@socketsecurity/lib 6.0.9 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +10 -9
- package/dist/ai/route.js +14 -13
- package/dist/ai/spawn.d.mts +2 -1
- package/dist/ai/spawn.js +25 -2
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +9 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +446 -300
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +10 -33
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +4 -0
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +6 -1
- package/dist/config/layers.d.ts +4 -4
- package/dist/config/layers.js +4 -4
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-resolution.js +7 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -1
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +32 -0
- package/dist/env/rewire.js +55 -23
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/errors/stack.js +2 -1
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +179 -88
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +41 -34
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +1551 -1867
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +4 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +7 -3
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +1 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +1 -1
- package/dist/external-tools/uv/resolve.d.ts +3 -0
- package/dist/external-tools/uv/resolve.js +3 -0
- package/dist/fleet/repo-config.d.ts +8 -6
- package/dist/fleet/repo-config.js +8 -6
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/allowed-dirs-cache.js +5 -3
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +5 -1
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +3 -2
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +3 -1
- package/dist/integrity.js +3 -1
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +9 -3
- package/dist/logger/colors.js +6 -13
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/packages/manifest.js +6 -7
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +8 -0
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +8 -8
- package/dist/paths/socket.js +8 -8
- package/dist/perf/report.js +4 -2
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/find.d.ts +2 -2
- package/dist/secrets/find.js +2 -2
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +2 -0
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +2 -0
- package/dist/sorts/_internal.d.ts +2 -3
- package/dist/sorts/_internal.js +1 -3
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/prompts.d.ts +8 -15
- package/dist/stdio/prompts.js +18 -29
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +1 -1
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +13 -0
- package/dist/themes/context.js +23 -8
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -750
- package/package.json +200 -35
package/dist/fs/find.js
CHANGED
|
@@ -20,7 +20,6 @@ node_process = require_runtime.__toESM(node_process);
|
|
|
20
20
|
* visiting root itself, so a match at e.g. `/.foo` was never found. The
|
|
21
21
|
* current shape visits root, then breaks.
|
|
22
22
|
*/
|
|
23
|
-
const abortSignal = require_process_abort.getAbortSignal();
|
|
24
23
|
/**
|
|
25
24
|
* Find a file or directory by traversing up parent directories. Searches from
|
|
26
25
|
* the starting directory upward to the filesystem root. Useful for finding
|
|
@@ -44,7 +43,7 @@ const abortSignal = require_process_abort.getAbortSignal();
|
|
|
44
43
|
* @returns Normalized absolute path if found, undefined otherwise
|
|
45
44
|
*/
|
|
46
45
|
async function findUp(name, options) {
|
|
47
|
-
const { cwd = node_process.default.cwd(), signal =
|
|
46
|
+
const { cwd = node_process.default.cwd(), signal = require_process_abort.getAbortSignal() } = {
|
|
48
47
|
__proto__: null,
|
|
49
48
|
...options
|
|
50
49
|
};
|
package/dist/fs/inspect.d.ts
CHANGED
|
@@ -94,7 +94,7 @@ export declare function isSymlinkSync(filepath: PathLike): boolean;
|
|
|
94
94
|
*
|
|
95
95
|
* @returns Promise resolving to Stats object, or undefined on error
|
|
96
96
|
*/
|
|
97
|
-
export declare function safeStat(filepath: PathLike): Promise<import("fs").Stats | undefined>;
|
|
97
|
+
export declare function safeStat(filepath: PathLike): Promise<import("node:fs").Stats | undefined>;
|
|
98
98
|
/**
|
|
99
99
|
* Safely get file stats synchronously, returning undefined on error. Useful for
|
|
100
100
|
* checking file existence and properties without error handling. Returns
|
|
@@ -114,4 +114,4 @@ export declare function safeStat(filepath: PathLike): Promise<import("fs").Stats
|
|
|
114
114
|
*
|
|
115
115
|
* @returns Stats object, or undefined on error
|
|
116
116
|
*/
|
|
117
|
-
export declare function safeStatSync(filepath: PathLike): import("fs").BigIntStats | import("fs").Stats | undefined;
|
|
117
|
+
export declare function safeStatSync(filepath: PathLike): import("node:fs").BigIntStats | import("node:fs").Stats | undefined;
|
package/dist/fs/read-file.js
CHANGED
|
@@ -15,7 +15,6 @@ const require_fs_encoding = require('./encoding.js');
|
|
|
15
15
|
* the default and any string encoding return a string. The runtime fast-path
|
|
16
16
|
* normalizes encoding once and forwards untouched options to `node:fs`.
|
|
17
17
|
*/
|
|
18
|
-
const abortSignal = require_process_abort.getAbortSignal();
|
|
19
18
|
/**
|
|
20
19
|
* Read a file as binary data asynchronously. Returns a Buffer without encoding
|
|
21
20
|
* the contents. Useful for reading images, archives, or other binary formats.
|
|
@@ -37,7 +36,7 @@ const abortSignal = require_process_abort.getAbortSignal();
|
|
|
37
36
|
async function readFileBinary(filepath, options) {
|
|
38
37
|
const opts = typeof options === "string" ? { encoding: options } : options;
|
|
39
38
|
return await require_node_fs.getNodeFs().promises.readFile(filepath, {
|
|
40
|
-
signal:
|
|
39
|
+
signal: require_process_abort.getAbortSignal(),
|
|
41
40
|
...opts,
|
|
42
41
|
encoding: void 0
|
|
43
42
|
});
|
|
@@ -88,7 +87,7 @@ function readFileBinarySync(filepath, options) {
|
|
|
88
87
|
async function readFileUtf8(filepath, options) {
|
|
89
88
|
const opts = typeof options === "string" ? { encoding: options } : options;
|
|
90
89
|
return await require_node_fs.getNodeFs().promises.readFile(filepath, {
|
|
91
|
-
signal:
|
|
90
|
+
signal: require_process_abort.getAbortSignal(),
|
|
92
91
|
...opts,
|
|
93
92
|
encoding: "utf8"
|
|
94
93
|
});
|
|
@@ -138,7 +137,7 @@ async function safeReadFile(filepath, options) {
|
|
|
138
137
|
try {
|
|
139
138
|
return await fs.promises.readFile(filepath, {
|
|
140
139
|
__proto__: null,
|
|
141
|
-
signal:
|
|
140
|
+
signal: require_process_abort.getAbortSignal(),
|
|
142
141
|
...readOpts,
|
|
143
142
|
encoding
|
|
144
143
|
});
|
package/dist/fs/safe.js
CHANGED
|
@@ -184,7 +184,7 @@ function safeDeleteSync(filepath, options) {
|
|
|
184
184
|
lastError = e;
|
|
185
185
|
if (attempt < maxRetries) {
|
|
186
186
|
const waitMs = delay;
|
|
187
|
-
require_primordials_array.AtomicsWait(new require_primordials_array.Int32ArrayCtor(new require_primordials_globals.SharedArrayBufferCtor(4)), 0, 0, waitMs);
|
|
187
|
+
if (require_primordials_globals.SharedArrayBufferCtor !== void 0) require_primordials_array.AtomicsWait(new require_primordials_array.Int32ArrayCtor(new require_primordials_globals.SharedArrayBufferCtor(4)), 0, 0, waitMs);
|
|
188
188
|
delay *= 2;
|
|
189
189
|
}
|
|
190
190
|
}
|
package/dist/git/_internal.js
CHANGED
|
@@ -251,7 +251,11 @@ function stableKey(value) {
|
|
|
251
251
|
return require_primordials_json.JSONStringify(value, (_key, val) => {
|
|
252
252
|
if (val && typeof val === "object" && !require_primordials_array.ArrayIsArray(val)) {
|
|
253
253
|
const sorted = {};
|
|
254
|
-
|
|
254
|
+
const sortedKeys = require_primordials_object.ObjectKeys(val).toSorted();
|
|
255
|
+
for (let i = 0, { length } = sortedKeys; i < length; i += 1) {
|
|
256
|
+
const k = sortedKeys[i];
|
|
257
|
+
sorted[k] = val[k];
|
|
258
|
+
}
|
|
255
259
|
return sorted;
|
|
256
260
|
}
|
|
257
261
|
return val;
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Create a SIGNED commit on a branch via the GitHub git-objects API
|
|
3
|
+
* (blob -> tree -> commit -> ref PATCH). Commits created through the API are
|
|
4
|
+
* web-flow-verified ("Verified" / signed) without a local GPG or SSH signing
|
|
5
|
+
* key — the only way CI can land a commit on a branch whose protection
|
|
6
|
+
* requires signed commits. Built on `github/request` (`fetchGitHub`) and the
|
|
7
|
+
* `github/token` resolver for auth/retry/error consistency.
|
|
8
|
+
*/
|
|
9
|
+
/**
|
|
10
|
+
* A single file to include in the signed commit.
|
|
11
|
+
*/
|
|
12
|
+
export interface CommitFile {
|
|
13
|
+
/**
|
|
14
|
+
* UTF-8 text contents to write at `path`.
|
|
15
|
+
*/
|
|
16
|
+
readonly content: string;
|
|
17
|
+
/**
|
|
18
|
+
* Repo-relative path, POSIX separators (e.g. 'package.json').
|
|
19
|
+
*/
|
|
20
|
+
readonly path: string;
|
|
21
|
+
}
|
|
22
|
+
/**
|
|
23
|
+
* Options for `createSignedCommit`.
|
|
24
|
+
*/
|
|
25
|
+
export interface CreateSignedCommitOptions {
|
|
26
|
+
/**
|
|
27
|
+
* Override the API origin (GitHub Enterprise or tests). Defaults to
|
|
28
|
+
* https://api.github.com.
|
|
29
|
+
*/
|
|
30
|
+
readonly apiUrl?: string | undefined;
|
|
31
|
+
/**
|
|
32
|
+
* SHA of the tree to layer the new files onto (usually `HEAD^{tree}`).
|
|
33
|
+
*/
|
|
34
|
+
readonly baseTreeSha: string;
|
|
35
|
+
/**
|
|
36
|
+
* Branch to advance (e.g. 'main').
|
|
37
|
+
*/
|
|
38
|
+
readonly branch: string;
|
|
39
|
+
/**
|
|
40
|
+
* Files to write in the commit.
|
|
41
|
+
*/
|
|
42
|
+
readonly files: readonly CommitFile[];
|
|
43
|
+
/**
|
|
44
|
+
* Commit message.
|
|
45
|
+
*/
|
|
46
|
+
readonly message: string;
|
|
47
|
+
/**
|
|
48
|
+
* Parent commit SHA (usually `HEAD`).
|
|
49
|
+
*/
|
|
50
|
+
readonly parentSha: string;
|
|
51
|
+
/**
|
|
52
|
+
* Repo in "owner/name" form.
|
|
53
|
+
*/
|
|
54
|
+
readonly repo: string;
|
|
55
|
+
/**
|
|
56
|
+
* GitHub token. Falls back to env / git config via `getGitHubToken()`.
|
|
57
|
+
*/
|
|
58
|
+
readonly token?: string | undefined;
|
|
59
|
+
}
|
|
60
|
+
export declare function buildHeaders(token: string): Record<string, string>;
|
|
61
|
+
/**
|
|
62
|
+
* Create a signed commit on a branch via the GitHub git-objects API (blob ->
|
|
63
|
+
* tree -> commit -> ref PATCH). Returns the new commit SHA. Commits created
|
|
64
|
+
* through the API are web-flow-verified ("Verified") without a local signing
|
|
65
|
+
* key — the only way CI can land signed commits on protected branches.
|
|
66
|
+
*
|
|
67
|
+
* @example
|
|
68
|
+
* ;```ts
|
|
69
|
+
* const sha = await createSignedCommit({
|
|
70
|
+
* repo: 'owner/repo',
|
|
71
|
+
* branch: 'main',
|
|
72
|
+
* parentSha: 'abc123',
|
|
73
|
+
* baseTreeSha: 'def456',
|
|
74
|
+
* message: 'chore: bump version to 1.2.0',
|
|
75
|
+
* files: [
|
|
76
|
+
* { path: 'package.json', content: '{"version":"1.2.0"}' },
|
|
77
|
+
* { path: 'CHANGELOG.md', content: '# Changelog\n' },
|
|
78
|
+
* ],
|
|
79
|
+
* token: process.env['GITHUB_TOKEN'],
|
|
80
|
+
* })
|
|
81
|
+
* ```
|
|
82
|
+
*
|
|
83
|
+
* @param options - Commit options including repo, branch, parent SHA, base tree
|
|
84
|
+
* SHA, files, message, and optional token/API URL override.
|
|
85
|
+
*
|
|
86
|
+
* @returns The new (verified) commit SHA.
|
|
87
|
+
*
|
|
88
|
+
* @throws {Error} When any GitHub git-objects API call fails.
|
|
89
|
+
*/
|
|
90
|
+
export declare function createSignedCommit(options: CreateSignedCommitOptions): Promise<string>;
|
|
91
|
+
export declare function patch(url: string, headers: Record<string, string>, body: unknown): Promise<void>;
|
|
92
|
+
export declare function post<T>(url: string, headers: Record<string, string>, body: unknown): Promise<T>;
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_json = require('../primordials/json.js');
|
|
5
|
+
const require_http_request_request = require('../http-request/request.js');
|
|
6
|
+
const require_github_token = require('./token.js');
|
|
7
|
+
const require_github_constants = require('./constants.js');
|
|
8
|
+
|
|
9
|
+
//#region src/github/commit.ts
|
|
10
|
+
/**
|
|
11
|
+
* @file Create a SIGNED commit on a branch via the GitHub git-objects API
|
|
12
|
+
* (blob -> tree -> commit -> ref PATCH). Commits created through the API are
|
|
13
|
+
* web-flow-verified ("Verified" / signed) without a local GPG or SSH signing
|
|
14
|
+
* key — the only way CI can land a commit on a branch whose protection
|
|
15
|
+
* requires signed commits. Built on `github/request` (`fetchGitHub`) and the
|
|
16
|
+
* `github/token` resolver for auth/retry/error consistency.
|
|
17
|
+
*/
|
|
18
|
+
function buildHeaders(token) {
|
|
19
|
+
return {
|
|
20
|
+
accept: "application/vnd.github+json",
|
|
21
|
+
authorization: `Bearer ${token}`,
|
|
22
|
+
"content-type": "application/json",
|
|
23
|
+
"x-github-api-version": "2022-11-28"
|
|
24
|
+
};
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Create a signed commit on a branch via the GitHub git-objects API (blob ->
|
|
28
|
+
* tree -> commit -> ref PATCH). Returns the new commit SHA. Commits created
|
|
29
|
+
* through the API are web-flow-verified ("Verified") without a local signing
|
|
30
|
+
* key — the only way CI can land signed commits on protected branches.
|
|
31
|
+
*
|
|
32
|
+
* @example
|
|
33
|
+
* ;```ts
|
|
34
|
+
* const sha = await createSignedCommit({
|
|
35
|
+
* repo: 'owner/repo',
|
|
36
|
+
* branch: 'main',
|
|
37
|
+
* parentSha: 'abc123',
|
|
38
|
+
* baseTreeSha: 'def456',
|
|
39
|
+
* message: 'chore: bump version to 1.2.0',
|
|
40
|
+
* files: [
|
|
41
|
+
* { path: 'package.json', content: '{"version":"1.2.0"}' },
|
|
42
|
+
* { path: 'CHANGELOG.md', content: '# Changelog\n' },
|
|
43
|
+
* ],
|
|
44
|
+
* token: process.env['GITHUB_TOKEN'],
|
|
45
|
+
* })
|
|
46
|
+
* ```
|
|
47
|
+
*
|
|
48
|
+
* @param options - Commit options including repo, branch, parent SHA, base tree
|
|
49
|
+
* SHA, files, message, and optional token/API URL override.
|
|
50
|
+
*
|
|
51
|
+
* @returns The new (verified) commit SHA.
|
|
52
|
+
*
|
|
53
|
+
* @throws {Error} When any GitHub git-objects API call fails.
|
|
54
|
+
*/
|
|
55
|
+
async function createSignedCommit(options) {
|
|
56
|
+
const opts = {
|
|
57
|
+
__proto__: null,
|
|
58
|
+
...options
|
|
59
|
+
};
|
|
60
|
+
const token = opts.token ?? require_github_token.getGitHubToken() ?? "";
|
|
61
|
+
const git = `${opts.apiUrl ?? "https://api.github.com"}/repos/${opts.repo}/git`;
|
|
62
|
+
const headers = buildHeaders(token);
|
|
63
|
+
const treeEntries = [];
|
|
64
|
+
for (let i = 0, { length } = opts.files; i < length; i += 1) {
|
|
65
|
+
const file = opts.files[i];
|
|
66
|
+
const blob = await post(`${git}/blobs`, headers, {
|
|
67
|
+
content: Buffer.from(file.content, "utf8").toString("base64"),
|
|
68
|
+
encoding: "base64"
|
|
69
|
+
});
|
|
70
|
+
treeEntries.push({
|
|
71
|
+
mode: "100644",
|
|
72
|
+
path: file.path,
|
|
73
|
+
sha: blob.sha,
|
|
74
|
+
type: "blob"
|
|
75
|
+
});
|
|
76
|
+
}
|
|
77
|
+
const newTree = await post(`${git}/trees`, headers, {
|
|
78
|
+
base_tree: opts.baseTreeSha,
|
|
79
|
+
tree: treeEntries
|
|
80
|
+
});
|
|
81
|
+
const commit = await post(`${git}/commits`, headers, {
|
|
82
|
+
message: opts.message,
|
|
83
|
+
parents: [opts.parentSha],
|
|
84
|
+
tree: newTree.sha
|
|
85
|
+
});
|
|
86
|
+
await patch(`${git}/refs/heads/${opts.branch}`, headers, { sha: commit.sha });
|
|
87
|
+
return commit.sha;
|
|
88
|
+
}
|
|
89
|
+
async function patch(url, headers, body) {
|
|
90
|
+
const response = await require_http_request_request.httpRequest(url, {
|
|
91
|
+
body: require_primordials_json.JSONStringify(body),
|
|
92
|
+
headers,
|
|
93
|
+
method: "PATCH",
|
|
94
|
+
timeout: 3e4
|
|
95
|
+
});
|
|
96
|
+
if (!response.ok) throw new Error(`GitHub API PATCH ${url} failed — status ${response.status}: ${response.statusText}`);
|
|
97
|
+
}
|
|
98
|
+
async function post(url, headers, body) {
|
|
99
|
+
const response = await require_http_request_request.httpRequest(url, {
|
|
100
|
+
body: require_primordials_json.JSONStringify(body),
|
|
101
|
+
headers,
|
|
102
|
+
method: "POST",
|
|
103
|
+
timeout: 3e4
|
|
104
|
+
});
|
|
105
|
+
if (!response.ok) throw new Error(`GitHub API POST ${url} failed — status ${response.status}: ${response.statusText}`);
|
|
106
|
+
return response.json();
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
//#endregion
|
|
110
|
+
exports.buildHeaders = buildHeaders;
|
|
111
|
+
exports.createSignedCommit = createSignedCommit;
|
|
112
|
+
exports.patch = patch;
|
|
113
|
+
exports.post = post;
|
package/dist/github/ghsa.js
CHANGED
|
@@ -5,9 +5,9 @@ const require_runtime = require('../_virtual/_rolldown/runtime.js');
|
|
|
5
5
|
const require_primordials_error = require('../primordials/error.js');
|
|
6
6
|
const require_primordials_json = require('../primordials/json.js');
|
|
7
7
|
const require_http_request_request = require('../http-request/request.js');
|
|
8
|
+
const require_github_token = require('./token.js');
|
|
8
9
|
const require_github_constants = require('./constants.js');
|
|
9
10
|
const require_github_errors = require('./errors.js');
|
|
10
|
-
const require_github_token = require('./token.js');
|
|
11
11
|
const require_github_request = require('./request.js');
|
|
12
12
|
const require_github_refs_cache = require('./refs-cache.js');
|
|
13
13
|
let node_process = require("node:process");
|
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_primordials_json = require('../primordials/json.js');
|
|
5
5
|
const require_http_request_request = require('../http-request/request.js');
|
|
6
|
-
const require_github_constants = require('./constants.js');
|
|
7
6
|
const require_github_token = require('./token.js');
|
|
7
|
+
const require_github_constants = require('./constants.js');
|
|
8
8
|
|
|
9
9
|
//#region src/github/refs-graphql.ts
|
|
10
10
|
/**
|
package/dist/github/request.js
CHANGED
|
@@ -7,8 +7,8 @@ const require_primordials_json = require('../primordials/json.js');
|
|
|
7
7
|
const require_errors_message = require('../errors/message.js');
|
|
8
8
|
const require_http_request_request = require('../http-request/request.js');
|
|
9
9
|
const require_env_github_status = require('../env/github-status.js');
|
|
10
|
-
const require_github_errors = require('./errors.js');
|
|
11
10
|
const require_github_token = require('./token.js');
|
|
11
|
+
const require_github_errors = require('./errors.js');
|
|
12
12
|
|
|
13
13
|
//#region src/github/request.ts
|
|
14
14
|
/**
|
package/dist/github/token.d.ts
CHANGED
|
@@ -14,7 +14,10 @@ import type { SpawnOptions } from '../process/spawn/types';
|
|
|
14
14
|
*
|
|
15
15
|
* 1. `GITHUB_TOKEN` - Standard GitHub token variable
|
|
16
16
|
* 2. `GH_TOKEN` - Alternative GitHub CLI token variable
|
|
17
|
-
*
|
|
17
|
+
*
|
|
18
|
+
* The Socket-CLI-specific `SOCKET_CLI_GITHUB_TOKEN` is intentionally NOT read
|
|
19
|
+
* here — that variable is the CLI's concern (`getSocketCliGithubToken`), so
|
|
20
|
+
* this generic resolver stays limited to the standard GitHub token names.
|
|
18
21
|
*
|
|
19
22
|
* @example
|
|
20
23
|
* ;```ts
|
|
@@ -60,7 +63,7 @@ export declare function getGitHubTokenFromGitConfig(options?: SpawnOptions | und
|
|
|
60
63
|
*
|
|
61
64
|
* Priority order:
|
|
62
65
|
*
|
|
63
|
-
* 1. Environment variables (GITHUB_TOKEN, GH_TOKEN
|
|
66
|
+
* 1. Environment variables (GITHUB_TOKEN, GH_TOKEN)
|
|
64
67
|
* 2. Git config (github.token)
|
|
65
68
|
*
|
|
66
69
|
* @example
|
package/dist/github/token.js
CHANGED
|
@@ -3,7 +3,6 @@
|
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
4
|
const require_process_spawn_child = require('../process/spawn/child.js');
|
|
5
5
|
const require_env_github = require('../env/github.js');
|
|
6
|
-
const require_env_socket_cli = require('../env/socket-cli.js');
|
|
7
6
|
|
|
8
7
|
//#region src/github/token.ts
|
|
9
8
|
/**
|
|
@@ -21,7 +20,10 @@ const require_env_socket_cli = require('../env/socket-cli.js');
|
|
|
21
20
|
*
|
|
22
21
|
* 1. `GITHUB_TOKEN` - Standard GitHub token variable
|
|
23
22
|
* 2. `GH_TOKEN` - Alternative GitHub CLI token variable
|
|
24
|
-
*
|
|
23
|
+
*
|
|
24
|
+
* The Socket-CLI-specific `SOCKET_CLI_GITHUB_TOKEN` is intentionally NOT read
|
|
25
|
+
* here — that variable is the CLI's concern (`getSocketCliGithubToken`), so
|
|
26
|
+
* this generic resolver stays limited to the standard GitHub token names.
|
|
25
27
|
*
|
|
26
28
|
* @example
|
|
27
29
|
* ;```ts
|
|
@@ -34,7 +36,7 @@ const require_env_socket_cli = require('../env/socket-cli.js');
|
|
|
34
36
|
* @returns The first available GitHub token, or `undefined` if none found
|
|
35
37
|
*/
|
|
36
38
|
function getGitHubToken() {
|
|
37
|
-
return require_env_github.getGithubToken() || require_env_github.getGhToken() ||
|
|
39
|
+
return require_env_github.getGithubToken() || require_env_github.getGhToken() || void 0;
|
|
38
40
|
}
|
|
39
41
|
/**
|
|
40
42
|
* Get GitHub authentication token from git config. Reads the `github.token`
|
|
@@ -79,7 +81,7 @@ async function getGitHubTokenFromGitConfig(options) {
|
|
|
79
81
|
*
|
|
80
82
|
* Priority order:
|
|
81
83
|
*
|
|
82
|
-
* 1. Environment variables (GITHUB_TOKEN, GH_TOKEN
|
|
84
|
+
* 1. Environment variables (GITHUB_TOKEN, GH_TOKEN)
|
|
83
85
|
* 2. Git config (github.token)
|
|
84
86
|
*
|
|
85
87
|
* @example
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Look up a GitHub Actions workflow run for a commit and classify its
|
|
3
|
+
* verdict — the "is CI green on this SHA?" primitive behind gated releases
|
|
4
|
+
* (bump/tag/publish only after the pre-release commit's CI passes). Built on
|
|
5
|
+
* the shared `fetchGitHub` REST client, so it inherits token resolution +
|
|
6
|
+
* rate-limit handling and needs no `gh` CLI. The pure helpers
|
|
7
|
+
* (`classifyRunVerdict`, `buildWorkflowRunsUrl`, `selectLatestRun`) hold the
|
|
8
|
+
* logic; `getRunForCommit` / `waitForRun` are the thin I/O wrappers.
|
|
9
|
+
*/
|
|
10
|
+
/**
|
|
11
|
+
* Build the GitHub REST URL that lists the runs of `workflow` for `sha`,
|
|
12
|
+
* newest first, capped to one. Pure.
|
|
13
|
+
*/
|
|
14
|
+
export declare function buildWorkflowRunsUrl(query: WorkflowRunQuery): string;
|
|
15
|
+
/**
|
|
16
|
+
* A workflow run's terminal verdict, normalized from GitHub's `status` +
|
|
17
|
+
* `conclusion` pair. `pending` = the run has not completed yet.
|
|
18
|
+
*/
|
|
19
|
+
export type WorkflowRunVerdict = 'green' | 'pending' | 'red';
|
|
20
|
+
/**
|
|
21
|
+
* A GitHub Actions workflow run, narrowed to the fields a release gate needs.
|
|
22
|
+
* `conclusion` is `undefined` until the run reaches `status === 'completed'`.
|
|
23
|
+
*/
|
|
24
|
+
export interface WorkflowRun {
|
|
25
|
+
conclusion: string | undefined;
|
|
26
|
+
htmlUrl: string | undefined;
|
|
27
|
+
id: number;
|
|
28
|
+
status: string;
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* One entry in the `GET .../runs` response, as GitHub returns it (snake_case,
|
|
32
|
+
* `conclusion` nullable until completion).
|
|
33
|
+
*/
|
|
34
|
+
export interface WorkflowRunApiEntry {
|
|
35
|
+
conclusion?: string | null | undefined;
|
|
36
|
+
html_url?: string | undefined;
|
|
37
|
+
id: number;
|
|
38
|
+
status: string;
|
|
39
|
+
}
|
|
40
|
+
/**
|
|
41
|
+
* The `GET /repos/{owner}/{repo}/actions/workflows/{workflow}/runs` response
|
|
42
|
+
* shape, narrowed to `workflow_runs`.
|
|
43
|
+
*/
|
|
44
|
+
export interface WorkflowRunsApiResponse {
|
|
45
|
+
workflow_runs?: WorkflowRunApiEntry[] | undefined;
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Identifies the workflow run to resolve: a repo, a commit SHA, and the
|
|
49
|
+
* workflow to scope to.
|
|
50
|
+
*/
|
|
51
|
+
export interface WorkflowRunQuery {
|
|
52
|
+
owner: string;
|
|
53
|
+
repo: string;
|
|
54
|
+
sha: string;
|
|
55
|
+
token?: string | undefined;
|
|
56
|
+
/**
|
|
57
|
+
* Workflow file name (e.g. `ci.yml`) or numeric workflow id. Scopes the
|
|
58
|
+
* lookup so a repo with many workflows resolves the intended run.
|
|
59
|
+
*/
|
|
60
|
+
workflow: string;
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Options for `waitForRun`: a `WorkflowRunQuery` plus polling bounds.
|
|
64
|
+
*/
|
|
65
|
+
export interface WaitForRunOptions extends WorkflowRunQuery {
|
|
66
|
+
/**
|
|
67
|
+
* Maximum number of polls before giving up and returning the last verdict
|
|
68
|
+
* (usually `pending`). Default 120 (~10 min at the default interval).
|
|
69
|
+
*/
|
|
70
|
+
maxAttempts?: number | undefined;
|
|
71
|
+
/**
|
|
72
|
+
* Milliseconds between polls. Default 5000. Pass `0` in tests.
|
|
73
|
+
*/
|
|
74
|
+
pollIntervalMs?: number | undefined;
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* The result of `waitForRun`: the final verdict and the last run observed
|
|
78
|
+
* (`undefined` when no run ever appeared for the SHA).
|
|
79
|
+
*/
|
|
80
|
+
export interface WaitForRunResult {
|
|
81
|
+
run: WorkflowRun | undefined;
|
|
82
|
+
verdict: WorkflowRunVerdict;
|
|
83
|
+
}
|
|
84
|
+
/**
|
|
85
|
+
* Classify a run's `status` + `conclusion` into a release verdict. Pure — a run
|
|
86
|
+
* that has not `completed` is `pending`; a completed run is `green` only when
|
|
87
|
+
* it `succeeded`, otherwise `red` (failure, cancelled, timed_out, …).
|
|
88
|
+
*/
|
|
89
|
+
export declare function classifyRunVerdict(status: string | undefined, conclusion: string | undefined): WorkflowRunVerdict;
|
|
90
|
+
/**
|
|
91
|
+
* Fetch the newest workflow run for `sha`, or `undefined` when none has been
|
|
92
|
+
* created yet (CI may not have triggered at read time).
|
|
93
|
+
*/
|
|
94
|
+
export declare function getRunForCommit(query: WorkflowRunQuery): Promise<WorkflowRun | undefined>;
|
|
95
|
+
/**
|
|
96
|
+
* Pick the newest run from a `GET .../runs` response and normalize it to a
|
|
97
|
+
* `WorkflowRun` (nullable `conclusion` → `undefined`). Returns `undefined` when
|
|
98
|
+
* no run exists for the SHA. Pure.
|
|
99
|
+
*/
|
|
100
|
+
export declare function selectLatestRun(response: WorkflowRunsApiResponse): WorkflowRun | undefined;
|
|
101
|
+
/**
|
|
102
|
+
* Poll the workflow run for `sha` until it completes (or the attempt budget is
|
|
103
|
+
* spent), returning the final verdict and the last run seen. A `red` or `green`
|
|
104
|
+
* verdict resolves immediately; `pending` (no run yet, or still running) keeps
|
|
105
|
+
* polling every `pollIntervalMs` up to `maxAttempts`.
|
|
106
|
+
*/
|
|
107
|
+
export declare function waitForRun(options: WaitForRunOptions): Promise<WaitForRunResult>;
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_github_request = require('./request.js');
|
|
5
|
+
const require_promises_timers = require('../promises/timers.js');
|
|
6
|
+
|
|
7
|
+
//#region src/github/workflow-runs.ts
|
|
8
|
+
/**
|
|
9
|
+
* @file Look up a GitHub Actions workflow run for a commit and classify its
|
|
10
|
+
* verdict — the "is CI green on this SHA?" primitive behind gated releases
|
|
11
|
+
* (bump/tag/publish only after the pre-release commit's CI passes). Built on
|
|
12
|
+
* the shared `fetchGitHub` REST client, so it inherits token resolution +
|
|
13
|
+
* rate-limit handling and needs no `gh` CLI. The pure helpers
|
|
14
|
+
* (`classifyRunVerdict`, `buildWorkflowRunsUrl`, `selectLatestRun`) hold the
|
|
15
|
+
* logic; `getRunForCommit` / `waitForRun` are the thin I/O wrappers.
|
|
16
|
+
*/
|
|
17
|
+
/**
|
|
18
|
+
* Build the GitHub REST URL that lists the runs of `workflow` for `sha`,
|
|
19
|
+
* newest first, capped to one. Pure.
|
|
20
|
+
*/
|
|
21
|
+
function buildWorkflowRunsUrl(query) {
|
|
22
|
+
const { owner, repo, sha, workflow } = {
|
|
23
|
+
__proto__: null,
|
|
24
|
+
...query
|
|
25
|
+
};
|
|
26
|
+
return `https://api.github.com/repos/${owner}/${repo}/actions/workflows/${workflow}/runs?head_sha=${sha}&per_page=1`;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Classify a run's `status` + `conclusion` into a release verdict. Pure — a run
|
|
30
|
+
* that has not `completed` is `pending`; a completed run is `green` only when
|
|
31
|
+
* it `succeeded`, otherwise `red` (failure, cancelled, timed_out, …).
|
|
32
|
+
*/
|
|
33
|
+
function classifyRunVerdict(status, conclusion) {
|
|
34
|
+
if (status !== "completed") return "pending";
|
|
35
|
+
return conclusion === "success" ? "green" : "red";
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* Fetch the newest workflow run for `sha`, or `undefined` when none has been
|
|
39
|
+
* created yet (CI may not have triggered at read time).
|
|
40
|
+
*/
|
|
41
|
+
async function getRunForCommit(query) {
|
|
42
|
+
const opts = {
|
|
43
|
+
__proto__: null,
|
|
44
|
+
...query
|
|
45
|
+
};
|
|
46
|
+
return selectLatestRun(await require_github_request.fetchGitHub(buildWorkflowRunsUrl(opts), opts.token ? { token: opts.token } : void 0));
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* Pick the newest run from a `GET .../runs` response and normalize it to a
|
|
50
|
+
* `WorkflowRun` (nullable `conclusion` → `undefined`). Returns `undefined` when
|
|
51
|
+
* no run exists for the SHA. Pure.
|
|
52
|
+
*/
|
|
53
|
+
function selectLatestRun(response) {
|
|
54
|
+
const raw = {
|
|
55
|
+
__proto__: null,
|
|
56
|
+
...response
|
|
57
|
+
}.workflow_runs?.[0];
|
|
58
|
+
if (!raw) return;
|
|
59
|
+
return {
|
|
60
|
+
conclusion: raw.conclusion ?? void 0,
|
|
61
|
+
htmlUrl: raw.html_url ?? void 0,
|
|
62
|
+
id: raw.id,
|
|
63
|
+
status: raw.status
|
|
64
|
+
};
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Poll the workflow run for `sha` until it completes (or the attempt budget is
|
|
68
|
+
* spent), returning the final verdict and the last run seen. A `red` or `green`
|
|
69
|
+
* verdict resolves immediately; `pending` (no run yet, or still running) keeps
|
|
70
|
+
* polling every `pollIntervalMs` up to `maxAttempts`.
|
|
71
|
+
*/
|
|
72
|
+
async function waitForRun(options) {
|
|
73
|
+
const opts = {
|
|
74
|
+
__proto__: null,
|
|
75
|
+
...options
|
|
76
|
+
};
|
|
77
|
+
const maxAttempts = opts.maxAttempts ?? 120;
|
|
78
|
+
const pollIntervalMs = opts.pollIntervalMs ?? 5e3;
|
|
79
|
+
let run;
|
|
80
|
+
let verdict = "pending";
|
|
81
|
+
for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
|
|
82
|
+
run = await getRunForCommit(opts);
|
|
83
|
+
verdict = classifyRunVerdict(run?.status, run?.conclusion);
|
|
84
|
+
if (verdict !== "pending") break;
|
|
85
|
+
if (attempt < maxAttempts - 1) await require_promises_timers.sleep(pollIntervalMs);
|
|
86
|
+
}
|
|
87
|
+
return {
|
|
88
|
+
run,
|
|
89
|
+
verdict
|
|
90
|
+
};
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
//#endregion
|
|
94
|
+
exports.buildWorkflowRunsUrl = buildWorkflowRunsUrl;
|
|
95
|
+
exports.classifyRunVerdict = classifyRunVerdict;
|
|
96
|
+
exports.getRunForCommit = getRunForCommit;
|
|
97
|
+
exports.selectLatestRun = selectLatestRun;
|
|
98
|
+
exports.waitForRun = waitForRun;
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
* @file Private lazy loaders for the Node.js modules used by the
|
|
3
3
|
* `http-request/*` leaves. The `_` prefix keeps this module out of the
|
|
4
4
|
* generated package.json `exports` map (the `dist/**\/_*` ignore pattern in
|
|
5
|
-
* `scripts/
|
|
5
|
+
* `scripts/fleet/make-package-exports.mts` filters it out), so it is not
|
|
6
6
|
* part of the public surface — it exists only as a re-export shim so existing
|
|
7
7
|
* siblings keep working unchanged. New code should import the canonical
|
|
8
8
|
* helpers directly:
|
|
@@ -110,6 +110,12 @@ export interface BrowserHttpRequestOptions {
|
|
|
110
110
|
* Defaults to 250ms.
|
|
111
111
|
*/
|
|
112
112
|
retryDelay?: number | undefined;
|
|
113
|
+
/**
|
|
114
|
+
* Maximum delay (ms) for a single backoff wait. Caps the exponential growth
|
|
115
|
+
* (`retryDelay` * 2^attempt) so a high `retries` count can't produce
|
|
116
|
+
* multi-minute waits. Defaults to 30000ms.
|
|
117
|
+
*/
|
|
118
|
+
retryDelayMax?: number | undefined;
|
|
113
119
|
/**
|
|
114
120
|
* Abort signal forwarded to fetch. Combined with `timeout` via
|
|
115
121
|
* AbortController when both are present.
|
|
@@ -174,11 +174,12 @@ async function httpRequest(url, options) {
|
|
|
174
174
|
const opts = options ?? {};
|
|
175
175
|
const maxAttempts = (opts.retries ?? 0) + 1;
|
|
176
176
|
const baseDelay = opts.retryDelay ?? 250;
|
|
177
|
+
const maxDelay = opts.retryDelayMax ?? 3e4;
|
|
177
178
|
let lastError;
|
|
178
179
|
for (let i = 0; i < maxAttempts; i++) try {
|
|
179
180
|
const response = await attempt(url, opts);
|
|
180
181
|
if (response.status >= 500 && i + 1 < maxAttempts) {
|
|
181
|
-
await sleep(baseDelay * require_primordials_math.MathPow(2, i));
|
|
182
|
+
await sleep(require_primordials_math.MathMin(baseDelay * require_primordials_math.MathPow(2, i), maxDelay));
|
|
182
183
|
continue;
|
|
183
184
|
}
|
|
184
185
|
if (opts.throwOnError && !response.ok) throw new HttpResponseError(response);
|
|
@@ -187,7 +188,7 @@ async function httpRequest(url, options) {
|
|
|
187
188
|
lastError = err;
|
|
188
189
|
if (err instanceof HttpResponseError) throw err;
|
|
189
190
|
if (i + 1 < maxAttempts) {
|
|
190
|
-
await sleep(baseDelay * require_primordials_math.MathPow(2, i));
|
|
191
|
+
await sleep(require_primordials_math.MathMin(baseDelay * require_primordials_math.MathPow(2, i), maxDelay));
|
|
191
192
|
continue;
|
|
192
193
|
}
|
|
193
194
|
}
|
|
@@ -168,6 +168,8 @@ async function httpDownloadAttempt(url, destPath, options) {
|
|
|
168
168
|
})();
|
|
169
169
|
};
|
|
170
170
|
fileStream.on("error", (error) => {
|
|
171
|
+
res.unpipe(fileStream);
|
|
172
|
+
res.destroy();
|
|
171
173
|
fileStream.destroy();
|
|
172
174
|
cleanupPartial();
|
|
173
175
|
reject(new require_primordials_error.ErrorCtor(`Failed to write file: ${error.message}`, { cause: error }));
|
|
@@ -13,7 +13,7 @@
|
|
|
13
13
|
* Build an HTTP Basic `Authorization` header value from a Socket API token.
|
|
14
14
|
*
|
|
15
15
|
* The Socket API uses the token as the username with an empty password, so the
|
|
16
|
-
* credential pair is `<token>:`. Centralized here so every
|
|
16
|
+
* credential pair is `<token>:`. Centralized here so every Socket caller emits
|
|
17
17
|
* the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
|
|
18
18
|
*
|
|
19
19
|
* @example
|