feat(install-dynamic-plugins): cli-module variant (alternative to #3246)#3254
Open
gustavolira wants to merge 7 commits into
Open
feat(install-dynamic-plugins): cli-module variant (alternative to #3246)#3254gustavolira wants to merge 7 commits into
gustavolira wants to merge 7 commits into
Conversation
Migrates scripts/install-dynamic-plugins/ from redhat-developer/rhdh#4574 into this repo as @red-hat-developer-hub/install-dynamic-plugins so it can be published to npm and consumed by the RHDH init-container without curl-by-SHA. Runtime contract (CLI args, env vars, plugin-hash format, on-disk layout, tar/OCI security guards) preserved verbatim. Build remains a single self-contained .cjs via esbuild. Tests migrated from vitest to jest to align with the repo's backstage-cli pipeline (14 suites / 166 tests pass). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add bin/install-dynamic-plugins shim and have package.json bin point at it (matches the convention used by extensions-cli, translations-cli, and rhdh-repo-tools). Split src/cli.ts as the esbuild entry so the bundle no longer needs the require.main guard or a shebang banner. - Stop committing dist/install-dynamic-plugins.cjs; the release pipeline rebuilds via the customBuild path, and a new prepack script makes yarn npm publish self-healing for local runs. - Drop the .js suffix from relative imports across src/ so the package matches the rest of the repo and the jest moduleNameMapper workaround is no longer needed. - Consolidate the tsconfigs: the inner package extends the workspace tsconfig and only declares what differs. - Add why-it's-intentional comments to the two eslint-disable lines (PullPolicy const+type pair, tar.x filter inside a sequential loop). - README now leads with the npm/npx usage path; the RHDH init-container section is below. tar/yaml stay in dependencies (not devDependencies as the review suggested) — @backstage/no-undeclared-imports flagged the source imports, and the repo convention treats bundling as opaque. 166/166 tests pass, tsc/lint/prettier clean, bin shim and bundle both exit 0 on the empty-config smoke run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The CI step "check api reports and generate API reference" runs
`backstage-repo-tools api-reports --ci` before the build, and that tool
requires the bin file to introspect the CLI. The previous shim did a
plain `require('../dist/install-dynamic-plugins.cjs')`, which failed
under CI because dist/ is no longer committed and the build hasn't run
yet.
- Switch the bin shim to the local-vs-installed pattern used by every
other CLI in the repo (extensions-cli, translations-cli,
rhdh-repo-tools): when `src/` exists (monorepo), load TS directly via
`@backstage/cli/config/nodeTransform`; otherwise require the built
bundle (npm-installed scenario).
- Add `--help` / `-h` handling to main() so the api-reports tool can
introspect the CLI usage without creating a stray `--help/` directory.
- Commit the generated `cli-report.md`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Use String.raw for strings containing backslash literals so the source
reads with one '\' instead of '\\\\' (catalog-index.ts log message,
extra-catalog-index.test.ts subdirectory fixtures, skopeo.test.ts shell
escape).
- Switch the OCI regex builder to a joined string array — eliminates the
nested template literals SonarCloud was flagging on oci-key.ts (and
reads much better).
- Object.prototype.hasOwnProperty.call -> Object.hasOwn in
merger.test.ts (ES2022, available since Node 16.9).
- String#replace(/'/g, ...) -> String#replaceAll("'", ...) in
skopeo.test.ts (ES2021).
- Hoist test helpers (stageLayer, fakeImageCache) out of their describe
blocks so they aren't re-defined on every test.
- Drop the redundant parseMaxEntrySize(undefined) call in types.test.ts —
the parameter already defaults to process.env.MAX_ENTRY_SIZE.
166/166 tests still pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switches the hand-rolled `process.argv` + USAGE-string handling in main() to `cleye` — the same parser every `@backstage/cli-module-*` package uses (already in our transitive deps). Aligns with the Backstage CLI convention requested during PR review. Existing surface preserved: - positional `<dynamic-plugins-root>` (required, exit 1 if absent) - `--help` / `-h` prints usage and exits 0 - normal run still exits with the installer's status code Bundle grew from 226 kB -> 267 kB (cleye + type-flag minified). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Alternative to redhat-developer#3246 — packages the installer as a Backstage CLI module per review feedback, so it integrates natively with backstage-cli. - Rename to @red-hat-developer-hub/cli-module-install-dynamic-plugins, backstage.role: cli-module. - src/module.ts exports createCliModule registering an `install` command; src/command.ts loads it; src/cli.ts (esbuild entry) runs it via runCliModule. main() now takes explicit argv from the command context. - @backstage/cli-node added as a dependency; cleye is still the argv parser inside the command (same as @backstage/cli-module-lint). Tradeoffs vs redhat-developer#3246: - CLI surface gains an `install` subcommand: `install-dynamic-plugins install <root>` (wrapper + README updated). - Bundle grows 267 KB -> 1.45 MB (~5.4x) from inlining cli-node + deps. - @backstage/cli-node pulls in keytar (native .node). esbuild can't bundle native binaries, so keytar is aliased to no-ops at build time (esbuild-keytar-stub.cjs). Safe today since install never touches credentials, but it's load-bearing on cli-node not lazy-loading keytar elsewhere. 166/166 tests pass; tsc, lint, prettier, api-reports clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review by Qodo
1. Arch forced to amd64
|
Contributor
|
This pull request adds a new top-level directory under |
|
Important This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior. Changed Packages
|
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #3254 +/- ##
==========================================
+ Coverage 53.23% 53.37% +0.13%
==========================================
Files 2413 2436 +23
Lines 86358 87399 +1041
Branches 23897 24154 +257
==========================================
+ Hits 45975 46647 +672
- Misses 40049 40418 +369
Partials 334 334
*This pull request uses carry forward flags. Click here to find out more. Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
Review Summary by QodoImplement install-dynamic-plugins as Backstage CLI module with OCI/NPM plugin support and security hardening
WalkthroughsDescription• Implements @red-hat-developer-hub/cli-module-install-dynamic-plugins as a Backstage CLI module (backstage.role: cli-module) for native integration with backstage-cli discovery • Restructures the installer from a standalone CLI to use @backstage/cli-node's createCliModule pattern, registering an install subcommand • Core installation orchestration: loads and merges dynamic plugin configurations from YAML, categorizes plugins (OCI, NPM, skipped), and installs concurrently with worker pooling • Security hardening: implements path-traversal validation, zip-bomb detection, symlink containment, prototype-pollution protection, and SRI integrity verification for NPM packages • OCI plugin support: extracts plugins from OCI images with hash-based change detection, implements pull policies (IfNotPresent, Always), and registry fallback logic (registry.access.redhat.com → quay.io) • NPM plugin support: orchestrates npm pack with integrity verification and secure tarball extraction • Concurrency control: implements Semaphore class and mapConcurrent() for bounded parallel execution with adaptive worker counts • Exclusive locking: prevents concurrent installs via lock file with polling and timeout (default 10 min) • Comprehensive test coverage: 166 tests validating security checks, configuration merging, OCI/NPM parsing, hash computation, and error handling • Trade-off vs alternative #3246: ~5.4x larger bundle (1.45 MB vs 267 KB) due to @backstage/cli-node dependency, adds keytar native dependency (stubbed at build time), but gains native CLI discovery and follows Backstage CLI module convention Diagramflowchart LR
A["CLI Entry<br/>cli.ts"] -->|runCliModule| B["Module Registration<br/>module.ts"]
B -->|createCliModule| C["Command Handler<br/>command.ts"]
C -->|main argv| D["Config Loading<br/>index.ts"]
D -->|merge configs| E["Plugin Merger<br/>merger.ts"]
E -->|categorize| F["OCI Installer<br/>installer-oci.ts"]
E -->|categorize| G["NPM Installer<br/>installer-npm.ts"]
F -->|extract| H["Tar Extraction<br/>tar-extract.ts"]
G -->|verify| I["Integrity Check<br/>integrity.ts"]
H -->|security| J["Path Validation<br/>util.ts"]
I -->|security| J
F -->|image ops| K["Skopeo Wrapper<br/>skopeo.ts"]
G -->|package ops| L["NPM Pack<br/>installer-npm.ts"]
D -->|finalize| M["Lock & Cleanup<br/>lock-file.ts"]
File Changes1. workspaces/install-dynamic-plugins/packages/install-dynamic-plugins/src/index.ts
|
rhdh-qodo-merge
Bot
added
documentation
- bin: switch to object form so the installed command stays `install-dynamic-plugins`. With the string form, npm derived the command name from the renamed scoped package (cli-module-install-dynamic-plugins), contradicting the README, runCliModule name, and the shell wrapper. - keytar stub now throws on every method instead of silently returning null. Install never touches credentials, so a throw only fires if a future @backstage/cli-node release reaches keytar in our path — better a loud failure in CI than a silent wrong credential in an init-container. - Thread the command's `info.usage` into the inner cleye parser so `install-dynamic-plugins install --help` prints the real invocation (`install-dynamic-plugins install <dynamic-plugins-root>`) instead of dropping the subcommand. - main() now requires explicit args (the process.argv default was unreachable in the cli-module path). 166/166 tests pass; tsc, lint, prettier, api-reports clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Alternative to #3246, opened so the trade-offs are reviewable side by side (cc @schultzp2020).
#3246 ships the installer as a standalone CLI (
backstage.role: cli) that goes through backstage-cli'scustomBuildescape hatch. This PR restructures it as a Backstage CLI module (backstage.role: cli-module,@backstage/cli-node'screateCliModule), per review feedback, so it integrates natively withbackstage-clidiscovery.Both keep cleye as the argv parser and both produce a single bundled
.cjsfor the RHDH init-container.What changed vs #3246
@red-hat-developer-hub/cli-module-install-dynamic-plugins,backstage.role: cli-module.src/module.ts→createCliModuleregistering aninstallcommand;src/command.tsloads it;src/cli.ts(esbuild entry) runs it viarunCliModule.main()now takes explicit argv from the command context.@backstage/cli-nodeadded as a dependency. cleye stays as the in-command parser (same as@backstage/cli-module-lint).Trade-offs to weigh
role: cli)role: cli-module)install-dynamic-plugins <root>install-dynamic-plugins install <root>(adds subcommand)@backstage/cli-nodepulls in keytar (native.node)The keytar caveat
@backstage/cli-nodedepends onkeytar(a native credential store, for@backstage/cli-module-auth). esbuild can't bundle.nodebinaries into a single file, so this PR aliases keytar to no-ops at build time (esbuild-keytar-stub.cjs). The install command never touches credentials, so it's safe today — but it's load-bearing on cli-node never lazy-loading keytar in a path our command hits. If a future cli-node release changes that, the init-container would break.Test plan
yarn tsc/lint/prettier:check/build:api-reports:only --cicleaninstall-dynamic-plugins install <dir>exits 0 on an empty configRecommendation
Both work. #3246 is leaner and keeps the init-container artifact small with no native-dep gymnastics; this PR aligns with the cli-module convention at the cost of ~5x bundle size and a keytar stub. Posting both so the maintainers can pick the direction.
🤖 Generated with Claude Code