Problem
As part of my GSoC project, Plugin Ecosystem Security, we are transitioning away from the public NPM registry to our own dedicated Joplin plugin publish ecosystem, so we need a way to ensure plugins are actually ready before a developer hits publish. Right now, there isn't any standardized local validation, which makes it easy to accidentally submit broken code or incomplete manifests, creating noise for the CI and human reviewers.
Solution
The proposed solution is to add foundational CLI validation scripts right into the generator-joplin template. The idea is that when a developer runs the publish command, the script will first verify that the codebase compiles cleanly and that the manifest contains required metadata like a "valid SemVer" and "GitHub repository URL". If they forgot the URL, the CLI can just pause and ask them for it interactively rather than just failing.
We also need to enforce that the working directory is clean and their local commit perfectly matches the remote origin code on GitHub. This will prevent anyone from publishing uncommitted or unpushed code that reviewers cannot see.
To make this happen, we will add enquirer for the terminal prompts, semver for version checking, and ts-node to run the scripts smoothly.
(This is just a part of the whole GSoC project workflow)
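A sketch of the manifest and Git checks described above, added here as an illustration and not taken from the proposal or from generator-joplin. The function names, the `repository_url` field name and the injected `git` runner (which a real script would back with `child_process`) are assumptions, and the semver.org regex stands in for the `semver` package so the block has no dependencies.

```typescript
// Added example; every name here is hypothetical, not from generator-joplin.
type Manifest = { version?: string; repository_url?: string }; // field names assumed
type Git = (args: string[]) => string; // runs `git <args>` and returns stdout

// SemVer 2.0.0 pattern published on semver.org, standing in for the `semver` package.
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
// Anchored so that lookalike hosts and non-HTTPS schemes are rejected.
const GITHUB_REPO = /^https:\/\/github\.com\/[\w.-]+\/[\w.-]+\/?$/;

function validateManifest(m: Manifest): string[] {
  const errors: string[] = [];
  if (!m.version || !SEMVER.test(m.version)) errors.push("version is not valid SemVer");
  // A missing URL is the case where the CLI would prompt instead of failing.
  if (!m.repository_url) errors.push("repository_url is missing");
  else if (!GITHUB_REPO.test(m.repository_url)) errors.push("repository_url is not a GitHub repository URL");
  return errors;
}

function checkGitState(git: Git): string[] {
  if (git(["status", "--porcelain"]).trim() !== "") return ["working directory has uncommitted changes"];
  const branch = git(["rev-parse", "--abbrev-ref", "HEAD"]).trim();
  if (branch === "HEAD") return ["detached HEAD: check out a branch before publishing"];
  const local = git(["rev-parse", "HEAD"]).trim();
  // Ask the remote itself; a local origin/<branch> ref can be stale.
  const out = git(["ls-remote", "origin", `refs/heads/${branch}`]);
  const remote = (out.split("\t")[0] ?? "").trim();
  if (remote !== local) return [`HEAD ${local} is not the tip of origin/${branch}`];
  return [];
}

// Constructed git output for the demo (not captured from a real repository).
const SHA = "1111111111111111111111111111111111111111";
function fakeGit(remoteSha: string, status = ""): Git {
  return (args) => {
    const cmd = args.join(" ");
    if (cmd === "status --porcelain") return status;
    if (cmd === "rev-parse --abbrev-ref HEAD") return "main\n";
    if (cmd === "rev-parse HEAD") return SHA + "\n";
    return remoteSha ? `${remoteSha}\trefs/heads/main\n` : ""; // ls-remote
  };
}
console.log(validateManifest({ version: "1.0", repository_url: "https://github.com/example/plugin" }));
console.log(checkGitState(fakeGit(SHA)));
```

Querying the remote with `ls-remote` avoids relying on a remote-tracking ref that has not been fetched recently, and an unpushed branch shows up as an empty result that fails the comparison.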