Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Establish a build/exec/deploy system #249

Open
5 of 11 tasks
Martii opened this issue Jul 9, 2014 · 16 comments
Open
5 of 11 tasks

Establish a build/exec/deploy system #249

Martii opened this issue Jul 9, 2014 · 16 comments
Assignees
Labels
feature Something we don't already have implemented to the best of knowledge but would like to see. needs discussion Blah, blah, blah, wahh, wahh, wahh, etc. security Usually relates to something critical. team biz This is similar to a meta discussion. tracking upstream Waiting, watching, wanting.
Milestone

Comments

@Martii
Copy link
Member

Martii commented Jul 9, 2014

Fork a command line minifier for dev tools on the OpenUserJS account

This will be needed in a while to minify what we want to before deploying along with a deploy.sh that is kept with sizzle and maybe here... depends on the secrets that need to be kept.

Dev and GH source should remain unminified at all times... only time minified should be existing is on deployment/testing... this may require some extra time with making sure minification doesn't clobber anything... usually they are quite good at what they do by now but to be safe an extra testing measure should be done.

This is probably a long term issue since it's going to take some time to undo what's been done.


We could also use, instead, a shell script with git directly to a folder and then use some .sh scripts to move things to the appropriate locations... keeping in mind .gitignore . e.g. we really need a build.sh system and exec.sh type system.


This section may change constantly...

  • VPS
  • Initialization system... perpetual tweaking possibly. Invoked via $ npm install or $ node dev/init.js
  • Exec... Invoked via $ npm start or $ node app.js ... process management roughed in.
  • Deploy... $ git pull on VPS
  • Minify CSS on the fly... partial... needs enabling of cache system and placement on the VPS tree with automated cleanup
  • Minify JavaScript on the fly... partial... needs enabling of cache system and placement on the VPS tree with automated cleanup... wants Test and support new option for *express-minify* with keeping comments #432
  • LESS caching (maybe... probable that express-minify is already doing this. Also bootstrap@4.x will use SASS)
  • Minify HTML
  • See if nock is viable for testing requests that aren't normally available in dev
  • ...
@Martii Martii changed the title Fork a command line minifier for dev tools on the OpenUserJS account Establish a build/exec/deploy system Jul 9, 2014
@cletusc
Copy link
Contributor

cletusc commented Jul 9, 2014

This is where something like #97 Grunt or gulp.js would come in. As far as I'm concerned, all tools (including deploy scripts) should be in the repo in some sort of build or deploy folder to store temp files (auth info or other files). Either build tool can concatenate and minify JS, CSS, or precompile mustache templates.

@Martii
Copy link
Member Author

Martii commented Jul 9, 2014

Thanks Cletus... I'll start reading up on these, including grunts repo. We definitely seem to have calls over many CDNs. This really should stop and be centralized. A build system could manage some of this... hopefully without merge conflicts... but I see multiple .css/.js files from different CDNs with the same naming. While I'm sure those sites might be credible it's impending doom if they change something and kill OUJS for some reason.

@cletusc
Copy link
Contributor

cletusc commented Jul 9, 2014

We can also use something along the lines of Bower in conjuction with these. You can set it up to pull a specific URL or repo, e.g. a known working version from a CDN or github, and then the build system can pull from that (just like anything in node_modules from npm install ...). When we need to update a version, it's as simple as changing the Bower info, then testing again. For this particular site, Grunt with Bower is probably the ideal combo.

@joeytwiddle
Copy link
Contributor

CloudFlare seems to be a pretty popular CDN: https://www.cloudflare.com/features-cdn

They have this collection for rarer scripts: http://cdnjs.com/

At least if they go down, many other websites will be broken too. ;)

Obviously Google has their own CDN: https://developers.google.com/speed/libraries/devguide

Some advantages of using a CDN over self-hosting:

  • Faster load for new users, because they may already have the scripts (URLs) in their cache (from visits to previous websites using the CDN).
  • Faster load because the CDNs set huge expiry dates (so we don't have to fiddle with that).

Disadvantages:

  • If the CDN is unreachable by the user for whatever reason, it affects our site. If we self-host all the files, then we are self-contained.
  • Hosting the scripts ourselves might work better for tor users (not sure about that).

@Martii
Copy link
Member Author

Martii commented Jul 9, 2014

I understand the only perk is for speed but with recent experiences these CDNs are more of a pain than a plus.

Disadvantages of a non-owned/managed CDN Advantages of a non-owned/managed CDN
Lack of consistency in the code base. e.g. we are referencing CSS files that have the same name and are just slightly different but presumably the same purpose... this is bad. Occasional and intermittent speed improvement
Lack of security esp. with .js hosted files
Lack of privacy. CDNs have always had this issue
On every machine in my nets the cache is cleared on browser close and open... occasionally during if it's initiated. Setting expiry dates isn't that difficult provided web standards are adhered to. ;)
Cloudflare is where we currently get our icons from and sometimes they never show up.
Ace editor has cross-domain issues when used on dev and occasionally on pro.
Their site goes down... we could be foo'd
Add-on Incompatibility of known blacklists

In general it's a bad practice if we don't own the management rights to the hosting space without some control of versioning. The weight of this merits hosting things ourselves or implementing project build controls. The files are relatively small so I don't think it's going to be much of an issue. The solution currently is to put these on our controlled site and have some sort of management to keep them up to date. I'd much rather we kill the site accidentally than someone else out there.

@Martii
Copy link
Member Author

Martii commented Jul 10, 2014

@cletusc
Hmm grunt requires a CLA to be signed if we ever need to contribute upstream. This is probably not a wise thing to mix with GPL... GPL will always take precedence in our project and usurping that clearly defined authority could be deemed as unsupported. There is also GHs licensing which this can conflict with. I'll still look into it some more but the gulp repo might be more viable but don't know if it's Bower compatible. Do you know off hand? Also if I was grunt I wouldn't be advertising that Adobe is one of their users... imeo they have some of most buggy closed source software around and we all get to pay for it usually. ;)


There's still always the option of doing this as natively as possible with git. Bash shell scripts can do just about anything and has a longer mtbf since it's been around since the dawn of terminal shells.


Related chatter:

Martii referenced this issue in Martii/OpenUserJS.org Jul 18, 2014
* Mostly covered from USO with a few additions/changes

Applies to OpenUserJS#116
Martii pushed a commit to Martii/OpenUserJS.org that referenced this issue Jul 27, 2014
**NOTE** This is currently unminified... whenever OpenUserJS#249 gets implemented we can minimize on deploy... 'till then think big!
@Martii
Copy link
Member Author

Martii commented Jul 27, 2014

@cletusc Cc: @sizzlemctwizzle
Silly question... why would we want to use Bower which has a wrapped package for their system instead of $ npm directly which supports GH repo's? So far jQuery and ACE are on Bower but they are also on GH (jQuery on npm however ACE is not that I can find but I searched on GH for #281)... so couldn't we just use the npm package.json to do the downloading/updating/versioning? Does nodejitsu support GH downloads in package.json? We'll still need something to minify and I'm liking the docs for gulp since it doesn't use intermediate files as much. I assume that we can pull from the node_modules folder anything we want to a build or test folder, and deploy folder. (and/or reuse the dev folder)

$ npm install -h
npm install
npm install <pkg>
npm install <pkg>@<tag>
npm install <pkg>@<version>
npm install <pkg>@<version range>
npm install <folder>
npm install <tarball file>
npm install <tarball url>
npm install <git:// url>
npm install <github username>/<github project>

@cletusc
Copy link
Contributor

cletusc commented Jul 27, 2014

so couldn't we just use the npm package.json to do the downloading/updating/versioning?

We could; the only downside is we wouldn't be able to do single files as with Bower.

I assume that we can pull from the node_modules folder

Or serve directly from the node_modules folder, if we ever wanted to go that route, but yes, npm/bower basically just downloads the package to node_modules/bower_components and you can deal with it just like any other file/folder.

@Martii
Copy link
Member Author

Martii commented Jul 27, 2014

the only downside is we wouldn't be able to do single files as with Bower.

It's unlikely that any dev would want skeleton code I think... deploying and testing could use gulp to scoot individual files around because they should be minified/uglified anyhow. I'd rather not bruise the original source when trying to track down a bug. Loading a minified file in takes FOREVER in any editor (save for VIM which is console based...even UltraEdit under Win has some issues sometimes) and I'm developing on a very new machine with a ton of processing power and memory... not to mention trying to search that. GH has some limitations too when the diff is too big but with smaller steps I think this can be managed. Thanks for your feedback.

Bower also creates a lot of weird hidden files... and somehow it created the same filename on my ext4 filesystem (not a symlink either)... so I'm a bit leery on that part. I also had to fill in the entire project information that is already in package.json and tell Bower that it was private (assume this needed to be done). So I'm leaning towards a -1 for Bower I think.

@cletusc
Copy link
Contributor

cletusc commented Jul 27, 2014

I'd rather not bruise the original source when trying to track down a bug.

I didn't mean we pick and choose files that we need. I meant that some repos out there have their source in a single file, without a package.json; along the same lines as having a userscript in a single file, some projects do the same.

Loading a minified file in takes FOREVER in any editor

Sublime Text 3 on windows opens a 575562 character minified file in way under a second, and prettifies it in < 3 seconds to 731301 characters (I do this once every couple of days). Time to upgrade :P

Bower also creates a lot of weird hidden files

Not on my setup (Win7). I run npm install -g bower, then add a bower.json. Doing a bower install doesn't add any hidden files that I'm seeing.

I also had to fill in the entire project information that is already in package.json and tell Bower that it was private

If you wanted to add "private": true in there, you can, but we aren't publishing to the bower registry; FWIW we don't have private in our package.json, so would could technically publish the project to the npm registry. Our only commands with bower should be bower install though, so it shouldn't be an issue. This is the absolute bare minimum bower.json; just the name is needed and then your deps.

{
  "name": "openuserjs",
  "dependencies": {
    "jquery": "2.0"
  }
}

Whatever we do, we could use npm to manage the packages that will work with it (e.g. packages with a package.json), and Bower for cases where it doesn't.

@Martii
Copy link
Member Author

Martii commented Jul 27, 2014

Little short there for Bower config... bare bones is:

{
  "name": "OpenUserJS.org",
  "version": "0.1.3",
  "homepage": "https://github.com/OpenUserJs/OpenUserJS.org",
  "description": "An open source user scripts repo built using Node.js",
  "main": "./app.js",
  "moduleType": [
    "node"
  ],
  "keywords": [
    "user",
    "script",
    "userscript"
  ],
  "authors": [
    "sizzlemctwizzle"
  ],
  "license": "GPL-3.0+",
  "private": true,
  "ignore": [
    "**/.*",
    "node_modules",
    "bower_components",
    "test",
    "tests"
  ],
  "dependencies": {
    "ace-builds": "~1.1.5",
    "jquery": "~2.1.1"
  }
}

Having to maintain two separate configs is going in the opposite direction of what this issue is intended. I'm also thinking none of them are going to address rereferencing things that get suffixed e.g. filename.min.js vs filename.js in our actual source.

Let's not get into a debate on editors. Besides I have no intention of reading minified code for any reason. ;) :)


I meant that some repos out there have their source in a single file

The only time this currently applies that I've seen is with some CSS that we pull, for no apparent reason. I would think we would want to handle this ourselves. The google fonts were a prime example of what not to do. Fonts almost never change. I'm using some ttf's from the early 90's and they still work like a charm on every system... granted wrappers have changed a bit for open fonts but they still don't change.

@cletusc
Copy link
Contributor

cletusc commented Jul 27, 2014

Little short there for Bower config

Not if we are just consuming deps. Absolute bare minimum is what I posted--see the bower.json spec; all the other stuff is if you are publishing to the Bower registry, of which we are not.

Besides I have no intention of reading minified code for any reason.

Unfortunately, I have to for a userscript; gotta see how the site does certain things to prevent conflicts :D

@Martii
Copy link
Member Author

Martii commented Jul 27, 2014

without a package.json;

There's also this. So the rule would be download whatever is there instead of a versioned item. This seems like a recipe for disaster with multiple file management.

I'm still curious why we have CSS files that are nearly the same but slightly different referenced from cloudflare... I would think that our CSS would be the same and we would want to track changes here on GH instead of blindly following some CDN out there that only has one file on it that may or may not be available at the time of querying.


gotta see how the site does certain things to prevent conflicts

Do you mean if OUJS clobbers something with minification? Those projects that minify are using the same things we could be using. The minified code shouldn't be obfuscated or different. It was not easy determining the Ace version we have locally since those comment headers were stripped out.


Absolute bare minimum is what I posted

Well Bower install started what looked like a TCL/TCK script and starting asking me questions. New devs to the project would need to be instructed on how to use Bower and what not to pick. I think it could be an option chosen by a dev... we could locally ignore those folders but I don't think we should rely on CDNs unless we have to. In most cases it's best to track the changes here on GH and figure things out for ourselves. We can of course preview what others are doing that's why it's called a SCM repo here. :) We're still going to need some accelerator shell scripts too.

@cletusc
Copy link
Contributor

cletusc commented Jul 27, 2014

Do you mean if OUJS clobbers something with minification?

No, I mean I have to dig through this and this on a regular basis for this. Was off-topic.

@Martii Martii added this to the #249 milestone Aug 23, 2014
Martii pushed a commit to Martii/OpenUserJS.org that referenced this issue Aug 24, 2014
Applies to OpenUserJS#321 and the beginnings of OpenUserJS#249

Lightly related to OpenUserJS#262
@Martii Martii self-assigned this Sep 7, 2014
Martii referenced this issue in Zren/OpenUserJS.org Oct 15, 2014
Only validate request ips in production so we can test locally.
Webhook will now return 4xx status codes if something goes wrong.
Seperate github importing logic from the controller.
Move several controllers to their own file.
Moved /user/* routes to /account/*
Add github webhook test.

Broke /account/github/import
@Martii
Copy link
Member Author

Martii commented Oct 23, 2014

UPDATE

As I've been commenting and referencing/alluding galore for this issue this is a huge undertaking as well as a work in progress one step at a time.

With the recent discovery that $ npm currently has issues with GH urls as dependencies I'm tacking on tracking upstream because that portion needs to be fixed in npm

Target test:
$ npm install git://github.com/github/octicons.git That stream added package.json in a PR.

Also bumping the source tree down one level to src is probably what needs to be done in which @sizzlemctwizzle will need to be directly involved with this since deployment is affected as well.

This is where I am at.


Some rambling notes that are probably going to be changing in the comment to reduce the noise level a bit:

  • init or similar like build
  • exec
  • test
  • deploy

Martii pushed a commit to Martii/OpenUserJS.org that referenced this issue Apr 6, 2017
* Save a few bytes in the headers... not huge but some
* Leaving .meta.json full SHA512 for human visual inspection comparison in Admin + UI and with `sha512sum`

Applies to OpenUserJS#432 and OpenUserJS#249.  Possible addition to OpenUserJS#944 down the line.
Martii pushed a commit to Martii/OpenUserJS.org that referenced this issue Apr 6, 2017
Applies to OpenUserJS#432 and OpenUserJS#249.  Possible addition to OpenUserJS#944 down the line.
Martii added a commit that referenced this issue Apr 6, 2017
* Use base62 instead of base36

* Save a few bytes in the headers... not huge but some
* Leaving .meta.json full SHA512 for human visual inspection comparison in Admin + UI and with `sha512sum`

Applies to #432 and #249.  Possible addition to #944 down the line.
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Oct 31, 2017
* This probably won't be utilized much but may be useful for isPro mode for diagnosis

Applies to OpenUserJS#249
Martii added a commit that referenced this issue Oct 31, 2017
* Add environment variable for *morgan* pre-defined format

* This probably won't be utilized much but may be useful for isPro mode for diagnosis

Applies to #249

* White space backout


Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Jun 16, 2018
* `npm run clean` ... clears the caches. This is usually done when *uglify-* *(at some point terser)* needs a refreshing after a dep update *(and what I usually get to do by hand for the last few years)*
* Renamed existing scripts to match their counterpart names e.g.
* `npm run preinstall` ... will get rid of that pesky `package-lock.json` when needed and is run on `npm install` always
* `npm run postinstall`... well probably shouldn't run this directly at all but it's there none-the-less

NOTE:
* Most of these are meant to be very simple scripts. I'd use direct commands but then Windows users would be left out of the mix... so utilizing *node* native APIs

Applies to OpenUserJS#249
Martii added a commit that referenced this issue Jun 16, 2018
* `npm run clean` ... clears the caches. This is usually done when *uglify-* *(at some point terser)* needs a refreshing after a dep update *(and what I usually get to do by hand for the last few years)*
* Renamed existing scripts to match their counterpart names e.g.
* `npm run preinstall` ... will get rid of that pesky `package-lock.json` when needed and is run on `npm install` always
* `npm run postinstall`... well probably shouldn't run this directly at all but it's there none-the-less

NOTE:
* Most of these are meant to be very simple scripts. I'd use direct commands but then Windows users would be left out of the mix... so utilizing *node* native APIs

Applies to #249 

Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Sep 24, 2018
* Move `console` output to dev only for experimental minification

Applies to OpenUserJS#432 OpenUserJS#249 OpenUserJS#430
Martii added a commit that referenced this issue Sep 24, 2018
* Move `console` output to dev only for experimental minification

Applies to #432 #249 #430

Auto-merge
Martii added a commit that referenced this issue Apr 29, 2021
* May still do this manually per policy before triggered or failed.
* If an issue needs to be reopened for some reason reset lock if necessary.
* Adds a layer of security against occasional spamming.

Applies to #249 #1791

Ref:
* https://github.com/dessant/lock-threads

Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Apr 29, 2021
* Adopting a similar system to *@octokit/octokit*
* Since this needs to be spelled out... spelling it out.
* Embedded Unicode is prohibited *(is anyhow in STYLEGUIDE.md) in these files as a potential crash of git-scm can occur on some systems.
* GH discussions are still in Beta but used "Community-driven" for OUJS vs whatever nomenclature we use if we turn that feature on.

Applies to OpenUserJS#249 OpenUserJS#1792

Ref(s):
* https://yaml.org/spec/spec.html
* https://bugs.launchpad.net/ubuntu/+source/git/+bug/1852985#yui_3_10_3_1_1619665759075_313
Martii added a commit that referenced this issue Apr 29, 2021
* Adopting a similar system to *@octokit/octokit*
* Since this needs to be spelled out... spelling it out.
* Embedded Unicode is prohibited *(is anyhow in STYLEGUIDE.md)* in these files as a potential crash of git-scm can occur on some systems.
* GH discussions are still in Beta but used "Community-driven" for OUJS vs whatever nomenclature we use if we turn that feature on.
* z-order indexed for specific itemized list... excluding custom .yml due to GH nature.

Applies to #249 #1792

Ref(s):
* https://yaml.org/spec/spec.html
* https://bugs.launchpad.net/ubuntu/+source/git/+bug/1852985#yui_3_10_3_1_1619665759075_313

Auto-merge
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Jul 21, 2021
* This was already implemented pre W3C recommendation in our form but normalizing to their syntax.
* UI and DB remaining non-base64 encoded... semver limitation with extra characters that violate that spec.
* Change caching mechanism... unfortunately traffic for a while will be increased while syncing with browsers. Also because spec doesn't use hex, which it probably should, the eTag header value will be bigger. Hashes, so far, are always "hex-able" by design of SHA but that could change in the future... who knows.
* Base62 being dropped in favor of Base64 for cache mechanism. Should be okay with extra `+/` in base64 since that falls within ASCII limitations.
* Any .user.js utilizing the .meta.json, or other language, will need to modify to check for the `sha512-` prefix and decode the value appropriately.
* If .meta.json shows empty `hash` clear browser cache *(weird Fx issue perhaps)*
* Bugfix on local copy of metadata script access... non-fatal atm just incorrect live copy referenced.

Post OpenUserJS#1076 and applies to OpenUserJS#432 OpenUserJS#249

Ref(s):
* https://developer.mozilla.org/docs/Web/HTTP/Headers/ETag
* https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* https://w3c.github.io/webappsec-subresource-integrity/
* https://www.srihash.org/
Martii added a commit that referenced this issue Jul 21, 2021
* This was already implemented pre W3C recommendation in our form but normalizing to their syntax.
* UI and DB remaining non-base64 encoded... semver limitation with extra characters that violate that spec.
* Change caching mechanism... unfortunately traffic for a while will be increased while syncing with browsers. Also because spec doesn't use hex, which it probably should, the eTag header value will be bigger. Hashes, so far, are always "hex-able" by design of SHA but that could change in the future... who knows.
* Base62 being dropped in favor of Base64 for cache mechanism. Should be okay with extra `+/` in base64 since that falls within ASCII limitations.
* Any .user.js utilizing the .meta.json, or other language, will need to modify to check for the `sha512-` prefix and decode the value appropriately.
* If .meta.json shows empty `hash` clear browser cache *(weird Fx issue perhaps)*
* Bugfix on local copy of metadata script access... non-fatal atm just incorrect live copy referenced.

Post #1076 and applies to #432 #249

Ref(s):
* https://developer.mozilla.org/docs/Web/HTTP/Headers/ETag
* https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* https://w3c.github.io/webappsec-subresource-integrity/
* https://www.srihash.org/

Auto-merge
Martii added a commit that referenced this issue Sep 29, 2021
Update *Lock threads*

* Some of these options don't appear to be documented yet in the README.md

Applies to #249
Martii added a commit that referenced this issue Sep 29, 2021
Remove possible failure point error reported by Actions

Applies to #249
Martii added a commit to Martii/OpenUserJS.org that referenced this issue Jul 8, 2022
Post OpenUserJS#1076 OpenUserJS#1826 and applies to OpenUserJS#432 OpenUserJS#249

NOTE:
* This increases the server load for more frequent accuracy
Martii added a commit that referenced this issue Jul 8, 2022
Post #1076 #1826 and applies to #432 #249

NOTE:
* This increases the server load for more frequent accuracy

Auto-merge
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature Something we don't already have implemented to the best of knowledge but would like to see. needs discussion Blah, blah, blah, wahh, wahh, wahh, etc. security Usually relates to something critical. team biz This is similar to a meta discussion. tracking upstream Waiting, watching, wanting.
Development

No branches or pull requests

3 participants