bin/importmap verify compares vendored files with remotes
In rubygems/rubygems.org#4396 we ran into the problem of verifying the provenance of files in vendor/javascript. This is a blocker for us using importmap-rails at this time.
In this PR, I attempted to add a process that could be run in CI that would download and verify that the files that are vendored are actually what would be downloaded fresh today.
I assume there are some edge-cases, or even really obvious cases, that I didn't handle in this PR. I wanted to start gathering feedback so I know if this is the right solution.
Heads up - this PR will conflict with https://github.com/rails/importmap-rails/pull/235.
I'm happy to resolve the conflicts regardless of which one gets merged first.
@Caleb-T-Owens Thanks! I'd be happy to work with you on it assuming this PR is accepted.
For reference, here is our importmap.rake where I implemented this verify step in rubygems.org.
Current output:
```
$ rake importmap:verify
Verifying packages in vendor/javascript
Verifying "@rails/ujs" download from https://ga.jspm.io/npm:@rails/[email protected]/app/assets/javascripts/rails-ujs.esm.js
Verified "@rails/ujs" at vendor/javascript/@rails--ujs.js
Verifying "clipboard" download from https://ga.jspm.io/npm:[email protected]/dist/clipboard.js
Verified "clipboard" at vendor/javascript/clipboard.js
Verifying "jquery" download from https://ga.jspm.io/npm:[email protected]/dist/jquery.js
Verified "jquery" at vendor/javascript/jquery.js
Verifying "stimulus-rails-nested-form" download from https://ga.jspm.io/npm:[email protected]/dist/stimulus-rails-nested-form.mjs
Verified "stimulus-rails-nested-form" at vendor/javascript/stimulus-rails-nested-form.js
Verifying "@hotwired/stimulus" download from https://ga.jspm.io/npm:@hotwired/[email protected]/dist/stimulus.js
Verified "@hotwired/stimulus" at vendor/javascript/@hotwired--stimulus.js
All pinned js in vendor/javascript verified.
```
I think the output could be cleaned up a bit.
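The following is an added example of the check the PR describes (download each pinned URL and compare it byte-for-byte with the vendored copy); it is not the PR's code and not the rubygems.org importmap.rake linked above. The package-name to filename mapping follows what the output shows ("@rails/ujs" is vendored as "@rails--ujs.js"). The fetch and file-read steps are injected so the example runs offline against constructed sample data; the `SAMPLE_*` tables, the `cdn.example.invalid` URLs and the `verify_pins` / `verify_samples` names are all assumptions made for this example. A real rake task would pass `->(url) { Net::HTTP.get(URI(url)) }` and `->(file) { File.read(file) }` instead, and fail the CI job on any non-empty `mismatched`, `missing` or `fetch_failed` list.

```ruby
require "digest"

# Maps an importmap package name to its vendored filename, the way the PR
# output shows it ("@rails/ujs" -> "@rails--ujs.js").
def vendored_filename(package)
  "#{package.gsub('/', '--')}.js"
end

# Constructed stand-in for the CDN: pinned URL => body it serves today.
SAMPLE_REMOTE = {
  "https://cdn.example.invalid/npm:@acme/widget@1.2.3/dist/widget.js" => "export const widget = 1;\n",
  "https://cdn.example.invalid/npm:helper@4.5.6/dist/helper.js"       => "export const helper = 2;\n",
  "https://cdn.example.invalid/npm:stale@0.1.0/dist/stale.js"         => "export const stale = 'new';\n"
}.freeze

# Constructed stand-in for vendor/javascript: filename => file contents.
SAMPLE_VENDORED = {
  "@acme--widget.js" => "export const widget = 1;\n",
  "helper.js"        => "export const helper = 2;\n",
  "stale.js"         => "export const stale = 'old';\n", # drifted from what the CDN serves
  "offline.js"       => "export const offline = 3;\n"    # vendored, but URL unreachable below
}.freeze

# Constructed pins, as config/importmap.rb would declare them: package => URL.
SAMPLE_PINS = {
  "@acme/widget" => "https://cdn.example.invalid/npm:@acme/widget@1.2.3/dist/widget.js",
  "helper"       => "https://cdn.example.invalid/npm:helper@4.5.6/dist/helper.js",
  "stale"        => "https://cdn.example.invalid/npm:stale@0.1.0/dist/stale.js",
  "missing"      => "https://cdn.example.invalid/npm:missing@1.0.0/dist/missing.js",
  "offline"      => "https://cdn.example.invalid/npm:offline@1.0.0/dist/offline.js"
}.freeze

# Compares the SHA-256 of each vendored file with the SHA-256 of what its
# pinned URL serves. `fetch` takes a URL and returns the body (or raises);
# `read_local` takes a vendored filename and returns its contents or nil.
# Returns a report hash with the package names sorted into four buckets.
def verify_pins(pins, fetch:, read_local:)
  report = { verified: [], mismatched: [], missing: [], fetch_failed: [] }
  pins.each do |package, url|
    local = read_local.call(vendored_filename(package))
    if local.nil?
      report[:missing] << package
      next
    end
    remote = begin
      fetch.call(url)
    rescue StandardError
      report[:fetch_failed] << package
      next
    end
    if Digest::SHA256.hexdigest(local) == Digest::SHA256.hexdigest(remote)
      report[:verified] << package
    else
      report[:mismatched] << package
    end
  end
  report
end

# Runs the check against the constructed sample data (hypothetical helper).
def verify_samples
  verify_pins(SAMPLE_PINS,
              fetch: ->(url) { SAMPLE_REMOTE.fetch(url) }, # KeyError stands in for a failed download
              read_local: ->(file) { SAMPLE_VENDORED[file] })
end

if __FILE__ == $PROGRAM_NAME
  report = verify_samples
  report[:verified].each     { |p| puts "Verified #{p.inspect} at vendor/javascript/#{vendored_filename(p)}" }
  report[:mismatched].each   { |p| puts "MISMATCH #{p.inspect}: vendored file differs from pinned URL" }
  report[:missing].each      { |p| puts "MISSING  #{p.inspect}: no vendor/javascript/#{vendored_filename(p)}" }
  report[:fetch_failed].each { |p| puts "FAILED   #{p.inspect}: could not download pinned URL" }
  puts(report.values_at(:mismatched, :missing, :fetch_failed).all?(&:empty?) ? "All pinned js verified." : "Verification failed.")
end
```

Comparing digests rather than keeping the downloaded body around also gives CI logs a stable value to print per package, which makes a later mismatch easy to diff against the last green run.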
Is there anything we can do to move this forward? :thinking: