@apollo/rover 0.38.1 → 0.39.1-rc.1

package/README.md

@@ -1,7 +1,9 @@
 # Rover
 
-[![CircleCI Tests](https://circleci.com/gh/apollographql/rover.svg?style=svg)](https://app.circleci.com/pipelines/github/apollographql/rover?branch=main)
 [![GitHub Release Downloads](https://shields.io/github/downloads/apollographql/rover/total.svg)](https://github.com/apollographql/rover/releases/latest)
+[![Unit/Integration Tests](https://github.com/apollographql/rover/actions/workflows/checks.yml/badge.svg)](https://github.com/apollographql/rover/actions/workflows/checks.yml)
+[![E2E Tests](https://github.com/apollographql/rover/actions/workflows/run-smokes-on-pr.yml/badge.svg)](https://github.com/apollographql/rover/actions/workflows/run-smokes-on-pr.yml)
+[![Command E2E Tests](https://github.com/apollographql/rover/actions/workflows/run-commands-e2e.yml/badge.svg)](https://github.com/apollographql/rover/actions/workflows/run-commands-e2e.yml)
 
 This is the home of Rover, the new CLI for Apollo's suite of GraphQL developer productivity tools.
 
@@ -79,6 +81,8 @@ Commands:
           Explain error codes
   license
           Commands for fetching offline licenses
+  client
+          Client workflow commands
   help
           Print this message or the help of the given subcommand(s)
 
@@ -167,6 +171,11 @@ This repo is organized as a [`cargo` workspace], containing several related proj
 
 ## Installation Methods
 
+As of Rover 0.39.0, all the platforms listed below enforce immutable release tags. This means that you can reference a GitHub release, Docker image, or NPM release version directly by SemVer and be
+guaranteed that the artifact will not change. Note that the `curl | sh` method, while ultimately referencing immutable GitHub release binaries, still first downloads a shell script from a webservice
+that does not provide that same guarantee of immutability. Security conscious installers should verify the downloaded shell script matches 
+[the pinned artifact for its respective Rover version](https://github.com/apollographql-gh-actions/install-rover) or use one of the immutable installation methods described below.
+
 #### Linux and MacOS `curl | sh` installer
 
 To install the latest release of Rover:
@@ -177,7 +186,7 @@ curl -sSL https://rover.apollo.dev/nix/latest | sh
 
 To install a specific version of Rover (note the `v` prefixing the version number):
 
-> Note: If you're installing Rover in a CI environment, it's best to target a specific version rather than using the latest URL, since future major breaking changes could affect CI workflows otherwise.
+> Note: If you're installing Rover in a CI environment, we highly recommend using an [immutable Docker image of Rover](#docker-images)). As an alternative for GitHub Actions users, we vend a [GitHub Action](https://github.com/marketplace/actions/install-apollo-rover-cli) which pins an immutable instance of the download script and installs the native binary.
 
 ```bash
 curl -sSL https://rover.apollo.dev/nix/v0.10.0 | sh
@@ -195,27 +204,64 @@ iwr 'https://rover.apollo.dev/win/latest' | iex
 
 To install a specific version of Rover (note the `v` prefixing the version number):
 
-> Note: If you are installing Rover in a CI environment, it's best to target a specific version rather than using the latest URL, since future major breaking changes could affect CI workflows otherwise.
+> Note: If you are installing Rover in a Windows CI environment, you need to put Docker into Linux mode to use the [recommended immutable Docker images](#docker-images)). As an alternative for GitHub Actions users, we vend a [GitHub Action](https://github.com/marketplace/actions/install-apollo-rover-cli) to do so which pins an immutable instance of the download script and installs the native binary.
+
 
 ```bash
 iwr 'https://rover.apollo.dev/win/v0.10.0' | iex
 ```
 
+#### Docker images
+
+Starting with version 0.39.0, Rover vends immutable Linux Docker images that pre-build Rover as an entry point for consumption in CI environments
+or to run Rover on platforms that Rover does not build natively for. Each release verison tag is enforced as immutable at the platform level for
+your convenience so that you can pin to the Rover version you want without needing to deal with the indirection of SHA pinning.
+
+Install directly from Dockerhub:
+
+```bash
+docker pull apollograph/rover:0.39.0
+docker run apollograph/rover:0.39.0 <<args>>
+```
+
+or via ghcr.io:
+
+```bash
+docker pull ghcr.io/apollographql/rover:0.39.0
+docker run ghcr.io/apollographql/rover:0.39.0 <<args>>
+```
+
+All CI platforms that support referencing images from those respective image repositories can do so directly as well.
+
+#### GitHub Actions
+
+Rover vends a number of GitHub actions for convenient invocation of common Rover commands in your CI pipeline. They can be found on
+[GitHub's actions marketplace](https://github.com/marketplace?query=apollographql-gh-actions+Rover&type=actions).
+
+As of Rover 0.39.0, each Rover release corresponds to an immutable action tag of `<action>@rover-<version>`. This allows you to specify
+the exact version of Rover for your CI actions without needing to rely on SHA pinning to guarantee action immutability. These actions
+leverage Rover's Docker image under the hood to sandbox the Rover invocation and only expose it to the `APOLLO_*` environment variable
+surface.
+
+For use cases that need to invoke older versions of Rover or that cannot use Docker (such as Windows runners that aren't in Linux Docker mode),
+the legacy `<action>@v1` tags have been left in place which accept a Rover version as an input.
+
+Their source code is mastered in this repository under the `actions` directory.
+
 #### npm installer
 
 Rover is distributed on npm for easy integration with your JavaScript projects. Rover's Node dependency will follow LTS versions where possible unless security concerns justify an earlier upgrade.
+While this installation method is provided for convenience in projects that are already in the Node ecosystem, we do not recommend it as an installation method otherwise as it exposes your
+installation to NPM's surface area of potential supply-chain attacks. We have attempted to minimize the dependency surface of Rover's NPM installation script, but it still represents nonzero risk.
 
 ##### devDependency install
 
 If you'd like to install `rover` as a `devDependency` in your JavaScript project, you can run `npm i --save-dev @apollo/rover`. You can then call `rover` directly in your `package.json` [scripts](https://docs.npmjs.com/cli/v6/using-npm/scripts), or you can run `npx rover` in your project directory to execute commands.
 
-##### Manual download and install
-
-If you'd like to call `rover` from any directory on your machine, you can run `npm i -g @apollo/rover`.
-
-Note: Unfortunately if you've installed `npm` without a version manager such as `nvm`, you may have trouble with global installs. If you encounter an `EACCES` permission-related error while trying to install globally, DO NOT run the install command with `sudo`. [This support page](https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally) has information that should help to resolve this issue.
+Note that installing rover directly via `npx install` bypasses lockfiles (including Rover's own) and is the highest-risk installation method in terms of potential supply-chain risk as a result.
 
 #### Homebrew
+
 While we recommend using one of the other installation methods above, we do have a homebrew recipe `brew install rover`. The code for this recipe is in the [homebrew-core repo](https://github.com/Homebrew/homebrew-core/blob/master/Formula/r/rover.rb).
 
 #### Manual binary download
@@ -224,11 +270,14 @@ You can also [download the binary for your operating system](https://github.com/
 
 ##### Unsupported architectures
 
-If you don't see your CPU architecture supported as part of our release pipeline, you can build from source with [`cargo`](https://github.com/rust-lang/cargo). Clone this repo, and run `cargo xtask dist --version v0.1.3`. This will compile a released version of Rover for you, and place the binary in your `target` directory.
+If you don't see your CPU architecture supported as part of our release pipeline and cannot utilize the Docker images, you can build from source with [`cargo`](https://github.com/rust-lang/cargo).
+Clone this repo, and run `cargo xtask dist`. This will compile a released version of Rover for you, and place the binary in your `target` directory.
+
+If you want a specific Rover version, check out its respective Git tag before building.
 
 ```
 git clone https://github.com/apollographql/rover
-cargo xtask dist --version v0.1.3
+cargo xtask dist
 ```
 
 From here you can either place the binary in your `PATH` manually, or run `./target/release/{optional_target}/rover install`.

package/binary.js

@@ -103,55 +103,103 @@ const getPlatform = (type = os.type(), architecture = os.arch()) => {
   process.exit(1);
 };
 
-/*! Copyright (c) 2022 Mitchell Alderson - MIT License */
-const getProxyEnv = (requestURL) => {
-  const noProxy = process.env.NO_PROXY || process.env.no_proxy || "";
-
-  // if the noProxy is a wildcard then return null
-  if (noProxy === "*") {
-    return null;
+const DEFAULT_PORTS = { "http:": 80, "https:": 443 };
+
+/*! Copyright (c) 2014-present Matt Zabriskie & Collaborators - MIT License */
+const parseNoProxyEntry = (entry) => {
+  let entryHost = entry;
+  let entryPort = 0;
+
+  if (entryHost.charAt(0) === "[") {
+    const bracketIndex = entryHost.indexOf("]");
+    if (bracketIndex !== -1) {
+      const host = entryHost.slice(1, bracketIndex);
+      const rest = entryHost.slice(bracketIndex + 1);
+      if (rest.charAt(0) === ":" && /^\d+$/.test(rest.slice(1))) {
+        entryPort = Number.parseInt(rest.slice(1), 10);
+      }
+      return [host, entryPort];
+    }
   }
 
-  // if the noProxy is not empty and the uri is found, return null
-  if (noProxy !== "" && urlInNoProxy(requestURL, noProxy)) {
-    return null;
+  const firstColon = entryHost.indexOf(":");
+  const lastColon = entryHost.lastIndexOf(":");
+  if (
+    firstColon !== -1 &&
+    firstColon === lastColon &&
+    /^\d+$/.test(entryHost.slice(lastColon + 1))
+  ) {
+    entryPort = Number.parseInt(entryHost.slice(lastColon + 1), 10);
+    entryHost = entryHost.slice(0, lastColon);
   }
 
-  // get proxy based on request url's protocol
-  if (requestURL.protocol == "http:") {
-    return process.env.HTTP_PROXY || process.env.http_proxy || null;
-  }
+  return [entryHost, entryPort];
+};
 
-  if (requestURL.protocol == "https:") {
-    return process.env.HTTPS_PROXY || process.env.https_proxy || null;
+/*! Copyright (c) 2014-present Matt Zabriskie & Collaborators - MIT License */
+const normalizeNoProxyHost = (hostname) => {
+  if (!hostname) return hostname;
+  if (
+    hostname.charAt(0) === "[" &&
+    hostname.charAt(hostname.length - 1) === "]"
+  ) {
+    hostname = hostname.slice(1, -1);
   }
-
-  // not a supported protocol...
-  return null;
+  return hostname.replace(/\.+$/, "");
 };
 
-/*! Copyright (c) 2022 Mitchell Alderson - MIT License */
-const urlInNoProxy = (requestURL, noProxy) => {
+/*! Copyright (c) 2014-present Matt Zabriskie & Collaborators - MIT License */
+const shouldBypassProxy = (requestURL) => {
+  const noProxy = (
+    process.env.no_proxy ||
+    process.env.NO_PROXY ||
+    ""
+  ).toLowerCase();
+
+  if (!noProxy) return false;
+  if (noProxy === "*") return true;
+
   const port =
-    requestURL.port || (requestURL.protocol === "https:" ? "443" : "80");
-  const hostname = formatHostName(requestURL.hostname);
-  //testing: internal.example.com,internal2.example.com
-  const noProxyList = noProxy.split(",");
-
-  return noProxyList.map(parseNoProxyZone).some((noProxyZone) => {
-    const isMatchedAt = hostname.indexOf(noProxyZone.hostname);
-    const hostnameMatched =
-      isMatchedAt > -1 &&
-      isMatchedAt === hostname.length - noProxyZone.hostname.length;
-
-    if (noProxyZone.hasPort) {
-      return port === noProxyZone.port && hostnameMatched;
+    Number.parseInt(requestURL.port, 10) ||
+    DEFAULT_PORTS[requestURL.protocol] ||
+    0;
+  const hostname = normalizeNoProxyHost(requestURL.hostname.toLowerCase());
+
+  return noProxy.split(/[\s,]+/).some((entry) => {
+    if (!entry) return false;
+
+    let [entryHost, entryPort] = parseNoProxyEntry(entry);
+    entryHost = normalizeNoProxyHost(entryHost);
+    if (!entryHost) return false;
+
+    if (entryPort && entryPort !== port) return false;
+
+    if (entryHost.charAt(0) === "*") {
+      entryHost = entryHost.slice(1);
+    }
+
+    if (entryHost.charAt(0) === ".") {
+      return hostname.endsWith(entryHost);
     }
 
-    return hostnameMatched;
+    return hostname === entryHost;
   });
 };
 
+const getProxyEnv = (requestURL) => {
+  if (shouldBypassProxy(requestURL)) return null;
+
+  if (requestURL.protocol === "http:") {
+    return process.env.HTTP_PROXY || process.env.http_proxy || null;
+  }
+
+  if (requestURL.protocol === "https:") {
+    return process.env.HTTPS_PROXY || process.env.https_proxy || null;
+  }
+
+  return null;
+};
+
 /*! Copyright (c) 2019 Avery Harnish - MIT License */
 class Binary {
   constructor(name, raw_name, url, installDirectory) {
@@ -218,7 +266,7 @@ class Binary {
       console.error(`Downloading release from ${this.url}`);
     }
 
-    const proxyUrl = getProxyEnv(this.url);
+    const proxyUrl = getProxyEnv(new URL(this.url));
 
     const agent = proxyUrl ? new ProxyAgent(proxyUrl) : null;
     const fetchPromise = fetch(this.url, agent ? { dispatcher: agent } : {});
@@ -330,4 +378,6 @@ module.exports = {
   run,
   getBinary,
   getPlatform,
+  getProxyEnv,
+  shouldBypassProxy,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apollo/rover",
-  "version": "0.38.1",
+  "version": "0.39.1-rc.1",
   "description": "The new Apollo CLI",
   "main": "index.js",
   "bin": {
@@ -41,8 +41,8 @@
     "undici": "^7.0.0"
   },
   "devDependencies": {
-    "jest": "30.3.0",
-    "jest-junit": "16.0.0",
+    "jest": "30.4.2",
+    "jest-junit": "17.0.0",
     "prettier": "3.8.3"
   }
 }