@npmcli/template-oss 4.8.0 → 4.10.0

package/bin/release-manager.js

@@ -10,13 +10,19 @@ const log = (...logs) => console.error('LOG', ...logs)
 const ROOT = process.cwd()
 const pkg = require(join(ROOT, 'package.json'))
 
+const args = process.argv.slice(2).reduce((acc, a) => {
+  const [k, v] = a.replace(/^--/g, '').split('=')
+  acc[k] = v === 'true'
+  return acc
+}, {})
+
 /* eslint-disable max-len */
 const DEFAULT_RELEASE_PROCESS = `
 1. Checkout the release branch and test
 
     \`\`\`sh
     gh pr checkout <PR-NUMBER> --force
-    npm i
+    npm ${args.lockfile ? 'ci' : 'update'}
     npm test
     gh pr checks --watch
     \`\`\`

package/lib/content/SECURITY.md

@@ -1 +1,12 @@
-Please send vulnerability reports through [hackerone](https://hackerone.com/github).
+GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
+
+If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. 
+
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+
+If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Thanks for helping make GitHub safe for everyone.
+

package/lib/content/_step-node.yml

@@ -20,12 +20,12 @@
 - name: Install npm@7
   if: startsWith(matrix.node-version, '10.')
   run: npm i --prefer-online --no-fund --no-audit -g npm@7
-- name: Install npm@latest
+- name: Install npm@{{ npmSpec }}
   if: $\{{ !startsWith(matrix.node-version, '10.') }}
 {{else}}
-- name: Install npm@latest
+- name: Install npm@{{ npmSpec }}
 {{/if}}
-  run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+  run: npm i --prefer-online --no-fund --no-audit -g npm@{{ npmSpec }}
 - name: npm Version
   run: npm -v
 {{/if}}

package/lib/content/index.js

@@ -152,6 +152,7 @@ module.exports = {
   lockfile: false,
   npm: 'npm',
   npx: 'npx',
+  npmSpec: 'latest',
   dependabot: 'increase-if-necessary',
   unwantedPackages: [
     'eslint',

package/lib/content/release.yml

@@ -51,9 +51,9 @@ jobs:
             const comments = await github.paginate(github.rest.issues.listComments, issue)
             let commentId = comments?.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id
 
-            body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Rerun for This Release\n\n`
-            body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. `
-            body += `To force CI to rerun, run this command:\n\n`
+            body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n`
+            body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`{{ defaultBranch }}\`. `
+            body += `To force CI to update this PR, run this command:\n\n`
             body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME}\n\`\`\``
 
             if (commentId) {
@@ -82,7 +82,7 @@ jobs:
           RELEASE_COMMENT_ID: $\{{ needs.release.outputs.comment-id }}
           GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
         run: |
-          {{ rootNpmPath }} exec --offline -- template-oss-release-manager
+          {{ rootNpmPath }} exec --offline -- template-oss-release-manager --lockfile={{ lockfile }}
           {{ rootNpmPath }} run rp-pull-request --ignore-scripts {{~#if allFlags}} {{ allFlags }}{{else}} --if-present{{/if}}
       - name: Commit
         id: commit

package/lib/release-please/index.js

@@ -29,42 +29,47 @@ const main = async ({ repo: fullRepo, token, dryRun, branch, force }) => {
     .filter(([k, v]) => k.startsWith('RELEASE_PLEASE_') && v != null)
     .map(([k, v]) => [k.replace('RELEASE_PLEASE_', ''), v])
 
+  const baseBranch = branch ?? github.repository.defaultBranch
+
   const manifest = await RP.Manifest.fromManifest(
     github,
-    branch ?? github.repository.defaultBranch,
+    baseBranch,
     undefined,
     undefined,
     Object.fromEntries(manifestOverrides)
   )
 
-  let pullRequests = []
-  let allReleases = []
   if (force) {
-    // If we are forcing the release CI to run again, then we get
-    // the release PR from the repo and return it, which will trigger
-    // the rest of the steps in the workflow to run
-    const prNumber = await github.octokit.issues.listForRepo({
+    const { data: releasePrs } = await github.octokit.pulls.list({
       owner,
       repo,
-      labels: 'autorelease: pending',
-      per_page: 1,
-    }).then(res => res.data[0]?.number)
-    if (prNumber) {
-      pullRequests = await github.octokit.pulls.get({
-        owner,
-        repo,
-        pull_number: prNumber,
-      }).then(res => [{
-        ...res.data,
-        headBranchName: res.data.head.ref,
-        updates: [],
-      }])
+      head: `release-please--branches--${baseBranch}`,
+    })
+
+    if (releasePrs.length !== 1) {
+      throw new Error(`Found ${releasePrs.length} matching PRs, expected 1`)
     }
-  } else {
-    pullRequests = await (dryRun ? manifest.buildPullRequests() : manifest.createPullRequests())
-    allReleases = await (dryRun ? manifest.buildReleases() : manifest.createReleases())
+
+    const [releasePr] = releasePrs
+    const id = process.env.GITHUB_RUN_ID
+      ? `by https://github.com/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`
+      : `manually starting at ${new Date().toJSON()}`
+
+    // XXX(hack): to get release please to recreate a pull request it needs
+    // to have a different body string so we append a message a message that CI
+    // is running. This will force release-please to rebase the PR but it
+    // wont update the body again, so we only append to it.
+    await github.octokit.pulls.update({
+      owner,
+      repo,
+      pull_number: releasePr.number,
+      body: `${releasePr.body.trim()}\n- This PR is being recreated ${id}`,
+    })
   }
 
+  const pullRequests = await (dryRun ? manifest.buildPullRequests() : manifest.createPullRequests())
+  const allReleases = await (dryRun ? manifest.buildReleases() : manifest.createReleases())
+
   // We only ever get a single pull request with our current release-please settings
   const rootPr = pullRequests.filter(Boolean)?.[0]
   if (rootPr?.number) {

package/lib/util/parser.js

@@ -5,6 +5,7 @@ const NpmPackageJson = require('@npmcli/package-json')
 const jsonParse = require('json-parse-even-better-errors')
 const Diff = require('diff')
 const { unset } = require('lodash')
+const ini = require('ini')
 const template = require('./template.js')
 const jsonDiff = require('./json-diff')
 const merge = require('./merge.js')
@@ -176,9 +177,33 @@ class Js extends Base {
 }
 
 class Ini extends Base {
-  // XXX: add merge mode for updating ini files
-  static types = ['npmrc']
+  static types = ['ini']
   comment = (c) => `; ${c}`
+
+  toString (s) {
+    return typeof s === 'string' ? s : ini.stringify(s)
+  }
+
+  parse (s) {
+    return typeof s === 'string' ? ini.parse(s) : s
+  }
+
+  prepare (s, t) {
+    let source = s
+    if (typeof this.merge === 'function' && t) {
+      source = this.merge(t, s)
+    }
+    return super.prepare(this.toString(source))
+  }
+
+  diff (t, s) {
+    return jsonDiff(this.parse(t), this.parse(s), this.DELETE)
+  }
+}
+
+class IniMerge extends Ini {
+  static types = ['npmrc']
+  merge = (t, s) => merge(t, s)
 }
 
 class Markdown extends Base {
@@ -314,6 +339,7 @@ const Parsers = {
   Gitignore,
   Js,
   Ini,
+  IniMerge,
   Markdown,
   Yml,
   YmlMerge,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/template-oss",
-  "version": "4.8.0",
+  "version": "4.10.0",
   "description": "templated files used in npm CLI team oss projects",
   "main": "lib/content/index.js",
   "bin": {
@@ -45,6 +45,7 @@
     "glob": "^8.0.1",
     "handlebars": "^4.7.7",
     "hosted-git-info": "^6.0.0",
+    "ini": "^3.0.1",
     "json-parse-even-better-errors": "^3.0.0",
     "just-deep-map-values": "^1.1.1",
     "just-diff": "^5.0.1",
@@ -75,7 +76,8 @@
     "test-ignore": "^(workspace/test-workspace)/"
   },
   "templateOSS": {
-    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten."
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "npmSpec": "8"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"