Skip to content

dist/ content validation #2483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

dist/ content validation #2483

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
19abc02
add `package-check` ci job
GrantBirki Mar 17, 2025
a4d571e
use yarn instead of npm
GrantBirki Mar 17, 2025
0dc0059
build and package
GrantBirki Mar 17, 2025
013a943
Merge branch 'main' into package-check-ci
GrantBirki Mar 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions .github/workflows/package-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
name: package-check

on:
push:
branches:
- main
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
package-check:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Use Node.js 20.x
uses: actions/[email protected]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're pinning actions/upload-artifact, should we pin this as well?

Copy link

@parkerbxyz parkerbxyz Mar 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally, v4.3.0 is the latest.

Suggested change
uses: actions/setup-node@v4.2.0
uses: actions/setup-node@v4.3.0
Suggested change
uses: actions/setup-node@v4.2.0
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joshmgross I was going to but rather chose to keep it the same as all other references in this project for now:

changed-files/.github/workflows/test.yml

Lines 47 to 51 in 0fee5fb

- name: Use Node.js 20.x
uses: actions/[email protected]
with:
cache: 'yarn'
node-version: '20.x'

A pretty good follow-up PR to this one would be going through all 3rd party workflows in this project and pinning them to exact commit SHAs IMO.

Copy link

@cw-alexcroteau cw-alexcroteau Mar 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The maintainer seems to have pinned all other actions, I'd suggest pinning here as well.

with:
cache: 'yarn'
node-version: '20.x'

- name: install dependencies
run: yarn install

- name: rebuild the dist/ directory
run: yarn build && yarn package
Copy link

@ViacheslavKudinov ViacheslavKudinov Mar 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if something like it ?
yarn install && yarn build && yarn format && yarn package same as in https://github.com/tj-actions/changed-files/blob/main/package.json#L18C42-L18C51 and it is called there https://github.com/tj-actions/changed-files/blob/main/.github/workflows/test.yml#L72

      - run: yarn install && yarn build && yarn format && yarn package
      - run: git status --porcelain
      - run: git diff --exit-code

Anchore uses this approach in their Actions https://github.com/anchore/scan-action/blob/main/.github/workflows/test.yml#L18-L23
https://github.com/anchore/sbom-action/blob/main/.github/workflows/test.yml#L21-L25

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep that could work as well. I'm pretty much going to leave this PR here "as-is" since it works and this is an implementation I have personally used in the past and it comes right from GitHub's own public template on building Actions. If the maintainers want to adopt it, tweak it, or make modifications that is totally fine and I would expect them to do so.

The extra reasons why I chose this approach was:

  • It provides a way to debug unexpected (or even malicious) changes via the actions/upload-artifact step
  • Calling a yarn format (or similar step) hasn't ever been something that is required when I used this in the past

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good!
It will help to catch the similar issue in the future, no matter which implementation to use.
Thank you for creating the PR @GrantBirki


- name: compare the expected and actual dist/ directories
run: |
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after build. See status below:"
git diff
exit 1
fi
id: diff

# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # [email protected]
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
path: dist/