@node-core/utils 5.11.0 → 5.12.1

package/bin/ncu-ci.js

@@ -115,9 +115,9 @@ const args = yargs(hideBin(process.argv))
           type: 'number'
         })
         .positional('certify-safe', {
-          describe: 'If not provided, the command will reject PRs that have ' +
-                    'been pushed since the last review',
-          type: 'boolean'
+          describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
+                    'If not provided, the command will use the SHA of the last approved commit.',
+          type: 'string'
         })
         .option('owner', {
           default: '',

package/components/git/release.js

@@ -112,9 +112,10 @@ function release(state, argv) {
 }
 
 async function main(state, argv, cli, dir) {
-  const prID = /^(?:https:\/\/github\.com\/nodejs\/node\/pull\/)?(\d+)$/.exec(argv.prid);
+  const prID = /^(?:https:\/\/github\.com\/nodejs(-private)?\/node\1\/pull\/)?(\d+)$/.exec(argv.prid);
   if (prID) {
-    argv.prid = Number(prID[1]);
+    if (prID[1]) argv.security = true;
+    argv.prid = Number(prID[2]);
   }
   if (state === PREPARE) {
     const release = new ReleasePreparation(argv, cli, dir);

package/lib/ci/run_ci.js

@@ -27,7 +27,7 @@ export class RunPRJob {
     this.certifySafe =
       certifySafe ||
       Promise.all([this.prData.getReviews(), this.prData.getPR()]).then(() =>
-        new PRChecker(cli, this.prData, request, {}).checkCommitsAfterReviewOrLabel()
+        (this.certifySafe = new PRChecker(cli, this.prData, request, {}).getApprovedTipOfHead())
       );
   }
 
@@ -45,6 +45,7 @@ export class RunPRJob {
     payload.append('json', JSON.stringify({
       parameter: [
         { name: 'CERTIFY_SAFE', value: 'on' },
+        { name: 'COMMIT_SHA_CHECK', value: this.certifySafe },
         { name: 'TARGET_GITHUB_ORG', value: this.owner },
         { name: 'TARGET_REPO_NAME', value: this.repo },
         { name: 'PR_ID', value: this.prid },

package/lib/pr_checker.js

@@ -524,38 +524,17 @@ export default class PRChecker {
     return true;
   }
 
-  async checkCommitsAfterReviewOrLabel() {
-    if (this.checkCommitsAfterReview()) return true;
-
-    await Promise.all([this.data.getLabeledEvents(), this.data.getCollaborators()]);
-
-    const {
-      cli, data, pr
-    } = this;
-
-    const { updatedAt } = pr.timelineItems;
-    const requestCiLabels = data.labeledEvents.findLast(
-      ({ createdAt, label: { name } }) => name === 'request-ci' && createdAt > updatedAt
-    );
-    if (requestCiLabels == null) return false;
-
-    const { actor: { login } } = requestCiLabels;
-    const collaborators = Array.from(data.collaborators.values(),
-      (c) => c.login.toLowerCase());
-    if (collaborators.includes(login.toLowerCase())) {
-      cli.info('request-ci label was added by a Collaborator after the last push event.');
-      return true;
-    }
-
-    return false;
-  }
-
-  checkCommitsAfterReview() {
+  getApprovedTipOfHead() {
     const {
       commits, reviews, cli, argv
     } = this;
     const { maxCommits } = argv;
 
+    if (commits.length === 0) {
+      cli.warn('No commits found');
+      return false;
+    }
+
     const reviewIndex = reviews.findLastIndex(
       review => review.authorCanPushToRepository && review.state === 'APPROVED'
     );
@@ -565,45 +544,32 @@ export default class PRChecker {
       return false;
     }
 
-    const reviewDate = reviews[reviewIndex].publishedAt;
-
-    const afterCommits = [];
-    commits.forEach((commit) => {
-      commit = commit.commit;
-      if (commit.committedDate > reviewDate) {
-        afterCommits.push(commit);
-      }
-    });
-
-    const totalCommits = afterCommits.length;
-    if (totalCommits === 0 && this.pr.timelineItems.updatedAt > reviewDate) {
-      // Some commits were pushed, but all the commits have a commit date prior
-      // to the last review. It means that either that a long time elapsed
-      // between the commit and the push, or that the clock on the dev machine
-      // is wrong, or the commit date was forged.
-      cli.warn('Something was pushed to the Pull Request branch since the last approving review.');
-      return false;
-    }
+    const reviewedCommitIndex = commits
+      .findLastIndex(({ commit }) => commit.oid === reviews[reviewIndex].commit.oid);
 
-    if (totalCommits > 0) {
+    if (reviewedCommitIndex !== commits.length - 1) {
       cli.warn('Commits were pushed since the last approving review:');
-      const sliceLength = maxCommits === 0 ? totalCommits : -maxCommits;
-      afterCommits.slice(sliceLength)
-        .forEach(commit => {
+      commits.slice(Math.max(reviewedCommitIndex + 1, commits.length - maxCommits))
+        .forEach(({ commit }) => {
           cli.warn(`- ${commit.messageHeadline}`);
         });
 
+      const totalCommits = commits.length - reviewedCommitIndex - 1;
       if (totalCommits > maxCommits) {
         const infoMsg = '...(use `' +
-          `--max-commits ${totalCommits}` +
-          '` to see the full list of commits)';
+        `--max-commits ${totalCommits}` +
+        '` to see the full list of commits)';
         cli.warn(infoMsg);
       }
 
       return false;
     }
 
-    return true;
+    return reviews[reviewIndex].commit.oid;
+  }
+
+  checkCommitsAfterReview() {
+    return !!this.getApprovedTipOfHead();
   }
 
   checkMergeableState() {

package/lib/pr_data.js

@@ -5,7 +5,6 @@ import {
 } from './user_status.js';
 
 // lib/queries/*.gql file names
-const LABELED_EVENTS_QUERY = 'PRLabeledEvents';
 const PR_QUERY = 'PR';
 const REVIEWS_QUERY = 'Reviews';
 const COMMENTS_QUERY = 'PRComments';
@@ -34,7 +33,6 @@ export default class PRData {
     this.comments = [];
     this.commits = [];
     this.reviewers = [];
-    this.labeledEvents = [];
   }
 
   getThread() {
@@ -92,14 +90,6 @@ export default class PRData {
     ]);
   }
 
-  async getLabeledEvents() {
-    const { prid, owner, repo, cli, request, prStr } = this;
-    const vars = { prid, owner, repo };
-    cli.updateSpinner(`Getting labels from ${prStr}`);
-    this.labeledEvents = (await request.gql(LABELED_EVENTS_QUERY, vars))
-      .repository.pullRequest.timelineItems.nodes;
-  }
-
   async getComments() {
     const { prid, owner, repo, cli, request, prStr } = this;
     const vars = { prid, owner, repo };

package/lib/prepare_release.js

@@ -92,9 +92,9 @@ export default class ReleasePreparation extends Session {
     } = this;
 
     // Create new proposal branch.
-    cli.startSpinner(`Creating new proposal branch for ${newVersion}`);
+    cli.startSpinner(`Switching to proposal branch for ${newVersion}`);
     const proposalBranch = await this.createProposalBranch(releaseBranch);
-    cli.stopSpinner(`Created new proposal branch for ${newVersion}`);
+    cli.stopSpinner(`Switched to proposal branch for ${newVersion}`);
 
     const success = await this.cherryPickSecurityPRs(filterLabels);
     if (!success) {
@@ -200,9 +200,9 @@ export default class ReleasePreparation extends Session {
     }
 
     // Create new proposal branch.
-    cli.startSpinner(`Creating new proposal branch for ${newVersion}`);
+    cli.startSpinner(`Switching to proposal branch for ${newVersion}`);
     await this.createProposalBranch();
-    cli.stopSpinner(`Created new proposal branch for ${newVersion}`);
+    cli.stopSpinner(`Switched to proposal branch for ${newVersion}`);
 
     if (this.isLTSTransition) {
       // For releases transitioning into LTS, fetch the new code name.
@@ -481,7 +481,10 @@ export default class ReleasePreparation extends Session {
     const data = await fs.readFile(majorChangelogPath, 'utf8');
     const arr = data.split('\n');
     const allCommits = this.getChangelog();
-    const notableChanges = await this.getBranchDiff({ onlyNotableChanges: true });
+    const notableChanges = await this.getBranchDiff({
+      onlyNotableChanges: true,
+      format: isSecurityRelease ? 'messageonly' : 'markdown',
+    });
     let releaseHeader = `## ${date}, Version ${newVersion}` +
                           ` ${releaseInfo}, @${username}\n`;
     if (isSecurityRelease) {
@@ -540,7 +543,7 @@ export default class ReleasePreparation extends Session {
 
     await runAsync('git', [
       'checkout',
-      '-b',
+      '-B',
       proposalBranch,
       base
     ]);
@@ -619,7 +622,7 @@ export default class ReleasePreparation extends Session {
 
     const notableChanges = await this.getBranchDiff({
       onlyNotableChanges: true,
-      format: 'plaintext'
+      format: isSecurityRelease ? 'messageonly' : 'plaintext'
     });
     messageBody.push('Notable changes:\n\n');
     if (isLTSTransition) {

package/lib/promote_release.js

@@ -19,6 +19,10 @@ export default class ReleasePromotion extends Session {
   constructor(argv, req, cli, dir) {
     super(cli, dir, argv.prid);
     this.req = req;
+    if (argv.security) {
+      this.config.owner = 'nodejs-private';
+      this.config.repo = 'node-private';
+    }
     this.dryRun = !argv.run;
     this.isLTS = false;
     this.ltsCodename = '';
@@ -226,20 +230,28 @@ export default class ReleasePromotion extends Session {
 
   async verifyTagSignature() {
     const { cli, version } = this;
-    const [needle, haystack] = await Promise.all([forceRunAsync(
+    const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using RSA key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from "([^<]+) <\2>"/;
+    const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
       'git', ['--no-pager',
-        'log', '-1',
-        `refs/tags/v${version}`,
-        '--format=* **%an** <<%ae>>\n  `%GF`'
-      ], { captureStdout: true }), fs.readFile('README.md')]);
-    if (haystack.includes(needle)) {
-      return;
+        'verify-tag',
+        `v${version}`
+      ], { ignoreFailure: false, captureStderr: true }), fs.readFile('README.md')]);
+    const match = verifyTagPattern.exec(verifyTagOutput);
+    if (match == null) {
+      cli.warn('git was not able to verify the tag:');
+      cli.info(verifyTagOutput);
+    } else {
+      const [, keyID, email, name] = match;
+      const needle = `* **${name}** <<${email}>>\n  ${'`'}${keyID}${'`'}`;
+      if (haystack.includes(needle)) {
+        return;
+      }
+      cli.warn('Tag was signed with an undocumented identity/key pair!');
+      cli.info('Expected to find the following entry in the README:');
+      cli.info(needle);
+      cli.info('If you are using a subkey, it might be OK.');
     }
-    cli.warn('Tag was signed with an undocumented identity/key pair!');
-    cli.info('Expected to find the following entry in the README:');
-    cli.info(needle);
-    cli.info('If you are using a subkey, it might be OK.');
-    cli.info(`Otherwise consider removing the tag (git tag -d v${version
+    cli.info(`If that doesn't sound right, consider removing the tag (git tag -d v${version
              }), check your local config, and start the process over.`);
     if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
       throw new Error('Aborted');
@@ -383,7 +395,6 @@ export default class ReleasePromotion extends Session {
           { cause: err }
         );
       }
-      await forceRunAsync('git', ['tag', '--verify', `v${version}`], { ignoreFailure: false });
       this.cli.info('Using the existing tag');
     }
   }
@@ -391,7 +402,7 @@ export default class ReleasePromotion extends Session {
   // Set up the branch so that nightly builds are produced with the next
   // version number and a pre-release tag.
   async setupForNextRelease() {
-    const { versionComponents, prid } = this;
+    const { versionComponents, prid, owner, repo } = this;
 
     // Update node_version.h for next patch release.
     const filePath = path.resolve('src', 'node_version.h');
@@ -422,7 +433,7 @@ export default class ReleasePromotion extends Session {
       '-m',
       `Working on ${workingOnVersion}`,
       '-m',
-      `PR-URL: https://github.com/nodejs/node/pull/${prid}`
+      `PR-URL: https://github.com/${owner}/${repo}/pull/${prid}`
     ], { ignoreFailure: false });
     const workingOnNewReleaseCommit = await forceRunAsync('git', ['rev-parse', 'HEAD'],
       { ignoreFailure: false, captureStdout: true });

package/lib/queries/PR.gql

@@ -23,9 +23,6 @@ query PR($prid: Int!, $owner: String!, $repo: String!) {
           path
         }
       },
-      timelineItems(itemTypes: [HEAD_REF_FORCE_PUSHED_EVENT, PULL_REQUEST_COMMIT]) {
-        updatedAt
-      },
       title,
       baseRefName,
       headRefName,

package/lib/queries/Reviews.gql

@@ -13,6 +13,9 @@ query Reviews($prid: Int!, $owner: String!, $repo: String!, $after: String) {
           author {
             login
           }
+          commit {
+            oid
+          }
           authorCanPushToRepository
           url
           publishedAt

package/lib/reviews.js

@@ -29,6 +29,7 @@ export class Review {
   * @property {string} bodyText
   * @property {string} state
   * @property {{login: string}} author
+  * @property {{oid:string}} commit
   * @property {string} url
   * @property {string} publishedAt
   *

package/lib/run.js

@@ -12,14 +12,19 @@ function runAsyncBase(cmd, args, {
   ignoreFailure = true,
   spawnArgs,
   input,
+  captureStderr = false,
   captureStdout = false
 } = {}) {
   if (cmd instanceof URL) {
     cmd = fileURLToPath(cmd);
   }
   let stdio = 'inherit';
-  if (captureStdout || input != null) {
-    stdio = [input == null ? 'inherit' : 'pipe', captureStdout ? 'pipe' : 'inherit', 'inherit'];
+  if (captureStderr || captureStdout || input != null) {
+    stdio = [
+      input == null ? 'inherit' : 'pipe',
+      captureStdout ? 'pipe' : 'inherit',
+      captureStderr ? 'pipe' : 'inherit'
+    ];
   }
   return new Promise((resolve, reject) => {
     const opt = Object.assign({
@@ -30,6 +35,12 @@ function runAsyncBase(cmd, args, {
       debuglog('[Spawn]', `${cmd} ${(args || []).join(' ')}`, opt);
     }
     const child = spawn(cmd, args, opt);
+    let stderr;
+    if (!captureStdout && captureStderr) {
+      stderr = '';
+      child.stderr.setEncoding('utf8');
+      child.stderr.on('data', (chunk) => { stderr += chunk; });
+    }
     let stdout;
     if (captureStdout) {
       stdout = '';
@@ -51,7 +62,7 @@ function runAsyncBase(cmd, args, {
         stdout = stdout.split(/\r?\n/g);
         if (stdout[stdout.length - 1] === '') stdout.pop();
       }
-      return resolve(stdout);
+      return resolve(stdout ?? stderr);
     });
     if (input != null) child.stdin.end(input);
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.11.0",
+  "version": "5.12.1",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {

package/lib/queries/PRLabeledEvents.gql

@@ -1,19 +0,0 @@
-query PRLabeledEvents($prid: Int!, $owner: String!, $repo: String!, $after: String) {
-  repository(owner: $owner, name: $repo) {
-    pullRequest(number: $prid) {
-      timelineItems(itemTypes: LABELED_EVENT, after: $after, last: 100) {
-        nodes { 
-          ... on LabeledEvent {
-            actor {
-              login
-            }
-            label {
-              name
-            }
-            createdAt
-          }
-        }
-      }
-    }
-  }
-}