fetch-metadata icon indicating copy to clipboard operation
fetch-metadata copied to clipboard

Published 20 hours ago verified publisher icon dependabot

Generate Dist files automatically when there are changes

Open yeikel opened this issue 1 year ago • 7 comments

Updating the dist manually is a hassle. I'd be nice if we had some sort of automation to update the pull request Dist when there are new changes

yeikel avatar Apr 07 '23 16:04 yeikel

We actually do have this automation in place... but I think dist only needs to be rebuilt when a prod npm dep changes?

I'm not super familiar with npm ecosystem, but based on this comment your logic change PR's shouldn't need to rebuild dist: https://github.com/dependabot/fetch-metadata/blob/173b40efb8728f102e2fa292f1a40a351d43554c/.github/workflows/dependabot-build.yml#L34-L35

If I'm wrong let me know, otherwise please close if you agree.

jeffwidman avatar Apr 07 '23 18:04 jeffwidman

I don't think so, because dist is the result of running npm run build and that is the result of running ncc build src/main.ts which will compile the project to a single file index.js

We also have this other workflow to validate the same : https://github.com/dependabot/fetch-metadata/blob/main/.github/workflows/check-dist.yml

But I might be overlooking something. I'll retest that and get back to you

yeikel avatar Apr 07 '23 18:04 yeikel

I reverted my changes to dist https://github.com/dependabot/fetch-metadata/pull/331/commits/808bc0fe866db65fef0ef1053f8a61d2fba8f06 just to test, and that shows what I suspected: The dist file reflects the changes to the main code and if we don't regenerate it users won't see the features

yeikel avatar Apr 09 '23 22:04 yeikel

@jeffwidman One more annoyance is that small differences in the build lead to different dist files (understandable as the compiler changes)

It also seems that there are small differences across platforms as well

See this failure as an example https://github.com/dependabot/fetch-metadata/actions/runs/4652910733/jobs/8251802610?pr=336

yeikel avatar Apr 12 '23 02:04 yeikel

👋🏻 @yeikel, as I recall, we set up the automation to build the dist/ changes for Dependabot PRs just so they were easy to merge and since they were opened by a 'trusted' contributor.

The intent behind this was to avoid running ncc build for contributed code just in case there was potential for an insecure code execution exploit that could exfiltrate secrets, etc. We could have the best of both worlds by requiring the dist/ build to be successful but only running it once a PR has approval from a maintainer?

brrygrdn avatar Apr 17 '23 19:04 brrygrdn

Ah, so the code comment is incorrect then... dist/ is expected to have changes even when deps don't change...

jeffwidman avatar Apr 17 '23 19:04 jeffwidman

👋🏻 @yeikel, as I recall, we set up the automation to build the dist/ changes for Dependabot PRs just so they were easy to merge and since they were opened by a 'trusted' contributor.

The intent behind this was to avoid running ncc build for contributed code just in case there was potential for an insecure code execution exploit that could exfiltrate secrets, etc. We could have the best of both worlds by requiring the dist/ build to be successful but only running it once a PR has approval from a maintainer?

I think that's fair. The concern is valid as dist files are minimized and difficult to read and it would be easy for a malicious user to inject malicious code there.

Provided an automated way would secure it as well as removing that burden from the user

Ah, so the code comment is incorrect then... dist/ is expected to have changes even when deps don't change...

Yep, any source code change should re-generate the dist as the code in dist is what is ultimately executed when the action runs

yeikel avatar Apr 18 '23 14:04 yeikel