Hey @jorenvandeweyer @jwerre @Uzlopak @HappyZombies, with the recent development of what happened with some repos and packages we might want to rethink the level of automation of publishing.
The current open PR #117 would implement publishing to NPM when creating a new release on GitHub. This is very handy, since
it's less error-prone, as it directly reflects the release/tag/commit of a given branch
it can be done by project maintainers, without a gatekeeper
on the contrary
there is no 2FA involved, so if a "malicious" collaborator gets into the project team and has rights to push and create releases, then the CI could automatically pick this up
restricting permissions on which members can make releases is the same gatekeeping as limiting who can publish to NPM, but without 2FA/OTP involved for the publishing.
How I see it:
Currently there are two publishers in the npm org, @HappyZombies and me, so we have at least a certain level of redundancy, as chances are high that one of us is available when it comes to publishing urgent security fixes.
On top of that, our accounts require a second factor for publishing, so no package is published without a TOTP provided, which is a pretty strong mechanism imo.
I would therefore propose that we remove the release.yml workflow, which automates the creation of a release in this repo, and do the release manually with the respective tag/commit.
However, this is just my view on things. What do you think?
Once this is resolved I am moving forward to publish the current state as 4.2.0.
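For readers unfamiliar with the mechanism under discussion, the following is an added illustration of the shape such a release-triggered publish workflow typically takes. It is not the code from PR #117 or from this project; the job name, the secret name NPM_TOKEN and the Node version are assumptions. The comments mark where the trust boundary sits, which is the point the issue raises: the publish step authenticates with a stored automation token, so no OTP is ever prompted for.

```yaml
# Added example (not PR #117): publish to npm whenever a GitHub release is published.
name: publish
on:
  release:
    types: [published]

permissions:
  contents: read   # the job only needs to read the tagged source

jobs:
  npm-publish:     # assumed job name
    runs-on: ubuntu-latest
    steps:
      # The tag that the release points at is what gets checked out and published,
      # which is the "directly reflects the release/tag/commit" benefit named above.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # Trust boundary: NPM_TOKEN is an npm automation token stored as a repository
      # secret. Automation tokens are accepted without a one-time password, so anyone
      # who can create a release here can trigger a publish with no 2FA in the path.
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The consequence follows directly from the workflow: the set of people who can publish is the set of people who can cut a release in the repository, and the second factor on the maintainers' npm accounts is never exercised, because the token, not a person, authenticates the publish.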