
Publish schema products as npm package with matching version tag

What does this MR do?

Updates the version of the package to match the specified version number in each schema in /dist/**. It is set to v14.0.1 in all schemas and corresponds with the released tag.

Adds an additional release hook that constructs a schemas-only npm package and publishes it to the official npm public registry security-report-schemas project package registry as @gitlab-org/security-report-schemas@${SCHEMA_VERSION}.

The reason for this MR is that I am pulling in one of the schemas into a Node.JS module to use as a dependency. My module is published on NPM (@codejedi365/gitlab-npm-audit-parser) for your reference. NPM is having issues monitoring your repository because I'm requesting v14.0.1, since that is the version of your schema and release tag, but the top-level package.json does not match.

UPDATE: This is an expected error since the top-level package.json is for the schema-merge@1.0.0 tool and not specific for the schemas.

Furthermore, I would like to request that this version-number bump be added to the steps for generating a new release of your repository. It is essential that I am able to run npm outdated to monitor when the schema changes (i.e. a new schema is published by your team) and be notified that my parser must change. If this is an automated process, I did not modify it within this MR but request help in order to do that. This MR now includes modifications to the .gitlab-ci.yml and a new deploy-npm-pkg.sh script to enable an automatic publish to the project's package registry upon a new release of the schemas.
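As an added example (not the MR's own deploy-npm-pkg.sh or release.sh), this is the shape the release hook described above can take: read the version from the schemas themselves, refuse to build when the schemas disagree, and write a package.json under the @gitlab-org/security-report-schemas name so a consumer's npm outdated tracks schema releases. It assumes each schema carries its version as a top-level self.version string; the schema files and names it creates are constructed samples, not the project's files.

```shell
#!/bin/sh
# Added example, not the MR's own deploy-npm-pkg.sh: build a schemas-only npm
# package whose version comes from the schemas themselves and refuse to build
# when the schemas disagree, so a half-bumped release never gets published.
set -eu

# Read the version from one schema. Assumption: each schema carries a top-level
# "self": { "version": "X.Y.Z" } block. grep/sed only, so no jq dependency.
schema_version() {
  grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" | head -n 1 |
    sed 's/.*"\([^"]*\)"$/\1/'
}

# Print the single version shared by every *.json in the dist directory, or
# fail with a message naming the first file that disagrees.
consistent_version() {
  expected=""
  for f in "$1"/*.json; do
    v=$(schema_version "$f")
    [ -n "$v" ] || { echo "no version found in $f" >&2; return 1; }
    if [ -z "$expected" ]; then expected=$v
    elif [ "$v" != "$expected" ]; then
      echo "version mismatch: $f has $v, expected $expected" >&2; return 1
    fi
  done
  echo "$expected"
}

# Assemble the package: copy the schemas and write a package.json whose version
# is the schema version (package name taken from the MR description).
build_package() {
  version=$(consistent_version "$1")
  mkdir -p "$2/schemas" && cp "$1"/*.json "$2/schemas/"
  printf '{\n  "name": "@gitlab-org/security-report-schemas",\n  "version": "%s",\n  "files": ["schemas"]\n}\n' "$version" > "$2/package.json"
  echo "$version"
}

# Constructed sample schemas (not real GitLab files) for a stand-alone run.
make_sample() {
  mkdir -p "$1"
  printf '{"self":{"version":"%s"},"title":"%s"}\n' "$2" "$3" > "$1/$3.json"
}

work=$(mktemp -d)
make_sample "$work/dist" 14.0.1 dependency-scanning
make_sample "$work/dist" 14.0.1 container-scanning
echo "would publish version $(build_package "$work/dist" "$work/pkg")"
# A real hook would continue with: cd "$work/pkg" && npm publish --access public
```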

For clarity, my project translates the output from npm audit --json and turns it into an ingestible report for GitLab's dependency_scanning based on this repository's schema definition.

Availability and Testing

I was able to test whether this MR resolves the conflict by manually modifying my package-lock.json with this new version. package-lock.json is generated based on installed packages and is originally drawn from your package during installation. With my modification, I no longer get the NPM error about an invalid package version.

With a released package whose version number matches the npm registry, this will resolve the invalid-package-version conflicts within package-lock.json and also notify me of new schema modifications, as new versions will be automatically detected upon use of npm outdated. I have tested the release.sh with my own scoped project and it successfully published to the npm registry as @codejedi365/security-report-schemas.

Edited by codejedi365
