bin/importmap verify compares vendored files with remotes #237
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In rubygems/rubygems.org#4396 we ran into the problem of verifying the provenance of files in vendor/javascript. This is a blocker for us using importmap-rails at this time.
In this PR, I attempted to add a process that could be run in CI that would download and verify that the files that are vendored are actually what would be downloaded fresh today.
I assume there are some edge-cases, or even really obvious cases, that I didn't handle in this PR. I wanted to start gathering feedback so I know if this is the right solution.