From 681db78ff88c34cd7882c892c4c65d86b2857644 Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Wed, 24 Feb 2021 12:22:28 -0330 Subject: [PATCH] Add CI check to ensure LavaMoat policy is updated (#10493) A CI job has been added to ensure the `allow-scripts` config and the LavaMoat auto-generated policy is up-to-date. This will only run on release branches and the `master` branch, because it's too difficult a requirement to meet for each PR for contributors on macOS, due to differences in the dependency graph caused by optional dependencies. The `allow-scripts` and LavaMoat policy have both been updated using `yarn allow-scripts auto` and `yarn lavamoat:auto`. --- .circleci/config.yml | 23 ++ .circleci/scripts/validate-allow-scripts.sh | 15 ++ .circleci/scripts/validate-lavamoat-policy.sh | 15 ++ lavamoat/node/policy.json | 201 ------------------ package.json | 3 +- 5 files changed, 54 insertions(+), 203 deletions(-) create mode 100755 .circleci/scripts/validate-allow-scripts.sh create mode 100755 .circleci/scripts/validate-lavamoat-policy.sh diff --git a/.circleci/config.yml b/.circleci/config.yml index cdd42aafc..908ef7722 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -26,6 +26,13 @@ workflows: - /^Version-v(\d+)[.](\d+)[.](\d+)/ - prep-deps - test-deps + - validate-lavamoat-config: + filters: + branches: + only: + - /^Version-v(\d+)[.](\d+)[.](\d+)|master/ + requires: + - prep-deps - prep-build: requires: - prep-deps @@ -72,6 +79,7 @@ workflows: - prep-build - all-tests-pass: requires: + - validate-lavamoat-config - test-lint - test-lint-shellcheck - test-lint-lockfile @@ -143,6 +151,21 @@ jobs: - node_modules - build-artifacts + validate-lavamoat-config: + executor: node-browsers + steps: + - checkout + - attach_workspace: + at: . + - run: + name: Validate allow-scripts config + command: | + .circleci/scripts/validate-allow-scripts.sh + - run: + name: Validate LavaMoat policy + command: | + .circleci/scripts/validate-lavamoat-policy.sh + prep-build: executor: node-browsers-medium-plus steps: diff --git a/.circleci/scripts/validate-allow-scripts.sh b/.circleci/scripts/validate-allow-scripts.sh new file mode 100755 index 000000000..6e9f95051 --- /dev/null +++ b/.circleci/scripts/validate-allow-scripts.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -e +set -u +set -o pipefail + +yarn allow-scripts auto + +if git diff-index --quiet HEAD +then + echo "allow-scripts configuration is up-to-date" +else + echo "allow-scripts configuration requires updates" + exit 1 +fi diff --git a/.circleci/scripts/validate-lavamoat-policy.sh b/.circleci/scripts/validate-lavamoat-policy.sh new file mode 100755 index 000000000..65295c777 --- /dev/null +++ b/.circleci/scripts/validate-lavamoat-policy.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +set -e +set -u +set -o pipefail + +yarn lavamoat:auto + +if git diff-index --quiet HEAD +then + echo "LavaMoat policy is up-to-date" +else + echo "LavaMoat policy requires updates" + exit 1 +fi diff --git a/lavamoat/node/policy.json b/lavamoat/node/policy.json index 3b4abd6b8..123dee86c 100644 --- a/lavamoat/node/policy.json +++ b/lavamoat/node/policy.json @@ -959,16 +959,6 @@ "buffer-equal": true } }, - "are-we-there-yet": { - "builtin": { - "events.EventEmitter": true, - "util.inherits": true - }, - "packages": { - "delegates": true, - "readable-stream": true - } - }, "arr-diff": { "packages": { "arr-flatten": true, @@ -1321,7 +1311,6 @@ "anymatch": true, "async-each": true, "braces": true, - "fsevents": true, "glob-parent": true, "inherits": true, "is-binary-path": true, @@ -1573,16 +1562,6 @@ "through2": true } }, - "detect-libc": { - "builtin": { - "child_process.spawnSync": true, - "fs.readdirSync": true, - "os.platform": true - }, - "globals": { - "process.env": true - } - }, "detective": { "packages": { "acorn-node": true, @@ -2026,45 +2005,6 @@ "process.version": true } }, - "fsevents": { - "builtin": { - "events.EventEmitter": true, - "fs.stat": true, - "path.join": true, - "util.inherits": true - }, - "globals": { - "__dirname": true, - "process.nextTick": true, - "process.platform": true, - "setImmediate": true - }, - "native": true, - "packages": { - "node-pre-gyp": true - } - }, - "gauge": { - "builtin": { - "util.format": true - }, - "globals": { - "clearInterval": true, - "process": true, - "setImmediate": true, - "setInterval": true - }, - "packages": { - "aproba": true, - "console-control-strings": true, - "has-unicode": true, - "object-assign": true, - "signal-exit": true, - "string-width": true, - "strip-ansi": true, - "wide-align": true - } - }, "get-assigned-identifiers": { "builtin": { "assert.equal": true @@ -2447,16 +2387,6 @@ "process.argv": true } }, - "has-unicode": { - "builtin": { - "os.type": true - }, - "globals": { - "process.env.LANG": true, - "process.env.LC_ALL": true, - "process.env.LC_CTYPE": true - } - }, "has-value": { "packages": { "get-value": true, @@ -2610,11 +2540,6 @@ "is-plain-object": true } }, - "is-fullwidth-code-point": { - "packages": { - "number-is-nan": true - } - }, "is-glob": { "packages": { "is-extglob": true @@ -2999,38 +2924,6 @@ "setTimeout": true } }, - "node-pre-gyp": { - "builtin": { - "events.EventEmitter": true, - "fs.existsSync": true, - "fs.readFileSync": true, - "fs.renameSync": true, - "path.dirname": true, - "path.existsSync": true, - "path.join": true, - "path.resolve": true, - "url.parse": true, - "url.resolve": true, - "util.inherits": true - }, - "globals": { - "__dirname": true, - "console.log": true, - "process.arch": true, - "process.cwd": true, - "process.env": true, - "process.platform": true, - "process.version.substr": true, - "process.versions": true - }, - "packages": { - "detect-libc": true, - "nopt": true, - "npmlog": true, - "rimraf": true, - "semver": true - } - }, "node-sass": { "builtin": { "fs.existsSync": true, @@ -3070,24 +2963,6 @@ "true-case-path": true } }, - "nopt": { - "builtin": { - "path": true, - "stream.Stream": true, - "url": true - }, - "globals": { - "console": true, - "process.argv": true, - "process.env.DEBUG_NOPT": true, - "process.env.NOPT_DEBUG": true, - "process.platform": true - }, - "packages": { - "abbrev": true, - "osenv": true - } - }, "normalize-path": { "packages": { "remove-trailing-separator": true @@ -3103,22 +2978,6 @@ "once": true } }, - "npmlog": { - "builtin": { - "events.EventEmitter": true, - "util": true - }, - "globals": { - "process.nextTick": true, - "process.stderr": true - }, - "packages": { - "are-we-there-yet": true, - "console-control-strings": true, - "gauge": true, - "set-blocking": true - } - }, "object-copy": { "packages": { "copy-descriptor": true, @@ -3186,54 +3045,6 @@ "readable-stream": true } }, - "os-homedir": { - "builtin": { - "os.homedir": true - }, - "globals": { - "process.env": true, - "process.getuid": true, - "process.platform": true - } - }, - "os-tmpdir": { - "globals": { - "process.env.SystemRoot": true, - "process.env.TEMP": true, - "process.env.TMP": true, - "process.env.TMPDIR": true, - "process.env.windir": true, - "process.platform": true - } - }, - "osenv": { - "builtin": { - "child_process.exec": true, - "path": true - }, - "globals": { - "process.env.COMPUTERNAME": true, - "process.env.ComSpec": true, - "process.env.EDITOR": true, - "process.env.HOSTNAME": true, - "process.env.PATH": true, - "process.env.PROMPT": true, - "process.env.PS1": true, - "process.env.Path": true, - "process.env.SHELL": true, - "process.env.USER": true, - "process.env.USERDOMAIN": true, - "process.env.USERNAME": true, - "process.env.VISUAL": true, - "process.env.path": true, - "process.nextTick": true, - "process.platform": true - }, - "packages": { - "os-homedir": true, - "os-tmpdir": true - } - }, "parent-module": { "packages": { "callsites": true @@ -3814,12 +3625,6 @@ "process": true } }, - "set-blocking": { - "globals": { - "process.stderr": true, - "process.stdout": true - } - }, "set-value": { "packages": { "extend-shallow": true, @@ -4013,7 +3818,6 @@ }, "string-width": { "packages": { - "code-point-at": true, "emoji-regex": true, "is-fullwidth-code-point": true, "strip-ansi": true @@ -4582,11 +4386,6 @@ "isexe": true } }, - "wide-align": { - "packages": { - "string-width": true - } - }, "write": { "builtin": { "fs.createWriteStream": true, diff --git a/package.json b/package.json index 01d69b02e..3edcb0656 100644 --- a/package.json +++ b/package.json @@ -314,8 +314,7 @@ "gc-stats": false, "github:assemblyscript/assemblyscript": false, "tiny-secp256k1": false, - "@lavamoat/preinstall-always-fail": false, - "fsevents": false + "@lavamoat/preinstall-always-fail": false } } }