@npmcli/template-oss 4.19.0 → 4.21.0

package/lib/config.js

@@ -1,18 +1,22 @@
-const { relative, dirname, join, extname, posix, win32 } = require('path')
-const { defaults, pick, omit, uniq, isPlainObject } = require('lodash')
+const { relative, dirname, join, extname } = require('path')
+const { defaults, defaultsDeep, pick, omit, uniq, isPlainObject } = require('lodash')
+const semver = require('semver')
 const ciVersions = require('./util/ci-versions.js')
 const parseDependabot = require('./util/dependabot.js')
 const git = require('./util/git.js')
 const gitignore = require('./util/gitignore.js')
 const { mergeWithCustomizers, customizers } = require('./util/merge.js')
 const { FILE_KEYS, parseConfig: parseFiles, getAddedFiles, mergeFiles } = require('./util/files.js')
+const template = require('./util/template.js')
+const getCmdPath = require('./util/get-cmd-path.js')
+const importOrRequire = require('./util/import-or-require.js')
+const { makePosix, deglob, posixDir, posixGlob } = require('./util/path.js')
+const { name: NAME, version: LATEST_VERSION } = require('../package.json')
 
 const CONFIG_KEY = 'templateOSS'
-const getPkgConfig = (pkg) => pkg[CONFIG_KEY] || {}
-
-const { name: NAME, version: LATEST_VERSION } = require('../package.json')
 const MERGE_KEYS = [...FILE_KEYS, 'defaultContent', 'content']
 const DEFAULT_CONTENT = require.resolve(NAME)
+const getPkgConfig = (pkg) => pkg[CONFIG_KEY] || {}
 
 const merge = mergeWithCustomizers(
   customizers.mergeArrays('branches', 'distPaths', 'allowPaths', 'ignorePaths'),
@@ -23,43 +27,6 @@ const merge = mergeWithCustomizers(
   }
 )
 
-const makePosix = (v) => v.split(win32.sep).join(posix.sep)
-const deglob = (v) => makePosix(v).replace(/[/*]+$/, '')
-const posixDir = (v) => `${v === '.' ? '' : deglob(v).replace(/\/$/, '')}${posix.sep}`
-const posixGlob = (str) => `${posixDir(str)}**`
-
-const getCmdPath = (key, { pkgConfig, rootConfig, isRoot, pkg, rootPkg }) => {
-  const result = (local, isRelative) => {
-    let root = local
-    const isLocal = local.startsWith('.') || local.startsWith('/')
-
-    if (isLocal) {
-      if (isRelative) {
-        // Make a path relative from a workspace to the root if we are in a workspace
-        local = makePosix(join(relative(pkg.path, rootPkg.path), local))
-      }
-      local = `node ${local}`
-      root = `node ${root}`
-    }
-
-    return {
-      isLocal,
-      local,
-      root,
-    }
-  }
-
-  if (pkgConfig[key]) {
-    return result(pkgConfig[key])
-  }
-
-  if (rootConfig[key]) {
-    return result(rootConfig[key], !isRoot)
-  }
-
-  return result(key)
-}
-
 const mergeConfigs = (...configs) => {
   const mergedConfig = merge(...configs.map(c => pick(c, MERGE_KEYS)))
   return defaults(mergedConfig, {
@@ -72,37 +39,33 @@ const mergeConfigs = (...configs) => {
   })
 }
 
-const readContentPath = (path) => {
+const readContentPath = async (path) => {
   if (!path) {
     return {}
   }
 
-  let content = {}
   const index = extname(path) === '.js' ? path : join(path, 'index.js')
   const dir = dirname(index)
-
-  try {
-    content = require(index)
-  } catch {
-    // its ok if this fails since the content dir
-    // might only be to provide other files. the
-    // index.js is optional
-  }
+  const content = await importOrRequire(index)
 
   return { content, dir }
 }
 
-const getConfig = (path, rawConfig) => {
-  const config = omit(readContentPath(path).content, FILE_KEYS)
+const getConfig = async (path, rawConfig) => {
+  const { content } = await readContentPath(path)
+  const config = omit(content, FILE_KEYS)
   return merge(config, rawConfig ? omit(rawConfig, FILE_KEYS) : {})
 }
 
-const getFiles = (path, rawConfig) => {
-  const { content, dir } = readContentPath(path)
+const getFiles = async (path, rawConfig, templateSettings) => {
+  const { content, dir } = await readContentPath(path)
   if (!dir) {
     return []
   }
-  return [parseFiles(pick(content, FILE_KEYS), dir, pick(rawConfig, FILE_KEYS)), dir]
+  return [
+    parseFiles(pick(content, FILE_KEYS), dir, pick(rawConfig, FILE_KEYS), templateSettings),
+    dir,
+  ]
 }
 
 const getFullConfig = async ({
@@ -127,39 +90,15 @@ const getFullConfig = async ({
   // These config items are merged betweent the root and child workspaces and only come from
   // the package.json because they can be used to read configs from other the content directories
   const mergedConfig = mergeConfigs(rootPkg.config, pkg.config)
-
-  const defaultConfig = getConfig(DEFAULT_CONTENT)
-  const [defaultFiles, defaultDir] = getFiles(DEFAULT_CONTENT, mergedConfig)
+  const defaultConfig = await getConfig(DEFAULT_CONTENT)
   const useDefault = mergedConfig.defaultContent && defaultConfig
 
-  const rootConfig = getConfig(rootPkg.config.content, rootPkg.config)
-  const [rootFiles, rootDir] = getFiles(rootPkg.config.content, mergedConfig)
+  const rootConfig = await getConfig(rootPkg.config.content, rootPkg.config)
 
   // The content config only gets set from the package we are in, it doesn't inherit
   // anything from the root
   const rootPkgConfig = merge(useDefault, rootConfig)
-  const pkgConfig = merge(useDefault, getConfig(pkg.config.content, pkg.config))
-  const [pkgFiles, pkgDir] = getFiles(mergedConfig.content, mergedConfig)
-
-  // Files get merged in from the default content (that template-oss provides) as well
-  // as any content paths provided from the root or the workspace
-  const fileDirs = uniq([useDefault && defaultDir, rootDir, pkgDir].filter(Boolean))
-  const files = mergeFiles(useDefault && defaultFiles, rootFiles, pkgFiles)
-  const repoFiles = isRoot ? files.rootRepo : files.workspaceRepo
-  const moduleFiles = isRoot ? files.rootModule : files.workspaceModule
-
-  const allowRootDirs = [
-    // Allways allow module files in root or workspaces
-    ...getAddedFiles(moduleFiles),
-    ...isRoot ? [
-      // in the root allow all repo files
-      ...getAddedFiles(repoFiles),
-      // and allow all workspace repo level files in the root
-      ...pkgs
-        .filter(p => p.path !== rootPkg.path && p.config.workspaceRepo !== false)
-        .flatMap(() => getAddedFiles(files.workspaceRepo)),
-    ] : [],
-  ]
+  const pkgConfig = merge(useDefault, await getConfig(pkg.config.content, pkg.config))
 
   const npmPath = getCmdPath('npm', { pkgConfig, rootConfig, isRoot, pkg, rootPkg })
   const npxPath = getCmdPath('npx', { pkgConfig, rootConfig, isRoot, pkg, rootPkg })
@@ -180,11 +119,12 @@ const getFullConfig = async ({
   const gitBranches = await git.getBranches(rootPkg.path, branches)
   const defaultBranch = await git.defaultBranch(rootPkg.path) ?? 'main'
   const isReleaseBranch = !!pkgConfig.backport
-  const publishTag = isReleaseBranch ? `next-${pkgConfig.backport}` : 'latest'
   const releaseBranch = isReleaseBranch
     ? pkgConfig.releaseBranch.replace(/\*/g, pkgConfig.backport)
     : defaultBranch
 
+  const esm = pkg.pkgJson?.type === 'module' || !!pkgConfig.typescript || !!pkgConfig.esm
+
   // all derived keys
   const derived = {
     isRoot,
@@ -207,20 +147,12 @@ const getFullConfig = async ({
     branchPatterns: gitBranches.patterns,
     isReleaseBranch,
     releaseBranch,
-    publishTag,
     dependabot: parseDependabot(pkgConfig, defaultConfig, gitBranches.branches),
-    // repo
+    // paths
     repoDir: rootPkg.path,
-    repoFiles,
-    applyRepo: !!repoFiles,
-    // module
     moduleDir: pkg.path,
-    moduleFiles,
-    applyModule: !!moduleFiles,
-    // package
     pkgName: pkg.pkgJson.name,
     pkgNameFs: pkg.pkgJson.name.replace(/\//g, '-').replace(/@/g, ''),
-    // paths
     pkgPath,
     pkgDir: posixDir(pkgPath),
     pkgGlob: posixGlob(pkgPath),
@@ -228,6 +160,13 @@ const getFullConfig = async ({
     allFlags: isMono ? '-ws -iwr --if-present' : '',
     workspacePaths,
     workspaceGlobs: workspacePaths.map(posixGlob),
+    // type
+    esm,
+    cjsExt: esm ? 'cjs' : 'js',
+    deleteJsExt: esm ? 'js' : 'cjs',
+    // tap
+    tap18: semver.coerce(pkg.pkgJson?.devDependencies?.tap)?.major === 18,
+    tap16: semver.coerce(pkg.pkgJson?.devDependencies?.tap)?.major === 16,
     // booleans to control application of updates
     isForce,
     isDogFood,
@@ -243,20 +182,6 @@ const getFullConfig = async ({
     lockfile: rootPkgConfig.lockfile,
     // ci versions / engines
     ciVersions: ciVersions.get(pkg.pkgJson.engines?.node, pkgConfig),
-    // gitignore
-    ignorePaths: [
-      ...gitignore.sort([
-        ...gitignore.allowRootDir(allowRootDirs),
-        ...isRoot && pkgConfig.lockfile ? ['!/package-lock.json'] : [],
-        ...(pkgConfig.allowPaths || []).map((p) => `!${p}`),
-        ...(pkgConfig.ignorePaths || []),
-      ]),
-      // these cant be sorted since they rely on order
-      // to allow a previously ignored directoy
-      ...isRoot
-        ? gitignore.allowDir(wsPkgs.map((p) => makePosix(relative(rootPkg.path, p.path))))
-        : [],
-    ],
     // needs update if we are dogfooding this repo, with force argv, or its
     // behind the current version
     needsUpdate: isForce || isDogFood || !isLatest,
@@ -264,15 +189,24 @@ const getFullConfig = async ({
     __NAME__: NAME,
     __CONFIG_KEY__: CONFIG_KEY,
     __VERSION__: LATEST_VERSION,
-    __PARTIAL_DIRS__: fileDirs,
   }
 
-  if (!pkgConfig.eslint) {
-    derived.ignorePaths = derived.ignorePaths.filter(p => !p.includes('eslint'))
-    if (Array.isArray(pkgConfig.requiredPackages?.devDependencies)) {
-      pkgConfig.requiredPackages.devDependencies =
-        pkgConfig.requiredPackages.devDependencies.filter(p => !p.includes('eslint'))
-    }
+  if (!pkgConfig.eslint && Array.isArray(pkgConfig.requiredPackages?.devDependencies)) {
+    pkgConfig.requiredPackages.devDependencies =
+      pkgConfig.requiredPackages.devDependencies.filter(p => !p.includes('eslint'))
+  }
+
+  if (pkgConfig.typescript) {
+    defaultsDeep(pkgConfig, { allowPaths: [], requiredPackages: { devDependencies: [] } })
+    pkgConfig.distPaths = ['dist/']
+    pkgConfig.allowDistPaths = false
+    pkgConfig.allowPaths.push('/src/')
+    pkgConfig.requiredPackages.devDependencies.push(
+      'typescript',
+      'tshy',
+      '@typescript-eslint/parser',
+      ...derived.tap16 ? ['c8', 'ts-node'] : []
+    )
   }
 
   const gitUrl = await git.getUrl(rootPkg.path)
@@ -284,10 +218,55 @@ const getFullConfig = async ({
     }
   }
 
-  return {
-    ...pkgConfig,
-    ...derived,
-  }
+  const fullConfig = { ...pkgConfig, ...derived }
+
+  // files, come at the end since file names can be based on config
+  const [defaultFiles, defaultDir] = await getFiles(DEFAULT_CONTENT, mergedConfig, fullConfig)
+  const [rootFiles, rootDir] = await getFiles(rootPkg.config.content, mergedConfig, fullConfig)
+  const [pkgFiles, pkgDir] = await getFiles(mergedConfig.content, mergedConfig, fullConfig)
+
+  // Files get merged in from the default content (that template-oss provides) as well
+  // as any content paths provided from the root or the workspace
+  const fileDirs = uniq([useDefault && defaultDir, rootDir, pkgDir].filter(Boolean))
+  const files = mergeFiles(useDefault && defaultFiles, rootFiles, pkgFiles)
+  const repoFiles = isRoot ? files.rootRepo : files.workspaceRepo
+  const moduleFiles = isRoot ? files.rootModule : files.workspaceModule
+
+  Object.assign(fullConfig, {
+    repoFiles,
+    moduleFiles,
+    applyRepo: !!repoFiles,
+    applyModule: !!moduleFiles,
+    __PARTIAL_DIRS__: fileDirs,
+    // gitignore, these use the full config so need to come at the very end
+    ignorePaths: [
+      ...gitignore.sort([
+        ...gitignore.allowRootDir([
+          // Allways allow module files in root or workspaces
+          ...getAddedFiles(moduleFiles).map(s => template(s, fullConfig)),
+          ...isRoot ? [
+            // in the root allow all repo files
+            ...getAddedFiles(repoFiles).map(s => template(s, fullConfig)),
+            // and allow all workspace repo level files in the root
+            ...pkgs
+              .filter(p => p.path !== rootPkg.path && p.config.workspaceRepo !== false)
+              .flatMap(() => getAddedFiles(files.workspaceRepo)),
+          ] : [],
+        ]),
+        ...isRoot && pkgConfig.lockfile ? ['!/package-lock.json'] : [],
+        ...(pkgConfig.allowPaths || []).map((p) => `!${p}`),
+        ...(pkgConfig.allowDistPaths ? pkgConfig.distPaths : []).map((p) => `!/${p}`),
+        ...(pkgConfig.ignorePaths || []),
+      ]),
+      // these cant be sorted since they rely on order
+      // to allow a previously ignored directoy
+      ...isRoot
+        ? gitignore.allowDir(wsPkgs.map((p) => makePosix(relative(rootPkg.path, p.path))))
+        : [],
+    ].filter(p => !pkgConfig.eslint ? !p.includes('eslint') : true),
+  })
+
+  return fullConfig
 }
 
 module.exports = getFullConfig

package/lib/content/{_job-matrix.yml → _job-matrix-yml.hbs}

@@ -26,4 +26,4 @@ defaults:
   run:
     shell: $\{{ matrix.platform.shell }}
 steps:
-  {{> stepsSetup jobIsMatrix=true }}
+  {{> stepsSetupYml jobIsMatrix=true }}

package/lib/content/_job-release-integration-yml.hbs

@@ -0,0 +1,51 @@
+name: {{#if publish}}Publish{{else}}Check Publish{{/if}}
+runs-on: ubuntu-latest
+defaults:
+  run:
+    shell: bash
+{{#if publish}}
+permissions:
+  id-token: write
+{{/if}}
+steps:
+  {{#if publish}}
+  {{> stepsSetupYml jobCheckout=(obj ref="${{ fromJSON(inputs.releases)[0].tagName }}") }}
+  - name: Set npm authToken
+    run: npm config set '//registry.npmjs.org/:_authToken'=\${PUBLISH_TOKEN}
+  - name: Publish
+    env:
+      PUBLISH_TOKEN: $\{{ secrets.PUBLISH_TOKEN }}
+  {{else}}
+  {{> stepsSetupYml }}
+  - name: Check If Published
+  {{/if}}
+    run: |
+      EXIT_CODE=0
+
+      function each_release {
+        if {{#if publish}}npm publish --provenance --tag="$1"{{else}}npm view "$@" --loglevel=error > /dev/null{{/if}}; then
+          echo 0
+        else
+          echo 1
+        fi
+      }
+
+      for release in $(echo '$\{{ inputs.releases }}' | jq -r '.[] | @base64'); do
+        {{#if publish}}
+        PUBLISH_TAG=$(echo "$release" | base64 --decode | jq -r .publishTag)
+        STATUS=$(each_release "$PUBLISH_TAG")
+        {{else}}
+        SPEC="$(echo "$release" | base64 --decode | jq -r .pkgName)@$(echo "$release" | base64 --decode | jq -r .version)"
+        STATUS=$(each_release "$SPEC")
+        {{/if}}
+        if [[ "$STATUS" -eq 1 ]]; then
+          EXIT_CODE=$STATUS
+        {{#unless publish}}
+          echo "$SPEC ERROR"
+        else
+          echo "$SPEC OK"
+        {{/unless}}       
+        fi
+      done
+
+      exit $EXIT_CODE

package/lib/content/{_job.yml → _job-yml.hbs}

@@ -5,4 +5,4 @@ defaults:
   run:
     shell: bash
 steps:
-  {{> stepsSetup }}
+  {{> stepsSetupYml }}

package/lib/content/_step-node-yml.hbs

@@ -0,0 +1,15 @@
+- name: Setup Node
+  uses: actions/setup-node@v3
+  id: node
+  with:
+    node-version: {{#if jobIsMatrix}}$\{{ matrix.node-version }}{{else}}{{ last ciVersions }}{{/if}}
+    check-latest: contains({{#if jobIsMatrix}}matrix.node-version{{else}}'{{ last ciVersions }}'{{/if}}, '.x')
+    {{#if lockfile}}
+    cache: npm
+    {{/if}}
+{{#if updateNpm}}
+- name: Install Latest npm
+  uses: ./.github/actions/install-latest-npm
+  with:
+    node: $\{{ steps.node.outputs.node-version }}
+{{/if}}

package/lib/content/_steps-setup-yml.hbs

@@ -0,0 +1,15 @@
+{{~#unless jobSkipSetup}}
+{{> stepGitYml }}
+{{~#if jobCreateCheck}}
+- name: Create Check
+  id: create-check
+  if: {{ jobCreateCheck.sha }}
+  uses: ./.github/actions/create-check
+  with:
+    name: "{{ jobName }}{{#if jobIsMatrix}} - $\{{ matrix.platform.name }} - $\{{ matrix.node-version }}{{/if}}"
+    token: $\{{ secrets.GITHUB_TOKEN }}
+    sha: {{ jobCreateCheck.sha }}
+{{/if}}
+{{> stepNodeYml }}
+{{> stepDepsYml }}
+{{/unless}}

package/lib/content/action-create-check-yml.hbs

@@ -0,0 +1,50 @@
+name: 'Create Check'
+inputs:
+  name:
+    required: true
+  token:
+    required: true
+  sha:
+    required: true
+  check-name:
+    default: ''
+outputs:
+  check-id:
+    value: $\{{ steps.create-check.outputs.check_id }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get Workflow Job
+      uses: actions/github-script@v6
+      id: workflow
+      env:
+        JOB_NAME: "$\{{ inputs.name }}"
+        SHA: "$\{{ inputs.sha }}"
+      with:
+        result-encoding: string
+        script: |
+          const { repo: { owner, repo}, runId, serverUrl } = context          
+          const { JOB_NAME, SHA } = process.env
+
+          const job = await github.rest.actions.listJobsForWorkflowRun({
+            owner,
+            repo,
+            run_id: runId,
+            per_page: 100
+          }).then(r => r.data.jobs.find(j => j.name.endsWith(JOB_NAME)))
+
+          return [
+            `This check is assosciated with ${serverUrl}/${owner}/${repo}/commit/${SHA}.`,
+            'Run logs:',
+            job?.html_url || `could not be found for a job ending with: "${JOB_NAME}"`,
+          ].join(' ')
+    - name: Create Check
+      uses: LouisBrunner/checks-action@v1.6.0
+      id: create-check
+      with:
+        token: $\{{ inputs.token }}
+        sha: $\{{ inputs.sha }}
+        status: in_progress
+        name: $\{{ inputs.check-name || inputs.name }}
+        output: |
+          {"summary":"$\{{ steps.workflow.outputs.result }}"}

package/lib/content/action-install-latest-npm-yml.hbs

@@ -0,0 +1,55 @@
+name: 'Install Latest npm'
+description: 'Install the latest version of npm compatible with the Node version'
+inputs:
+  node:
+    description: 'Current Node version'
+    required: true
+runs:
+  using: "composite"
+  steps:
+    # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+    - name: Update Windows npm
+      if: |
+        runner.os == 'Windows' && (
+          startsWith(inputs.node, 'v10.') ||
+          startsWith(inputs.node, 'v12.') ||
+          startsWith(inputs.node, 'v14.')
+        )
+      shell: cmd
+      run: |
+        curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+        tar xf npm-7.5.4.tgz
+        cd package
+        node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+        cd ..
+        rmdir /s /q package
+    - name: Install Latest npm
+      shell: bash
+      env:
+        NODE_VERSION: $\{{ inputs.node }}
+      run: |
+        MATCH=""
+        SPECS=("latest" "next-10" "next-9" "next-8" "next-7" "next-6")
+
+        echo "node@$NODE_VERSION"
+
+        for SPEC in ${SPECS[@]}; do
+          ENGINES=$(npm view npm@$SPEC --json | jq -r '.engines.node')
+          echo "Checking if node@$NODE_VERSION satisfies npm@$SPEC ($ENGINES)"
+
+          if npx semver -r "$ENGINES" "$NODE_VERSION" > /dev/null; then
+            MATCH=$SPEC
+            echo "Found compatible version: npm@$MATCH"
+            break
+          fi  
+        done
+
+        if [ -z $MATCH ]; then
+          echo "Could not find a compatible version of npm for node@$NODE_VERSION"
+          exit 1
+        fi
+
+        npm i --prefer-online --no-fund --no-audit -g npm@$MATCH
+    - name: npm Version
+      shell: bash
+      run: npm -v

package/lib/content/{audit.yml → audit-yml.hbs}

@@ -8,5 +8,5 @@ on:
 
 jobs:
   audit:
-    {{> job jobName="Audit Dependencies" jobDepFlags="--package-lock" }}
-      {{> stepAudit }}
+    {{> jobYml jobName="Audit Dependencies" jobDepFlags="--package-lock" }}
+      {{> stepAuditYml }}

package/lib/content/ci-release-yml.hbs

@@ -0,0 +1,49 @@
+
+name: CI - Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        required: true
+        type: string
+        default: {{ releaseBranch }}
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+      check-sha:
+        required: true
+        type: string
+
+jobs:
+  lint-all:
+    {{> jobYml
+      jobName="Lint All"
+      jobCheckout=(obj ref="${{ inputs.ref }}")
+      jobCreateCheck=(obj sha="${{ inputs.check-sha }}")
+    }}
+      {{> stepLintYml jobRunFlags=allFlags }}
+      - name: Conclude Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        if: always()
+        with:
+          token: $\{{ secrets.GITHUB_TOKEN }}
+          conclusion: $\{{ job.status }}
+          check_id: $\{{ steps.create-check.outputs.check-id }}
+
+  test-all:
+    {{> jobMatrixYml
+      jobName="Test All"
+      jobCheckout=(obj ref="${{ inputs.ref }}")
+      jobCreateCheck=(obj sha="${{ inputs.check-sha }}")
+    }}
+      {{> stepTestYml jobRunFlags=allFlags }}
+      - name: Conclude Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        if: always()
+        with:
+          token: $\{{ secrets.GITHUB_TOKEN }}
+          conclusion: $\{{ job.status }}
+          check_id: $\{{ steps.create-check.outputs.check-id }}

package/lib/content/ci-yml.hbs

@@ -0,0 +1,13 @@
+name: CI {{~#if isWorkspace}} - {{ pkgName }}{{/if}}
+
+on:
+  {{> onCiYml }}
+
+jobs:
+  lint:
+    {{> jobYml jobName="Lint" }}
+      {{> stepLintYml jobRunFlags=pkgFlags }}
+
+  test:
+    {{> jobMatrixYml jobName="Test" }}
+      {{> stepTestYml jobRunFlags=pkgFlags }}

package/lib/content/{codeql-analysis.yml → codeql-analysis-yml.hbs}

@@ -24,7 +24,7 @@ jobs:
       contents: read
       security-events: write
     steps:
-      {{> stepGit }}
+      {{> stepGitYml }}
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:

package/lib/content/{eslintrc.js → eslintrc-js.hbs}

@@ -8,12 +8,22 @@ const localConfigs = readdir(__dirname)
 
 module.exports = {
   root: true,
-  {{#if workspaceGlobs}}
   ignorePatterns: [
+    'tap-testdir*/',
     {{#each workspaceGlobs}}
     '{{ . }}',
     {{/each}}
+    {{#if typescript}}
+    'dist/',
+    {{/if}}
   ],
+  {{#if typescript}}
+  parser: '@typescript-eslint/parser',
+  settings: {
+    'import/resolver': {
+      typescript: {},
+    },
+  },
   {{/if}}
   extends: [
     '@npmcli',

package/lib/content/{gitignore → gitignore.hbs}

@@ -1,5 +1,7 @@
 # ignore everything in the root
 /*
+# transient test directories
+tap-testdir*/
 
 # keep these
 {{#each ignorePaths}}