From 7a6ab115a6366deadb6b20223f3d331bb0d4da76 Mon Sep 17 00:00:00 2001
From: Marco Ferrari
Date: Tue, 13 Feb 2024 11:53:48 +0100
Subject: [PATCH] ci: take package-lock into account in devcontainer (#5278)

Consider package-lock.json when building the dev-container so we can enforce a known-working dependency chain.

This caused issues in the past when commitlint and release-please had bugs in new versions that impacted our build pipeline.
---
 .github/dependabot.yml      | 11 +++++++++++
 dev-dependencies/Dockerfile | 14 +++++++-------
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b866f63a..84955b6b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,7 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 100
 
   - package-ecosystem: github-actions
     commit-message:
@@ -16,6 +17,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "npm"
     commit-message:
@@ -23,6 +25,7 @@ updates:
     directory: "/dependencies"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "bundler"
     commit-message:
@@ -30,6 +33,7 @@ updates:
     directory: "/dependencies"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "docker"
     commit-message:
@@ -37,6 +41,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "pip"
     commit-message:
@@ -44,6 +49,7 @@ updates:
     directory: "/dependencies/python/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "gradle"
     commit-message:
@@ -51,6 +57,7 @@ updates:
     directory: "/dependencies/checkstyle"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "gradle"
     commit-message:
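Review bot: The `open-pull-requests-limit: 100` line added in this hunk is not explained anywhere — the commit description only talks about package-lock.json in the devcontainer, and the same unexplained line is repeated in every other dependabot.yml hunk of this patch (-16, -23, -30, -37, -44, -51 and the four that follow). Raising the limit this far above Dependabot's default of 5 means many more bot-authored branches can be open at once, each of which triggers the CI workflows; that may be intended, but the next maintainer cannot tell from the file. A short YAML comment on the first occurrence would do, e.g. `open-pull-requests-limit: 100  # raised from the default of 5 so lock-file updates are not throttled; see #5278`, with the reason adjusted to whatever actually motivated it. Since the value is identical for all eleven entries, it would also be worth a sentence in the commit message so the change is visible in history.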
@@ -58,6 +65,7 @@ updates:
     directory: "/dependencies/google-java-format"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "gradle"
     commit-message:
@@ -65,6 +73,7 @@ updates:
     directory: "/dependencies/ktlint"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "docker"
     commit-message:
@@ -72,6 +81,7 @@ updates:
     directory: "/dev-dependencies"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
 
   - package-ecosystem: "npm"
     commit-message:
@@ -79,3 +89,4 @@ updates:
     directory: "/dev-dependencies"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 100
diff --git a/dev-dependencies/Dockerfile b/dev-dependencies/Dockerfile
index a0760be7..7ae9b52a 100644
--- a/dev-dependencies/Dockerfile
+++ b/dev-dependencies/Dockerfile
@@ -7,16 +7,16 @@ RUN apt-get update \
     jq \
     && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /app
+ENV APP_DIR=/app
+WORKDIR "${APP_DIR}"
 
-COPY package.json ./
+COPY package.json package-lock.json ./
 
-ENV NPM_PACKAGES_FILE_PATH="npm-packages.txt"
+RUN npm ci \
+    && rm -rf ~/.npm
 
-RUN jq '.dependencies | to_entries[] | select(.key | startswith("@commitlint/")) | .key + "@" + .value' package.json >> "${NPM_PACKAGES_FILE_PATH}" \
-    && jq '.dependencies | to_entries[] | select(.key | startswith("release-please")) | .key + "@" + .value' package.json >> "${NPM_PACKAGES_FILE_PATH}" \
-    && xargs npm install -g < "${NPM_PACKAGES_FILE_PATH}" \
-    && rm package.json "${NPM_PACKAGES_FILE_PATH}"
+ENV NODE_PATH="${APP_DIR}/node_modules"
+ENV PATH="${NODE_PATH}/.bin:${PATH}"
 
 # Split this from the previous RUN instruction so we can cache the costly installation step
 # hadolint ignore=DL3059
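Review bot: The new `RUN npm ci` line runs every install lifecycle script of every package in package-lock.json as the image build user, whereas the removed `npm install -g` path only pulled the `@commitlint/*` and `release-please` entries; for an image that only needs CLI tools, `RUN npm ci --ignore-scripts \` is the safer default and the lock file's integrity hashes are still enforced — keep the scripts only if one of the locked packages is known to need a build step. The pinning itself is an improvement, but note that `npm ci` also installs devDependencies unless told otherwise, so if package.json carries any, `--omit=dev` would keep the image to what the tooling actually uses (I cannot see package.json here, so this is worth confirming). Two smaller points: the old RUN deleted package.json after installing while the new version leaves package.json and package-lock.json in `${APP_DIR}` — fine, but a one-line comment saying they are kept on purpose so `npm ci` is cacheable would stop someone from re-adding the cleanup; and exporting `NODE_PATH` image-wide makes `/app/node_modules` resolvable for any node process in the container, so if only the `.bin` shims are needed, dropping the `ENV NODE_PATH` line and writing `ENV PATH="${APP_DIR}/node_modules/.bin:${PATH}"` narrows that. The `RUN apt-get update` instruction whose tail (`jq \`) opens this hunk starts outside it.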