feat: release binaries #105

Merged
merged 2 commits into from
Mar 19, 2025

marco-ippolito
Member

No description provided.

@marco-ippolito marco-ippolito force-pushed the pack-some-bins branch 11 times, most recently from 9878c46 to 52a82e6 Compare March 18, 2025 11:17
@edezekiel
Contributor

edezekiel commented Mar 18, 2025

I think the command oclif pack tarballs -t <platform-targets[]> supports targeting multiple platforms without needing multiple package.jsons.[1] This PR just uses oclif pack <target>.

The documentation isn't super clear on how the tarballs command works though.[2] For example it's unclear whether you wind up with multiple node bins in a single package.
[1]https://github.com/oclif/oclif/blob/main/src%2Fcommands%2Fpack%2Ftarballs.ts
[2]https://oclif.io/docs/releasing#standalone-tarballs

@marco-ippolito marco-ippolito force-pushed the pack-some-bins branch 12 times, most recently from 326bb64 to 70b220c Compare March 18, 2025 15:05
@marco-ippolito marco-ippolito changed the base branch from dtw/oclif-rewrite-again to dev March 18, 2025 15:05
@@ -17,7 +16,7 @@ $ npm install -g @herodevs/cli
$ hd COMMAND
running command...
$ hd (--version)
@herodevs/cli/2.0.0 darwin-arm64 node-v22.14.0
@herodevs/cli/2.0.0 darwin-arm64 node-v22.13.0
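
Review bot: the two `@herodevs/cli/2.0.0 darwin-arm64` lines under `$ hd (--version)` differ only in the Node version (`node-v22.14.0` versus `node-v22.13.0`), so this README sample output appears to track whichever Node was installed when the usage block was regenerated. Since this PR is about shipping release binaries, consider regenerating the README with the same Node version the binaries are built with (for example in CI), so the documented version string matches what users see and the line stops changing between contributors' machines.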

@edezekiel edezekiel Mar 18, 2025

Nit: should this be @herodevs/cli/1.0.0-beta? This comment also applies to all other instances of @herodevs/cli/2.0.0 (and "version": "2.0.0") in this PR.

* chore: set draft to true while still wip

* chore: fix package versions

* chore: add github token to publish step

* chore: debug publish ci step

* chore: add more debugging

* chore: revert to hd-* for upload artifact

* chore: try different token for npm publish

* chore: add missing registry-url

* chore: moar debug

* chore: add missing --no-xz to win build

* chore: fix files glob in final step
@marco-ippolito marco-ippolito merged commit e53c5a6 into dev Mar 19, 2025
5 checks passed
@marco-ippolito marco-ippolito deleted the pack-some-bins branch March 19, 2025 13:58
edezekiel added a commit that referenced this pull request Mar 21, 2025
* feat: release binaries

* chore: fix package versions and add token  (#107)

* chore: set draft to true while still wip

* chore: fix package versions

* chore: add github token to publish step

* chore: debug publish ci step

* chore: add more debugging

* chore: revert to hd-* for upload artifact

* chore: try different token for npm publish

* chore: add missing registry-url

* chore: moar debug

* chore: add missing --no-xz to win build

* chore: fix files glob in final step

---------

Co-authored-by: Edward Ezekiel <[email protected]>
marco-ippolito added a commit that referenced this pull request Mar 21, 2025
* chore: delete everything

* feat(sbom): generate sbom with cdxgen
feat(scan): submit scan + parse response

* chore: clean up types and fix linting errors (#85)

- Fix `NesClient.scan.sbom` type
- Remove `any` where feasible.
- Add explicit return types where feasible
- Connect `Line` type with `ScanResultComponent` type

* feat: oclif cleanup

* feat: generate report command

* fix(): update tsconfig to build command works

Previously, running `npm run build` failed to yield a `dist` folder.

Why Does Removing "composite": true Fix The Issue?

This Oclif CLI project is not a multi-project TypeScript setup, and it doesn’t use project references (references in tsconfig.json). Because of this:
- TypeScript was waiting for project references that didn’t exist.
- tsc -b behaves differently when "composite": true is enabled, sometimes skipping compilation if it thinks nothing changed.
- Removing "composite": true allowed tsc to compile as a normal single-project setup.

* chore: update readme

Update repository setting in package.json, allowing
for programmatic update of README.md.

Ran `npm exec oclif readme`

* chore: delete unused dev.ts file

* chore: update readme

* chore: add dev npm command

* chore: delete references from test tsconfig

Since composite was deleted from the root tsconfig,
references is unused in the test tsconfig.

Interestingly, a freshly generated oclif CLI project does not have
composite in the root tsconfig, but it does have references in the
test/tsconfig.

* chore: drop unused dependencies (#87)

* chore: improve linting and project posture (#89)

* chore: use erasableSyntaxOnly

* chore: use erasableSyntaxOnly and node.js test runner

* chore: improve linting and project posture

* chore: commitlint on ci

* feat: extract line logic into new service (#90)

This commit ensures that if a line is marked as isEol true but the status is somehow not EOL, an error is thrown in the ui.

Additionally, this commit lays the groundwork for more robust parsing.

The eol scanner command (eol.ts), returns ScanResultComponent[] from an sbom.
Then, the eol.svc service transforms ScanResultComponents into Lines.

Something like zod would be useful to actually ensure that we are parsing ScanResultComponents into lines in a type-safe manner.

This commit starts us down that road by extracting Line-related logic into a new service.

* chore: add debug for unknown purls (#91)

* chore: add warning for unknown purls

This commit adds a debug in cases where a generated sbom has a purl,
but the NES/XEOL database does not have any information.

This commit also improves typing in several ways that make
it easier to trace why scan details might be missing in the first place:

- Use an actual Map when building scan results
- set ScanResultComponent.status to optional to match current api
- create ComponentStatus type union
- replace optional Line properties with defined properties where feasible

* feat: filter from `prepareRows` where not details (#92)

* feat: filter from `prepareRows` where not details

If details don't exist for a given Component (i.e., we don't have XEOL data),
then we'll throw a debug warning and filter out those results from
Lines.

Additionally:
- create getStatusFromComponent method to standardize how a status is derived from component info
- add specs for the same

* chore: refactor getStatusFromComponent

Simplify the return statement to avoid an unnecessary
status variable.

* perf: refactor prepare-rows method to use for loop (#93)

* chore: add specs for eol.svc.ts

This commit is in preparation for refactoring the service
to use a more performant for loop instead of multiple filters and maps.

* perf: refactor prepare-rows method to use for loop

* feat: update src/service/eol/eol.svc.ts

Co-authored-by: Marco Ippolito <[email protected]>

* feat: update src/service/eol/eol.svc.ts

Co-authored-by: Marco Ippolito <[email protected]>

* feat: update src/service/eol/eol.svc.ts

Co-authored-by: Marco Ippolito <[email protected]>

---------

Co-authored-by: Marco Ippolito <[email protected]>

* feat: add --save and --file flags (#94)

* feat: refactor extract-components to just purls

In some cases, cyclonedx attaches metadata in the sbom about where
a purl occurred in the codebase: sbom.components.evidence.occurrences.

Not every component has occurrences.

The CLI currently does not do anything with occurrence data, and it is
not part of the v0 or v1 requirements to display it to the user.

If we can delete occurrences from the final report ui, we can greatly
simplify the data flow into a pipeable set of operations:

=> generate sbom (or load pre-existing sbom)
=> get purls from sbom
=> post purls to monorepo api
=> transform api response (scan) to user report
=> download report and/or send report to herodevs

* chore: alphabetize scripts, add readme script

* chore: add cspell words

* fix: update method that checks for eol status

Only throw error if component status is set to a truthy value.

* feat: add --save and --file flags

The save flag allows a user to save a generated sbom to the project.

The file flag allows a user to load a pre-existing cyclonedx
sbom and use that for the eol scan, skipping the cli step of
generating an sbom.

* chore: update readme with new flags

* feat: create purls report command

This command generates a report of purls for the user.

* feat: simplify extract-purls method

Input is always valid since it's validated by validateIsCycloneDxSbom

* chore: refactor error handling in save method

Duck typing > instance checking

* feat: allow users to save purls in csv format (#102)

* feat: allow purls to be outputted in csv format

* fix: ensure only sbom flags are passed to command

Previously, all flags from the 'parent' commands were getting
passed to the sbom commands. This threw an error if the parent
command, e.g. 'report purls', has a command that doesn't exist
in the sbom command.

* feat: improve csv output formatting

* chore: add purls.svc tests

* fix: fix some more stuff

* chore: add license

* chore: set commitlint config

* chore: fix readme markdown

* feat: setup release please

* chore: simplify tsconfig

* feat: release binaries (#105)

* feat: release binaries

* chore: fix package versions and add token  (#107)

* chore: set draft to true while still wip

* chore: fix package versions

* chore: add github token to publish step

* chore: debug publish ci step

* chore: add more debugging

* chore: revert to hd-* for upload artifact

* chore: try different token for npm publish

* chore: add missing registry-url

* chore: moar debug

* chore: add missing --no-xz to win build

* chore: fix files glob in final step

---------

Co-authored-by: Edward Ezekiel <[email protected]>

* feat: implement report committers command (#106)

* feat: implement report committers command

The new `report committers` command can be used to
generate a report of recent committers to a project.

By default, it will look for contributions over the past 12 months.

The time period can be customized using the `--months` flag.

The command optionally saves the output to file. The output can
be set to text, csv, or json format.

Please note, this command leverages `git log` built-in methods
for handling commits since a certain date. To the extent `git log`
fails to handle edge cases such as Daylight Savings time and/or
timezone issues, this command will also fail to handle those scenarios.

If a more accurate date-parsing feature is necessary it can be
revisited when needed.

* feat: ensure all committers to repo are counted

Including committers on other branches.

* chore: limit release step to workflow_dispatch

* feat: use modern node syntax for object handling

* feat: implement loose module boundaries (#108)

* feat: create and apply cursorrules

* feat: extract api types and queries

* feat: add api-layer rules

* chore: move log.util into services

* feat: add auto-update feature (#109)

* feat: install plugin-update and create updater

* feat: fix typing on update config

* build: update workflows in preparation for release

* feat: prevent eol scan on beta release

* chore: disable spec until eol scan is ready

* chore: fix beta version

* chore: add update hooks to platform packages

* refactor: remove hooks from root package.json

The root package.json's oclif config should not execute hooks directly since it's used when running via npx, which would use the user's Node.js runtime. Instead, hooks should only run in the context of the standalone platform binaries.

- Remove prerun hook (CommandContextHook)
- Remove init hook (update)

This ensures hooks run in the correct context:
- Development: hooks run via platform-specific package.json
- Production: hooks run in standalone binaries
- npx: no hooks run (preventing use of user's Node.js runtime)

* fix: install inquirer package

---------

Co-authored-by: David Welch <[email protected]>
Co-authored-by: Marco Ippolito <[email protected]>
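
The "load pre-existing sbom => get purls from sbom => output" steps described in the `feat: refactor extract-components to just purls` and csv commits above, sketched as an added example that is not the project's own code. `isCycloneDxSbom`, `extractPurls`, `purlsToCsv` and the sample SBOM are hypothetical names and constructed data; the example assumes a file passed via `--file` is untrusted until it passes the structural check.

```typescript
// Added example; helper names are hypothetical, not the CLI's own code.
type Component = { purl?: unknown; components?: unknown };
type CycloneDxSbom = { bomFormat: "CycloneDX"; components: Component[] };

// Structural check for a loaded file before anything reads from it.
function isCycloneDxSbom(doc: unknown): doc is CycloneDxSbom {
  if (typeof doc !== "object" || doc === null) return false;
  const d = doc as { bomFormat?: unknown; components?: unknown };
  return d.bomFormat === "CycloneDX" && Array.isArray(d.components);
}

// Collect unique purls, walking nested components. evidence.occurrences is
// ignored, and components with a missing or non-string purl are skipped.
function extractPurls(sbom: CycloneDxSbom): string[] {
  const seen = new Set<string>();
  const stack: unknown[] = sbom.components.slice();
  while (stack.length > 0) {
    const c = stack.pop();
    if (typeof c !== "object" || c === null) continue;
    const { purl, components } = c as Component;
    if (typeof purl === "string" && purl.startsWith("pkg:")) seen.add(purl);
    if (Array.isArray(components)) stack.push(...components);
  }
  return Array.from(seen).sort();
}

// One-column CSV with RFC 4180 quoting, so a purl containing , or " stays one field.
function purlsToCsv(purls: string[]): string {
  const quote = (v: string): string => `"${v.replace(/"/g, '""')}"`;
  return ["purl", ...purls.map(quote)].join("\n");
}

// Constructed sample SBOM (not from the project).
const sampleSbom: unknown = JSON.parse(`{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21",
     "evidence": {"occurrences": [{"location": "package.json"}]}},
    {"name": "app", "components": [
      {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
      {"name": "core", "purl": "pkg:npm/%40angular/core@12.2.0"}]},
    {"name": "no-purl"},
    {"name": "bad", "purl": 42}
  ]
}`);

function samplePurls(): string[] {
  if (!isCycloneDxSbom(sampleSbom)) throw new Error("not a CycloneDX SBOM");
  return extractPurls(sampleSbom);
}
```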