chore: pin, not lock (#956)

* chore: no lock

Signed-off-by: Jan Kowalleck <[email protected]>

* build: test before publish

Signed-off-by: Jan Kowalleck <[email protected]>

* chore: lock tools

Signed-off-by: Jan Kowalleck <[email protected]>

* ci: carefully skip unneeded dev-deps on tests

Signed-off-by: Jan Kowalleck <[email protected]>

* wording

Signed-off-by: Jan Kowalleck <[email protected]>

* unlock schema-downloader

Signed-off-by: Jan Kowalleck <[email protected]>

* ci: drop npm cache

Signed-off-by: Jan Kowalleck <[email protected]>

* release assets

Signed-off-by: Jan Kowalleck <[email protected]>

* simplify ci

Signed-off-by: Jan Kowalleck <[email protected]>

* wording

Signed-off-by: Jan Kowalleck <[email protected]>

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -8,6 +8,10 @@ on:
     tags: [ "v*" ]  # have tools scan this stable version
   pull_request:
   workflow_dispatch:
+  schedule:
+    # schedule weekly tests, since dependencies are not intended to be locked
+    # this means: at 23:42 on Fridays
+    - cron: '42 23 * * 5'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -40,10 +44,10 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
       - name: setup project
-        run: npm ci --ignore-scripts --include=optional --loglevel=silly
+        run: npm i --ignore-scripts --include=optional --loglevel=silly
       - name: build ${{ matrix.target }}
         run: npm run build:${{ matrix.target }}
       - name: artifact build result
@@ -67,10 +71,10 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
       - name: setup project
-        run: npm ci --ignore-scripts --include=optional  --loglevel=silly
+        run: npm i --ignore-scripts --include=optional  --loglevel=silly
       - name: make reports dir
         run: mkdir -p "$REPORTS_DIR"
       - name: test
@@ -123,15 +127,18 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
       - name: setup project
         shell: bash
         run: |
           set -ex
-          npm ci --ignore-scripts --include=optional --loglevel=silly
+          ## dont install all the dev-packages, especially since some are not runnable on node 14.0.0
+          npm i --ignore-scripts --include=optional --omit=dev --only=prod --loglevel=silly
           ## rebuild deps for which scripts were ignored, or partially installed - since "ignore-scripts" was used
           npm rebuild --loglevel=silly libxmljs2 || npm uninstall --no-save libxmljs2
+          ## install the needed dev-deps
+          npm i --no-save mocha c8 npm-run-all
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@v3
@@ -171,7 +178,12 @@ jobs:
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
       - name: setup library
-        run: npm ci --ignore-scripts --omit=optional --loglevel=silly
+        run: |
+          set -ex
+          ## dont install all the dev-packages, especially since some are not runnable on node 14.0.0
+          npm i --ignore-scripts --omit=optional --omit=dev --loglevel=silly
+          ## install the needed dev-deps
+          npm i --no-save mocha c8 npm-run-all
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@v3
@@ -253,7 +265,7 @@ jobs:
       - name: setup library
         run: |
           set -ex
-          npm ci --ignore-scripts --omit=dev --include=optional --loglevel=silly
+          npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
           ## rebuild deps for which scripts were ignored, or partially installed - since "ignore-scripts" was used
           npm rebuild --loglevel=silly libxmljs2 || npm uninstall --no-save libxmljs2
       - name: setup example project
@@ -306,7 +318,7 @@ jobs:
       - name: setup library
         run: |
           set -ex
-          npm ci --ignore-scripts --omit=dev --include=optional --loglevel=silly
+          npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
           ## rebuild deps for which scripts were ignored, or partially installed - since "ignore-scripts" was used
           npm rebuild --loglevel=silly libxmljs2 || npm uninstall --no-save libxmljs2
       - name: setup example project
@@ -354,7 +366,7 @@ jobs:
           name: dist.web
           path: dist.web
       - name: setup library
-        run: npm ci --ignore-scripts --omit=dev --include=optional --loglevel=silly
+        run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
       - name: setup example project
         run: npm i --no-save --loglevel=silly
         working-directory: ${{ env.EXAMPLE_DIR }}
@@ -381,9 +393,9 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
-          cache: "npm"
-          cache-dependency-path: "**/package-lock.json"
+          # cache: "npm"
+          # cache-dependency-path: "**/package-lock.json"
       - name: setup project
-        run: npm ci --ignore-scripts --loglevel=silly
+        run: npm i --ignore-scripts --loglevel=silly
       - name: api-doc ${{ matrix.target }}
         run: npm run api-doc:${{ matrix.target }}

.github/workflows/release.yml

@@ -23,7 +23,7 @@ on:
         default: rc
         required: false
       prerelease:
-        description: "This a pre-release"
+        description: "This is a pre-release"
         type: boolean
         default: false
         required: false
@@ -32,6 +32,8 @@ permissions: write-all
 
 env:
   REPORTS_DIR: CI_reports
+  PACKED_DIR: CI_packed
+  PACKED_ARTIFACT: packed
   NODE_ACTIVE_LTS: "20"
 
 jobs:
@@ -82,6 +84,8 @@ jobs:
     name: publish NPMJS
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    env:
+      NPMJS_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }}
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
@@ -94,18 +98,25 @@ jobs:
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
       - name: install build tools
-        run: npm ci --ignore-scripts --include=optional --loglevel=silly
+        run: npm i --ignore-scripts --include=optional --loglevel=silly
       # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm.
       - name: login to NPMJS
         run: npm config set "//registry.npmjs.org/:_authToken=$NPMJS_AUTH_TOKEN"
         env:
           NPMJS_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - name: publish to NPMJS as "latest"
-        if: ${{ github.event.inputs.prerelease != 'true' }}
-        run: npm publish --access public --tag 'latest'
-      - name: publish to NPMJS as "unstable-prerelease"
-        if: ${{ github.event.inputs.prerelease == 'true' }}
-        run: npm publish --access public --tag 'unstable-prerelease'
+      - name: publish to NPMJS as "${{ env.NPMJS_RELEASE_TAG }}"
+        run: npm publish --access public --tag "$NPMJS_RELEASE_TAG"
+      - name: pack release result
+        run: |
+          mkdir -p "$PACKED_DIR"
+          npm pack --pack-destination "$PACKED_DIR"
+      - name: artifact release result
+        # see https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ env.PACKED_ARTIFACT }}
+          path: ${{ env.PACKED_DIR }}/
+          if-no-files-found: error
 
   release-GH:
     needs:
@@ -117,6 +128,12 @@ jobs:
     env:
       ASSETS_DIR: release_assets
     steps:
+      - name: fetch release result
+        # see https://github.com/actions/download-artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ env.PACKED_ARTIFACT }}
+          path: ${{ env.ASSETS_DIR }}
       - name: Create Release
         id: release
         # see https://github.com/softprops/action-gh-release
@@ -127,3 +144,4 @@ jobs:
           tag_name:   ${{ needs.bump.outputs.version }}
           name:       ${{ needs.bump.outputs.version_plain }}
           prerelease: ${{ github.event.inputs.prerelease }}
+          files:      ${{ env.ASSETS_DIR }}/*

.gitignore

@@ -2,10 +2,15 @@
 
 /reports/
 /CI_reports/
+/packed/
+/CI_packed/
 
 /dist/
 /dist.*/
 
+## no lock. pinning of direct dependencies should be enough for a library
+/package-lock.json
+
 ### https://github.com/github/gitignore/blob/main/Node.gitignore
 
 # Logs

.npmignore

@@ -180,3 +180,6 @@ dist
 
 /reports/
 /CI_reports/
+/packed/
+/CI_packed/
+

.npmrc

@@ -0,0 +1,4 @@
+; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+engine-strict=true
+package-lock=false