Add v0.18 changelog (#585)

CHANGELOG.md

@@ -2,6 +2,46 @@
 
 ## v0.18.0-dev
 
+### API keys
+
+When authenticating with `mix hex.user auth` two API keys are generated instead of single one. One key is unencrypted with read access and the other is encrypted with your local password and has full read/write access to the API. Now commands that don't make any changes will not require a password.
+
+Additionally, we generate a single key that gives access to all your organization repositories, instead of one key for each repository. It also has the added benefit that you don't have to reauthenticate if you are added to a new organization.
+
+We have also added support for keys owned directly by an organization instead of a specific user, these keys can be accessed through `mix hex.organization`. This is useful when generating keys for a CI environment, previously when personal keys were used, a person leaving an organization or revoking the key could negatively affect CI workflow.
+
+### Improvements to continuous integration workflows
+
+The `HEX_API_KEY` environment variable has been introduced to be able run commands that require an authentication without having to authenticate manually with `mix hex.user auth` which has user input prompts. The key set with `HEX_API_KEY` can be generated with `mix hex.user key generate` or `mix hex.organization key ORGANIZATION generate`. It also makes it possible to run commands such as `mix hex.publish` without being prompted for a password.
+
+By passing the `--yes` flag to `mix hex.publish` you can publish your package (together with `HEX_API_KEY`) without any confirmation prompts. This allows you to publish your package as part of your CI build process.
+
+### Ignoring `:maintainers` field
+
+In previous Hex versions we required `:maintainers` key to be present when publishing package. At the same time, on hex.pm we are also showing package owners (controlled by the `mix hex.owner` task). It was confusing to show both maintainers and owners and figure out which really control the package, so we've dropped showing maintainers on hex.pm and the field will no longer be added to package's metadata.
+
+If maintainers field was used to give credit to current and/or past contributors we encourage to mention that in project's README instead.
+
+### Enhancements
+
+* Add `--yes` flag to `hex.publish` for publishing without any confirmation prompts
+* Add `HEX_API_KEY` environment variable for setting and overriding the key used when authenticating against the API
+* Generate a single key for all organization repositories when authenticating a new user
+* Return a non-zero exit code from `hex.outdated` when dependencies are outdated
+* Generate two API keys when authenticating, one encrypted with write access, and one unencrypted with only read access
+* Add ownership levels to `hex.owner` task
+* When resolving, try all possible backtrack branches and select the best solution
+* Improve formatting of multi-line validation errors
+* Do not use `:maintainers` package configuration field
+* Change `hex.organization` to generate keys owned by organization instead of the user generating them
+* Add options to `hex.organization key` for revoking and listing keys owned by organization
+* Improve interface for `hex.user key` and `hex.organization key`, the following commands have changed:
+  * `hex.user key --generate` => `hex.user key generate`
+  * `hex.user key --list` => `hex.user key list`
+  * `hex.user key --revoke KEY_NAME` => `hex.user key revoke KEY_NAME`
+  * `hex.user key --revoke-all` => `hex.user key revoke --all`
+  * `hex.organization key ORGANIZATION` => `hex.organization key ORGANIZATION generate`
+
 ## v0.17.8 (2018-07-01)
 
 ### Bug fixes