Build: Add npm-pack verification to reproducible builds job

Switch to Node 16 while at it, as some of the bugs affecting reliable verification where not fixed until npm 7 and later, and Node 12 and Node 14 still came with npm 6, whereas Node 16 comes with npm 8. Fixes #1545.
qunitjs · Apr 24, 2022 · 0bf2d06 · 0bf2d06
1 parent b9eaf4a
commit 0bf2d06
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 16 deletions.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -13,7 +13,7 @@ jobs:
         include:
           - name: "Linux: Node 14"
             # Includes 'firefox', 'chromium', and more.
-            # https://github.com/actions/virtual-environments/blob/ubuntu20/20210302.0/images/linux/Ubuntu2004-README.md
+            # https://github.com/actions/virtual-environments/blob/ubuntu20/20220410.2/images/linux/Ubuntu2004-Readme.md
             os: ubuntu-20.04
             node: 14.x
             # Run the lint step only once because, in March 2022, GitHub began

diff --git a/.github/workflows/reproducible.yaml b/.github/workflows/reproducible.yaml
@@ -18,9 +18,9 @@ jobs:
     steps:
       - uses: actions/checkout@v2
 
-      - name: Use Node.js 12
+      - name: Use Node.js 16
         uses: actions/setup-node@v2
         with:
-          node-version: 12.x
+          node-version: 16.x
 
       - run: node build/reproducible-builds.js
diff --git a/build/reproducible-builds.js b/build/reproducible-builds.js
@@ -1,4 +1,10 @@
 // Helper for the "Reproducible builds" job.
+//
+// Prerequisites:
+// * Node.js 14+
+// * npm 7.7.0+
+// * tar (preinstalled on Linux/macOS)
+// * shasum (preinstalled on Linux/macOS)
 
 const cp = require('child_process');
 const fs = require('fs');
@@ -40,27 +46,36 @@ async function buildRelease (version, cacheDir = null) {
 
   // Use sync for npm-ci to avoid concurrency bugs with shared cache
   console.log(`... ${version}: installing development dependencies from npm`);
+  const npmEnv = {
+    npm_config_cache: cacheDir,
+    npm_config_update_notifier: 'false',
+    PATH: process.env.PATH,
+    PUPPETEER_DOWNLOAD_PATH: path.join(cacheDir, 'puppeteer_download')
+  };
   cp.execFileSync('npm', ['ci'], {
-    env: {
-      npm_config_cache: cacheDir,
-      npm_config_update_notifier: 'false',
-      PATH: process.env.PATH,
-      PUPPETEER_DOWNLOAD_PATH: path.join(cacheDir, 'puppeteer_download')
-    },
+    env: npmEnv,
     cwd: gitDir
   });
 
   console.log(`... ${version}: building release`);
   await execFile('npm', ['run', 'build'], {
-    env: {
-      PATH: process.env.PATH
-    },
+    env: npmEnv,
+    cwd: gitDir
+  });
+
+  console.log(`... ${version}: packing npm package`);
+  await execFile('npm', ['pack'], {
+    env: npmEnv,
     cwd: gitDir
   });
 
   return {
     js: fs.readFileSync(gitDir + '/qunit/qunit.js', 'utf8'),
-    css: fs.readFileSync(gitDir + '/qunit/qunit.css', 'utf8')
+    css: fs.readFileSync(gitDir + '/qunit/qunit.css', 'utf8'),
+    tgz: cp.execFileSync(
+      'shasum', ['-a', '256', '-b', `qunit-${version}.tgz`],
+      { encoding: 'utf8', cwd: gitDir }
+    )
   };
 }
 
@@ -102,7 +117,7 @@ const Reproducible = {
         }
 
         const tarball = data.versions[version].dist.tarball;
-        const tarFile = path.join(tempDir, `npm-${version}${path.extname(tarball)}`);
+        const tarFile = path.join(tempDir, path.basename(tarball));
         await utils.downloadFile(tarball, tarFile);
 
         releases[version].npm = {
@@ -113,6 +128,10 @@ const Reproducible = {
           css: cp.execFileSync(
             'tar', ['-xOf', tarFile, 'package/qunit/qunit.css'],
             { encoding: 'utf8' }
+          ),
+          tgz: cp.execFileSync(
+            'shasum', ['-a', '256', '-b', path.basename(tarball)],
+            { encoding: 'utf8', cwd: tempDir }
           )
         };
       }
@@ -143,8 +162,8 @@ const Reproducible = {
         }
 
         let verified = true;
-        for (const distro of ['cdn', 'npm']) {
-          for (const file of ['js', 'css']) {
+        for (const distro in release) {
+          for (const file in release[distro]) {
             if (release[distro][file] !== build[file]) {
               verified = false;
               console.error(
@@ -163,6 +182,7 @@ const Reproducible = {
             }
           }
         }
+
         if (verified) {
           console.log(`QUnit ${version} is reproducible and matches distributions!`);
         }