diff --git a/.editorconfig b/.editorconfig
index 5e41726..bd929bc 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -4,6 +4,7 @@ root = true
 [*]
 charset = utf-8
 end_of_line = lf
-insert_final_newline = true
 indent_size = 2
 indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
diff --git a/.github/workflows/.github_release.yml b/.github/workflows/.github_release.yml
index 8956ca9..6e13e9d 100644
--- a/.github/workflows/.github_release.yml
+++ b/.github/workflows/.github_release.yml
@@ -9,9 +9,7 @@ jobs:
 uses: ./.github/workflows/release.yml
 with: { homebrew: false, npm: false }
 permissions: { contents: write, id-token: write }
- secrets: inherit
 sync:
 uses: ./.github/workflows/sync-major-version.yml
 permissions: { contents: write }
- secrets: inherit
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index c7199eb..631ad10 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -1,7 +1,7 @@
 name: Test
 on:
 pull_request:
- push: { branches: main }
+ push:
 schedule: [{ cron: "0 0 10 * *" }] # monthly https://crontab.guru/#0_0_10_*_*
 workflow_dispatch:
 permissions: {}
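Review bot: Dropping `secrets: inherit` from the `release` job means the `BOT_TOKEN` that release.yml still declares (`required: false`, for its homebrew job) no longer reaches the callee; that is harmless only because this call passes `homebrew: false`, and nothing records that coupling. A comment on the call, `with: { homebrew: false, npm: false } # no secrets forwarded; map BOT_TOKEN explicitly under secrets: if homebrew is ever enabled`, would keep the next editor from re-adding `inherit` wholesale. The `sync` job appears to need no secrets, since sync-major-version.yml pushes with the persisted `github.token`.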
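Review bot: The bare `push:` trigger fires for every branch and for tag pushes, so the test workflow now runs twice for same-repo pull requests (once via `push:`, once via `pull_request:`) and also runs on the release tag that `npm version` pushes per CONTRIBUTING.md, concurrently with the release workflow. If the goal is coverage of all branches, `push: { tags-ignore: ['**'] }` keeps the tag runs out; if every push is intended, a comment such as `push: # all branches and tags, deliberately` records the choice. A `concurrency:` group keyed on the ref would also stop stale runs piling up.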
@@ -16,3 +16,50 @@ jobs:
 id-token: write
 security-events: write
 statuses: write
+
+ super-lint:
+ permissions: { contents: read, packages: read, statuses: write }
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ repo:
+ - actions
+ - homebrew-nodenv
+ - jetbrains-npm
+ # - node-build
+ - node-build-prerelease
+ - node-build-update-defs
+ # - nodenv
+ # - nodenv-aliases
+ - nodenv-default-packages
+ - nodenv-each
+ - nodenv-env
+ - nodenv-installer
+ - nodenv-man
+ - nodenv-npm-migrate
+ - nodenv-nvmrc
+ # - nodenv-package-json-engine
+ - nodenv-package-rehash
+ # - nodenv-update
+ - nodenv-vars
+ steps:
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with: { egress-policy: audit }
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: nodenv/${{ matrix.repo }}
+ persist-credentials: false
+ - uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
+ env:
+ USE_FIND_ALGORITHM: true # workaround superlinter
+ ### below here should match our reusable test workflow config
+ GITHUB_TOKEN: ${{ github.token }}
+ BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug #5731
+ FILTER_REGEX_EXCLUDE: node_modules
+ VALIDATE_BIOME_FORMAT: false # conflicts with prettier
+ VALIDATE_BIOME_LINT: false # conflicts with prettier
+ VALIDATE_GIT_COMMITLINT: false # commitlint is bad
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
+ VALIDATE_JSCPD: false # too prone to false-positives
+ VALIDATE_SPELL_CODESPELL: false # TODO
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a951f86..abb6de2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,6 @@ on:
 required: false
 type: string
 secrets:
- NPMJS_TOKEN: { required: true } # required for npm job
 BOT_TOKEN: { required: false } # required for homebrew job
 permissions: {}
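Review bot: The matrix job hands super-linter `GITHUB_TOKEN` together with `statuses: write`, and super-linter's default status reporting posts per-linter commit statuses to `GITHUB_REPOSITORY`/`GITHUB_SHA`, which in this job is the `.github` repo's own commit rather than the `nodenv/${{ matrix.repo }}` checkout; if that default applies, all fourteen active matrix entries write the same status context names on one commit and the last writer wins, so one repo's failure can be hidden behind another's pass. Adding `MULTI_STATUS: false` to the `env:` block (and then dropping `statuses: write` from the job) leaves the job conclusion as the only signal, which is the one the matrix actually distinguishes. The `### below here should match our reusable test workflow config` block is a hand-copied twin of the lint `env:` in test.yml; a matching `# keep in sync with .github_test.yml super-lint` comment on the other side would make drift easier to spot.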
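Review bot: Removing `NPMJS_TOKEN` from the reusable workflow's `secrets:` block turns any caller that still maps it explicitly (`secrets: { NPMJS_TOKEN: ... }`) into a workflow validation error, since callers may only pass secrets the callee declares; callers using `secrets: inherit` are unaffected, as far as I recall. The surviving comment could say so, e.g. `BOT_TOKEN: { required: false } # required for homebrew job; npm publishes via OIDC trusted publishing and takes no token`, so org repos know to drop the old mapping when they bump the workflow ref.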
@@ -29,9 +28,10 @@ jobs:
 permissions: { contents: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { persist-credentials: false }
 # TODO exit this job differently than success if release already exists
 - name: gh release create
 run: |
@@ -47,9 +47,9 @@ jobs:
 permissions: { contents: read }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: mislav/bump-homebrew-formula-action@8e2baa47daaa8db10fcdeb04105dfa6850eb0d68 # v3.4
+ - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
 with:
 homebrew-tap: ${{ contains(fromJSON('["nodenv","node-build"]'), github.event.repository.name)
@@ -62,14 +62,14 @@ jobs:
 permissions: { id-token: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { persist-credentials: false }
+ - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with: # FIXME https://github.com/actions/setup-node/pull/129
 scope: ${{ inputs.npm_scope }}
 registry-url: https://registry.npmjs.org
+ node-version: 24 # Trusted Publishing requires npm v11.5.1+; node 24 bundles a sufficient version
 - run: npm ci
- - run: npm publish --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+ - run: npm publish
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
index bd18ffc..3aaa2fb 100644
--- a/.github/workflows/sync-default-branch.yml
+++ b/.github/workflows/sync-default-branch.yml
@@ -8,7 +8,10 @@ jobs:
 permissions: { contents: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # need creds for subsequent git ops
+
 - run: git push --force origin HEAD:refs/heads/master
diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml
index efa7a9e..a8bc684 100644
--- a/.github/workflows/sync-major-version.yml
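Review bot: With `id-token: write` on the job, the OIDC request token is exposed to every step, including the dependency lifecycle scripts that `npm ci` executes, so a compromised dependency's `postinstall` could mint the same OIDC token the trusted-publisher configuration accepts and publish under this package before `npm publish` runs. Unless a package here depends on install-time scripts, `- run: npm ci --ignore-scripts` closes that window while the project's own `prepublishOnly`/`prepare` hooks still run under `npm publish`. `--provenance` can be dropped only because trusted publishing attaches provenance itself; a comment, `- run: npm publish # OIDC trusted publishing: provenance is attested automatically, no NPMJS_TOKEN`, would stop someone restoring the token path. Note that `setup-node` with `registry-url` still writes an `_authToken=${NODE_AUTH_TOKEN}` placeholder into `.npmrc`; confirm the npm bundled with node 24 tolerates that variable being unset.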
+++ b/.github/workflows/sync-major-version.yml
@@ -9,9 +9,12 @@ jobs:
 permissions: { contents: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: true # need creds for subsequent git ops
+
 # FIXME pushes branch instead of tag because github bug:
 # https://github.com/orgs/community/discussions/163366
 - run: git push -f origin "HEAD:refs/heads/${GITHUB_REF_NAME%%.*}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 897daf7..b0ebdc4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,9 +22,10 @@ jobs:
 fail-fast: false
 matrix: { os: [ubuntu-latest, macOS-latest] }
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { persist-credentials: false }
 - run: npm cit
 env:
 GITHUB_TOKEN: ${{ github.token }}
@@ -34,42 +35,56 @@ jobs:
 permissions: { contents: read, packages: read, statuses: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with: { fetch-depth: 0 }
- - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { fetch-depth: 0, persist-credentials: false }
+ - uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
 env:
 GITHUB_TOKEN: ${{ github.token }}
 BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug
- VALIDATE_JSCPD: false # jscpd is false-positive prone and generally not useful
+ FILTER_REGEX_EXCLUDE: node_modules
+ VALIDATE_BIOME_FORMAT: false # conflicts with prettier
+ VALIDATE_BIOME_LINT: false # conflicts with prettier
+ VALIDATE_GIT_COMMITLINT: false # commitlint is bad
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
+ VALIDATE_JSCPD: false # too prone to false-positives
+ VALIDATE_SPELL_CODESPELL: false # TODO
 dependency-review:
 if: startsWith('pull_request', github.event_name)
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { persist-credentials: false }
+ - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
 ossf-scorecard:
 if: github.ref_name == github.event.repository.default_branch
 permissions: { id-token: write, security-events: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with: { persist-credentials: false }
+ - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: ossf-scorecard-results.sarif
 results_format: sarif
 publish_results: true
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: ossf-scorecard-results.sarif
 path: ossf-scorecard-results.sarif
- - uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
+ - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 sarif_file: ossf-scorecard-results.sarif
diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md
index 05699e2..a8c4666 100644
--- a/docs/CODE_OF_CONDUCT.md
+++ b/docs/CODE_OF_CONDUCT.md
@@ -136,3 +136,9 @@ at [https://www.contributor-covenant.org/translations][translations].
 [Mozilla CoC]: https://github.com/mozilla/diversity
 [FAQ]: https://www.contributor-covenant.org/faq
 [translations]: https://www.contributor-covenant.org/translations
+
+## Project Maintainers
+
+- Will McKenzie <>
+- Jason Karns <>
+- Josh Hagins <>
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 7b8ee11..b617b01 100644
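Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` is the one disabled linter in the lint job's `env:` block with no stated reason, and zizmor is the linter that checks for exactly what this commit fixes by hand (`persist-credentials`, unpinned actions, expression injection), so turning it off silently drops that coverage; keep it on, or record why with `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false # TODO re-enable; currently fails on <finding>`. The `dependency-review` job moves to `egress-policy: block` with an allow-list while the `ossf-scorecard` job, which holds `id-token: write` and `security-events: write`, stays on `audit`; giving it the same allow-list treatment once its audit log has been read would be consistent. `dependency-review` is also the only job in this hunk with no job-level `permissions:` key, so it runs with whatever the workflow-level default is, which lies outside the hunk, as does the lint job's header above the first context line.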
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -6,8 +6,64 @@ https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contr
 # Contributing
+## Rbenv Tags Git Configuration
+
+Many repositories in the nodenv organization are forks from the rbenv
+ecosystem. To support pulling changes from the upstream rbenv repository into
+nodenv, it is necessary to add rbenv as a Git remote. However, this adds some
+complication because (by default), Git tags for nodenv and rbenv will collide.
+(ie, rbenv's `v1.0.0` tag conflicts with nodenv's `v1.0.0`) Additionally,
+having rbenv's tags exist locally introduces complications to the release
+process: `git push --follow-tags` would push rbenv's tags to nodenv's `origin`
+remote.
+
+The following special Git configuration avoids these and other headaches while
+still allowing `origin` to be pushed using `--tags` or `--follow-tags`
+options—without the risk of pushing rbenv's tags into nodenv's tagspace. The
+configuration assumes nodenv's remote is `origin`, and rbenv's remote is
+`rbenv`.
+
+1. Configure rbenv to not fetch tags by default:
+
+```console
+git config remote.rbenv.tagOpt --no-tags
+```
+
+2. Fetch rbenv's tags to their own refspec namespace (`rbtags`, in this case):
+
+```console
+git config --add remote.rbenv.fetch '+refs/tags/*:refs/rbtags/*'
+```
+
+> [!WARNING]
+> The `--tags` option to `fetch` et. al. will override this setting.
+
+Resulting snippet in `.git/config`:
+
+```gitconfig
+[remote "origin"]
+ url = git@github.com:nodenv/nodenv.git
+ fetch = +refs/heads/*:refs/remotes/origin/*
+[remote "rbenv"]
+ url = git@github.com:rbenv/rbenv.git
+ fetch = +refs/heads/*:refs/remotes/rbenv/*
+ fetch = +refs/tags/*:refs/rbtags/*
+ tagopt = --no-tags
+```
+
+To reference rbenv's tags, use the fully qualified refspec: `refs/rbtags/vX.Y.Z`
+
+```console
+git show refs/rbtags/v1.1.2
+git checkout refs/rbtags/v1.1.2
+git merge refs/rbtags/v1.1.2
+```
+
 ## Releasing
 From a clean working copy, run `npm version major|minor|patch|VERSION`.
This will bump the package version, commit, tag, and push.
-The tag-push event triggers the release workflow on GitHub.
+
+The tag-push event triggers the release workflow on GitHub, which creates a
+GitHub Release for the tag. It also (when applicable) publishes to npm and
+opens a pull request to bump the corresponding formula in its Homebrew tap.
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 313764e..57fb30b 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -4,14 +4,14 @@ It may be overridden by a repo-specific security policy.
 https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
 -->
-# Security Policy
+# Security Policy 🛡️
-## Supported Versions ✅
+## ✅ Supported Versions
 Only the greatest published version (according to SemVer) will be supported.
 This version will be indicated as the "Latest Release" on GitHub Releases. :octocat:
-## Reporting a Vulnerability ⚠️
+## ⚠️ Reporting a Vulnerability
 Use GitHub's built-in reporting mechanism for disclosure.
 Go to the repository's Security tab -> Advisories -> New draft security advisory.
+Go to the Security tab -> Report a vulnerability.