Split lint into check and build, switch from npm install to npm ci
#315
Conversation
|
yay... lint and build each only take 14 sec. |
| npm install | ||
| # ci: install exact versions from package-lock.json | ||
| # fast, secure, predictable compared to npm install | ||
| npm ci |
There was a problem hiding this comment.
Should we test both then... npm ci and npm install ?
Or is there no point 🙃 ?
There was a problem hiding this comment.
well, there is no point in doing so... the package-lock.json is basically the solved result of npm install and contains all dependencies + transitive dependencies and their sha512 checksums.... but npm is not the subject under test here... we want to get all the dependencies + dev dependencies installed in a predictable+secure way (the hashes are verified) to then run linters / build checks... thats exactly what npm ci exists for ... dependabot keeps the package.json + package-json.lock updated / in sync for us.
|
Awesome, thanks for working on this 🚀 |
This splits the lint flow into two jobs:
npm run check, which can just reveal some unrelated formatting changes missing. Those findings still have to be fixed, but in most cases have no consequences in regards to if the example workflow runs are all valid or not.npm run buildand checking if there are no updates = all updates in the ./dist folder are committed... If this job fails, then all the examples runs have to be taken with a grain of salt, as they run agains an outdated ./dist folder, thus being invalid!This information was previously not visible / masked as mostly
npm run checkfailed and preventednpm run buildfrom running ... it was then unclear, if that has consequences to the ncc compiled stuff in ./dist or not.Also switching
npm installtonpm cito install the exact versions from package-lock.json (managed by dependabot). This is faster, more secure and 100% predictable. Thus removing the cron triggers as those won't find anything new.