npm - @automattic/vip - Versions diffs - 3.25.3-dev.0 → 4.0.0 - Mend

@automattic/vip 3.25.3-dev.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/AGENTS.md +6 -0
package/CLAUDE.md +1 -0
package/dist/bin/vip-dev-env-exec.js +18 -1
package/dist/bin/vip-dev-env-start.js +3 -8
package/dist/bin/vip-sea.js +19 -0
package/dist/bin/vip.js +111 -69
package/dist/lib/cli/command.js +224 -53
package/dist/lib/cli/config.js +13 -5
package/dist/lib/cli/exit.js +2 -1
package/dist/lib/cli/internal-bin-loader.js +81 -0
package/dist/lib/cli/runtime-mode.js +21 -0
package/dist/lib/cli/sea-dispatch.js +88 -0
package/dist/lib/cli/sea-runtime.js +75 -0
package/dist/lib/dev-environment/dev-environment-cli.js +9 -2
package/dist/lib/dev-environment/dev-environment-core.js +64 -6
package/dist/lib/dev-environment/dev-environment-lando.js +53 -95
package/dist/lib/dev-environment/lando-loader.js +48 -0
package/docs/COMMANDER-MIGRATION.md +55 -0
package/docs/SEA-BUILD-SIGNING.md +171 -0
package/helpers/build-sea.js +167 -0
package/npm-shrinkwrap.json +499 -121
package/package.json +6 -3
package/dist/lib/dev-environment/hosts-updater.js +0 -184

package/docs/SEA-BUILD-SIGNING.md ADDED Viewed

@@ -0,0 +1,171 @@
+# SEA Build and Signing Runbook
+Purpose: build and sign the standalone VIP CLI executable (`dist/sea/vip` or `dist/sea/vip.exe`) for each supported platform.
+This repo uses `helpers/build-sea.js` and the `npm run build:sea` script. SEA build is pinned to Node 22.
+## Shared Prerequisites
+- Use Node 22.x exactly for SEA builds.
+- Install dependencies before building: `npm ci`.
+- Build from repo root.
+- The build script embeds:
+  - Node runtime
+  - bundled CLI code (`src/bin/vip-sea.js`)
+  - SEA assets and runtime dependency archive (`sea.node_modules.tgz`)
+- Output paths:
+  - Unix: `dist/sea/vip`
+  - Windows: `dist/sea/vip.exe`
+## Shared Build Steps
+```bash
+npm ci
+npm run build
+npm run build:sea
+```
+Quick smoke checks after every build:
+```bash
+dist/sea/vip --version
+dist/sea/vip whoami --help
+dist/sea/vip dev-env info --help
+```
+## macOS (native)
+Node/tool setup:
+```bash
+export NVM_DIR="$HOME/.nvm"
+. "$NVM_DIR/nvm.sh"
+nvm use 22
+node -v
+```
+Build:
+```bash
+npm ci
+npm run build
+npm run build:sea
+```
+Notes:
+- `helpers/build-sea.js` already does ad-hoc signing (`codesign --sign -`) after blob injection so local execution works.
+- For distribution, replace ad-hoc signature with a real Developer ID certificate.
+Distribution signing:
+```bash
+codesign --remove-signature dist/sea/vip
+codesign --sign "Developer ID Application: <TEAM/ORG>" --force --options runtime dist/sea/vip
+codesign --verify --strict --verbose=2 dist/sea/vip
+spctl -a -t exec -vv dist/sea/vip
+```
+## Linux (native)
+Node/tool setup:
+```bash
+node -v
+```
+(Use Node 22 before build.)
+Build:
+```bash
+npm ci
+npm run build
+npm run build:sea
+chmod +x dist/sea/vip
+```
+Signing guidance:
+- Linux does not have a universal OS-enforced Authenticode-style executable signature.
+- Recommended: publish checksums and detached signatures.
+Checksum + GPG example:
+```bash
+sha256sum dist/sea/vip > dist/sea/vip.sha256
+gpg --armor --detach-sign dist/sea/vip
+```
+Cosign blob example:
+```bash
+cosign sign-blob --yes --output-signature dist/sea/vip.sig dist/sea/vip
+cosign verify-blob --signature dist/sea/vip.sig dist/sea/vip
+```
+## Windows (native)
+Use PowerShell or `cmd.exe` on Windows (not WSL) when producing Windows artifacts.
+Build:
+```powershell
+npm ci
+npm run build
+npm run build:sea
+.\dist\sea\vip.exe --version
+```
+Authenticode signing (SignTool):
+```powershell
+signtool sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /a .\dist\sea\vip.exe
+signtool verify /pa /v .\dist\sea\vip.exe
+```
+If your cert is in a PFX file:
+```powershell
+signtool sign /f C:\path\cert.pfx /p <PFX_PASSWORD> /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com .\dist\sea\vip.exe
+```
+## Windows from WSL
+Important: WSL builds Linux binaries by default.
+- If target is Linux binary: build/sign inside WSL using the Linux flow.
+- If target is Windows `.exe`: run the build and signing commands in Windows context.
+From WSL, invoke Windows PowerShell for a Windows-target build:
+```bash
+WIN_REPO_PATH="$(wslpath -w "$PWD")"
+powershell.exe -NoProfile -Command "Set-Location '$WIN_REPO_PATH'; npm ci; npm run build; npm run build:sea"
+```
+Then sign in Windows context:
+```bash
+powershell.exe -NoProfile -Command "Set-Location '$WIN_REPO_PATH'; signtool sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /a .\\dist\\sea\\vip.exe; signtool verify /pa /v .\\dist\\sea\\vip.exe"
+```
+## Release Checklist for Agents
+- Confirm Node 22 before SEA build.
+- Confirm artifact type matches target OS (`vip` vs `vip.exe`).
+- Run smoke checks on the produced executable.
+- Apply platform-appropriate signature method.
+- Verify signature/checksum before publishing.
+- Record signing method and timestamp authority in release notes.
+## GitHub Actions Automation
+- Workflow: `.github/workflows/sea-build-sign.yml`
+- Trigger: manual `workflow_dispatch`
+- Jobs: native macOS/Linux/Windows SEA builds plus a Windows WSL SEA build
+- Optional signing: set `sign_artifacts=true` and provide signing secrets/vars:
+  - macOS: `MACOS_CERTIFICATE_P12_BASE64`, `MACOS_CERTIFICATE_PASSWORD`, `MACOS_SIGNING_IDENTITY`
+  - Windows: `WINDOWS_CERTIFICATE_PFX_BASE64`, `WINDOWS_CERTIFICATE_PASSWORD`
+  - optional variable: `WINDOWS_TIMESTAMP_URL`
+- Output: uploaded SEA binary + SHA256 artifact per job

package/helpers/build-sea.js ADDED Viewed

@@ -0,0 +1,167 @@
+#!/usr/bin/env node
+const { buildSync } = require( 'esbuild' );
+const { spawnSync } = require( 'node:child_process' );
+const { chmodSync, copyFileSync, mkdirSync, readFileSync, writeFileSync } = require( 'node:fs' );
+const path = require( 'node:path' );
+const tar = require( 'tar' );
+const SEA_FUSE = 'NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2';
+const projectRoot = path.resolve( __dirname, '..' );
+const seaDir = path.join( projectRoot, 'dist', 'sea' );
+const bundlePath = path.join( seaDir, 'vip.bundle.cjs' );
+const blobPath = path.join( seaDir, 'vip.blob' );
+const seaConfigPath = path.join( seaDir, 'sea-config.json' );
+const executablePath = path.join( seaDir, process.platform === 'win32' ? 'vip.exe' : 'vip' );
+const nodeModulesArchivePath = path.join( seaDir, 'node_modules.tgz' );
+function run( command, args, options = {} ) {
+	const result = spawnSync( command, args, {
+		cwd: projectRoot,
+		stdio: 'inherit',
+		...options,
+	} );
+	if ( result.status !== 0 ) {
+		process.exit( result.status || 1 );
+	}
+}
+function ensureNode22() {
+	const major = Number( process.versions.node.split( '.' )[ 0 ] );
+	if ( major !== 22 ) {
+		console.error(
+			`Error: SEA build requires Node 22.x. Current version is ${ process.versions.node }.`
+		);
+		process.exit( 1 );
+	}
+}
+async function createRuntimeArchive() {
+	await tar.c(
+		{
+			cwd: projectRoot,
+			file: nodeModulesArchivePath,
+			gzip: true,
+			portable: true,
+			noMtime: true,
+		},
+		[ 'node_modules' ]
+	);
+}
+function writeSeaConfig() {
+	const config = {
+		main: bundlePath,
+		output: blobPath,
+		disableExperimentalSEAWarning: true,
+		assets: {
+			'dev-env.lando.template.yml.ejs': path.join(
+				projectRoot,
+				'assets',
+				'dev-env.lando.template.yml.ejs'
+			),
+			'dev-env.nginx.template.conf.ejs': path.join(
+				projectRoot,
+				'assets',
+				'dev-env.nginx.template.conf.ejs'
+			),
+			'sea.node_modules.tgz': nodeModulesArchivePath,
+		},
+	};
+	writeFileSync( seaConfigPath, `${ JSON.stringify( config, null, 2 ) }\n`, 'utf8' );
+}
+function buildBundle() {
+	buildSync( {
+		entryPoints: [ path.join( projectRoot, 'src', 'bin', 'vip-sea.js' ) ],
+		bundle: true,
+		platform: 'node',
+		target: 'node22',
+		format: 'cjs',
+		outfile: bundlePath,
+		external: [
+			'@postman/node-keytar',
+			'@postman/node-keytar/*',
+			'cpu-features',
+			'cpu-features/*',
+			'lando',
+			'lando/*',
+			'ssh2',
+			'ssh2/*',
+			'*.node',
+		],
+	} );
+}
+function stripBundleShebang() {
+	const bundleContent = readFileSync( bundlePath, 'utf8' );
+	if ( ! bundleContent.startsWith( '#!' ) ) {
+		return;
+	}
+	writeFileSync( bundlePath, bundleContent.replace( /^#![^\n]*\n/, '' ), 'utf8' );
+}
+function buildBlob() {
+	run( process.execPath, [ '--experimental-sea-config', seaConfigPath ] );
+}
+function prepareExecutable() {
+	copyFileSync( process.execPath, executablePath );
+	if ( process.platform === 'darwin' ) {
+		run( 'codesign', [ '--remove-signature', executablePath ] );
+	}
+}
+function injectBlob() {
+	const postjectCli = require.resolve( 'postject/dist/cli.js' );
+	const args = [
+		postjectCli,
+		executablePath,
+		'NODE_SEA_BLOB',
+		blobPath,
+		'--sentinel-fuse',
+		SEA_FUSE,
+	];
+	if ( process.platform === 'darwin' ) {
+		args.push( '--macho-segment-name', 'NODE_SEA' );
+	}
+	if ( process.platform === 'win32' ) {
+		args.push( '--overwrite' );
+	}
+	run( process.execPath, args );
+}
+function finalizeExecutable() {
+	if ( process.platform === 'darwin' ) {
+		run( 'codesign', [ '--sign', '-', '--force', executablePath ] );
+	}
+	if ( process.platform !== 'win32' ) {
+		chmodSync( executablePath, 0o755 );
+	}
+}
+async function main() {
+	ensureNode22();
+	mkdirSync( seaDir, { recursive: true } );
+	await createRuntimeArchive();
+	writeSeaConfig();
+	buildBundle();
+	stripBundleShebang();
+	buildBlob();
+	prepareExecutable();
+	injectBlob();
+	finalizeExecutable();
+	console.log( `SEA executable written to ${ executablePath }` );
+}
+void main();