diff --git a/.github/workflows/reproducible.yaml b/.github/workflows/reproducible.yaml index 01b58d1d2..20498d370 100644 --- a/.github/workflows/reproducible.yaml +++ b/.github/workflows/reproducible.yaml @@ -5,10 +5,6 @@ on: - cron: '30 0 * * 1' # Or manually workflow_dispatch: - # Or when developing this workflow - push: - paths: - - .github/workflows/reproducible.yaml jobs: run: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 47113c211..6e985b67f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -32,7 +32,7 @@ Foundation's [CLA for QUnit](https://cla.js.foundation/qunitjs/qunit). For code changes, you'll need to have [Node.js](https://nodejs.org/en/) installed. -Install dependencies in the repository via `npm ci`. Make your code +Install dependencies in the repository via `npm install`. Make your code changes and run `npm test` which will validate the syntax and coding style, and run unit and integration tests. diff --git a/RELEASE.md b/RELEASE.md index 70b08127a..414639d52 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -34,7 +34,7 @@ Ensure that all changes for this release have been merged into the main branch. 1. Install dev dependencies: ``` - npm ci + npm install ``` 1. Prepare for the release commit, and build release artefacts: diff --git a/build/reproducible-builds.js b/build/reproducible-builds.js index aad8809dd..a529824be 100644 --- a/build/reproducible-builds.js +++ b/build/reproducible-builds.js @@ -17,25 +17,34 @@ const tempDir = path.join(__dirname, '../temp', 'reproducible-builds'); const SRC_REPO = 'https://github.com/qunitjs/qunit.git'; /** - * Known caveats prior to QUnit 2.17.0: + * QUnit 2.17.0 and later are fully reproducible with this script. * - * - Prior to QUnit 2.14.1, file headers included an uncontrolled "current" timestamp. - * This would have to be ignored or replaced prior to comparison. - * - Prior to QUnit 2.14.1, the build wrote files to "/dist" instead of "/qunit". - * - QUnit 2.15.0 contained some CR (\r) characters in comments from fuzzysort.js, - * which get normalized to LF (\n) by Git and npm, but not in the actual builds - * and in what we publish to the CDN. This was fixed in qunit@2.16.0 and qunit@2.17.0. + * Known caveats: * - * QUnit 2.17.0 and later are fully reproducible with this script. Notes: + * QUnit 2.14.1 - 2.16.0: + * - File headers included an uncontrolled "current" timestamp. + * This would have to be ignored or replaced prior to comparison. + * - The build wrote files to "/dist" instead of "/qunit". * - * - qunit@2.17.0 to 2.21.0 were built and published using npm 8 or npm 9. + * QUnit 2.15.0: + * - Contained some CR (\r) characters in comments from fuzzysort.js, + * which get normalized to LF (\n) by Git and npm, but not in the actual builds + * and in what we publish to the CDN. This was fixed in qunit@2.16.0 and qunit@2.17.0. * + * QUnit 2.17.0 - 2.21.0: + * - These were built and published using npm 8 or npm 9. * In npm 10, upstream changed gzip encoding slightly for the npm-pack tarball (.tgz). This * means a tarball from npm 10+ is not byte-for-byte identical to ones generated by npm 8 or 9. * After gzip-decompression, however, the tar stream is byte-for-byte identical. * Either use npm 8 or 9 to verify these, or verify the tarball after gzip decompression. + * + * QUnit 3.0.0-alpha.3: + * - The package-lock.json file was a few commits behind what was actually released, + * thus reproducing it uees a slightly Rollup/Babel version that outputs with slightly + * different code formatting. */ -const VERIFY_COUNT = 3; +const VERIFY_COUNT = 5; +const EXCLUDE = ['3.0.0-alpha.3']; async function buildRelease (version, cacheDir = null) { console.log(`... ${version}: checking out the source`); @@ -56,8 +65,7 @@ async function buildRelease (version, cacheDir = null) { QUNIT_BUILD_RELEASE: '1', PUPPETEER_CACHE_DIR: path.join(cacheDir, 'puppeteer_download') }; - // Use sync for npm-ci to avoid concurrency bugs with shared cache - cp.execFileSync('npm', ['ci'], { + cp.execFileSync('npm', ['install'], { env: npmEnv, cwd: gitDir }); @@ -110,6 +118,9 @@ const Reproducible = { const data = JSON.parse(await utils.download(cdnIndexUrl)); for (const release of data.qunit.all.slice(0, VERIFY_COUNT)) { + if (EXCLUDE.includes(release.version)) { + continue; + } releases[release.version] = { cdn: { js: { diff --git a/package.json b/package.json index 8b4388be9..0602eec1d 100644 --- a/package.json +++ b/package.json @@ -60,14 +60,14 @@ "tiny-glob": "0.2.9" }, "devDependencies": { - "@babel/core": "^7.24.6", - "@babel/plugin-external-helpers": "^7.24.6", - "@babel/preset-env": "^7.24.6", + "@babel/core": "7.25.2", + "@babel/plugin-external-helpers": "7.25.9", + "@babel/preset-env": "7.25.4", "@qunitjs/browserstack-runner": "0.9.5-qunitjs.2", - "@rollup/plugin-babel": "^6.0.4", - "@rollup/plugin-commonjs": "^26.0.1", - "@rollup/plugin-node-resolve": "^15.2.3", - "@rollup/plugin-replace": "^5.0.5", + "@rollup/plugin-babel": "6.0.4", + "@rollup/plugin-commonjs": "26.0.1", + "@rollup/plugin-node-resolve": "15.2.3", + "@rollup/plugin-replace": "5.0.7", "benchmark": "2.1.4", "eslint": "^8.57.0", "eslint-config-semistandard": "^17.0.0", @@ -82,18 +82,18 @@ "eslint-plugin-qunit": "^8.1.1", "fixturify": "^3.0.0", "fuzzysort": "1.2.1", - "grunt": "^1.6.1", - "grunt-contrib-connect": "^5.0.0", - "grunt-contrib-copy": "^1.0.0", + "grunt": "1.6.1", + "grunt-contrib-connect": "5.0.0", + "grunt-contrib-copy": "1.0.0", "grunt-contrib-qunit": "^10.1.1", - "grunt-search": "^0.1.8", + "grunt-search": "0.1.8", "kleur": "4.1.5", "npm-reporter": "file:./test/cli/fixtures/npm-reporter", "nyc": "^17.0.0", - "proxyquire": "^2.0.0", - "requirejs": "^2.3.6", - "rollup": "^4.18.0", - "tap-min": "^3.0.0" + "proxyquire": "2.1.3", + "requirejs": "2.3.7", + "rollup": "4.21.3", + "tap-min": "3.0.0" }, "scripts": { "build": "rollup -c && grunt copy", diff --git a/test/benchmark/README.md b/test/benchmark/README.md index fbb38921f..c9b25e30a 100644 --- a/test/benchmark/README.md +++ b/test/benchmark/README.md @@ -6,7 +6,7 @@ The default is to benchmark the local development version of QUnit. * Install QUnit for development and generate the release artefact: ``` - qunit$ npm ci + qunit$ npm install qunit$ npm run build ``` * Link benchmark to local artefact.