fix!: publish shrinkwrap with production dependencies only (#5547)

netlify · Apr 14, 2023 · fc38644 · fc38644 · github-actions · Apr 14, 2023
1 parent 7215229
commit fc38644
Show file tree

Hide file tree

Showing 16 changed files with 93 additions and 52 deletions.
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -15,10 +15,8 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: '*'
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
-          check-latest: true
+          node-version: lts/*
+          cache: npm
       - name: Install dependencies
         run: npm ci --no-audit && npm prune --production
       - name: Get size

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -31,14 +31,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
+          cache: npm
           check-latest: true
       - name: Cache verdaccio storage
         uses: actions/cache@v3
         with:
           path: ./.verdaccio-storage
-          key: verdaccio-e2e-cli-${{ hashFiles('./npm-shrinkwrap.json') }}
+          key: verdaccio-e2e-cli-${{ hashFiles('./package-lock.json') }}
       - name: Install dependencies
         run: npm ci --no-audit
       - name: Install pnpm

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -47,8 +47,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
+          cache: npm
           check-latest: true
         if: '${{!steps.release-check.outputs.IS_RELEASE}}'
       - name: Setup Deno

diff --git a/.github/workflows/legacy-tests.yml b/.github/workflows/legacy-tests.yml
@@ -47,8 +47,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
+          cache: npm
           check-latest: true
         if: '${{!steps.release-check.outputs.IS_RELEASE}}'
       - name: Setup Deno

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -11,15 +11,11 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
-          node-version: '*'
-          cache: 'npm'
-          check-latest: true
-          cache-dependency-path: 'npm-shrinkwrap.json'
+          node-version: lts/*
+          cache: npm
           registry-url: 'https://registry.npmjs.org'
       - name: Install core dependencies
         run: npm ci --no-audit
-      - name: Install site dependencies
-        run: npm run site:build:install
       - name: Extract tag and version
         id: extract
         run: |-
@@ -43,6 +39,6 @@ jobs:
       - name: Push changes
         run: git push --follow-tags
       - name: Run npm publish
-        run: npm publish --tag=${{ steps.extract.outputs.tag }} --ignore-scripts
+        run: npm publish --tag=${{ steps.extract.outputs.tag }}
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -4,41 +4,40 @@ on:
     branches:
       - main
 jobs:
-  release-please:
+  create-release:
     runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
     steps:
       - uses: navikt/github-app-token-generator@a3831f44404199df32d8f39f7c0ad9bb8fa18b1c
         id: get-token
         with:
           private-key: ${{ secrets.TOKENS_PRIVATE_KEY }}
           app-id: ${{ secrets.TOKENS_APP_ID }}
+
       - uses: GoogleCloudPlatform/release-please-action@v3
         id: release
         with:
           token: ${{ steps.get-token.outputs.token }}
           release-type: node
-          package-name: 'netlify-cli'
+          package-name: netlify-cli
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: create-release
+    if: ${{ needs.create-release.outputs.release_created }}
+    steps:
       - uses: actions/checkout@v3
-        if: ${{ steps.release.outputs.release_created }}
+
       - uses: actions/setup-node@v3
         with:
-          node-version: '*'
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
-          check-latest: true
+          node-version: lts/*
+          cache: npm
           registry-url: 'https://registry.npmjs.org'
-        if: ${{ steps.release.outputs.release_created }}
-      # required for linting to pass
-      - name: Install site dependencies
-        run: npm run site:build:install
-        if: ${{ steps.release.outputs.release_created }}
+
       - name: Install core dependencies
         run: npm ci --no-audit
-        if: ${{ steps.release.outputs.release_created }}
+
       - run: npm publish
-        if: ${{ steps.release.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
-          # required for tests to pass
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          NETLIFY_TEST_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -30,8 +30,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
+          cache: npm
           check-latest: true
         if: '${{!steps.release-check.outputs.IS_RELEASE}}'
       - name: Install core dependencies

diff --git a/.github/workflows/verify-docs.yml b/.github/workflows/verify-docs.yml
@@ -16,10 +16,8 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: '*'
-          cache: 'npm'
-          cache-dependency-path: 'npm-shrinkwrap.json'
-          check-latest: true
+          node-version: lts/*
+          cache: npm
       - name: Install core dependencies
         run: npm ci --no-audit
       - name: Install site dependencies

diff --git a/.npmrc b/.npmrc
diff --git a/npm-shrinkwrap.json → package-lock.json b/npm-shrinkwrap.json → package-lock.json
diff --git a/package.json b/package.json
@@ -38,7 +38,7 @@
     "url": "https://github.com/netlify/cli/issues"
   },
   "scripts": {
-    "prepare": "husky install node_modules/@netlify/eslint-config-node/.husky/",
+    "prepare": "is-ci || husky install node_modules/@netlify/eslint-config-node/.husky/",
     "start": "node ./bin/run.mjs",
     "test": "run-s format test:dev",
     "format": "run-s format:check-fix:*",
@@ -68,11 +68,12 @@
     "site:build:install": "cd site && npm ci --no-audit",
     "site:build:assets": "cd site && npm run build",
     "postinstall": "node ./scripts/postinstall.mjs",
+    "prepublishOnly": "node ./scripts/prepare-for-publish.mjs",
     "certs": "openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256 -subj \"/CN=localhost\" -extensions EXT -config certconf"
   },
   "config": {
     "eslint": "--cache --format=codeframe --max-warnings=0 \"{src,scripts,site,tests,.github}/**/*.{mjs,cjs,js,md,html}\" \"*.{mjs,cjs,js,md,html}\" \".*.{mjs,cjs,js,md,html}\"",
-    "prettier": "--ignore-path .eslintignore --loglevel=warn \"{src,tools,scripts,site,tests,.github}/**/*.{mjs,cjs,js,md,yml,json,html}\" \"*.{mjs,cjs,js,yml,json,html}\" \".*.{mjs,cjs,js,yml,json,html}\" \"!CHANGELOG.md\" \"!npm-shrinkwrap.json\" \"!**/*/package-lock.json\" \"!.github/**/*.md\""
+    "prettier": "--ignore-path .eslintignore --loglevel=warn \"{src,tools,scripts,site,tests,.github}/**/*.{mjs,cjs,js,md,yml,json,html}\" \"*.{mjs,cjs,js,yml,json,html}\" \".*.{mjs,cjs,js,yml,json,html}\" \"!CHANGELOG.md\" \"!**/*/package-lock.json\" \"!.github/**/*.md\""
   },
   "dependencies": {
     "@fastify/static": "^6.6.0",
@@ -198,6 +199,7 @@
     "graphviz": "^0.0.9",
     "husky": "^8.0.0",
     "ini": "^2.0.0",
+    "is-ci": "^3.0.1",
     "mock-fs": "^5.1.2",
     "nock": "^13.2.4",
     "p-timeout": "^4.0.0",

diff --git a/scripts/prepare-for-publish.mjs b/scripts/prepare-for-publish.mjs
@@ -0,0 +1,46 @@
+import { readFile, writeFile } from 'fs/promises'
+import { dirname, join } from 'path'
+import { fileURLToPath } from 'url'
+
+import execa from 'execa'
+import ora from 'ora'
+
+// These scripts from package.json need to be preserved on publish
+const preserveScripts = new Set(['postinstall', 'postpack', 'preinstall', 'prepack', 'prepublish', 'prepublishOnly'])
+
+let spinner = ora({
+  spinner: 'star',
+  text: 'Patching package.json (removing devDependencies, scripts, etc)',
+}).start()
+
+const dir = dirname(fileURLToPath(import.meta.url))
+const packageJsonPath = join(dir, '../package.json')
+
+const pkgJson = JSON.parse(await readFile(packageJsonPath))
+
+delete pkgJson.devDependencies
+delete pkgJson.ava
+delete pkgJson.config
+
+// eslint-disable-next-line fp/no-loops
+for (const scriptName in pkgJson.scripts) {
+  if (preserveScripts.has(scriptName)) continue
+
+  delete pkgJson.scripts[scriptName]
+}
+await writeFile(packageJsonPath, JSON.stringify(pkgJson, null, 2))
+spinner.succeed()
+
+spinner = ora({
+  spinner: 'star',
+  text: 'Running `npm install --no-audit`',
+}).start()
+await execa('npm', ['install', '--no-audit'])
+spinner.succeed()
+
+spinner = ora({
+  spinner: 'star',
+  text: 'Running `npm shrinkwrap`',
+}).start()
+await execa('npm', ['shrinkwrap'])
+spinner.succeed()
diff --git a/tools/affected-test.mjs b/tools/affected-test.mjs
@@ -33,7 +33,7 @@ export const getAffectedFiles = (changedFiles) => {
 
   // in this case all files are affected
   if (
-    changedFiles.includes('npm-shrinkwrap.json') ||
+    changedFiles.includes('package-lock.json') ||
     changedFiles.includes('package.json') ||
     changedFiles.includes(join('.github', 'workflows', 'main.yml'))
   ) {

diff --git a/tools/e2e/setup.mjs b/tools/e2e/setup.mjs
@@ -1,7 +1,7 @@
 import { appendFile, mkdtemp, readFile, rm, writeFile } from 'fs/promises'
 import { tmpdir } from 'os'
 import { dirname, join, normalize, sep } from 'path'
-import { cwd, env } from 'process'
+import { env } from 'process'
 import { fileURLToPath } from 'url'
 
 import execa from 'execa'
@@ -12,6 +12,7 @@ import { runServer } from 'verdaccio'
 import { fileExistsAsync } from '../../src/lib/fs.mjs'
 
 const dir = dirname(fileURLToPath(import.meta.url))
+const rootDir = normalize(join(dir, '../..'))
 
 const VERDACCIO_TIMEOUT_MILLISECONDS = 60 * 1000
 const START_PORT_RANGE = 5000
@@ -24,7 +25,7 @@ const getVerdaccioConfig = () => ({
   // workaround
   // on v5 the `self_path` still exists and will be removed in v6 of verdaccio
   self_path: dir,
-  storage: normalize(join(dir, '../../.verdaccio-storage')),
+  storage: normalize(join(rootDir, '.verdaccio-storage')),
   web: { title: 'Test Registry' },
   max_body_size: '128mb',
   // Disable creation of users this is only meant for integration testing
@@ -104,7 +105,7 @@ export const setup = async () => {
   const { storage, url } = await startRegistry()
   const workspace = await mkdtemp(`${tmpdir()}${sep}e2e-test-`)
 
-  const npmrc = fileURLToPath(new URL('../../.npmrc', import.meta.url))
+  const npmrc = join(rootDir, '.npmrc')
   const registryWithAuth = `//${url.hostname}:${url.port}/:_authToken=dummy`
   let backupNpmrc
 
@@ -125,10 +126,15 @@ export const setup = async () => {
     }
 
     // publish the CLI package to our registry
-    await execa('npm', ['publish', `--registry=${url}`, '--tag=testing', cwd()], {
+    await execa('npm', ['publish', `--registry=${url}`, '--tag=testing'], {
       stdio: env.DEBUG ? 'inherit' : 'ignore',
+      cwd: rootDir,
     })
 
+    // Reset the workspace, as npm publish does patch package.json etc
+    await execa('git', ['checkout', '.'], { cwd: rootDir })
+    await execa('npm', ['install', '--no-audit'], { cwd: rootDir })
+
     console.log(`------------------------------------------
   Published to ${url}
   Verdaccio: ${storage}

diff --git a/tools/tests/affected-files.test.mjs b/tools/tests/affected-files.test.mjs
@@ -44,9 +44,9 @@ test.only('should get all files marked as affected when the package.json is touc
   t.deepEqual(affectedFiles, mockedTestFiles)
 })
 
-test.serial('should get all files marked as affected when the npm-shrinkwrap.json is touched', async (t) => {
+test.serial('should get all files marked as affected when the package-lock.json is touched', async (t) => {
   const consoleStub = t.context.sandbox.stub(console, 'log').callsFake(() => {})
-  const { affectedFiles, mockedTestFiles } = await getAffectedFilesFromMock(['npm-shrinkwrap.json'])
+  const { affectedFiles, mockedTestFiles } = await getAffectedFilesFromMock(['package-lock.json'])
 
   t.truthy(consoleStub.firstCall.calledWith('All files are affected based on the changeset'))
   t.deepEqual(affectedFiles, mockedTestFiles)

diff --git a/tools/tests/utils/file-systems.mjs b/tools/tests/utils/file-systems.mjs
@@ -1,7 +1,7 @@
 import { join } from 'path'
 
 const baseFiles = {
-  'npm-shrinkwrap.json': '',
+  'package-lock.json': '',
   'README.md': '',
 }