Install JavaScript dependencies in cloned source

JohT · JohT · commit 18b95c9496b0 · 2025-12-18T08:22:13.000+01:00
diff --git a/.github/workflows/public-analyze-code-graph.yml b/.github/workflows/public-analyze-code-graph.yml
@@ -203,6 +203,11 @@ jobs:
         working-directory: temp/${{ inputs.analysis-name }}
         run: ./../../scripts/cloneGitRepository.sh --url "${{ inputs.source-repository }}" --branch "${{ inputs.source-repository-branch }}" --history-only "${{ inputs.source-repository-history-only }}" --target "source/${{ inputs.analysis-name }}"
 
+      - name: (Code Analysis Setup) Install JavaScript dependencies in cloned source repository if needed
+        if: inputs.source-repository != ''
+        working-directory: temp/${{ inputs.analysis-name }}
+        run: ./../../scripts/installJavaScriptDependencies.sh
+
       - name: (Code Analysis Setup) Download artifacts for analysis
         if: inputs.artifacts-upload-name != ''
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
diff --git a/scripts/installJavaScriptDependencies.sh b/scripts/installJavaScriptDependencies.sh
@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+
+# This script triggers the installation of dependencies for JavaScript projects in the source folder.
+# It supports npm, pnpm and yarn and will skip other projects.
+
+# This script is used inside .github/workflows/public-analyze-code-graph.yml (December 2025)
+# If you want to delete all node_modules directories in the source folder, run:
+# find "./${SOURCE_DIRECTORY}" -type d -name node_modules -prune -exec rm -rf {} +
+
+# Fail on any error ("-e" = exit on first error, "-o pipefail" exist on errors within piped commands)
+set -o errexit -o pipefail
+
+# Overrideable Constants (defaults also defined in sub scripts)
+LOG_GROUP_START=${LOG_GROUP_START:-"::group::"}
+LOG_GROUP_END=${LOG_GROUP_END:-"::endgroup::"}
+SOURCE_DIRECTORY=${SOURCE_DIRECTORY:-"source"}
+
+# Local constants
+SCRIPT_NAME=$(basename "${0}")
+
+fail() {
+    local ERROR_COLOR='\033[0;31m' # red
+    local DEFAULT_COLOR='\033[0m'
+    local errorMessage="${1}"
+    echo -e "${ERROR_COLOR}${SCRIPT_NAME}: Error: ${errorMessage}${DEFAULT_COLOR}" >&2
+    exit 1
+}
+
+dry_run=false
+
+# Input Arguments: Parse the command-line arguments
+while [[ $# -gt 0 ]]; do
+    arg="$1"
+    case $arg in
+        --dry-run)
+            dry_run=true
+            shift
+            ;;
+        *)
+            fail "Unknown argument: ${arg}"
+    esac
+done
+
+if [ ! -d "./${SOURCE_DIRECTORY}" ]; then
+    fail "This script needs to run inside the analysis directory with an already existing source directory in it. Change into that directory or use ./init.sh to set up an analysis."
+fi
+
+dry_run_info=""
+if [ "${dry_run}" = true ] ; then
+    echo "${SCRIPT_NAME}: Info: Dry run mode enabled."
+    dry_run_info=" (dry run)"
+fi
+
+# Returns 0 (success) if "private": true is set in package.json, otherwise 1 (false).
+# Pass the directory of the package.json file as first argument (default=.=current directory).
+is_private_package_json() {
+  directory=${1:-.}
+  node -e "process.exit(require(require('path').resolve('${directory}/package.json')).private ? 0 : 1)"
+}
+
+# Install node package manager (npm) dependencies by finding all directories with package-lock.json files and running "npm ci" in them.
+find "./${SOURCE_DIRECTORY}" -type d -name "node_modules" -prune -o -type f -name "package-lock.json" -print | sort | while read -r lock_file; do
+    lock_file_directory=$(dirname -- "${lock_file}")
+    if is_private_package_json "${lock_file_directory}" ; then
+        echo "${SCRIPT_NAME}: Info: Skipping npm install in private package ${lock_file_directory}."
+        continue
+    fi
+    (
+        cd "${lock_file_directory}"
+        echo "${LOG_GROUP_START}$(date +'%Y-%m-%dT%H:%M:%S') Installing JavaScript dependencies with npm in ${lock_file_directory}${dry_run_info}";
+        if [ "${dry_run}" = true ] ; then
+            echo "${SCRIPT_NAME}: Info: Dry run mode - skipping npm ci in ${lock_file_directory}."
+        else
+            if ! command -v "npm" &> /dev/null ; then
+                fail "Command npm (Node Package Manager) not found. It's needed to install JavaScript dependencies."
+            fi
+            npm ci --no-scripts || true
+        fi
+        echo "${LOG_GROUP_END}";
+    )
+done
+
+# Install pnpm dependencies by finding all directories with pnpm-lock.yaml files and running "pnpm install --frozen-lockfile" in them.
+find "./${SOURCE_DIRECTORY}" -type d -name "node_modules" -prune -o -type f -name "pnpm-lock.yaml" -print | sort | while read -r lock_file; do
+    lock_file_directory=$(dirname -- "${lock_file}")
+    # Run pnpm also in private packages since they might trigger the installation of dependencies in monorepos.
+    (
+        cd "${lock_file_directory}"
+        echo "${LOG_GROUP_START}$(date +'%Y-%m-%dT%H:%M:%S') Installing JavaScript dependencies with pnpm in ${lock_file_directory}${dry_run_info}";
+        if [ "${dry_run}" = true ] ; then
+            echo "${SCRIPT_NAME}: Info: Dry run mode - skipping pnpm install in ${lock_file_directory}."
+        else
+            if ! command -v "pnpm" &> /dev/null ; then
+                fail "Command pnpm (Performant Node.js Package Manager) not found. It's needed to install JavaScript dependencies."
+            fi
+            pnpm install --frozen-lockfile --ignore-scripts || true
+        fi
+        echo "${LOG_GROUP_END}";
+    )
+done
+
+# Install yarn dependencies by finding all directories with yarn.lock files and running "yarn install --frozen-lockfile" in them.
+find "./${SOURCE_DIRECTORY}" -type d -name "node_modules" -prune -o -type f -name "yarn.lock" -print | sort | while read -r lock_file; do
+    lock_file_directory=$(dirname -- "${lock_file}")
+    if is_private_package_json "${lock_file_directory}" ; then
+        echo "${SCRIPT_NAME}: Info: Skipping yarn install in private package ${lock_file_directory}."
+        continue
+    fi
+    (
+        cd "${lock_file_directory}"
+        echo "${LOG_GROUP_START}$(date +'%Y-%m-%dT%H:%M:%S') Installing JavaScript dependencies with yarn in ${lock_file_directory}${dry_run_info}";
+        if [ "${dry_run}" = true ] ; then
+            echo "${SCRIPT_NAME}: Info: Dry run mode - skipping yarn install in ${lock_file_directory}."
+        else
+            if ! command -v "yarn" &> /dev/null ; then
+                fail "Command yarn (Yet Another Resource Negotiator) not found. It's needed to install JavaScript dependencies."
+            fi
+            yarn install --frozen-lockfile --ignore-scripts || true
+        fi
+        echo "${LOG_GROUP_END}";
+    )
+done
diff --git a/scripts/testInstallJavaScriptDependencies.sh b/scripts/testInstallJavaScriptDependencies.sh
@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+# Tests "installJavaScriptDependencies.sh".
+
+# Fail on any error ("-e" = exit on first error, "-o pipefail" exist on errors within piped commands)
+set -o errexit -o pipefail
+
+# Local constants
+SCRIPT_NAME=$(basename "${0}")
+COLOR_ERROR='\033[0;31m' # red
+COLOR_DE_EMPHASIZED='\033[0;90m' # dark gray
+COLOR_SUCCESSFUL="\033[0;32m" # green 
+COLOR_DEFAULT='\033[0m'
+
+## Get this "scripts" directory if not already set
+# Even if $BASH_SOURCE is made for Bourne-like shells it is also supported by others and therefore here the preferred solution. 
+# CDPATH reduces the scope of the cd command to potentially prevent unintended directory changes.
+# This way non-standard tools like readlink aren't needed.
+SCRIPTS_DIR=${SCRIPTS_DIR:-$( CDPATH=. cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P )} # Repository directory containing the shell scripts
+
+tearDown() {
+  # echo "${SCRIPT_NAME}: Tear down tests...."
+  rm -rf "${temporaryTestDirectory}"
+}
+
+successful() {
+  echo ""
+  echo -e "${COLOR_DE_EMPHASIZED}${SCRIPT_NAME}:${COLOR_DEFAULT} ${COLOR_SUCCESSFUL}✅ Tests finished successfully.${COLOR_DEFAULT}"
+  tearDown
+}
+
+info() {
+  local infoMessage="${1}"
+  echo -e "${COLOR_DE_EMPHASIZED}${SCRIPT_NAME}:${COLOR_DEFAULT} ${infoMessage}"
+}
+
+fail() {
+  local errorMessage="${1}"
+  echo -e "${COLOR_DE_EMPHASIZED}${SCRIPT_NAME}: ${COLOR_ERROR}${errorMessage}${COLOR_DEFAULT}"
+  tearDown
+  return 1
+}
+
+printTestLogFileContent() {
+  local logFileContent
+  logFileContent=$( cat "${temporaryTestDirectory}/${SCRIPT_NAME}-${test_case_number}.log" )
+  # Remove color codes from the output for better readability in test logs
+  logFileContent=$(echo -e "${logFileContent}" | sed -r "s/\x1B\[[0-9;]*[mK]//g")
+  echo -e "${COLOR_DE_EMPHASIZED}${logFileContent}${COLOR_DEFAULT}"
+}
+
+installJavaScriptDependenciesExpectingSuccessUnderTest() {
+  local COLOR_DE_EMPHASIZED='\033[0;90m' # dark gray
+  ( 
+    cd "${temporaryTestDirectory}"; 
+    source "${SCRIPTS_DIR}/installJavaScriptDependencies.sh" "$@" >"${temporaryTestDirectory}/${SCRIPT_NAME}-${test_case_number}.log" 2>&1
+  )
+  exitCode=$?
+  if [ ${exitCode} -ne 0 ]; then
+    fail "❌ Test failed: Script exited with non-zero exit code ${exitCode}."
+  fi
+  printTestLogFileContent
+}
+
+installJavaScriptDependenciesExpectingFailureUnderTest() {
+  set +o errexit
+  (
+    cd "${temporaryTestDirectory}"; 
+    source "${SCRIPTS_DIR}/installJavaScriptDependencies.sh" "$@" >"${temporaryTestDirectory}/${SCRIPT_NAME}-${test_case_number}.log" 2>&1
+    exitCode=$?
+    if [ ${exitCode} -eq 0 ]; then
+      fail "❌ Test failed: Script exited with zero exit code but was expected to fail."
+    fi
+  )
+  set -o errexit
+  printTestLogFileContent
+}
+
+info "Starting tests...."
+
+# Create testing resources
+temporaryTestDirectory=$(mktemp -d 2>/dev/null || mktemp -d -t "temporaryTestDirectory_${SCRIPT_NAME}")
+mkdir -p "${temporaryTestDirectory}/source"
+
+# ------- Unit Test Case
+test_case_number=1
+echo ""
+info "${test_case_number}.) Should do nothing if the source folder is empty (dry-run)."
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+echo "${result}"
+if [[ "${result}" == *"Installing"* ]]; then
+  fail "❌ Test failed: Expected no installation attempts, but some were found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=2
+echo ""
+info "${test_case_number}.) Should do nothing when the source folder contains no JavaScript projects (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/non-javascript-project"
+echo "This is a text file." > "${temporaryTestDirectory}/source/non-javascript-project/README.md"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ "${result}" == *"Installing"* ]]; then
+  fail "❌ Test failed: Expected no installation attempts, but some were found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=3
+echo ""
+info "${test_case_number}.) Should do nothing when the source folder contains a private npm project (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/private-npm-project"
+echo "{ \"name\": \"private-npm-project\" }" > "${temporaryTestDirectory}/source/private-npm-project/package-lock.json"
+echo "{ \"name\": \"private-npm-project\", \"private\": true }" > "${temporaryTestDirectory}/source/private-npm-project/package.json"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ "${result}" == *"Installing"* ]]; then
+  fail "❌ Test failed: Expected no installation attempts, but some were found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=4
+echo ""
+info "${test_case_number}.) Should do nothing when the source folder contains a private yarn project (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/private-yarn-project"
+echo "{ \"name\": \"private-yarn-project\" }" > "${temporaryTestDirectory}/source/private-yarn-project/package-lock.json"
+echo "{ \"name\": \"private-yarn-project\", \"private\": true }" > "${temporaryTestDirectory}/source/private-yarn-project/package.json"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ "${result}" == *"Installing"* ]]; then
+  fail "❌ Test failed: Expected no installation attempts, but some were found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=5
+echo ""
+info "${test_case_number}.) Should install npm dependencies for a npm project (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/npm-project"
+echo "{ \"name\": \"npm-project\" }" > "${temporaryTestDirectory}/source/npm-project/package-lock.json"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ ! "${result}" == *"Installing JavaScript dependencies with npm in"* ]]; then
+  fail "❌ Test failed: Expected npm installation attempt, but none was found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=6
+echo ""
+info "${test_case_number}.) Should install pnpm dependencies for a pnpm project (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/pnpm-project"
+echo "name: pnpm-project" > "${temporaryTestDirectory}/source/pnpm-project/pnpm-lock.yaml"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ ! "${result}" == *"Installing JavaScript dependencies with pnpm in"* ]]; then
+  fail "❌ Test failed: Expected pnpm installation attempt, but none was found:\n${result}"
+fi
+
+# ------- Unit Test Case
+test_case_number=7
+echo ""
+info "${test_case_number}.) Should install yarn dependencies for a yarn project (dry-run)."
+mkdir -p "${temporaryTestDirectory}/source/yarn-project"
+echo "name: yarn-project" > "${temporaryTestDirectory}/source/yarn-project/yarn.lock"
+result=$(installJavaScriptDependenciesExpectingSuccessUnderTest "--dry-run")
+if [[ ! "${result}" == *"Installing JavaScript dependencies with yarn in"* ]]; then
+  fail "❌ Test failed: Expected yarn installation attempt, but none was found:\n${result}"
+fi
+
+successful
+return 0
