diff --git a/.changeset/disable-implicit-publish.md b/.changeset/disable-implicit-publish.md
new file mode 100644
index 00000000000..ca1cddaf6e7
--- /dev/null
+++ b/.changeset/disable-implicit-publish.md
@@ -0,0 +1,11 @@
+---
+"app-builder-lib": major
+---
+
+fix: disable implicit publishing by default
+
+BREAKING CHANGE: Publishing no longer happens automatically based on CI environment, git tags, or npm lifecycle events. You must now explicitly request publishing using the `--publish` CLI flag (e.g., `--publish always`, `--publish onTag`) or by setting the `publish` option in your configuration.
+
+This addresses security and usability concerns where unexpected auto-publishing could accidentally expose secrets or publish unfinished work.
+
+Fixes electron-userland/electron-builder#5463
diff --git a/packages/app-builder-lib/src/publish/PublishManager.ts b/packages/app-builder-lib/src/publish/PublishManager.ts
index 76e74b00acb..72929a853c2 100644
--- a/packages/app-builder-lib/src/publish/PublishManager.ts
+++ b/packages/app-builder-lib/src/publish/PublishManager.ts
@@ -31,7 +31,6 @@ import {
 } from "electron-publish"
 import { MultiProgress } from "electron-publish/out/multiProgress"
 import { writeFile } from "fs/promises"
-import { isCI } from "ci-info"
 import * as path from "path"
 import { WriteStream as TtyWriteStream } from "tty"
 import * as url from "url"
@@ -84,21 +83,6 @@ export class PublishManager implements PublishContext { const forcePublishForPr = process.env.PUBLISH_FOR_PULL_REQUEST === "true" if (!isPullRequest() || forcePublishForPr) { - if (publishOptions.publish === undefined) { - if (process.env.npm_lifecycle_event === "release") { - publishOptions.publish = "always" - } else { - const tag = getCiTag() - if (tag != null) { - log.info({ reason: "tag is defined", tag }, "artifacts will be published") - publishOptions.publish = "onTag" - } else if (isCI) { - log.info({ reason: "CI detected" }, "artifacts will be published if draft release exists") - publishOptions.publish = "onTagOrDraft" - } - } - } - const publishPolicy = publishOptions.publish this.isPublish = publishPolicy != null && publishOptions.publish !== "never" && (publishPolicy !== "onTag" || getCiTag() != null) if (this.isPublish && forcePublishForPr) { diff --git a/pages/publish.md b/pages/publish.md index d48327c6348..3103ea65683 100644 --- a/pages/publish.md +++ b/pages/publish.md @@ -7,6 +7,9 @@ Note that when using a generic server, you have to upload the built application Travis and AppVeyor support publishing artifacts. But it requires additional configuration for each CI and you need to configure what to publish. `electron-builder` makes publishing dead simple. +!!! important "Publishing Must Be Explicitly Requested" + Publishing is not performed automatically. You must explicitly request publishing using the `--publish` CLI flag (e.g., `--publish always`, `--publish onTag`, `--publish onTagOrDraft`) or by setting the `publish` option in your configuration. + If `GH_TOKEN` or `GITHUB_TOKEN` is defined — defaults to `[{provider: "github"}]`. If `KEYGEN_TOKEN` is defined and `GH_TOKEN` or `GITHUB_TOKEN` is not — defaults to `[{provider: "keygen"}]`.
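Review bot: In PublishManager.ts, once the defaulting block is removed a build with `publishOptions.publish` unset reaches `this.isPublish = publishPolicy != null && …` and skips the upload with no log line, where tag and CI builds used to publish and say so. Because this is a breaking default, a one-line notice on that path would save upgraders from silently missing releases, for example `if (publishPolicy == null && getCiTag() != null) log.info({ reason: "publish policy is not set" }, "artifacts will not be published")`. The same expression reads one value under two names (`publishPolicy` and `publishOptions.publish`); using `publishPolicy` throughout would read more clearly. The enclosing block starts and ends outside the hunk, so a later log on this path would not be visible here.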