fix(ng-dev/release): run yarn integrity check before performing a release #264
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
josephperrott
added
action: merge
josephperrott
force-pushed
the
integrity-check
branch
from
ce1339c to
a40a49c
Compare
devversion
approved these changes
Oct 13, 2021
| */ | ||
| export async function invokeYarnIntegryCheck(projectDir: string): Promise<void> { | ||
| try { | ||
| await spawn('yarn', ['check', '--integrity'], {cwd: projectDir, mode: 'silent'}); |
There was a problem hiding this comment.
Do we actually need https://classic.yarnpkg.com/en/docs/cli/check/#toc-yarn-check-verify-tree?
seems like the integrity check just checks the package json against the lock file unless I misunderstand the documentation.
There was a problem hiding this comment.
I think we need both, now that I read it closer.
Because we want to make sure that our package.json matches installed deps and we want to make sure that our package.json matches our yarn.lock.
Does that make sense?
There was a problem hiding this comment.
I think that makes sense, yeah 👍
…e performing a release If the ng-dev command is run with an outdate version of the package, a dev may perform a release without the latest changes to the tooling. This can lead to not creating up to date artifacts and general issues. By checking if the installed dependencies match the expected dependencies before performing the action we can instruct the user to update their installed node_modules. An example where this change would have prevented issue: Framework releases from the patch branch which is currently a different version of the package as defined in package.json. Calling them version 1 and version 2, with version 2 being the latest version. A patch release is performed by checking out the latest commit from the upstream next branch, running yarn install and then running ng-dev release publish. This release process will occur using version 2 of the dev-infra package. During the release process, the patch branch is checked out and yarn install is performed, causing version 1 to be installed. Upon completion of the patch release, the next release is attempted unknowingly triggered using version 1 of the package. While generated artifacts are already ensured to built with the correct dependency by the process, the tool itself is already running before this check can occur. Instead version 1 of the package is used to process the release, potentially resulting in an errant or unexpected process. This situation will now be prevented by validating the expected version is being used for the action process, in the situation above the user would be informed that yarn install was needed before performing the second release.
…s before performing a release
josephperrott
force-pushed
the
integrity-check
branch
from
a40a49c to
9393673
Compare
…s before performing a release
|
This PR was merged into the repository by commit f31797a. |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the ng-dev command is run with an outdate version of the package, a dev may perform a release without
the latest changes to the tooling. This can lead to not creating up to date artifacts and general issues.
By checking if the installed dependencies match the expected dependencies before performing the action we
can instruct the user to update their installed node_modules.
An example where this change would have prevented issue:
Framework releases from the patch branch which is currently a different version of the package as defined in
package.json. Calling them version 1 and version 2, with version 2 being the latest version. A patch release
is performed by checking out the latest commit from the upstream next branch, running yarn install and then
running ng-dev release publish. This release process will occur using version 2 of the dev-infra package.
During the release process, the patch branch is checked out and yarn install is performed, causing version 1
to be installed. Upon completion of the patch release, the next release is attempted unknowingly triggered
using version 1 of the package. While generated artifacts are already ensured to built with the correct
dependency by the process, the tool itself is already running before this check can occur. Instead version 1
of the package is used to process the release, potentially resulting in an errant or unexpected process.
This situation will now be prevented by validating the expected version is being used for the action process,
in the situation above the user would be informed that yarn install was needed before performing the second
release.