build: drop docker-bake in favor of plain npm (#551)

* build: drop docker-bake in favor of plain npm Every TypeScript action maintained by actions/* (checkout, setup-node, setup-go, cache, upload-artifact) uses plain npm scripts. The bake setup is a docker/* org convention and adds friction for TS work: contributors need Docker, the dev loop is ~10x slower than npm, and Alpine-vs-host byte drift in dist/index.js makes PRs bounce. Replace with the standard pattern: - .node-version pins Node 24 so contributors and CI agree - npm scripts (build, lint, format, test, pre-checkin) replace bake targets one-for-one - validate.yml runs lint + a check-dist diff (mirrors actions/setup-node) and a vendor check that npm install --package-lock-only is a no-op - test.yml uses setup-node + sigstore/cosign-installer, drops bake-action - dependabot-build.yml regenerates dist via npm instead of bake CONTRIBUTING.md and README development section updated to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * build: align scripts and workflows with actions/* convention Match the standard layout used by actions/checkout, actions/setup-node, etc.: - package.json scripts: split format/format-check (Prettier) from lint/lint:fix (ESLint), and have pre-checkin run all four (format, lint:fix, build, test) in that order. - validate.yml lint job runs format-check + lint as separate steps. - test.yml drops the redundant --coverage flag (now in the test script). - Drop dependabot-build.yml: actions/* don't auto-rebuild dist on dependabot PRs; the check-dist style validate / build job catches drift and a maintainer rebuilds locally if needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-29 22:37:30 +00:00 · 2026-04-18 15:22:23 -03:00
parent 213ec80f56
commit 4068afa2f0
9 changed files with 129 additions and 267 deletions
@@ -1,78 +1,63 @@
 # Contributing

-Thanks for your interest in contributing! This document covers the development
-workflow needed to get a change ready to commit and push.
+Thanks for your interest in contributing!

 ## Prerequisites

- [Docker](https://docs.docker.com/get-docker/) with [Buildx](https://docs.docker.com/buildx/working-with-buildx/)
- Git
+- [Node.js](https://nodejs.org/) — version pinned in [`.node-version`](./.node-version).
+  Tools like [`nvm`](https://github.com/nvm-sh/nvm), [`fnm`](https://github.com/Schniz/fnm),
+  [`asdf`](https://asdf-vm.com/), or [`mise`](https://mise.jdx.dev/) read this file
+  automatically.
+- [`cosign`](https://docs.sigstore.dev/cosign/installation/) — only required if you
+  want to run the signature-verification integration tests locally.

-That's it. Everything else (Node, npm, linters, the test environment) runs
-inside containers driven by `docker buildx bake`.
+## Setup
+
+```sh
+npm ci
+```

 ## Pre-commit checklist

-Run these commands, in order, before committing any change to `src/`,
-`__tests__/`, `package.json`, `package-lock.json`, or `action.yml`:
+Before committing changes to `src/`, `__tests__/`, `package.json`,
+`package-lock.json`, or `action.yml`:

 ```sh
-# 1. Format source, refresh node_modules, regenerate dist/index.js
-docker buildx bake pre-checkin
-
-# 2. Run the test suite (unit + integration; needs network for release downloads)
-docker buildx bake test
-
-# 3. Validate that everything is committed and reproducible
-docker buildx bake validate
+npm run pre-checkin
 ```

-`validate` is what CI runs. If it passes locally, your PR will pass the
-`validate` job too.
+That runs `format` + `build` + `test` — the same checks CI runs.

-### Why `pre-checkin` matters
+Then commit `dist/` along with your source changes; the action runtime loads
+`dist/index.js` directly, so it must stay in sync.

-The repository ships the compiled action as `dist/index.js`. CI's
-`build-validate` target rebuilds it inside an Alpine container and fails if the
-checked-in bytes don't match. **You must commit the `dist/` output produced by
-`docker buildx bake pre-checkin`** — running `npm run build` on macOS or a
-non-Alpine host produces slightly different bytes and `validate` will reject
-the PR.
+If CI's `validate / build` job fails because `dist/` differs from a fresh
+build, just download the `dist` artifact from the failed run and commit it —
+or rerun `npm run build` locally with the Node version in `.node-version`.

-If you forget and CI complains about a `dist/` diff, just run:
+## npm scripts

-```sh
-docker buildx bake build
-git add dist/
-git commit --amend --no-edit
-git push --force-with-lease
-```
-
-## Available bake targets
-
-| Target          | Purpose                                             |
-| --------------- | --------------------------------------------------- |
-| `build`         | Regenerate `dist/index.js` only                     |
-| `format`        | Run Prettier on `src/` and `__tests__/`             |
-| `vendor`        | Refresh `node_modules` / `package-lock.json`        |
-| `pre-checkin`   | `vendor` + `format` + `build` (run before commits)  |
-| `lint`          | Prettier check + ESLint                             |
-| `build-validate`| Verify `dist/index.js` matches a fresh build        |
-| `vendor-validate`| Verify `package-lock.json` is in sync               |
-| `validate`      | `lint` + `build-validate` + `vendor-validate`       |
-| `test`          | Run Jest with coverage in an Alpine container       |
+| Script              | Purpose                                          |
+| ------------------- | ------------------------------------------------ |
+| `npm run build`     | Bundle `src/` to `dist/index.js` via `ncc`       |
+| `npm run format`    | Run Prettier (write)                             |
+| `npm run format-check` | Run Prettier (check only, used in CI)         |
+| `npm run lint`      | Run ESLint (check only, used in CI)              |
+| `npm run lint:fix`  | Run ESLint with `--fix`                          |
+| `npm test`          | Run Jest with coverage                           |
+| `npm run pre-checkin` | `format` + `lint:fix` + `build` + `test`       |

 ## Tests

-`docker buildx bake test` runs the full Jest suite, including integration
-tests that:
+`npm test` runs the full Jest suite, including integration tests that:

 - Download real GoReleaser releases from GitHub
 - Verify `checksums.txt` against the downloaded archive
- Verify the cosign sigstore bundle (`cosign` is installed in the test image)
+- Verify the cosign sigstore bundle (skipped if `cosign` isn't on `PATH`,
+  but the CI image always has it installed)

-These need outbound network access. If you're behind a restrictive proxy or
-offline, those tests will fail — that's expected.
+These need outbound network access. Offline / restrictive-proxy runs will
+have those tests fail — that's expected.

 ## Commit messages

@@ -82,7 +67,7 @@ Use [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`,
 ## Pull requests

 - Target `master`.
- Make sure `docker buildx bake validate` and `docker buildx bake test` pass.
+- Make sure `npm run pre-checkin` passes.
 - One logical change per PR is easier to review.
 - The `signing` CI job and `goreleaser-pro` matrix entries are skipped on PRs
  from forks because they need repository secrets — that's expected and not