Build: Add audit script for reviewing changes to build artifacts

* Automate the workflow I have been using for auditing the release
  artefacts prior to publication. This protects against mistakes
  or other accidents that may have gone unnnoticed (e.g. in how
  Rollup is configured, or what files we embed and distribute),
  as well as against any compromise or other malicious activity
  in the build chain (in one of the many unaudited dev dependencies
  we use from npm, or elsewhere).

* No longer recommend `npm run serve`. This can't easily be run
  in an isolated environment as it needs to expose a port. Unlike
  other build scripts, this involves unaudited dev dependencies.
  Recommend use of the built-in and dependency-free HTTP server
  from Python or PHP instead.

* Minor improvements throughout RELEASE.md, especially to simplify
  and consolidate related steps, and make the numbering continuous
  throughout the page (10 steps total, more or less).

Author: Krinkle

Gruntfile.js

@@ -32,16 +32,6 @@ module.exports = function( grunt ) {
 				}
 			},
 
-			// For manual testing.
-			any: {
-				options: {
-					port: connectPort,
-					useAvailablePort: true,
-					keepalive: true,
-					base: "."
-				}
-			},
-
 			// For use by the "watch" task.
 			livereload: {
 				options: {

README.md

@@ -2,8 +2,8 @@
 
 [![Build Status](https://travis-ci.com/qunitjs/qunit.svg?branch=master)](https://travis-ci.com/qunitjs/qunit)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fqunitjs%2Fqunit.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2Fqunitjs%2Fqunit?ref=badge_shield)
-[![Reproducible Builds](https://img.shields.io/badge/Reproducible_Builds-ok-success?labelColor=1e5b96)](https://reproducible-builds.org/)
 [![Coverage Status](https://coveralls.io/repos/qunitjs/qunit/badge.svg)](https://coveralls.io/github/qunitjs/qunit)
+[![Reproducible Builds](https://img.shields.io/badge/Reproducible_Builds-ok-success?labelColor=1e5b96)](https://reproducible-builds.org/)
 [![Chat on Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/qunitjs/qunit?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 [![npm](https://img.shields.io/npm/v/qunit.svg?style=flat)](https://www.npmjs.com/package/qunit)
 

RELEASE.md

@@ -1,28 +1,30 @@
-# Release Process
+# Release process
 
-This guide walks you through a QUnit release.
+This guide walks you through the QUnit release.
 
 ⚠️ **WARNING** ⚠️
 
-> Before attempting the process below, make sure you have:
+> Before starting, make sure you have:
 >
 > * **Permission to publish to the jQuery CDN** via [jquery/codeorigin.jquery.com](https://github.com/jquery/codeorigin.jquery.com).
 > * Permission to publish releases to npm for the [`qunit`](https://www.npmjs.com/package/qunit) npm package.
 > * Permission to publish the website via [qunitjs/qunit.com](https://github.com/qunitjs/qunitjs.com).
-
-Prerequisites:
-
-* Node.js 12, or later.
-* Git 2.11, or later.
+>
+> System prerequisites:
+>
+> * Node.js 12, or later.
+> * Git 2.11, or later.
 
 1. Ensure that all changes for this release have been merged into the main branch. For patch releases, try landing any other bug fixes; for minor releases, ensure new features have been documented and tested. Major releases likely have their own checklist.
 
-2. Ensure that you have a prestine copy of the canonical repo (not a fork), and create a local  `release` branch:
-   * Run `git remote -v` and verify the following:
+2. Create a local  `release` branch, and ensure it is up-to-date:
+   * Verify that the canonical repository is cloned (not a fork):
    ```
-   origin	[email protected]:qunitjs/qunit.git
+   git remote -v
+   # …
+   # origin	[email protected]:qunitjs/qunit.git
    ```
-   * Create or reset your `release` branch:
+   * Create or reset the `release` branch:
    ```
    git remote update && git checkout -B release -t origin/master
    ```
@@ -31,10 +33,13 @@ Prerequisites:
    ```
    npm ci && npm test
    ```
-   Run the tests in various real browsers as well, either locally or via [BrowserStack](https://www.browserstack.com/):
+   Run the tests in various real browsers, either locally or via [BrowserStack](https://www.browserstack.com/):
    ```
-   npm run serve
-   open 'http://localhost:4000/test/'
+   python3 -m http.server 4000
+   # or:
+   # php -S localhost:4000
+
+   open http://localhost:4000/test/
    ```
 
 4. Create and push the release preparation commit:
@@ -43,68 +48,76 @@ Prerequisites:
       ```
       node build/prep-release.js @VERSION
       ```
-      * Review the difference in the `AUTHORS.txt` file. If you see duplicate entries proposed, then use the `.mailmap` file to normamlize those entries to a canonical name or e-mail address, and then re-run the above command.
-      * Edit `History.md` and remove any "Build", "Tests" or other commits not relevant to end-users.
-   2. Commit all of the above with the following message (replace `@VERSION` with the release version):
+      * Use `git add -p` to review the changes.
+      * In `AUTHORS.txt`, if you see duplicate entries, then use the `.mailmap` file to normalize them to a canonical name and e-mail address, and then re-run the above command.
+      * Edit `History.md` to remove change not relevant to end-users (e.g. changes relating to tests, build, internal refactoring, doc fixes, etc.).
+   2. Commit the above changes with the following message (replace `@VERSION` with the release version):
       ```
       Build: Prepare @VERSION release
       ```
-   3. Push your `release` branch to GitHub.
-   4. Create a pull request, approve it, and merge it once Travis CI is passing.
+   3. Push the `release` branch to GitHub.
+   4. Create a pull request, and merge it once Travis CI is passing.
 
 ## Performing the release
 
-1. Create a local  `release` branch, and ensure you're working on the canonical repo (not a fork):
+5. Create a local  `release` branch, and ensure it is up-to-date:
    * Run `git remote -v` and verify the following:
    ```
    origin [email protected]:qunitjs/qunit.git
    ```
-   * Create or reset your `release` branch:
+   * Create or reset the `release` branch:
    ```
    git remote update && git checkout -B release -t origin/master
    ```
-
-2. Ensure that the latest commit is your release preparation commit:
+   * Verify that the latest commit is your release preparation commit:
    ```
    git show
    # Build: Prepare x.y.z release
    # …
    ```
 
-3. Set the release version for npm and Bower metadata, by running the below command (replace `@VERSION` with the release version):
+6. Make changes for the release commit:
+   * Set the release version for npm and Bower metadata (replace `@VERSION` with the release version):
    ```
    node build/set-release.js @VERSION
    ```
-   This script will edit `package.json` and `bower.json` for you. It does not require any credentials or permissions, apart from read-write in the project directory.
+   This script will edit `package.json` and `bower.json`. It does not need any credentials or permissions, apart from read-write in the project directory.
 
-4. Generate the release artifacts:
+   * Generate the release artifacts:
    ```
    export SOURCE_DATE_EPOCH="$(git log -s --format=%at -1)"
    npm run build
    ```
 
-5. Rename `dist/` to `qunit/`:
+   * Rename `dist/` to `qunit/`:
    ```
    mv dist/ qunit/
    ```
 
-6. Create the release commit, tag it, and push the tag to GitHub (replace `@VERSION` with the release version).<br>⚠️ Do not commit or push release artifacts to the main branch!
+   * Review the changes to the package and library files, compared to the previous release.
+   ```
+   node build/review-package.js @LAST_VERSION
+
+   # … reviews package.json, qunit.js, and qunit.css
+   ```
+
+7. Commit and publish the release to GitHub.<br>⚠️ Do not push to the main branch!
    ```
    git add package.json bower.json qunit/
    git commit -m "Release @VERSION"
    git tag -s "@VERSION" -m "Release @VERSION"
    git push --tags
    ```
 
-7. Verify that Bower sees the release, by running `bower info qunit` and checking that the latest
+8. Verify that Bower sees the release, by running `bower info qunit` and checking that the latest
    version is indeed the version we just published.
 
-8. Publish the release to npm:
-   * Use `git status` to confirm once more that your checkout is clean apart from the release artifacts in `qunit/`.
+9. Publish the release to npm:
+   * Use `git status` to confirm once more that you have a clean working copy, apart from release artifacts in `qunit/`.
    * Run `npm publish`, this will bundle the current directory and publish it to npm with the name and version specified in `package.json`.
    * Verify that the release is displayed at <https://www.npmjs.com/package/qunit>.
 
-9. Publish the release to the jQuery CDN:
+10. Publish the release to the jQuery CDN:
    * Prepare the commit locally:
    ```
    node build/auth-cdn-commit.js real @VERSION
@@ -117,34 +130,31 @@ Prerequisites:
    # …
    git push
    ```
-   * Verify via <https://code.jquery.com/qunit/qunit-x.y.z.js>
+   * Verify that the release is listed at <https://code.jquery.com/qunit/> and accessible via <https://code.jquery.com/qunit/qunit-x.y.z.js>
 
 ## Updating the website
 
-Once you have successfully published the new release, we need to update the website.
+After the release is published, we need to update the website.
 
-    git clone [email protected]:qunitjs/qunitjs.com.git
-    cd qunitjs.com
+Check out the main branch of the [qunitjs/qunitjs.com](https://github.com/qunitjs/qunitjs.com) repository, and ensure it is clean and up-to-date. Update release links and demos to use the version we just released, using this script:
 
-Checkout the latest `master` branch of the website repo.
+```
+qunitjs.com$ node build/set-version.js <version>
+```
 
-Do a find and replace of the previous version number and insert the new version number. Commit these changes with the following message:
+Stage the changes it made, and commit with the following message:
 
-	All: Update url and version to @VERSION
+```
+All: Update url and version to <version>
+```
 
-Then push the commit:
-
-	git push
-
-Check the website in a few minutes after a build completes to verify it is updated.
+Push the commit, and check the website in a few minutes to verify the change ([deployment log](https://github.com/qunitjs/qunitjs.com/deployments/activity_log?environment=github-pages)).
 
 ## Final steps
 
 You're almost there! Make sure you update [GitHub releases](https://github.com/qunitjs/qunit/releases) using the changelog from `History.md`.
 
-Finally, make an announcement on the [@qunitjs](https://twitter.com/qunitjs) Twitter account. Mention highlights of the release if possible and feel free to include a second tweet if needed, but be sure to include a link to the release page like so:
-
-	Released @VERSION: https://github.com/qunitjs/qunit/releases/tag/x.y.z
+Finally, make an announcement on the [@qunitjs](https://twitter.com/qunitjs) Twitter account. Mention highlights of the release if possible, andinclude a link to the release page.
 
 That's it! If you made it this far, congratulations you have successfully released a version of QUnit!
 

build/prep-release.js

@@ -36,7 +36,7 @@ const Repo = {
 				"--format=* %s. (%aN)",
 				"--no-merges",
 				`${oldVersion}...HEAD`
-			], { encoding: "utf-8" } );
+			], { encoding: "utf8" } );
 
 			changes = changes
 				.trim()

build/review-package.js

@@ -0,0 +1,116 @@
+// Helper for reviewing build artefacts against a past release.
+//
+// See also RELEASE.md.
+
+/* eslint-env node */
+
+const cp = require( "child_process" );
+const fs = require( "fs" );
+const https = require( "https" );
+const path = require( "path" );
+const readline = require( "readline" );
+
+function getDiff( from, to ) {
+
+	// macOS 10.15+ comes with GNU diff (2.8)
+	// https://unix.stackexchange.com/a/338960/37512
+	// https://stackoverflow.com/a/41770560/319266
+	const gnuDiffVersion = cp.execFileSync( "diff", [ "--version" ], { encoding: "utf8" } );
+	const versionStr = /diff.* (\d+\.\d+)/.exec( gnuDiffVersion );
+	const isOld = ( versionStr && Number( versionStr[ 1 ] ) < 3.4 );
+
+	try {
+		cp.execFileSync( "diff", [
+			"--text",
+			"--unified",
+			...( isOld ? [] : [ "--color=always" ] ),
+			from,
+			to
+		], { encoding: "utf8" } );
+	} catch ( e ) {
+
+		// Expected, `diff` command yields non-zero exit status if files differ
+		return e.stdout;
+	}
+	throw new Error( `Unable to diff between ${from} and ${to}` );
+}
+
+async function confirm( text ) {
+	const rl = readline.createInterface( { input: process.stdin, output: process.stdout } );
+	await new Promise( ( resolve, reject ) => {
+		rl.question( `${text} (y/N)> `, ( answer ) => {
+			rl.close();
+			if ( String( answer ).toLowerCase() === "y" ) {
+				resolve();
+			} else {
+				reject( new Error( "Audit aborted" ) );
+			}
+		} );
+	} );
+}
+
+async function download( url, dest ) {
+	const fileStr = fs.createWriteStream( dest );
+	await new Promise( ( resolve, reject ) => {
+		https.get( url, ( resp ) => {
+			resp.pipe( fileStr );
+			fileStr.on( "finish", () => fileStr.close( resolve ) );
+		} ).on( "error", ( err ) => reject( err ) );
+	} );
+}
+
+const ReleaseAssets = {
+	async audit( prevVersion ) {
+		if ( typeof prevVersion !== "string" || !/^\d+\.\d+\.\d+$/.test( prevVersion ) ) {
+			throw new Error( "Invalid or missing version argument" );
+		}
+		{
+			const file = "package.json";
+			console.log( `Auditing ${file}...` );
+
+			const prevContent = cp.execFileSync( "git", [
+				"show",
+				`${prevVersion}:package.json`
+			], { encoding: "utf8" } );
+			const tempPrevPath = path.join( __dirname, "../temp", file );
+			fs.writeFileSync( tempPrevPath, prevContent );
+
+			const currentPath = path.join( __dirname, "..", file );
+			process.stdout.write( getDiff( tempPrevPath, currentPath ) );
+			await confirm( `Accept ${file}?` );
+		}
+		{
+			const file = "qunit.js";
+			console.log( `Auditing ${file}...` );
+
+			const prevUrl = `https://code.jquery.com/qunit/qunit-${prevVersion}.js`;
+			const tempPrevPath = path.join( __dirname, "../temp", file );
+			await download( prevUrl, tempPrevPath );
+
+			const currentPath = path.join( __dirname, "../qunit", file );
+			process.stdout.write( getDiff( tempPrevPath, currentPath ) );
+			await confirm( `Accept ${file}?` );
+		}
+		{
+			const file = "qunit.css";
+			console.log( `Auditing ${file}...` );
+
+			const prevUrl = `https://code.jquery.com/qunit/qunit-${prevVersion}.css`;
+			const tempPrevPath = path.join( __dirname, "../temp", file );
+			await download( prevUrl, tempPrevPath );
+
+			const currentPath = path.join( __dirname, "../qunit", file );
+			process.stdout.write( getDiff( tempPrevPath, currentPath ) );
+			await confirm( `Accept ${file}?` );
+		}
+	}
+};
+
+const prevVersion = process.argv[ 2 ];
+
+( async function main() {
+	await ReleaseAssets.audit( prevVersion );
+}() ).catch( e => {
+	console.error( e.toString() );
+	process.exit( 1 );
+} );

package.json

@@ -89,7 +89,6 @@
     "test:main": "npm run build && grunt test",
     "test:cli": "npm run build && bin/qunit.js test/cli/*.js",
     "authors": "grunt authors",
-    "serve": "grunt connect:any",
     "coverage": "npm run build:coverage && npm run coverage:_cli && npm run coverage:_main && nyc report",
     "coverage:_cli": "nyc --use-spawn-wrap --silent bin/qunit.js test/cli/*.js",
     "coverage:_main": "nyc instrument --in-place dist/ && grunt connect:nolivereload qunit",

rollup.config.js

@@ -38,7 +38,7 @@ module.exports = {
 			//    variables in an imported file would be).
 			return fs.readFileSync(
 				__dirname + "/src/html-reporter/es6-map.js",
-				"utf-8"
+				"utf8"
 			).toString().trim();
 		},
 

src/cli/utils.js

@@ -16,7 +16,7 @@ function existsStat() {
 function getIgnoreList( baseDir ) {
 	const gitFilePath = path.join( baseDir, ".gitignore" );
 	if ( fs.existsSync( gitFilePath ) ) {
-		const gitIgnore = fs.readFileSync( gitFilePath, "utf-8" );
+		const gitIgnore = fs.readFileSync( gitFilePath, "utf8" );
 		return gitIgnore.trim().split( "\n" );
 	}
 	return [];