
bin/importmap verify compares vendored files with remotes #237

Open
wants to merge 1 commit into
base: main

Conversation

martinemde
Contributor

martinemde commented Jan 27, 2024

In rubygems/rubygems.org#4396 we ran into the problem of verifying the provenance of files in vendor/javascript. This is a blocker for us using importmap-rails at this time.

In this PR, I attempted to add a process that could be run in CI that would download and verify that the files that are vendored are actually what would be downloaded fresh today.

I assume there are some edge-cases, or even really obvious cases, that I didn't handle in this PR. I wanted to start gathering feedback so I know if this is the right solution.

@Caleb-T-Owens
Contributor

Heads up - PR will conflict with #235.

I'm happy to resolve the conflicts regardless of which one gets merged first.

@martinemde
Contributor Author

@Caleb-T-Owens Thanks! I'd be happy to work with you on it assuming this PR is accepted.

@martinemde
Contributor Author

martinemde commented Feb 19, 2024

For reference, here is our importmap.rake where I implemented this verify step in rubygems.org.

Current output:

$ rake importmap:verify
Verifying packages in vendor/javascript
Verifying "@rails/ujs" download from https://ga.jspm.io/npm:@rails/ujs@7.1.3/app/assets/javascripts/rails-ujs.esm.js
Verified  "@rails/ujs" at vendor/javascript/@rails--ujs.js
Verifying "clipboard" download from https://ga.jspm.io/npm:clipboard@2.0.11/dist/clipboard.js
Verified  "clipboard" at vendor/javascript/clipboard.js
Verifying "jquery" download from https://ga.jspm.io/npm:jquery@3.7.1/dist/jquery.js
Verified  "jquery" at vendor/javascript/jquery.js
Verifying "stimulus-rails-nested-form" download from https://ga.jspm.io/npm:stimulus-rails-nested-form@4.1.0/dist/stimulus-rails-nested-form.mjs
Verified  "stimulus-rails-nested-form" at vendor/javascript/stimulus-rails-nested-form.js
Verifying "@hotwired/stimulus" download from https://ga.jspm.io/npm:@hotwired/stimulus@3.2.2/dist/stimulus.js
Verified  "@hotwired/stimulus" at vendor/javascript/@hotwired--stimulus.js
All pinned js in vendor/javascript verified.

I think the output could be cleaned up a bit.
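Added example (not part of this PR, nor rubygems.org's importmap.rake, nor any comment above): a minimal Ruby implementation of the verify step the PR describes, which re-downloads each pin and compares it with the vendored copy, and prints a summary in the style of the rake output shown above. The `Pin` struct, `verify_pins`, `format_report`, the injectable `fetcher:` and the `cdn.example` URLs are this example's own assumptions; importmap-rails keeps its pins differently.

```ruby
require "digest"
require "net/http"
require "uri"

# One vendored pin: package name, the URL it was downloaded from and the
# vendored file path. Field names are this example's own, not importmap-rails'.
Pin = Struct.new(:name, :url, :path, keyword_init: true)

# Default fetcher: a plain HTTPS GET that fails loudly on anything but 2xx.
# Any callable that takes a URL and returns the body can be substituted,
# which is how the check is exercised offline in the demo below.
DEFAULT_FETCHER = lambda do |url|
  response = Net::HTTP.get_response(URI(url))
  raise "#{url}: HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
  response.body
end

def sha256(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Compares each vendored file with a fresh download of its pin URL.
# Returns { name => :verified | :mismatch | :missing }. A :mismatch means the
# remote no longer serves the bytes that were vendored (or the vendored file
# was edited locally); :missing means the pin has no vendored file at all.
# The two are reported separately because they need different follow-up.
def verify_pins(pins, fetcher: DEFAULT_FETCHER)
  pins.each_with_object({}) do |pin, report|
    unless File.file?(pin.path)
      report[pin.name] = :missing
      next
    end
    local  = sha256(File.binread(pin.path))
    remote = sha256(fetcher.call(pin.url).b)
    report[pin.name] = local == remote ? :verified : :mismatch
  end
end

# True only when every pin verified; an empty report is not a pass.
def all_verified?(report)
  !report.empty? && report.values.all?(:verified)
end

# Human-readable summary modelled on the rake output; callers should branch
# on the return value of verify_pins / all_verified?, not on this text.
def format_report(report)
  lines = report.map do |name, status|
    case status
    when :verified then "Verified  #{name.inspect}"
    when :mismatch then "MISMATCH  #{name.inspect}: vendored file differs from remote"
    when :missing  then "MISSING   #{name.inspect}: vendored file not found"
    end
  end
  lines << (all_verified?(report) ? "All pins verified." : "Verification failed.")
  lines.join("\n")
end

# Stand-alone demo with a constructed in-memory "CDN" so nothing is downloaded.
if __FILE__ == $PROGRAM_NAME
  require "tmpdir"
  Dir.mktmpdir do |dir|
    path = File.join(dir, "example.js")
    File.binwrite(path, "export default 1;\n")
    cdn  = { "https://cdn.example/example.js" => "export default 1;\n" } # constructed
    pins = [Pin.new(name: "example", url: "https://cdn.example/example.js", path: path)]
    puts format_report(verify_pins(pins, fetcher: ->(url) { cdn.fetch(url) }))
  end
end
```

In CI the real `DEFAULT_FETCHER` is used and the job fails when `all_verified?` is false; comparing SHA-256 digests rather than raw strings keeps the report small and lets the same function later check against a recorded digest instead of a live download. Note that this only proves the vendored copy matches what the CDN serves today, not that either is the package the author published; that is the provenance gap the PR description mentions.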

@simi

simi commented Mar 12, 2024

Is there anything we can do to move this forward? 🤔

3 participants