Have you ever had a npm package which was basically done and needed no more support? If so, it's very likely your package has dependencies, which might have vulnerabilities and should therefore be kept up to date. Life Machine does that automatically for you, by integrating GitHub Actions, Dependabot and npm.
- 🤖 Based on Dependabot
- 🗄️No own server required
- ✴️ Uses GitHub Actions
- ⚙️ Easy setup
- 🟪 Discord integration
- ✅ Test code before publish
- 👨🏻 Manual review on major version change
Go to your repository and run this command:
npx -y life-machine
This will create a workflow file in the .github/workflows
folder. It will also generate a config file in .github/.life-machine.json
.
To work, life machine will need two to three tokens:
- NPM Token
- GitHub Token (will be generated automatically)
- Discord Webhook URL (optional)
You can set these secrets in your GitHub repo settings, under Security/Secrets and Variables/Dependabot
, accessible under https://github.com/you/your-repo/settings/secrets/dependabot.
First, create a npm access token as shown here. Then go to the repo settings, click New repository secret, and create one with the name LM_NPM_TOKEN
and your generated token as the secret.
Now you are technically done with secrets.
If you want to receive messages when you manually need to review something, or just want to know if a new version of your package was published, you can create an Discord WebHook to send messages for you.
First, follow this guide and copy the generated WebHook URL. Go back to the repo settings and create a new secret with the name LM_DISCORD_TOKEN
and use the WebHook URL as the secret.
If you take a look at the .github/.life-machine.json
file, you'll find the configuration for Life Machine. It will look like this by default:
{
"manualCheckOnMajor": true,
"runTests": true,
"manualOnly": false,
"testCommand": "npm test",
"discordNotifications": {
"onPublish": true,
"onAttentionNeeded": true
},
"versionType": "patch"
}
You can change this options based on your needs. Here is a little explanation for each:
Option | Explanation | Possible values | Recommended value |
---|---|---|---|
manualCheckOnMajor | Defines wether Life Machine should publish the package, even if a dependency has a major version change | true|false | true |
runTests | If set to true, Life Machine will only publish if the given test command exited with code 0 | true|false | true |
manualOnly | If set to true, Life Machine won't ever publish and will just send you a discord message when a dependency can be updated | true|false | false |
discordNotifications.onPublish | Defines wether you want to receive a discord message when your package was published successfully | true|false | true |
discordNotifications.onAttentionNeeded | Defines wether you want to receive a discord message when your package couldn't be published. It's recommended to never touch this | true|false | true |
versionType | Defines what version type should be used to generate the version tag for your package | "major"|"minor"|"patch" | "patch" |
registry | A custom registry url, without protocol | string | "registry.npmjs.org" |
rebaseTries | When Dependabot triggers multiple releases at a time (which happens most of the time), there's a good chance that the calculated version was already published for another package. To prevent this, you can set the number of tries to republish | number | 5 (or number of your dependencies / what you can afford) |
If you receive a message saying your package wasn't published you should first check why:
If your tests failed, this is either because you have a bad test command defined or the new version of the package doesn't integrate well with your code. Now you should do the following steps:
- Install the affected dependency version
- Run the tests on your local machine
- Solve the integration issues
- Run
npm version patch
- Run
npm publish
- Commit & Push to GitHub
If you receive this error message, there was no actual error, but Life Machine just wants to make sure your code really works with the new versions. You should do the following:
- Install the affected dependency version
- Make sure everything works fine
- Run
npm version patch
- Run
npm publish
- Commit & Push to GitHub
If an error occurred, try to read what went wrong from the error message, but this steps should help in general:
- Make sure your secrets are set correctly
- Make sure the config is valid
- Make sure the Discord WebHook url exists
- Make sure dependabot is set up correctly
- Make sure your NPM_SECRET is still valid
If that doesn't help, create an issue to let me know about your problem!