chore(ci): prevent publishing invalid SRIs #2042

Merged

merged 2 commits into from

Feb 12, 2020
Conversation

WilcoFiers
Contributor

@WilcoFiers WilcoFiers commented Feb 12, 2020

An SRI is essentially a hash of axe.js. As of version 3.1 (I think), we are bundling a few external dependencies into axe-core. This hash is created when we create the release branch, and put into sri-history.json. If any of the dependencies is different when we build locally for the release branch from when we build in CI right before executing npm publish, axe-core will not be identical, and the SRI in sri-history.json will be incorrect.

To fix this, this PR:

  1. add a package-lock file, and use npm ci to ensure the server build has the dependencies in the lock file
  2. make npm ci part of the npm run release script, to ensure dependencies are in sync with package-lock
  3. Add npm run sri-validate before releasing to test the sri matches what is in sri-history.json

Reviewer checks

Required fields, to be filled out by PR reviewer(s)

  • Follows the commit message policy, appropriate for next version
  • Code is reviewed for security

@WilcoFiers WilcoFiers requested a review from a team as a code owner February 12, 2020 07:57
Member

@stephenmathieson stephenmathieson left a comment

It's not clear why this fixes anything with SRIs. Please include documentation for this change.

@straker
Contributor

straker commented Feb 12, 2020

We should merge #2041 first so the sri-validate can work locally

@straker
Contributor

straker commented Feb 12, 2020

Nm, won't work anyway. Merge away.

@WilcoFiers WilcoFiers merged commit bd58518 into develop Feb 12, 2020
@WilcoFiers WilcoFiers deleted the prevent-sri-bug branch February 12, 2020 17:13
straker pushed a commit that referenced this pull request Feb 12, 2020
* chore(ci): prevent publishing invalid SRIs

* chore: run npm ci in prebump release hook
3 participants