@node-core/utils 5.16.0 → 5.16.2

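--- a/package/README.md
+++ b/package/README.md
@@ -89,14 +89,6 @@ After the token is generated, create an rc file with the following content:
  Note: you could use `ncu-config` to configure these variables, but it's not
  recommended to leave your tokens in your command line history.
 
- If you have `gpg` installed and setup on your local machine, it is recommended
- to store an encrypted version of this file:
-
- ```console
- $ gpg --default-recipient-self --encrypt ~/.ncurc
- $ rm ~/.ncurc
- ```
-
  ### Setting up Jenkins credentials
 
  The `git-node` and `ncu-ci` commands need to query the Node.js Jenkins API for
@@ -124,14 +116,30 @@ To obtain the Jenkins API token
  }
  ```
 
+ ### Protecting your credentials
 
- ### Make sure your credentials won't be committed
+ If you have `gpg` installed and setup on your local machine, it is strongly recommended
+ to store an encrypted version of this file:
+
+ ```console
+ $ gpg --default-recipient-self --encrypt ~/.ncurc
+ $ rm ~/.ncurc
+ ```
+
+ The credentials are now encrypted in `~/.ncurc.gpg` and everytime it's needed,
+ node-core-utils will invoke `gpg` that may ask you to decrypt it using
+ your default key via pinentry.
 
  Put the following entries into your
  [global `gitignore` file](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coreexcludesFile)
- (`$XDG_CONFIG_HOME/git/ignore` or a file specified by `core.excludesFile`):
+ (`$XDG_CONFIG_HOME/git/ignore` or a file specified by `core.excludesFile`). For example:
+
+ ```console
+ $ git config --global core.excludesfile ~/.gitignore_global
+ ```
 
  ```
+ # In ~/.gitignore_global
  # node-core-utils configuration file
  .ncurc
  .ncurc.gpg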
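--- a/package/lib/config.js
+++ b/package/lib/config.js
@@ -29,6 +29,7 @@ export function getConfig(configType, dir) {
  const configPath = getConfigPath(configType, dir);
  const encryptedConfigPath = configPath + '.gpg';
  if (existsSync(encryptedConfigPath)) {
+ console.warn('Encrypted config detected, spawning gpg to decrypt it...');
  const { status, stdout } =
  spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
  if (status === 0) {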
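Review bot: The warning added in `getConfig` does not say which file triggered the gpg call, so a user who gets an unexpected pinentry prompt cannot tell whether it came from their own `~/.ncurc.gpg` or from a `.ncurc.gpg` found under the `dir` argument. Naming the path makes that visible: `console.warn('Encrypted config detected at ' + encryptedConfigPath + ', spawning gpg to decrypt it...');`. The function continues outside the hunk, so what happens on a non-zero `status` is not visible here; if that path is silent, it deserves a matching message.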
@@ -196,7 +196,7 @@ export default class ReleasePromotion extends Session {
196
196
 
197
197
  async verifyTagSignature(version) {
198
198
  const { cli } = this;
199
- const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using RSA key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from "([^<]+) <\2>"/;
199
+ const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using \w+ key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from (?:"[^"]+"(?: \[ultimate\])?\ngpg:\s+aka )*"([^<]+) <\2>"/;
200
200
  const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
201
201
  'git', ['--no-pager',
202
202
  'verify-tag',
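Review bot: `verifyTagPattern` in `verifyTagSignature` still identifies the signer by matching gpg's human-readable output, which is translated per locale and varies with gpg version and keyring contents. As far as I know, gpg also prints the "Good signature from" wording for signatures made by expired or revoked keys, so the text alone is not a validity signal. The `(?: \[ultimate\])?` group accepts only that one trust label on the earlier user IDs, so a multi-UID key shown with any other label will not match (it fails closed, but with no hint why). Consider `git verify-tag --raw` and reading the fingerprint from the `VALIDSIG` status line, or at least add a comment above the pattern listing the exact output shapes it is meant to accept. The method body continues outside the hunk, so how the captures and the command's exit status are used is not visible here.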