feat: get last release with git tags

- Remove the `getLastRelease` plugin type
- Retrieve the last release based on Git tags
- Create the next release Git tag before calling the `publish` plugins

BREAKING CHANGE: Remove the `getLastRelease` plugin type

The `getLastRelease` plugins will not be called anymore.

BREAKING CHANGE: Git repository authentication is now mandatory

The Git authentication is now mandatory and must be set via `GH_TOKEN`, `GITHUB_TOKEN`,  `GL_TOKEN`, `GITLAB_TOKEN` or `GIT_CREDENTIALS` as described in [CI configuration](https://github.com/semantic-release/semantic-release/blob/caribou/docs/usage/ci-configuration.md#authentication).

Author: pvdlg

README.md

@@ -80,10 +80,11 @@ After running the tests the command `semantic-release` will execute the followin
 | Step              | Description                                                                                                                                                           |
 |-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Verify Conditions | Verify all the conditions to proceed with the release with the [verify conditions plugins](docs/usage/plugins.md#verifyconditions-plugin).                            |
-| Get last release  | Obtain last release with the [get last release plugin](docs/usage/plugins.md#getlastrelease-plugin).                                                                  |
+| Get last release  | Obtain the commit corresponding to the last release by analyzing [Git tags](https://git-scm.com/book/en/v2/Git-Basics-Tagging).                                       |
 | Analyze commits   | Determine the type of release to do with the [analyze commits plugin](docs/usage/plugins.md#analyzecommits-plugin) based on the commits added since the last release. |
 | Verify release    | Verify the release conformity with the [verify release plugins](docs/usage/plugins.md#verifyrelease-plugin).                                                          |
 | Generate notes    | Generate release notes with the [generate notes plugin](docs/usage/plugins.md#generatenotes-plugin) for the commits added since the last release.                     |
+| Create Git tag    | Create a Git tag corresponding the new release version                                                                                                                |
 | Publish           | Publish the release with the [publish plugins](docs/usage/plugins.md#publish-plugin).                                                                                 |
 
 ## Documentation

cli.js

@@ -17,7 +17,6 @@ module.exports = async () => {
       'Comma separated list of paths or packages name for the verifyConditions plugin(s)',
       list
     )
-    .option('--get-last-release <path>', 'Path or package name for the getLastRelease plugin')
     .option('--analyze-commits <path>', 'Path or package name for the analyzeCommits plugin')
     .option(
       '--verify-release <paths>',

docs/extending/plugins-list.md

@@ -7,7 +7,6 @@
   - [publish](https://github.com/semantic-release/github#publish): Publish a [GitHub release](https://help.github.com/articles/about-releases)
 - [@semantic-release/npm](https://github.com/semantic-release/npm)
   - [verifyConditions](https://github.com/semantic-release/npm#verifyconditions): Verify the presence and the validity of the npm authentication and release configuration
-  - [getLastRelease](https://github.com/semantic-release/npm#getlastrelease): Determine the last release of the package on the npm registry
   - [publish](https://github.com/semantic-release/npm#publish): Publish the package on the npm registry
 
 ## Official plugins
@@ -17,14 +16,12 @@
   - [publish](https://github.com/semantic-release/gitlab#publish): Publish a [GitLab release](https://docs.gitlab.com/ce/workflow/releases.html)
 - [@semantic-release/git](https://github.com/semantic-release/git)
   - [verifyConditions](https://github.com/semantic-release/git#verifyconditions): Verify the presence and the validity of the Git authentication and release configuration
-  - [getLastRelease](https://github.com/semantic-release/git#getlastrelease): Determine the last release via Git tags on the repository
   - [publish](https://github.com/semantic-release/git#publish): Push a release commit and tag, including configurable files
 - [@semantic-release/changelog](https://github.com/semantic-release/changelog)
   - [verifyConditions](https://github.com/semantic-release/changelog#verifyconditions): Verify the presence and the validity of the configuration
   - [publish](https://github.com/semantic-release/changelog#publish): Create or update the changelog file in the local project repository
 - [@semantic-release/exec](https://github.com/semantic-release/exec)
   - [verifyConditions](https://github.com/semantic-release/exec#verifyconditions): Execute a shell command to verify if the release should happen
-  - [getLastRelease](https://github.com/semantic-release/exec#getlastrelease): Execute a shell command to determine the last release
   - [analyzeCommits](https://github.com/semantic-release/exec#analyzecommits): Execute a shell command to determine the type of release
   - [verifyRelease](https://github.com/semantic-release/exec#verifyrelease): Execute a shell command to verifying a release that was determined before and is about to be published.
   - [generateNotes](https://github.com/semantic-release/exec#analyzecommits): Execute a shell command to generate the release note

docs/recipes/README.md

@@ -6,4 +6,7 @@
 - [Travis CI with build stages](travis-build-stages.md)
 - [GitLab CI](gitlab-ci.md)
 
+## Git hosted services
+- [Git authentication with SSH keys](git-auth-ssh-keys.md)
+
 ## Package managers and languages

docs/recipes/git-auth-ssh-keys.md

@@ -0,0 +1,161 @@
+# Git authentication with SSH keys
+
+When using [environment variables](../usage/ci-configuration.md#authentication) to set up the Git authentication, the remote Git repository will automatically be accessed via [https](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_http_protocols), independently of the [`repositoryUrl`](../usage/configuration.md#repositoryurl) format configured in the **semantic-release** [Configuration](../usage/configuration.md#configuration) (the format will be automatically converted as needed).
+
+Alternatively the Git repository can be accessed via [SSH](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol) by creating SSH keys, adding the public one to your Git hosted account and making the private one available on the CI environment.
+
+## Generating the SSH keys
+
+In your local repository root:
+
+```bash
+$ ssh-keygen -t rsa -b 4096 -C "<your_email>" -f git_deploy_key -N "<ssh_passphrase>"
+```
+
+`your_email` must be the email associated with your Git hosted account. `ssh_passphrase` must be a long and hard to guess string. It will be used later.
+
+This will generate a public key in `git_deploy_key.pub` and a private key in `git_deploy_key`.
+
+## Adding the SSH public key to the Git hosted account
+
+Step by step instructions are provided for the following Git hosted services:
+- [GitHub](#adding-the-ssh-public-key-to-github)
+
+### Adding the SSH public key to GitHub
+
+Open the `git_deploy_key.pub` file (public key) and copy the entire content.
+
+In GitHub **Settings**, click on **SSH and GPG keys** in the sidebar, then on the **New SSH Key** button.
+
+Paste the entire content of `git_deploy_key.pub` file (public key) and click the **Add SSH Key** button.
+
+Delete the `git_deploy_key.pub` file:
+
+```bash
+$ rm git_deploy_key.pub
+```
+
+See [Adding a new SSH key to your GitHub account](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/) for more details.
+
+## Adding the SSH private key to the CI environment
+
+In order to be available on the CI environment, the SSH private key must be encrypted, committed to the Git repository and decrypted by the CI service.
+
+Step by step instructions are provided for the following environments:
+- [Travis CI](#adding-the-ssh-private-key-to-travis-ci)
+- [Circle CI](#adding-the-ssh-private-key-to-circle-ci)
+
+### Adding the SSH private key to Travis CI
+
+Install the [Travis CLI](https://github.com/travis-ci/travis.rb#installation):
+
+```bash
+$ gem install travis
+```
+
+[Login](https://github.com/travis-ci/travis.rb#login) to Travis with the CLI:
+
+```bash
+$ travis login
+```
+
+Add the [environment](https://github.com/travis-ci/travis.rb#env) variable `SSH_PASSPHRASE` to Travis with the value set during the [SSH keys generation](#generating-the-ssh-keys) step:
+
+```bash
+$ travis env set SSH_PASSPHRASE <ssh_passphrase>
+```
+
+[Encrypt](https://github.com/travis-ci/travis.rb#encrypt) the `git_deploy_key` (private key) using a symmetric encryption (AES-256), and store the secret in a secure environment variable in the Travis environment:
+
+```bash
+$ travis encrypt-file git_deploy_key
+```
+
+The `travis encrypt-file` will encrypt the private key into the `git_deploy_key.enc` file and output in the console the command to add to your `.travis.yml` file. It should look like `openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out git_deploy_key -d`.
+
+Copy this command to your `.travis.yml` file in the `before_install` step. Change the output path to write the unencrypted key in `/tmp`: `-out git_deploy_key` => `/tmp/git_deploy_key`. This will avoid to commit / modify / delete the unencrypted key by mistake on the CI. Then add the commands to decrypt the ssh private key and make it available to `git`:
+
+```yaml
+before_install:
+  # Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
+  - openssl aes-256-cbc -K $encrypted_KKKKKKKKKKKK_key -iv $encrypted_VVVVVVVVVVVV_iv -in git_deploy_key.enc -out /tmp/git_deploy_key -d
+  # Make sure only the current user can read the private key
+  - chmod 600 /tmp/git_deploy_key
+  # Create a script to return the passphrase environment variable to ssh-add
+  - echo 'echo ${SSH_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
+  # Start the authentication agent
+  - eval "$(ssh-agent -s)"
+  # Add the key to the authentication agent
+  - DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
+```
+
+See [Encrypting Files](https://docs.travis-ci.com/user/encrypting-files) for more details.
+
+Delete the local private key as it won't be used anymore:
+
+```bash
+$ rm git_deploy_key
+```
+
+Commit the encrypted private key and the `.travis.yml` file to your repository:
+
+```bash
+$ git add git_deploy_key.enc .travis.yml
+$ git commit -m "ci(travis): Add the encrypted private ssh key"
+$ git push
+```
+
+### Adding the SSH private key to Circle CI
+
+First we encrypt the `git_deploy_key` (private key) using a symmetric encryption (AES-256).  Run the following `openssl` command and *make sure to note the output which we'll need later*:
+
+```bash
+$ openssl aes-256-cbc -e -p -in git_deploy_key -out git_deploy_key.enc -K `openssl rand -hex 32` -iv `openssl rand -hex 16`
+salt=SSSSSSSSSSSSSSSS
+key=KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
+iv =VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+```
+
+Add the following [environment variables](https://circleci.com/docs/2.0/env-vars/#adding-environment-variables-in-the-app) to Circle CI:
+- `SSL_PASSPHRASE` - the value set during the [SSH keys generation](#generating-the-ssh-keys) step.
+- `REPO_ENC_KEY` - the `key` (KKK) value from the `openssl` step above.
+- `REPO_ENC_IV` - the `iv` (VVV) value from the `openssl` step above.
+
+Then add to your `.circleci/config.yml` the commands to decrypt the ssh private key and make it available to `git`:
+
+```yaml
+version: 2
+jobs:
+  coverage_test_publish:
+    # docker, working_dir, etc
+    steps:
+      - run:
+          # Decrypt the git_deploy_key.enc key into /tmp/git_deploy_key
+          - openssl aes-256-cbc -d -K $REPO_ENC_KEY -iv $REPO_ENC_IV -in git_deploy_key.enc -out /tmp/git_deploy_key
+          # Make sure only the current user can read the private key
+          - chmod 600 /tmp/git_deploy_key
+          # Create a script to return the passphrase environment variable to ssh-add
+          - echo 'echo ${SSH_PASSPHRASE}' > /tmp/askpass && chmod +x /tmp/askpass
+          # Start the authentication agent
+          - eval "$(ssh-agent -s)"
+          # Add the key to the authentication agent
+          - DISPLAY=":0.0" SSH_ASKPASS="/tmp/askpass" setsid ssh-add /tmp/git_deploy_key </dev/null
+      # checkout, restore_cache, run: yarn install, save_cache, etc.
+      # Run semantic-release after all the above is set.
+```
+
+The unencrypted key is written to `/tmp` to avoid to commit / modify / delete the unencrypted key by mistake on the CI environment.
+
+Delete the local private key as it won't be used anymore:
+
+```bash
+$ rm git_deploy_key
+```
+
+Commit the encrypted private key and the `.circleci/config.yml` file to your repository:
+
+```bash
+$ git add git_deploy_key.enc .circleci/config.yml
+$ git commit -m "ci(cicle): Add the encrypted private ssh key"
+$ git push
+```

docs/usage/ci-configuration.md

@@ -8,17 +8,29 @@ See [CI configuration recipes](../recipes/README.md#ci-configurations) for more
 
 ## Authentication
 
-Most **semantic-release** [plugins](plugins.md) require to set up authentication in order to publish to your package manager's registry or to access your project's Git hosted service. The authentication token/credentials have to be made available in the CI serice via environment variables.
+**semantic-release** requires push access to the project Git repository in order to create [Git tags](https://git-scm.com/book/en/v2/Git-Basics-Tagging). The Git authentication can be set with one of the following environment variables:
 
-See each plugin documentation for the environment variable to set up.
+| Variable                     | Description                                                                                                                   |
+|------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| `GH_TOKEN` or `GITHUB_TOKEN` | A GitHub [personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line).     |
+| `GL_TOKEN` or `GITLAB_TOKEN` | A GitLab [personal access token](https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html).                        |
+| `GIT_CREDENTIALS`            | [URL encoded basic HTTP Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication#URL_encoding) credentials). |
 
-The default [npm](https://github.com/semantic-release/npm#environment-variables) and [github](https://github.com/semantic-release/github#environment-variables) plugins require the following environment variables:
+`GIT_CREDENTIALS` can be the Git username and password in the format `<username>:<password>` or a token for certain Git providers like [Bitbucket](https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html).
+
+Alternatively the Git authentication can be set up via [SSH keys](../recipes/git-auth-ssh-keys.md).
+
+Most **semantic-release** [plugins](plugins.md) require to set up authentication in order to publish to a package manager registry. The default [npm](https://github.com/semantic-release/npm#environment-variables) and [github](https://github.com/semantic-release/github#environment-variables) plugins require the following environment variables:
 
 | Variable    | Description                                                                                                                                                                                                                                                                                                               |
 |-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `NPM_TOKEN` | npm token created via [npm token create](https://docs.npmjs.com/getting-started/working_with_tokens#how-to-create-new-tokens).<br/>**Note**: Only the `auth-only` [level of npm two-factor authentication](https://docs.npmjs.com/getting-started/using-two-factor-authentication#levels-of-authentication) is supported. |
 | `GH_TOKEN`  | GitHub authentication token.<br/>**Note**: Only the [personal token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line) authentication is supported.                                                                                                                                 |
 
+See each plugin documentation for the environment variables to set up.
+
+The authentication token/credentials have to be made available in the CI service via environment variables.
+
 See [CI configuration recipes](../recipes/README.md#ci-configurations) for more details on how to configure environment variables in your CI service.
 
 ## Automatic setup with `semantic-release-cli`

docs/usage/configuration.md

@@ -107,18 +107,6 @@ Define the list of [verify conditions plugins](plugins.md#verifyconditions-plugi
 
 See [Plugins configuration](plugins.md#configuration) for more details.
 
-### getLastRelease
-
-Type: `String`, `Object`
-
-Default: `['@semantic-release/npm']`
-
-CLI argument: `--get-last-release`
-
-Define the [get last release plugin](plugins.md#getlastrelease-plugin).
-
-See [Plugins configuration](plugins.md#configuration) for more details.
-
 ### analyzeCommits
 
 Type: `String`, `Object`

docs/usage/plugins.md

@@ -10,12 +10,6 @@ Plugin responsible for verifying all the conditions to proceed with the release:
 
 Default implementation: [npm](https://github.com/semantic-release/npm#verifyconditions) and [github](https://github.com/semantic-release/github#verifyconditions).
 
-### getLastRelease plugin
-
-Plugin responsible for determining the version of the package last release.
-
-Default implementation: [@semantic-release/npm](https://github.com/semantic-release/npm#getlastrelease).
-
 ### analyzeCommits plugin
 
 Plugin responsible for determining the type of the next release (`major`, `minor` or `patch`).