From 3e4035e8776e98be1d08c35abf2a2b8002d1479a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Oct 2022 18:01:07 +0000
Subject: [PATCH 01/11] chore: bump @npmcli/eslint-config from 3.1.0 to 4.0.0

Bumps [@npmcli/eslint-config](https://github.com/npm/eslint-config) from 3.1.0 to 4.0.0.
- [Release notes](https://github.com/npm/eslint-config/releases)
- [Changelog](https://github.com/npm/eslint-config/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/eslint-config/compare/v3.1.0...v4.0.0)

---
updated-dependencies:
- dependency-name: "@npmcli/eslint-config"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 156d50e..76d9775 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
 "minipass": "^3.1.1"
 },
 "devDependencies": {
- "@npmcli/eslint-config": "^3.0.1",
+ "@npmcli/eslint-config": "^4.0.0",
 "@npmcli/template-oss": "4.5.1",
 "tap": "^16.0.1"
 },
From 0517555cb245f60cb01160dc040ece27bcb14518 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Oct 2022 18:02:17 +0000
Subject: [PATCH 02/11] chore: bump @npmcli/template-oss from 4.5.1 to 4.6.1

Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.5.1 to 4.6.1.
- [Release notes](https://github.com/npm/template-oss/releases)
- [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/template-oss/compare/v4.5.1...v4.6.1)

---
updated-dependencies:
- dependency-name: @npmcli/template-oss
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 76d9775..7aab521 100644
--- a/package.json +++ b/package.json @@ -51,7 +51,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.5.1", + "@npmcli/template-oss": "4.6.1", "tap": "^16.0.1" }, "engines": { From 989fcb2693bbab49f3b03b4e8f1876fff386509e Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Mon, 17 Oct 2022 14:07:45 -0700 Subject: [PATCH 03/11] chore: postinstall for dependabot template-oss PR --- .github/workflows/ci-release.yml | 80 +++++++++++++++++++---- .github/workflows/post-dependabot.yml | 4 +- .github/workflows/release.yml | 93 ++++++++++++++++++++++----- package.json | 2 +- 4 files changed, 149 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 9cc6b28..6dad88c 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -21,6 +21,39 @@ jobs: run: shell: bash steps: + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Lint All" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check 
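Review bot: The new `Get Workflow Job` step interpolates `${{ inputs.check-sha }}` directly into the JavaScript template literal that builds `shaUrl`, so the value is pasted into the script source before it is parsed instead of being read at run time; the step already takes `JOB_NAME` and `MATRIX_NAME` through `process.env`, so the sha should go the same way: add `CHECK_SHA: ${{ inputs.check-sha }}` under `env:` and write `` const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${process.env.CHECK_SHA}` ``. Here the value is a `workflow_call` input supplied by the calling workflow, so the practical injection exposure is low, but this step is a template that the same commit copies into the `Test All` job in the next hunk and into the `Release` and `Update - Release` jobs of release.yml, which interpolate `steps.release.outputs.pr-sha` and `steps.commit.outputs.sha` the same way. The summary text `This check is assosciated with` is also misspelled in all four copies and should read `associated`.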
@@ -30,12 +63,7 @@ jobs: status: in_progress name: Lint All sha: ${{ inputs.check-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Checkout uses: actions/checkout@v3 with: @@ -94,6 +122,39 @@ jobs: run: shell: ${{ matrix.platform.shell }} steps: + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Test All" + MATRIX_NAME: " - ${{ matrix.platform.name }} - ${{ matrix.node-version }}" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check 
@@ -103,12 +164,7 @@ jobs: status: in_progress name: Test All - ${{ matrix.platform.name }} - ${{ matrix.node-version }} sha: ${{ inputs.check-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Checkout uses: actions/checkout@v3 with: diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 88ac403..4393859 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -66,7 +66,7 @@ jobs: # This only sets the conventional commit prefix. This workflow can't reliably determine # what the breaking change is though. If a BREAKING CHANGE message is required then # this PR check will fail and the commit will be amended with stafftools - if [[ "${{ steps.dependabot-metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then + if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then prefix='feat!' else prefix='chore!' @@ -90,7 +90,7 @@ jobs: # and attempt to commit and push again. This is helpful because we will have a commit # with the correct prefix that we can then --amend with @npmcli/stafftools later. - name: Push All Changes Except Workflows - if: steps.apply.outputs.changes && steps.push-all.outcome == 'failure' + if: steps.apply.outputs.changes && steps.push.outcome == 'failure' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ed3865..2f7dee0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,7 @@ name: Release on: + workflow_dispatch: push: branches: - main 
@@ -51,17 +52,19 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npx --offline template-oss-release-please ${{ github.ref_name }} + npx --offline template-oss-release-please ${{ github.ref_name }} ${{ github.event_name }} - name: Post Pull Request Comment if: steps.release.outputs.pr-number uses: actions/github-script@v6 id: pr-comment env: PR_NUMBER: ${{ steps.release.outputs.pr-number }} + REF_NAME: ${{ github.ref_name }} with: script: | + const { REF_NAME, PR_NUMBER } = process.env const repo = { owner: context.repo.owner, repo: context.repo.repo } - const issue = { ...repo, issue_number: process.env.PR_NUMBER } + const issue = { ...repo, issue_number: PR_NUMBER } const { data: workflow } = await github.rest.actions.getWorkflowRun({ ...repo, run_id: context.runId }) @@ -70,7 +73,11 @@ jobs: const comments = await github.paginate(github.rest.issues.listComments, issue) let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id - body += `- Release workflow run: ${workflow.html_url}` + body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Rerun for This Release\n\n` + body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` + body += `To force CI to rerun, run this command:\n\n` + body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\`` + if (commentId) { await github.rest.issues.updateComment({ ...repo, comment_id: commentId, body }) } else { 
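Review bot: The changed `run:` line expands `${{ github.ref_name }}` and `${{ github.event_name }}` straight into the shell command, so a ref name containing shell metacharacters is evaluated by bash rather than passed as an argument. The same hunk already exports `REF_NAME: ${{ github.ref_name }}` for the following github-script step; add the same entry to this step's `env:` next to `GITHUB_TOKEN` and run `npx --offline template-oss-release-please "$REF_NAME" "$GITHUB_EVENT_NAME"` instead, since `GITHUB_EVENT_NAME` is already a default runner variable. With triggers limited to pushes on the listed branches and `workflow_dispatch`, only an actor who can already push or dispatch can influence `ref_name`, so the exposure is low and the point is mostly keeping the template's own env-variable pattern consistent.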
@@ -79,6 +86,39 @@ jobs: } return commentId + - name: Get Workflow Job + uses: actions/github-script@v6 + if: steps.release.outputs.pr-number + id: check-output + env: + JOB_NAME: "Release" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ steps.release.outputs.pr-sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -88,12 +128,7 @@ jobs: status: in_progress name: Release sha: ${{ steps.release.outputs.pr-sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} update: needs: release 
@@ -142,6 +177,39 @@ jobs: git commit --all --amend --no-edit || true git push --force-with-lease echo "::set-output name=sha::$(git rev-parse HEAD)" + - name: Get Workflow Job + uses: actions/github-script@v6 + + id: check-output + env: + JOB_NAME: "Update - Release" + MATRIX_NAME: "" + with: + script: | + const { owner, repo } = context.repo + + const { data } = await github.rest.actions.listJobsForWorkflowRun({ + owner, + repo, + run_id: context.runId, + per_page: 100 + }) + + const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME + const job = data.jobs.find(j => j.name.endsWith(jobName)) + const jobUrl = job?.html_url + + const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ steps.commit.outputs.sha }}` + + let summary = `This check is assosciated with ${shaUrl}\n\n` + + if (jobUrl) { + summary += `For run logs, click here: ${jobUrl}` + } else { + summary += `Run logs could not be found for a job with name: "${jobName}"` + } + + return { summary } - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check @@ -151,12 +219,7 @@ jobs: status: in_progress name: Release sha: ${{ steps.commit.outputs.sha }} - # XXX: this does not work when using the default GITHUB_TOKEN. - # Instead we post the main job url to the PR as a comment which - # will link to all the other checks. To work around this we would - # need to create a GitHub that would create on-demand tokens. - # https://github.com/LouisBrunner/checks-action/issues/18 - # details_url: + output: ${{ steps.check-output.outputs.result }} - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 if: always() diff --git a/package.json b/package.json index 7aab521..e94fee9 100644 --- a/package.json +++ b/package.json @@ -59,6 +59,6 @@ }, "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.5.1" + "version": "4.6.1" } } From 3901abf8ec67184f350abd0dd8a4eb59cf392d1d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 18 Oct 2022 18:02:01 +0000
Subject: [PATCH 04/11] chore: bump @npmcli/template-oss from 4.6.1 to 4.6.2

Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.6.1 to 4.6.2.
- [Release notes](https://github.com/npm/template-oss/releases)
- [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/template-oss/compare/v4.6.1...v4.6.2)

---
updated-dependencies:
- dependency-name: @npmcli/template-oss
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index e94fee9..94b139e 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^4.0.0",
- "@npmcli/template-oss": "4.6.1",
+ "@npmcli/template-oss": "4.6.2",
 "tap": "^16.0.1"
 },
 "engines": {
From e768176b1cce2fc8de25d6dc4bbab5b03e768636 Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Tue, 18 Oct 2022 23:23:10 -0700
Subject: [PATCH 05/11] chore: postinstall for dependabot template-oss PR

---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 94b139e..1fe3cbf 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,6 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "4.6.1"
+ "version": "4.6.2"
 }
 }
From 798e6770d76b3977c85acb67bff40ef6313ca4b4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Oct 2022 18:01:46 +0000 Subject: [PATCH 06/11] chore: bump @npmcli/template-oss from 4.6.2 to 4.8.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.6.2 to 4.8.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/template-oss/compare/v4.6.2...v4.8.0) --- updated-dependencies: - dependency-name: @npmcli/template-oss dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 1fe3cbf..71ab5a6 100644 --- a/package.json +++ b/package.json @@ -51,7 +51,7 @@ }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.6.2", + "@npmcli/template-oss": "4.8.0", "tap": "^16.0.1" }, "engines": { From da1f93f97b66c45f326a5eaf5c4b6b1f955b0900 Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Thu, 27 Oct 2022 22:11:57 -0700 Subject: [PATCH 07/11] chore: postinstall for dependabot template-oss PR --- .github/workflows/audit.yml | 6 ++-- .github/workflows/ci-release.yml | 18 ++++++---- .github/workflows/ci.yml | 50 --------------------------- .github/workflows/post-dependabot.yml | 2 +- .github/workflows/release.yml | 13 +++---- package.json | 2 +- 6 files changed, 25 insertions(+), 66 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 60bb334..62892f9 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -33,5 +33,7 @@ jobs: run: npm -v - name: Install Dependencies run: npm i --ignore-scripts --no-audit --no-fund --package-lock - - name: Run Audit - run: npm audit + - name: Run Production Audit + run: npm audit --omit=dev + - name: Run Full Audit + run: npm audit --audit-level=none 
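Review bot: The new `Run Full Audit` step passes `--audit-level=none`, which makes `npm audit` exit 0 regardless of what it reports, so this step can never fail the job and only the preceding `--omit=dev` step is actually gating. That may be the intent, but nothing in the workflow says so; a comment above the step such as `# informational only: --audit-level=none never fails the job, so dev-dependency advisories are not enforced` would stop a later maintainer from assuming dev dependencies are covered. If advisories in dev dependencies are meant to block, the second step needs a real threshold (for example `--audit-level=high`) rather than `none`.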
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 6dad88c..6e80aa6 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -3,6 +3,12 @@ name: CI - Release on: + workflow_dispatch: + inputs: + ref: + required: true + type: string + default: main workflow_call: inputs: ref: @@ -23,7 +29,7 @@ jobs: steps: - name: Get Workflow Job uses: actions/github-script@v6 - + if: inputs.check-sha id: check-output env: JOB_NAME: "Lint All" @@ -57,7 +63,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: inputs.check-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -88,7 +94,7 @@ jobs: run: npm run postlint --ignore-scripts - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: steps.check.outputs.check_id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} @@ -124,7 +130,7 @@ jobs: steps: - name: Get Workflow Job uses: actions/github-script@v6 - + if: inputs.check-sha id: check-output env: JOB_NAME: "Test All" @@ -158,7 +164,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: inputs.check-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -203,7 +209,7 @@ jobs: run: npm test --ignore-scripts - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: steps.check.outputs.check_id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6c934a..9cc149d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -14,56 +14,6 @@ on: - cron: "0 9 * * 1" jobs: - engines: - name: Engines - ${{ matrix.platform.name }} - ${{ matrix.node-version }} - if: github.repository_owner == 'npm' - strategy: - fail-fast: false - matrix: - platform: - - name: Linux - os: ubuntu-latest - shell: bash - node-version: - - 14.17.0 - - 16.13.0 - - 18.0.0 - runs-on: ${{ matrix.platform.os }} - defaults: - run: - shell: ${{ matrix.platform.shell }} - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Git User - run: | - git config --global user.email "npm-cli+bot@github.com" - git config --global user.name "npm CLI robot" - - name: Setup Node - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - name: Update Windows npm - # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows - if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.')) - run: | - curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz - tar xf npm-7.5.4.tgz - cd package - node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz - cd .. - rmdir /s /q package - - name: Install npm@7 - if: startsWith(matrix.node-version, '10.') - run: npm i --prefer-online --no-fund --no-audit -g npm@7 - - name: Install npm@latest - if: ${{ !startsWith(matrix.node-version, '10.') }} - run: npm i --prefer-online --no-fund --no-audit -g npm@latest - - name: npm Version - run: npm -v - - name: Install Dependencies - run: npm i --ignore-scripts --no-audit --no-fund --engines-strict - lint: name: Lint if: github.repository_owner == 'npm' diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index 4393859..19902bd 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml 
@@ -69,7 +69,7 @@ jobs: if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then prefix='feat!' else - prefix='chore!' + prefix='chore' fi echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f7dee0..15d37cb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,7 @@ on: branches: - main - latest + - release/v* permissions: contents: write @@ -88,7 +89,7 @@ jobs: return commentId - name: Get Workflow Job uses: actions/github-script@v6 - if: steps.release.outputs.pr-number + if: steps.release.outputs.pr-sha id: check-output env: JOB_NAME: "Release" @@ -122,7 +123,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - if: steps.release.outputs.pr-number + if: steps.release.outputs.pr-sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -179,7 +180,7 @@ jobs: echo "::set-output name=sha::$(git rev-parse HEAD)" - name: Get Workflow Job uses: actions/github-script@v6 - + if: steps.commit.outputs.sha id: check-output env: JOB_NAME: "Update - Release" @@ -213,7 +214,7 @@ jobs: - name: Create Check uses: LouisBrunner/checks-action@v1.3.1 id: check - + if: steps.commit.outputs.sha with: token: ${{ secrets.GITHUB_TOKEN }} status: in_progress @@ -222,7 +223,7 @@ jobs: output: ${{ steps.check-output.outputs.result }} - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: needs.release.outputs.check-id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ job.status }} @@ -260,7 +261,7 @@ jobs: echo "::set-output name=result::$result" - name: Conclude Check uses: LouisBrunner/checks-action@v1.3.1 - if: always() + if: needs.update.outputs.check-id && always() with: token: ${{ secrets.GITHUB_TOKEN }} conclusion: ${{ steps.needs-result.outputs.result }} 
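Review bot: The two changed `Conclude Check` conditions in the `@@ -222,7 +223,7 @@` and `@@ -260,7 +261,7 @@` hunks now depend on `needs.release.outputs.check-id` and `needs.update.outputs.check-id`, and the job-level `outputs:` blocks that would define `check-id` are outside these hunks. If either job does not declare it (something like `check-id: ${{ steps.check.outputs.check_id }}`), the expression is always empty, the conclude step is skipped, and the check opened by `Create Check` stays at `in_progress` on the release PR with no visible error. Worth confirming both outputs exist, since a check that never concludes blocks merging of the release PR.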
diff --git a/package.json b/package.json
index 71ab5a6..3a7855a 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,6 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "4.6.2"
+ "version": "4.8.0"
 }
 }
From 6970885a527c3f62cba0c7ca6a0780ac57d6ac40 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 10 Nov 2022 18:08:34 +0000
Subject: [PATCH 08/11] chore: bump @npmcli/template-oss from 4.8.0 to 4.10.0

Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.8.0 to 4.10.0.
- [Release notes](https://github.com/npm/template-oss/releases)
- [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/template-oss/compare/v4.8.0...v4.10.0)

---
updated-dependencies:
- dependency-name: @npmcli/template-oss
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 3a7855a..44492b0 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^4.0.0",
- "@npmcli/template-oss": "4.8.0",
+ "@npmcli/template-oss": "4.10.0",
 "tap": "^16.0.1"
 },
 "engines": {
From 1dda286f6b6b7e19e70d5eff299b3ee564e16209 Mon Sep 17 00:00:00 2001
From: Luke Karrys
Date: Sat, 12 Nov 2022 14:30:49 -0700
Subject: [PATCH 09/11] chore: postinstall for dependabot template-oss PR

---
.github/workflows/release.yml | 6 +++---
SECURITY.md | 13 ++++++++++++-
package.json | 2 +-
3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 15d37cb..264cf3d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,9 +74,9 @@ jobs: const comments = await github.paginate(github.rest.issues.listComments, issue) let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id - body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Rerun for This Release\n\n` + body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n` body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. ` - body += `To force CI to rerun, run this command:\n\n` + body += `To force CI to update this PR, run this command:\n\n` body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\`` if (commentId) { @@ -168,7 +168,7 @@ jobs: RELEASE_COMMENT_ID: ${{ needs.release.outputs.comment-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - npm exec --offline -- template-oss-release-manager + npm exec --offline -- template-oss-release-manager --lockfile=false npm run rp-pull-request --ignore-scripts --if-present - name: Commit id: commit diff --git a/SECURITY.md b/SECURITY.md index a93106d..4e7c26c 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,3 +1,14 @@ -Please send vulnerability reports through [hackerone](https://hackerone.com/github). +GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). + +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. + +If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). + +If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Thanks for helping make GitHub safe for everyone. + diff --git a/package.json b/package.json index 44492b0..9f3ea27 100644 --- a/package.json +++ b/package.json @@ -59,6 +59,6 @@ }, "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.8.0" + "version": "4.10.0" } } From 4f6ba1e5cc30bf4ba564206d4358ee6951e46f87 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Nov 2022 18:00:58 +0000
Subject: [PATCH 10/11] deps: bump minipass from 3.3.6 to 4.0.0

Bumps [minipass](https://github.com/isaacs/minipass) from 3.3.6 to 4.0.0.
- [Release notes](https://github.com/isaacs/minipass/releases)
- [Commits](https://github.com/isaacs/minipass/compare/v3.3.6...v4.0.0)

---
updated-dependencies:
- dependency-name: minipass
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9f3ea27..c3ca905 100644
--- a/package.json
+++ b/package.json
@@ -47,7 +47,7 @@
 "author": "GitHub Inc.",
 "license": "ISC",
 "dependencies": {
- "minipass": "^3.1.1"
+ "minipass": "^4.0.0"
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^4.0.0",
From c55e15931e75cec5f52bd011799fce78e95a705c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 7 Dec 2022 13:32:42 -0700
Subject: [PATCH 11/11] chore: release 10.0.1 (#66)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
.release-please-manifest.json | 2 +-
CHANGELOG.md | 6 ++++++
package.json | 2 +-
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 8390882..932a782 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
- ".": "10.0.0"
+ ".": "10.0.1"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index adb6bea..159a92f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [10.0.1](https://github.com/npm/ssri/compare/v10.0.0...v10.0.1) (2022-12-07)
+
+### Dependencies
+
+* [`4f6ba1e`](https://github.com/npm/ssri/commit/4f6ba1e5cc30bf4ba564206d4358ee6951e46f87) [#64](https://github.com/npm/ssri/pull/64) bump minipass from 3.3.6 to 4.0.0
+
 ## [10.0.0](https://github.com/npm/ssri/compare/v9.0.1...v10.0.0) (2022-10-10)
 
 ### ⚠️ BREAKING CHANGES
diff --git a/package.json b/package.json
index c3ca905..65b14bc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "ssri",
- "version": "10.0.0",
+ "version": "10.0.1",
 "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
 "main": "lib/index.js",
 "files": [