From af3521f4d9b9ae01aee1f1be902686beb1a7d816 Mon Sep 17 00:00:00 2001 From: Ben Williams Date: Tue, 30 Dec 2025 20:02:21 -0800 Subject: [PATCH 1/2] deprecate: warn about implicit publishing in CI Add deprecation warnings when electron-builder automatically triggers publishing based on CI environment conditions (npm lifecycle event, git tags, or CI detection). This behavior will be disabled by default in v27 to prevent unexpected publishes and security risks. Updated documentation to explain the deprecation and how to explicitly opt-in to publishing. Addresses #5463 --- .context/notes.md | 0 .../app-builder-lib/src/publish/PublishManager.ts | 5 +++-- pages/publish.md | 11 +++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 .context/notes.md diff --git a/.context/notes.md b/.context/notes.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/packages/app-builder-lib/src/publish/PublishManager.ts b/packages/app-builder-lib/src/publish/PublishManager.ts index 76e74b00acb..37885faaf01 100644 --- a/packages/app-builder-lib/src/publish/PublishManager.ts +++ b/packages/app-builder-lib/src/publish/PublishManager.ts @@ -86,14 +86,15 @@ export class PublishManager implements PublishContext { if (!isPullRequest() || forcePublishForPr) { if (publishOptions.publish === undefined) { if (process.env.npm_lifecycle_event === "release") { + log.warn("Implicit publishing triggered by npm lifecycle event 'release'. This behavior will be disabled in electron-builder v27. Please use --publish explicitly.") publishOptions.publish = "always" } else { const tag = getCiTag() if (tag != null) { - log.info({ reason: "tag is defined", tag }, "artifacts will be published") + log.warn({ tag }, "Implicit publishing triggered by git tag. This behavior will be disabled in electron-builder v27. Please use --publish explicitly.") publishOptions.publish = "onTag" } else if (isCI) { - log.info({ reason: "CI detected" }, "artifacts will be published if draft release exists") + log.warn("Implicit publishing triggered by CI detection. This behavior will be disabled in electron-builder v27. Please use --publish explicitly.") publishOptions.publish = "onTagOrDraft" } } diff --git a/pages/publish.md b/pages/publish.md index d48327c6348..61a82244fff 100644 --- a/pages/publish.md +++ b/pages/publish.md @@ -17,6 +17,17 @@ If `GITHUB_RELEASE_TOKEN` is defined, it will be used instead of (`GH_TOKEN` or - you could make your `GITHUB_TOKEN` "Read-only" when creating a fine-grained personal access token, and "Read and write" for the `GITHUB_RELEASE_TOKEN`. - "Contents" fine-grained permission was sufficient. (at time of writing - Apr 2024) +!!! warning "Deprecation Notice: Implicit Publishing" + electron-builder currently auto-detects when to publish based on CI environment conditions: + + - Running via `npm run release` → publishes always + - Git tag detected in CI → publishes on tag + - CI environment detected → publishes to draft releases + + **This implicit publishing behavior is deprecated and will be disabled in electron-builder v27.** + + To prepare for this change, please explicitly specify your publish intent using the `--publish` CLI flag (e.g., `--publish always`, `--publish onTag`) or set the `publish` configuration in your `package.json` or `electron-builder.yml`. + !!! info "Snap store" `snap` target by default publishes to snap store (the app store for Linux). To force publishing to another providers, explicitly specify publish configuration for `snap`. From da48adf6371e1b7df81b21cd702442179b616acf Mon Sep 17 00:00:00 2001 From: Mike Maietta Date: Wed, 31 Dec 2025 16:35:18 -0800 Subject: [PATCH 2/2] Add deprecation warning for implicit publishing Add a deprecation warning for implicit publishing in CI. --- .changeset/pretty-hats-appear.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/pretty-hats-appear.md diff --git a/.changeset/pretty-hats-appear.md b/.changeset/pretty-hats-appear.md new file mode 100644 index 00000000000..e2b7c043856 --- /dev/null +++ b/.changeset/pretty-hats-appear.md @@ -0,0 +1,5 @@ +--- +"app-builder-lib": patch +--- + +deprecate: warn about implicit publishing in CI