|
| 1 | +#!/usr/bin/env bash |
| 2 | +# Verify that the npm tarball this package would publish includes every |
| 3 | +# vendored sqlite3mc artifact listed in vendor/jswasm/SHA256SUMS. |
| 4 | +# |
| 5 | +# Background: npm honors any `.gitignore` it finds inside directories listed |
| 6 | +# in the `files` allowlist. The `.gitignore` in vendor/jswasm/ excludes |
| 7 | +# everything except an allowlist (SHA256SUMS, the locally-authored .d.mts, |
| 8 | +# and itself), which inadvertently strips the WASM/MJS artifacts from the |
| 9 | +# published tarball even though they're present on disk after vendor.sh ran. |
| 10 | +# |
| 11 | +# vendor/jswasm/.npmignore shadows that .gitignore for npm pack purposes. |
| 12 | +# This script is the guard that catches any future regression. For example: |
| 13 | +# someone deletes the .npmignore, or a new vendored file is added but not |
| 14 | +# captured by whatever inclusion mechanism is in place. Wired into |
| 15 | +# `prepublishOnly` so a broken tarball aborts publish before upload. |
| 16 | +# |
| 17 | +# Exit codes: 0 = all expected files present, 1 = missing files, 2 = setup |
| 18 | +# error (no SHA256SUMS, npm pack failed, etc.). |
| 19 | + |
| 20 | +set -euo pipefail |
| 21 | + |
| 22 | +SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) |
| 23 | +PKG_ROOT=$(cd "$SCRIPT_DIR/.." && pwd) |
| 24 | +SHA256SUMS="$PKG_ROOT/vendor/jswasm/SHA256SUMS" |
| 25 | + |
| 26 | +if [[ ! -f "$SHA256SUMS" ]]; then |
| 27 | + echo "verify-pack: SHA256SUMS not found at $SHA256SUMS" >&2 |
| 28 | + echo " Run scripts/vendor.sh first to populate vendor/jswasm/." >&2 |
| 29 | + exit 2 |
| 30 | +fi |
| 31 | + |
| 32 | +# Parse SHA256SUMS for the list of files that MUST appear in the tarball. |
| 33 | +# Each line is "<sha256> <filename>". We want the filename, prefixed with |
| 34 | +# the package-relative path that npm uses inside the tarball. |
| 35 | +expected=() |
| 36 | +while IFS= read -r line; do |
| 37 | + fname=$(awk '{print $2}' <<<"$line") |
| 38 | + [[ -n "$fname" ]] || continue |
| 39 | + expected+=("vendor/jswasm/$fname") |
| 40 | +done < "$SHA256SUMS" |
| 41 | + |
| 42 | +if [[ ${#expected[@]} -eq 0 ]]; then |
| 43 | + echo "verify-pack: SHA256SUMS contained no entries, nothing to verify" >&2 |
| 44 | + exit 2 |
| 45 | +fi |
| 46 | + |
| 47 | +WORK_DIR=$(mktemp -d) |
| 48 | +trap 'rm -rf "$WORK_DIR"' EXIT |
| 49 | + |
| 50 | +# Build the same tarball `npm publish` would upload, then list its contents. |
| 51 | +# `--dry-run --json` output format varies across npm versions; running real |
| 52 | +# `npm pack` and untarring is stable across npm 7+. |
| 53 | +echo "==> Running npm pack to build a candidate tarball" |
| 54 | +(cd "$PKG_ROOT" && npm pack --pack-destination "$WORK_DIR" >/dev/null) |
| 55 | +TARBALL=$(find "$WORK_DIR" -maxdepth 1 -name '*.tgz' | head -n 1) |
| 56 | +if [[ -z "$TARBALL" ]]; then |
| 57 | + echo "verify-pack: npm pack produced no tarball in $WORK_DIR" >&2 |
| 58 | + exit 2 |
| 59 | +fi |
| 60 | + |
| 61 | +# Tarball entries are prefixed with "package/" — strip for comparison. |
| 62 | +tar tzf "$TARBALL" | sed 's|^package/||' > "$WORK_DIR/listing" |
| 63 | + |
| 64 | +missing=0 |
| 65 | +for f in "${expected[@]}"; do |
| 66 | + if ! grep -Fxq "$f" "$WORK_DIR/listing"; then |
| 67 | + echo "verify-pack: missing from tarball: $f" >&2 |
| 68 | + missing=1 |
| 69 | + fi |
| 70 | +done |
| 71 | + |
| 72 | +if [[ "$missing" -eq 1 ]]; then |
| 73 | + cat >&2 <<EOF |
| 74 | +
|
| 75 | +verify-pack: one or more vendored sqlite3mc artifacts were filtered out of |
| 76 | + the npm tarball. Most likely cause: vendor/jswasm/.npmignore is missing, |
| 77 | + letting the sibling .gitignore strip the WASM/MJS artifacts at pack time. |
| 78 | +
|
| 79 | + To diagnose: |
| 80 | + cd $PKG_ROOT |
| 81 | + npm pack --dry-run 2>&1 | grep vendor/jswasm |
| 82 | +
|
| 83 | + Tarball file listing (for reference): $WORK_DIR/listing |
| 84 | +EOF |
| 85 | + # Don't auto-clean WORK_DIR on failure so the operator can inspect. |
| 86 | + trap - EXIT |
| 87 | + echo "verify-pack: leaving $WORK_DIR for inspection" >&2 |
| 88 | + exit 1 |
| 89 | +fi |
| 90 | + |
| 91 | +echo "verify-pack: all ${#expected[@]} vendored files present in tarball" |
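Review bot: The guard compares only file names against the tarball listing (the `grep -Fxq "$f"` loop), so a vendored artifact that is packed but truncated or altered relative to vendor/jswasm/SHA256SUMS still passes and is published. The pinned digests are already at hand, so after the presence loop the script could unpack the candidate and check them: `tar xzf "$TARBALL" -C "$WORK_DIR"` followed by `(cd "$WORK_DIR/package/vendor/jswasm" && sha256sum -c --quiet "$SHA256SUMS") || missing=1`. This assumes GNU `sha256sum` is available wherever publish runs (macOS would need `shasum -a 256 -c`), and the failure text would then need to mention a digest mismatch as well as a missing file. Separately, under `set -e` a failing `npm pack` subshell exits with npm's own status rather than the documented 2; appending `|| { echo "verify-pack: npm pack failed" >&2; exit 2; }` to that line would keep the exit-code contract stated in the header comment.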