feat(hex): use registry v2 for packages rather than hex.pm http API #29756
Conversation
bryannaegele
changed the title
bryannaegele
changed the title
bryannaegele
changed the title
bryannaegele
changed the title
|
Leaving this as a draft until there's an answer for this #29622 (comment) I am no TS expert, so please feel free to jump in and fix up whatever can be done better. |
Is this strictly necessary? The tgz has the registry version of the package wrapped in a signed wrapper. I don't have any way to create a version with less releases in it that would have a valid signature. I can try to find a different package as an example but this is one of the rare ones with retirements. |
|
Mix changes split to #29775 |
bryannaegele
force-pushed
the
feat/29622-hex-registry-support
branch
from
6f0e4ee to
97ceb1d
Compare
rarkins
changed the title
|
Alright. Made the following requested changes:
I have kept the generation script in tools so that if anyone should need to regenerate the files, it's as simple as possible. |
|
@bryannaegele FYI, you have merge conflicts |
Are y'all ready to merge this and the other PR? I'd like to not keep resolving the conflicts unless it's going to get merged. |
# Conflicts: # package.json # pnpm-lock.yaml
| override readonly releaseTimestampSupport = true; | ||
| override readonly releaseTimestampNote = | ||
| 'The release timestamp is determined the `inserted_at` field in the results.'; | ||
| override readonly releaseTimestampSupport = false; |
There was a problem hiding this comment.
that's a bad step back. isn't it possible to still support release time stamps?
this is really a breaking change and a new show stopper
There was a problem hiding this comment.
Timestamps are not a piece of metadata in the registry metadata. They are only a piece of metadata that hex.pm supports via its HTTP API which is not a requirement to run a registry.
inserted_at field is preserved but that field is only available for a package served from hexpm.
Can you explain why it's a showstopper? I understand it's a potentially breaking change but the original implementation was technically incorrect. I'm not sure how the releaseTimestampSupport is used. If we set it to true and the value isn't available for some packages, what would happen?
| function generateProto(protos_path: string, file: string): Promise<string> { | ||
| return new Promise((resolve, reject) => { | ||
| console.log(`Current directory: ${process.cwd()}`); | ||
| fs.readdirSync(process.cwd()).forEach((file) => { |
Co-authored-by: Michael Kriese <[email protected]>
Co-authored-by: Michael Kriese <[email protected]>
|
Handing to Maintainers to Finish I leave this PR and the Mix PR #29775 to the maintainers to complete. My limited time is better spent on my maintainer duties elsewhere. These PRs are required to Elixir/Hex support for companies to adopt Renovate in non-trivial setups. First-order support for the hex registry is necessary to support the Hex package manager. This was unfortunately missed during original implementation in the good faith effort to support Hex/Mix. Reasons for the handoff:
Three months and >100 hours greatly surpasses the level of effort I thought this would take when I volunteered to investigate and take a stab. Renovate is a great project. I hope you can find resources to complete the work @rarkins so we can consider using it for Elixir projects again someday. Thanks |
|
@bryannaegele thanks for your efforts. I've closed this if you're unable to continue and hope someone can pick it up in future. |
|
@viceice should have enough to wrap up. I'd hate to see all this work go to waste. |
|
@bryannaegele Thanks for your effort, it definitely isn't easy one 🤝 I'll take a look if I could reuse it as series of smaller changes. |
Changes
registryAliasesfor private repo/registry mappingmix.repo addin mix manager for private reposContext
#29622
This changes the
hexdatasource to use hex registry v2 for package management. Hex registries are not required to implement an http API likehex.pmhas, so the prior implementation prevented updating of packages in private repos such as oban pro. Additionally, due to the way mix works when updating dependencies,mix.lockfiles could not be updated when such a dependency existed and the mix manager ranmix deps.update <<updated packages>>.In order to keep as much parity with the prior implementation, hex.pm is used for supplemental package metadata where possible.
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: