Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

bin/importmap verify compares vendored files with remotes #237

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

bin/importmap verify compares vendored files with remotes #237

wants to merge 1 commit into from
+68 −7

Conversation

martinemde
Copy link
Contributor

@martinemde martinemde commented Jan 27, 2024
edited
Loading

In rubygems/rubygems.org#4396 we ran into the problem of verifying the provenance of files in vendor/javascript. This is a blocker for us using importmap-rails at this time.

In this PR, I attempted to add a process that could be run in CI that would download and verify that the files that are vendored are actually what would be downloaded fresh today.

I assume there are some edge-cases, or even really obvious cases, that I didn't handle in this PR. I wanted to start gathering feedback so I know if this is the right solution.

@Caleb-T-Owens
Copy link
Contributor

Heads up - PR will conflict with #235.

I'm happy to resolve the conflicts despite which may get merged first

@martinemde
Copy link
Contributor Author

@Caleb-T-Owens Thanks! I'd be happy to work with you on it assuming this PR is accepted.

@martinemde
Copy link
Contributor Author

martinemde commented Feb 19, 2024
edited
Loading

For reference, here is our importmap.rake where I implemented this verify step in rubygems.org.

Current output:

$ rake importmap:verify
Verifying packages in vendor/javascript
Verifying "@rails/ujs" download from https://ga.jspm.io/npm:@rails/ujs@7.1.3/app/assets/javascripts/rails-ujs.esm.js
Verified  "@rails/ujs" at vendor/javascript/@rails--ujs.js
Verifying "clipboard" download from https://ga.jspm.io/npm:clipboard@2.0.11/dist/clipboard.js
Verified  "clipboard" at vendor/javascript/clipboard.js
Verifying "jquery" download from https://ga.jspm.io/npm:jquery@3.7.1/dist/jquery.js
Verified  "jquery" at vendor/javascript/jquery.js
Verifying "stimulus-rails-nested-form" download from https://ga.jspm.io/npm:stimulus-rails-nested-form@4.1.0/dist/stimulus-rails-nested-form.mjs
Verified  "stimulus-rails-nested-form" at vendor/javascript/stimulus-rails-nested-form.js
Verifying "@hotwired/stimulus" download from https://ga.jspm.io/npm:@hotwired/stimulus@3.2.2/dist/stimulus.js
Verified  "@hotwired/stimulus" at vendor/javascript/@hotwired--stimulus.js
All pinned js in vendor/javascript verified.

I think the output could be cleaned up a bit.

@simi
Copy link

simi commented Mar 12, 2024

Is there anything we can do to move this forward? 🤔

@martinemde martinemde mentioned this pull request Oct 10, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@martinemde @Caleb-T-Owens @simi