feat: add access, fix provenance if new & unscoped
#305
Conversation
I'm sure it used to do this via Husky?
| @@ -90,15 +100,18 @@ tap.test( | |||
| 'pack', | |||
| '--dry-run', | |||
| ]) | |||
| t.pass('npm pack called') | |||
There was a problem hiding this comment.
I added a lot of these as without at least one test, Tap's output doesn't say which test in a file failed
There was a problem hiding this comment.
mhh interesting, I wasn't aware of that actually and I'm somewhat surprised, but ok tap does have some weird behaviors and I never quite found the output very readable, so I'm good with this change
|
Comments all make sense, I've simplified the options overrides and moved that fixed array to const.js with other constants |
There was a problem hiding this comment.
A few more comments. Would you mind testing the weird tap behavior in isolation to make sure we're not looking at a red herring? I would be surprised if an exception being thrown in a test (and not caused by a failing tap assertion) resulted in tap not printing the test where it occurred.
src/release.js
Outdated
| @@ -100,22 +100,41 @@ module.exports = async function ({ github, context, inputs }) { | |||
| const opticToken = inputs['optic-token'] | |||
| const npmToken = inputs['npm-token'] | |||
| const provenance = /true/i.test(inputs['provenance']) | |||
| const access = inputs['access'] | |||
|
|
|||
| // Can't limit custom action inputs to fixed options like "choice" type in a manual action | |||
There was a problem hiding this comment.
I think this comment is somewhat redundant as it's fairly obvious that you can't restrict what inputs are provided to an action
src/utils/provenance.js
Outdated
| const optionAdjustments = await getAccessAdjustment(publishOptions) | ||
|
|
||
| return optionAdjustments ?? {} |
There was a problem hiding this comment.
can we simplify this logic (no need to return an empty object) and rename the function to reflect better what it's doing (it's returning provenance-related publish options)
src/utils/publishToNpm.js
Outdated
|
|
||
| const packageInfo = await getPublishedInfo() | ||
| const packageName = packageInfo?.name | ||
| // Package has not been published before | ||
| if (!packageName) { |
There was a problem hiding this comment.
nit: can we make this condition depend on packageInfo instead of packageInfo?.name? then, inside this conditional, we can confidently say that packageInfo.name exists
There was a problem hiding this comment.
🤔 it's probably impossible in real life fornpm view --json to return an object that had no name property, but if it did and we did this, further down we'd exec npm --view undefined@x.y.x.
Can simplify it to if (!packageInfo?.name) return true(and ${packageInfo.name}@${version} below) I guess, that'd still be type safe for what the external service returns.
test/packageInfo.test.js
Outdated
| error: new Error('code E418 - unexpected teapot'), | ||
| }) | ||
|
|
||
| t.rejects(mocks.getPublishedInfo, /teapot/) |
There was a problem hiding this comment.
when you make async assertions (such as .rejects or .resolves), you need to either return or (preferably, in my opinion) await the result of the assertion, otherwise the assertion will be a noop
There was a problem hiding this comment.
Makes sense.
While mopping up my own instances of this, I've found a few pre-existing examples where I think tests aren't behaving as intended, e.g. there's several with a pattern like this in the execWithOutput tests from a few months ago:
t.resolves(execWithOutputModule.execWithOutput('ls', ['-al']), output)
execStub.calledWith('ls', ['-al'])I think these are intended to be like this:
await t.resolves(execWithOutputModule.execWithOutput('ls', ['-al']), output)
t.ok(execStub.calledWith('ls', ['-al']))...because as previously written, the execStub.calledWith will fire before the async exec actually happens, and just returns false into the void with no effect? I might fix these in a small separate PR.
There are also quite a lot of preexisting tests that end with unawaited unreturned t.rejects or t.resolves like the one above did.
There was a problem hiding this comment.
yes please, any async tap assertions need to be awaited for them to have any effect
test/provenance.test.js
Outdated
| async t => { | ||
| t.throws( | ||
| () => checkProvenanceViability(), | ||
| t.rejects( |
There was a problem hiding this comment.
same as previous comment. you've turned a sync assertion into an async one, hence you have to await the promise it returns
| @@ -90,15 +100,18 @@ tap.test( | |||
| 'pack', | |||
| '--dry-run', | |||
| ]) | |||
| t.pass('npm pack called') | |||
There was a problem hiding this comment.
mhh interesting, I wasn't aware of that actually and I'm somewhat surprised, but ok tap does have some weird behaviors and I never quite found the output very readable, so I'm good with this change
|
@simoneb I think I responded to all the comments, ready for re-review / merge (I don't have access to merge it myself) |
closes #301
This follows on from #302 (I started a new branch and PR based on that one as we're both on personal forks) and does two related things:
access: publicoraccess: restricted--access: publicif and only if:This would be a minor version bump on the action: the access control is a new feature, there's no breaking change or requirement to use the new feature because the provenance fix only has an affect when the package would have been public anyway.
Here's an example of an unscoped package published for the first time with provenance using this, without explicitly (redundantly) specifying the package to be public: https://www.npmjs.com/package/alansl-new-release-tester-2/v/0.1.0
@simoneb looks like I can't add you via "assign reviews" so I'll ping you here