npm - @dk/hipp - Versions diffs - 0.1.21 → 0.1.23 - Mend

@dk/hipp 0.1.21 → 0.1.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -44,10 +44,27 @@ stays clean, and your registry package is guaranteed to match your Git tag.
 ### Tag and Publish
 ```bash
+git commit -m "Release"
 git tag v1.0.0
+git push origin main --tags
 npx @dk/hipp
 ```
+The tag and commit **must be pushed to origin** before running HIPP. HIPP verifies the
+tag exists on the remote and that HEAD matches the upstream branch.
+Use `-y` to skip confirmation (for CI):
+```bash
+npx @dk/hipp --yes
+```
+Pass npm options via `--`:
+```bash
+npx @dk/hipp -- --access public --tag beta
+```
 HIPP will:
 1. **Key Generation**: Generate Ed25519 signing keys if needed (`hipp.priv`, `hipp.pub`)
@@ -115,7 +132,8 @@ The manifest contains:
   "name": "Jane Developer",
   "email": "jane@example.com",
   "npm": "10.2.4",
-  "node": "v20.11.0"
+  "node": "v20.11.0",
+  "hipp": "0.1.22"
 }
 ```
@@ -220,19 +238,20 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.21
+npx @dk/hipp verify @dk/hipp@0.1.23
 ```
 ```json
 {
-  "origin": "https://github.com/dmytri/hipp.git",
-  "tag": "v0.1.21",
-  "revision": "0a0be44db52e62d425959bda9f640049005c8809",
-  "hash": "50de72f67534fe6d9054c5b0cfab317aa1620d258cb291bd1dc65d60a43d77d8",
-  "signature": "m0+8tk8kM835KJcTeHPZPG20XLh4rEtyISoJB54aV8LknEmJVM5yRG6syq+Kg0AAP6VcJMmNrpMG9jOeDkyoBQ==",
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.23",
+  "revision": "5f94c47e1a6858a6e74ae10c0727cd481e22fb04",
+  "hash": "2945f93a1fb565f0806a4f924cfeb8509e5dd9714f814eaa22e763ac8d3d3935",
+  "signature": "KfyYgmbwMWesEXaTxRydY+9P96rjfCLU+H9B3bVmJ4to3oGsioYeVLDG2B4GYiJRRh49bSwh8MnRoHfpF/s8DA==",
   "name": "Dmytri Kleiner",
   "email": "dev@dmytri.to",
   "npm": "11.12.1",
-  "node": "v25.8.2"
+  "node": "v25.8.2",
+  "hipp": "0.0.0"
 }
 ```

package/hipp.js CHANGED Viewed

@@ -41,6 +41,14 @@ function sshToHttpsUrl(sshUrl) {
   return sshUrl;
 }
+function httpsToSshUrl(httpsUrl) {
+  const match = httpsUrl.match(/^https:\/\/([^/]+)\/(.+)$/);
+  if (match) {
+    return `git@${match[1]}:${match[2]}`;
+  }
+  return httpsUrl;
+}
 function runCmd(cmd, args, options = {}) {
   const result = spawnSync(cmd, args, {
     encoding: 'utf8',
@@ -475,14 +483,25 @@ async function runVerify(packageSpec) {
       fail(`❌ Manifest not found or invalid in README`);
     }
-    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer } = manifest;
+    const { origin: originUrl, tag, revision, signature, name, email, npm: npmVer, node: nodeVer, hipp: hippVer } = manifest;
     log.info(`🌿 Cloning git origin at tag ${tag}...`);
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
     const stageDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-stage-`));
     try {
-      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      let cloneResult;
+      try {
+        cloneResult = git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      } catch (cloneErr) {
+        if (originUrl.startsWith('git@')) {
+          const httpsUrl = sshToHttpsUrl(originUrl);
+          log.info(`🌿 SSH clone failed, trying HTTPS: ${httpsUrl}...`);
+          cloneResult = git(['clone', '--branch', tag, '--depth', '1', httpsUrl, tmpDir], { stdio: 'pipe' });
+        } else {
+          throw cloneErr;
+        }
+      }
       const clonedRevision = git(['rev-parse', 'HEAD'], { cwd: tmpDir });
       if (clonedRevision !== revision) {
@@ -554,8 +573,12 @@ async function runVerify(packageSpec) {
       log.info(`📍 Publisher: ${name} <${email}>`);
       log.info(`📍 Origin: ${originUrl}`);
       log.info(`📍 Tag: ${tag}`);
-      if (npmVer && nodeVer) {
-        log.info(`ℹ️  npm: ${npmVer} | node: ${nodeVer}`);
+      if (npmVer || nodeVer || hippVer) {
+        const parts = [];
+        if (hippVer) parts.push(`hipp: ${hippVer}`);
+        if (npmVer) parts.push(`npm: ${npmVer}`);
+        if (nodeVer) parts.push(`node: ${nodeVer}`);
+        log.info(`ℹ️  ${parts.join(' | ')}`);
       }
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
@@ -658,7 +681,10 @@ async function run() {
     const revision = refInfo.head;
     const npmVersion = runCmd('npm', ['--version']).stdout.trim();
     const nodeVersion = process.version;
-    const originUrl = sshToHttpsUrl(provenance.remoteUrl);
+    const hippPkgPath = path.join(path.dirname(process.argv[1]), 'package.json');
+    const hippPkg = JSON.parse(fs.readFileSync(hippPkgPath, 'utf8'));
+    const hippVersion = hippPkg.version;
+    const originUrl = provenance.remoteUrl;
     const dataToSign = buildSignData(tarballHash, originUrl, rawTag, revision, name, email);
     const signature = signContent(dataToSign, privateKey);
@@ -672,6 +698,7 @@ async function run() {
       email: email,
       npm: npmVersion,
       node: nodeVersion,
+      hipp: hippVersion,
     };
     stagedReadme = stagedReadme.trimEnd() + '\n\n## Verify\n\n' +

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.21",
+  "version": "0.1.23",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {