ci: take package-lock into account in devcontainer (#5278)

Consider package-lock.json when building the dev-container so we can enforce a known-working dependency chain. This caused issues in the past when commitlint and release-please had bugs in new versions that impacted our build pipeline.
2024-11-21 13:41:19 -05:00 · 2024-02-13 11:53:48 +01:00 · 2024-02-13 11:53:48 +01:00 · 7a6ab115a6
commit 7a6ab115a6
parent 9b0427ea6c
2 changed files with 18 additions and 7 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -9,6 +9,7 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
+    open-pull-requests-limit: 100

  - package-ecosystem: github-actions
    commit-message:
@ -16,6 +17,7 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "npm"
    commit-message:
@ -23,6 +25,7 @@ updates:
    directory: "/dependencies"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "bundler"
    commit-message:
@ -30,6 +33,7 @@ updates:
    directory: "/dependencies"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "docker"
    commit-message:
@ -37,6 +41,7 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "pip"
    commit-message:
@ -44,6 +49,7 @@ updates:
    directory: "/dependencies/python/"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "gradle"
    commit-message:
@ -51,6 +57,7 @@ updates:
    directory: "/dependencies/checkstyle"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "gradle"
    commit-message:
@ -58,6 +65,7 @@ updates:
    directory: "/dependencies/google-java-format"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "gradle"
    commit-message:
@ -65,6 +73,7 @@ updates:
    directory: "/dependencies/ktlint"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "docker"
    commit-message:
@ -72,6 +81,7 @@ updates:
    directory: "/dev-dependencies"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100

  - package-ecosystem: "npm"
    commit-message:
@ -79,3 +89,4 @@ updates:
    directory: "/dev-dependencies"
    schedule:
      interval: "weekly"
+    open-pull-requests-limit: 100
--- a/dev-dependencies/Dockerfile
+++ b/dev-dependencies/Dockerfile
@ -7,16 +7,16 @@ RUN apt-get update \
  jq \
  && rm -rf /var/lib/apt/lists/*

-WORKDIR /app
+ENV APP_DIR=/app
+WORKDIR "${APP_DIR}"

-COPY package.json ./
+COPY package.json package-lock.json ./

-ENV NPM_PACKAGES_FILE_PATH="npm-packages.txt"
+RUN npm ci \
+  && rm -rf ~/.npm

-RUN jq '.dependencies | to_entries[] | select(.key | startswith("@commitlint/")) | .key + "@" + .value' package.json >> "${NPM_PACKAGES_FILE_PATH}" \
-  && jq '.dependencies | to_entries[] | select(.key | startswith("release-please")) | .key + "@" + .value' package.json >> "${NPM_PACKAGES_FILE_PATH}" \
-  && xargs npm install -g < "${NPM_PACKAGES_FILE_PATH}" \
-  && rm package.json "${NPM_PACKAGES_FILE_PATH}"
+ENV NODE_PATH="${APP_DIR}/node_modules"
+ENV PATH="${NODE_PATH}/.bin:${PATH}"

 # Split this from the previous RUN instruction so we can cache the costly installation step
 # hadolint ignore=DL3059