Add SRI hashes to Git #40
Krinkle added a commit to Krinkle/codeorigin.jquery.com that referenced this issue on Aug 25, 2018:

This makes the other tasks also usable locally, given they don't use the wordpress config. In prep for fixing issue jquery#40.
Krinkle added a commit to Krinkle/codeorigin.jquery.com that referenced this issue on Aug 25, 2018:

Changes:
* Remove extraneous "type:null" from the output JSON.
* Add support for Grunt 1.0 (but still supporting Grunt 0.4.5).
* Add a new "pretty" option (false by default).

Ref issue jquery#40, the new "pretty" option will make changes easier to view and review in Git.
Krinkle added a commit to Krinkle/codeorigin.jquery.com that referenced this issue on Aug 25, 2018:

* Move 'sri-generate' from deploy/build to a new 'prepare' step.
* Add 'npm run prepare' as shortcut for 'grunt prepare' so that grunt-cli does not have to be globally installed.
* Add 'git-status' task for testing that the working copy is clean.
* Add 'npm test' (grunt test) that runs prepare + git-status, mainly for CI.

Fixes jquery#40.
Krinkle added a commit to Krinkle/codeorigin.jquery.com that referenced this issue on Aug 25, 2018:

This makes changes easier to review in Git, and also has the benefit of securing the SRI directives into Git, per issue jquery#40.

I considered committing the sri-directives.json file to Git, but encountered three issues:
- The file is minified (although grunt-sri has a 'pretty' option).
- The file is over 3MB, which means GitHub will refuse both viewing and diffing of the file.
- The JSON file is not authoritative, because it is not deployed. Instead, it is only used during the build process to stage the hashes whilst building the HTML includes, which is what we do deploy.

Committing these to Git is much easier. The files are much smaller, and thus easy to view and review via GitHub. It also has the benefit of allowing review and testing of much more than just the SRI hashes.

* Move 'sri-generate' and 'build-index' from deploy/build to a new 'prepare' step.
* Add 'npm run prepare' as shortcut for 'grunt prepare' so that grunt-cli does not have to be globally installed.
* Add 'git-status' task for testing that the working copy is clean.
* Add 'npm test' (grunt test) that runs prepare + git-status, mainly for CI.

Fixes jquery#40.
trentmwillis pushed a commit that referenced this issue on Aug 25, 2018:

This makes the other tasks also usable locally, given they don't use the wordpress config. In prep for fixing issue #40.
Krinkle added a commit to Krinkle/codeorigin.jquery.com that referenced this issue on Aug 26, 2018:

This makes changes easier to review in Git, and also has the benefit of securing the SRI directives into Git, for improved transparency and security per issue jquery#40.

* Move "sri-generate" and "build-index" from deploy/build to a new "generate" step.
* Rename "build-index" to "generate-pages" to avoid confusion between "build" and "generate". The "build" task name is reserved by grunt-jquery-content for the step that needs to happen on the server as part of "deploy".
* Add "npm run generate" as shortcut for "grunt prepare" so that contributors do not need to have grunt-cli globally installed.
* Add "git-status" task for testing that the working copy is clean in CI after running the generate step.
* Add "npm test" (grunt test) to run generate + git-status, mainly for CI.

Fixes jquery#40.
Krinkle added a commit that referenced this issue on Aug 6, 2021:

Let "wordpress-deploy" upload this to the site, which the gw-resources plugin exposes via addresses like <https://releases.jquery.com/resources/foo>. See <https://github.com/jquery/api.jquery.com/> for an example of this.

Local test plan:
```
nobody$ npm ci
nobody$ cp config-sample.json config.json
nobody$ ./node_modules/.bin/grunt sri
nobody$ less resources/sri-directives.json
{"@cdn/color/2.2.0/jquery.color.js":{"hashes":{"sha256":"gvMJWDH...
nobody$ ./node_modules/.bin/grunt build-index build-resources
nobody$ less dist/wordpress/resources/sri-directives.json
{"@cdn/color/2.2.0/jquery.color.js":{"hashes":{"sha256":"gvMJWDH...
nobody$ less dist/wordpress/resources/cdn.json
{
  "jquery": [
    [
      "3",
      {
        "latestStable": {
          "filename": "jquery-3.6.0.js",
          ...
```

Closes #40.
Krinkle added a commit that referenced this issue on Aug 7, 2021:

Let "wordpress-deploy" upload this to the site, which the gw-resources plugin exposes via addresses like <https://releases.jquery.com/resources/foo>. See <https://github.com/jquery/api.jquery.com/> for an example of this.

Local test plan:
```
nobody$ npm ci
nobody$ cp config-sample.json config.json
nobody$ ./node_modules/.bin/grunt sri
nobody$ less resources/sri-directives.json
{"@cdn/color/2.2.0/jquery.color.js":{"hashes":{"sha256":"gvMJWDH...
nobody$ ./node_modules/.bin/grunt build-index build-resources
nobody$ less dist/wordpress/resources/sri-directives.json
{"@cdn/color/2.2.0/jquery.color.js":{"hashes":{"sha256":"gvMJWDH...
nobody$ less dist/wordpress/resources/cdn.json
{
  "jquery": [
    [
      "3",
      {
        "latestStable": {
          "filename": "jquery-3.6.0.js",
          ...
```

Closes #40.
Given that addition of files is done through Git, perhaps the build step that creates the SRI information should also be committed to Git - instead of happening during deployment?
That would provide more confidence, transparency and verifiability for these values.