ci(release): setup more secure and stable download of JS deps
The initial motivation of this change has been the compliance with OpenSSF. The JavaScript dependencies downloaded through `npm` were not pinned with a hash, leading to a potential toolchain security vulnerability.

A limitation with the npm CLI has been encountered: it is not possible to pin dependencies with a hash value for checksum through commands. The only way to resolve the vulnerability is to rely on a `package-lock.json` file, generated based on the `package.json` one when executing the `npm install` command.

In order to ensure a clean setup (especially in localdev), the engine & package manager versions have been specified in the `package.json` file (NodeJS v20.11.0 and npm v10.2.4). The `.npmrc` file has been added in order to enforce usage of a supported engine version by setting the `engine-strict` option to `true` (`false` by default). More details about the `.npmrc` file can be found in the npm documentation: https://docs.npmjs.com/cli/v10/configuring-npm/npmrc.

The workflows have been adapted accordingly. Moreover, a cache mechanism has been activated in order to improve job performance. A cache entry will be persisted in GitHub with the following naming convention: `npm-<hash-package-lock-json-file>`, meaning that the cache will be reusable as long as the `package-lock.json` file's content remains unchanged.

Still in the GitHub Actions workflows, the calls to the `commitlint` and `semantic-release` CLIs are now done through `npx` since this is a convenient solution for retrieving and executing the binaries stored in the project's `node_modules` folder. This wasn't required until now since dependencies were installed globally.

Dependencies are no longer installed globally since it has been decided to replace the `npm install --global` call with the `npm clean-install` one, which doesn't support global installations (unfortunately). Hence the use of `npx` instead. Relying on `npm clean-install` is particularly useful as it ensures a clean setup first, and then checks that the `package.json` and `package-lock.json` files are well aligned. Not having both files aligned can lead to unexpected behaviors that are not always easy to debug, especially for beginners. More details can be found in the npm documentation about this command: https://docs.npmjs.com/cli/v10/commands/npm-ci. Another interesting page to consult is Renovate's "Should you Pin your JavaScript Dependencies?": https://docs.renovatebot.com/dependency-pinning/.

Finally, the Renovate configuration, especially regarding the custom matcher definitions, has been reviewed and cleaned up since we are now relying on a standard way of installing JavaScript dependencies which is well supported by Renovate out of the box.

All the newly added files have been put under the `.github` folder in order to keep the root one as refined as possible (as it is already the case for some other configurations and documentation files).

Yarn has been considered as a drop-in replacement for npm (same for pnpm). However, it seems there is no longer any real motivation to go toward another solution than npm thanks to the new versions published since v5 (the latest npm version is `10.4.0`)... At least regarding this project's requirements. So, it has been decided that it's better to rely by default on the most well-known and generic solution first when no specific requirement encourages us to go toward a more specific one, i.e. npm.
Djaytan committed Feb 4, 2024
1 parent 7b3d855 commit 144da40
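The setup described in the commit message (lock-file-based hash pinning, `npm clean-install`, lock-file-keyed cache, `npx` instead of global installs), written out as an added example of a GitHub Actions job; this is not the project's own workflow, and it assumes the `package.json`, `package-lock.json` and `.npmrc` files sit under `.github/` as the message states.

```yaml
# Added example, not the project's workflow. Assumes package.json,
# package-lock.json and .npmrc live under .github/ (per the commit message).
name: commitlint

on:
  pull_request:

permissions:
  contents: read            # least privilege: linting only needs to read the repo

jobs:
  lint-commits:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: .github   # npm reads package.json/.npmrc from here

    steps:
      # In practice, pin actions to a full commit SHA rather than a tag.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # commitlint needs the PR's full commit range

      - uses: actions/setup-node@v4
        with:
          node-version: 20.11.0      # matches the "engines" field in package.json
          cache: npm                 # cache key derived from the lock file hash
          cache-dependency-path: .github/package-lock.json

      # `npm ci` (alias `clean-install`) fails if package.json and
      # package-lock.json disagree, wipes node_modules first, and installs
      # exactly the versions whose integrity hashes the lock file records.
      - run: npm clean-install

      # npx runs the binary from the local node_modules; no global install needed.
      - run: >-
          npx commitlint
          --from ${{ github.event.pull_request.base.sha }}
          --to ${{ github.event.pull_request.head.sha }}
          --verbose
```

With `engine-strict=true` in `.npmrc`, the `npm clean-install` step aborts if the runner's Node/npm versions fall outside the `engines` range declared in `package.json`.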
Showing 7 changed files with 8,454 additions and 33 deletions.
1 change: 1 addition & 0 deletions .github/.npmrc
@@ -0,0 +1 @@
engine-strict=true
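Review bot: this `.npmrc` lives under `.github/`, but npm only honours a project-level `.npmrc` from the directory it resolves as the project root (the one holding `package.json`), so `engine-strict=true` has no effect unless every `npm` invocation (CI steps and localdev alike) runs with `.github` as the working directory or via `--prefix .github`. Worth stating that in the commit message or in a short comment in the file, since a developer running `npm install` from the repository root would silently bypass the engine check.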