Add published distinction

Author: pvdz

.config/rollup.dist.config.mjs

@@ -29,6 +29,7 @@ import {
   isBuiltin,
   normalizeId
 } from '../scripts/utils/packages.js'
+import { envAsBoolean } from '@socketsecurity/registry/lib/env'
 
 const {
   BABEL_RUNTIME,
@@ -55,6 +56,10 @@ const editablePkgJson = readPackageJsonSync(rootPath, { editable: true })
 
 const processEnvTapRegExp =
   /\bprocess\.env(?:\.TAP|\[['"]TAP['"]\])(\s*\?[^:]+:\s*)?/g
+const processEnvSocketIsPublishedRegExp =
+  /\bprocess\.env(?:\.SOCKET_IS_PUBLISHED|\[['"]SOCKET_IS_PUBLISHED['"]\])/g
+const processEnvSocketCliVersionRegExp =
+  /\bprocess\.env(?:\.SOCKET_CLI_VERSION|\[['"]SOCKET_CLI_VERSION['"]\])/g
 
 function createStubCode(relFilepath) {
   return `'use strict'\n\nmodule.exports = require('${relFilepath}')\n`
@@ -147,6 +152,7 @@ function versionBanner(_chunk) {
     var SOCKET_CLI_GIT_HASH = "${gitHash}"
     var SOCKET_CLI_BUILD_RNG = "${rng}"
     var SOCKET_CLI_VERSION = "${pkgJsonVersion}:${gitHash}:${rng}"
+    var SOCKET_PUB = ${envAsBoolean(process.env['SOCKET_IS_PUBLISHED'])}
   `.trim().split('\n').map(s => s.trim()).join('\n')
 }
 
@@ -231,6 +237,19 @@ export default () => {
         find: processEnvTapRegExp,
         replace: (_match, ternary) => (ternary ? '' : 'false')
       }),
+      // Replace `process.env.SOCKET_IS_PUBLISHED` with a boolean
+      socketModifyPlugin({
+        find: processEnvSocketIsPublishedRegExp,
+        // Note: these are going to be bools in JS, not strings
+        replace: () => (envAsBoolean(process.env['SOCKET_IS_PUBLISHED']) ? 'true' : 'false')
+      }),
+      // Replace `process.env.SOCKET_CLI_VERSION` with var ref that rollup
+      // adds to the top of each file.
+      socketModifyPlugin({
+        find: processEnvSocketCliVersionRegExp,
+        replace: 'SOCKET_CLI_VERSION'
+      }),
+
       {
         generateBundle(_options, bundle) {
           for (const basename of Object.keys(bundle)) {

.github/workflows/provenance.yml

@@ -21,7 +21,7 @@ jobs:
           scope: "@socketsecurity"
       - run: npm install -g npm@latest
       - run: npm ci
-      - run: npm run build:dist
+      - run: SOCKET_IS_PUBLISHED=1 npm run build:dist
       - run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

src/constants.ts

@@ -57,6 +57,7 @@ type Constants = Omit<
   readonly ENV: ENV
   readonly DIST_TYPE: 'module-sync' | 'require'
   readonly IPC: IPC
+  readonly IS_PUBLISHED: boolean
   readonly LOCK_EXT: '.lock'
   readonly MODULE_SYNC: 'module-sync'
   readonly NPM_REGISTRY_URL: 'https://registry.npmjs.org'
@@ -95,6 +96,7 @@ const BUN = 'bun'
 const CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER =
   'firstPatchedVersionIdentifier'
 const CVE_ALERT_PROPS_VULNERABLE_VERSION_RANGE = 'vulnerableVersionRange'
+const IS_PUBLISHED = process.env['SOCKET_IS_PUBLISHED']
 const LOCK_EXT = '.lock'
 const MODULE_SYNC = 'module-sync'
 const NPM_REGISTRY_URL = 'https://registry.npmjs.org'
@@ -178,6 +180,7 @@ const constants = <Constants>createConstantsObject(
     // Lazily defined values are initialized as `undefined` to keep their key order.
     DIST_TYPE: undefined,
     ENV: undefined,
+    IS_PUBLISHED,
     LOCK_EXT,
     MODULE_SYNC,
     NPM_REGISTRY_URL,

src/utils/initialize-sentry.ts

@@ -4,35 +4,39 @@
 // ```
 // (no "from"; this doesn't export anything). That will setup the error hooks.
 
+// Note: KEEP DEPS HERE TO A MINIMUM. Sentry should be first thing to run.
 import * as Sentry from '@sentry/node'
 
-const ENABLE_SENTRY = !(process.env['SOCKET_CLI_SENTRY'] === '0')
-const debugging = process.env['SOCKET_CLI_DEBUG'] === '1'
+// Rollup will inline this as true/false
+const IS_PUB = process.env['SOCKET_IS_PUBLISHED']
+const ENABLE_SENTRY =
+  // Enable unless explicitly disabled
+  (IS_PUB && process.env['SOCKET_ENABLE_SENTRY'] !== '0') ||
+  // Disable unless explicitly enabled
+  (!IS_PUB && process.env['SOCKET_ENABLE_SENTRY'] === '1')
 
-// Note: this should not change the value if set from rollup but if somehow
-// running raw sources, at least it won't cause a runtime error (implicit global)
-// See rollup config.
-// DO NOT ADD INITIALIZER TO THIS VAR!
-// @ts-ignore
-var SOCKET_CLI_VERSION
+const debugging = process.env['SOCKET_CLI_DEBUG'] === '1'
 
 if (ENABLE_SENTRY) {
   if (debugging) {
     console.log('[DEBUG] Setting up Sentry...')
   }
   Sentry.init({
     // debug: true,
-    // onFatalError(error: Error) {
-    //   console.log('[Sentry onFatalError]: oops', error)
-    // },
+    onFatalError(error: Error) {
+      if (debugging) {
+        console.error('[DEBUG] [Sentry onFatalError]:', error)
+      }
+    },
     enabled: ENABLE_SENTRY,
 
     dsn: 'https://66736701db8e4ffac046bd09fa6aaced@o555220.ingest.us.sentry.io/4508846967619585',
     integrations: []
   })
   Sentry.setTag('environment', 'dev') // TBD: how to determine this?
-  Sentry.setTag('version', SOCKET_CLI_VERSION) // Generated by rollup
+  Sentry.setTag('version', process.env['SOCKET_CLI_VERSION']) // Generated by rollup
   Sentry.setTag('debugging', debugging)
+  Sentry.setTag('published', IS_PUB)
 
   if (debugging) {
     console.log('[DEBUG] Set up Sentry.')