Avoid packaging yarn.lock

code-asher · code-asher · commit 4e7787422f95 · 2023-09-21T17:45:48.000-08:00
Since the shrinkwrap is what we want everything to use.
diff --git a/ci/build/build-release.sh b/ci/build/build-release.sh
@@ -56,7 +56,6 @@ bundle_code_server() {
   }
 EOF
   ) > "$RELEASE_PATH/package.json"
-  rsync yarn.lock "$RELEASE_PATH"
   mv npm-shrinkwrap.json "$RELEASE_PATH"
 
   rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
@@ -106,34 +105,41 @@ bundle_vscode() {
 }
 
 create_shrinkwraps() {
-  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
-  # not packaged when publishing to the NPM registry.
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
-  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
-  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
-  # These will include devDependencies, but those will be ignored when installing globally (for code-server), and
-  # because we use --omit=dev when installing vscode.
-
-  # We first generate the shrinkwrap file for code-server itself - which is the current directory
-  create_shrinkwrap_keeping_yarn_lock
+  # yarn.lock or package-lock.json files (used to ensure deterministic versions
+  # of dependencies) are not packaged when publishing to the NPM registry.
+
+  # To ensure deterministic dependency versions (even when code-server is
+  # installed with NPM), we create an npm-shrinkwrap.json file from the
+  # currently installed node_modules. This ensures the versions used from
+  # development (that the yarn.lock guarantees) are also the ones installed by
+  # end-users.  These will include devDependencies, but those will be ignored
+  # when installing globally (for code-server), and because we use --omit=dev
+  # when installing vscode.
+
+  # We also remove the yarn.lock files once we have done this even though they
+  # are ignored by NPM on publish because we use the artifact uploaded to CI
+  # (which would still include the yarn.lock) to generate the standalone builds
+  # and we want to make sure we are not using yarn accidentally.
+
+  # We first generate the shrinkwrap file for code-server itself---which is the
+  # current directory.
+  create_shrinkwrap
 
   # Then the shrinkwrap files for the bundled VSCode
   pushd "$VSCODE_SRC_PATH/remote/"
-  create_shrinkwrap_keeping_yarn_lock
+  create_shrinkwrap
   popd
 
   pushd "$VSCODE_SRC_PATH/extensions/"
-  create_shrinkwrap_keeping_yarn_lock
+  create_shrinkwrap
   popd
 }
 
-create_shrinkwrap_keeping_yarn_lock() {
-  # HACK@edvincent: Generating a shrinkwrap alters the yarn.lock which we don't want (with NPM URLs rather than the Yarn URLs)
-  # But to generate a valid shrinkwrap, it has to exist... So we copy it to then restore it
-  cp yarn.lock yarn.lock.temp
+create_shrinkwrap() {
   npm shrinkwrap
-  cp yarn.lock.temp yarn.lock
-  rm yarn.lock.temp
+  # Note that npm shrinkwrap alters the yarn.lock, but we are not going to keep
+  # it anyway.
+  rm yarn.lock
 }
 
 main "$@"
