Then as teams migrate to GH packages we will know when NPM is not being used anymore and can start removing users and service accounts.

1.0.18

6 months ago

1.0.16

6 months ago

1.0.15

6 months ago

1.0.6

6 months ago

1.71.0

8 months ago

1.70.0

8 months ago

1.69.0

8 months ago

1.68.0

8 months ago

1.67.0

8 months ago

1.66.0

8 months ago

1.65.0

8 months ago

1.64.0

8 months ago

1.63.0

8 months ago

1.11.0

8 months ago

1.10.0

8 months ago

1.9.0

8 months ago

1.8.0

8 months ago

1.7.0

8 months ago

1.6.0

8 months ago

1.5.0

8 months ago

1.4.0

8 months ago

1.3.0

8 months ago

1.2.0

8 months ago

1.1.1

8 months ago

1.1.0

9 months ago

1.0.0

9 months ago