Merge remote-tracking branch 'origin/main' into fix/52262

Author: Andarist

.eslintrc.json

@@ -11,7 +11,7 @@
         "es6": true
     },
     "plugins": [
-        "@typescript-eslint", "no-null", "import", "eslint-plugin-local"
+        "@typescript-eslint", "no-null", "import", "eslint-plugin-local", "simple-import-sort"
     ],
     "ignorePatterns": [
         "**/node_modules/**",
@@ -25,11 +25,8 @@
         "/coverage/**"
     ],
     "rules": {
-        "sort-imports": ["error", {
-            "ignoreCase": true,
-            "ignoreDeclarationSort": true,
-            "allowSeparatedGroups": true
-        }],
+        "simple-import-sort/imports": "error",
+        "simple-import-sort/exports": "error",
 
         "@typescript-eslint/adjacent-overload-signatures": "error",
         "@typescript-eslint/array-type": "error",
@@ -180,6 +177,14 @@
                     { "name": "exports" }
                 ]
             }
+        },
+        {
+            // These files contain imports in a specific order that are generally unsafe to modify.
+            "files": ["**/_namespaces/**"],
+            "rules": {
+                "simple-import-sort/imports": "off",
+                "simple-import-sort/exports": "off"
+            }
         }
     ]
 }

.github/workflows/accept-baselines-fix-lints.yaml

@@ -3,10 +3,16 @@ name: Accept Baselines and Fix Lints
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3
@@ -15,8 +21,8 @@ jobs:
       run: |
         git config user.email "[email protected]"
         git config user.name "TypeScript Bot"
-        npm install
-        git rm -r --quiet tests/baselines/reference :^tests/baselines/reference/docker :^tests/baselines/reference/user
+        npm ci
+        git rm -r --quiet tests/baselines/reference
         npx hereby runtests-parallel --ci --fix || true
         npx hereby baseline-accept
         git add ./src

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ on:
       - main
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -39,7 +42,8 @@ jobs:
     - run:  npm ci
 
     - name: Tests
-      run:  npm run test -- --bundle=${{ matrix.bundle }}
+      # run tests, but lint separately
+      run:  npm run test -- --no-lint --bundle=${{ matrix.bundle }}
 
   lint:
     runs-on: ubuntu-latest
@@ -91,65 +95,76 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
+
     - uses: actions/setup-node@v3
       with:
         node-version: "*"
         check-latest: true
+    - run: |
+        corepack enable npm
+        npm --version
+    
     - run:  npm ci
 
     - run: npx hereby lkg
     - run: |
         npm pack
         mv typescript*.tgz typescript.tgz
-        echo "PACKAGE=$PWD/typescript.tgz" >> $GITHUB_ENV
+        echo "package=$PWD/typescript.tgz" >> "$GITHUB_OUTPUT"
+      id: pack
 
     - name: Smoke test
       run: |
         cd "$(mktemp -d)"
         npm init --yes
-        npm install $PACKAGE tslib
+        npm install ${{ steps.pack.outputs.package }}
 
         echo "Testing tsc..."
         npx tsc --version
 
         echo "Testing tsserver..."
         echo '{"seq": 1, "command": "status"}' | npx tsserver
 
-        cat > smoke.js << 'EOF'
-        console.log(`Testing ${process.argv[2]}...`);
-        const { __importDefault, __importStar } = require("tslib");
-        const ts = require(process.argv[2]);
-
-        // See: https://github.com/microsoft/TypeScript/pull/51474#issuecomment-1310871623
-        const fns = [
-          [() => ts.version,                          true],
-          [() => ts.default.version,                  false],
-          [() => __importDefault(ts).version,         false],
-          [() => __importDefault(ts).default.version, true],
-          [() => __importStar(ts).version,            true],
-          [() => __importStar(ts).default.version,    true],
-        ];
-
-        for (const [fn, shouldSucceed] of fns) {
-          let success = false;
-          try {
-            success = !!fn();
-          }
-          catch {}
-          const status = success ? "succeeded" : "failed";
-          if (success === shouldSucceed) {
-            console.log(`${fn.toString()} ${status} as expected.`);
-          }
-          else {
-            console.log(`${fn.toString()} unexpectedly ${status}.`);
-            process.exitCode = 1;
-          }
-        }
-        console.log("ok");
-        EOF
-
-        node ./smoke.js typescript
-        node ./smoke.js typescript/lib/tsserverlibrary
+        node $GITHUB_WORKSPACE/scripts/checkModuleFormat.mjs typescript
+        node $GITHUB_WORKSPACE/scripts/checkModuleFormat.mjs typescript/lib/tsserverlibrary
+
+  package-size:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        path: pr
+
+    - uses: actions/checkout@v3
+      with:
+        path: base
+        ref: ${{ github.base_ref }}
+
+    - uses: actions/setup-node@v3
+      with:
+        node-version: "*"
+        check-latest: true
+    - run: |
+        corepack enable npm
+        npm --version
+
+    - run: npm ci
+      working-directory: ./pr
+
+    - run: npm ci
+      working-directory: ./base
+
+    - run: npx hereby lkg
+      working-directory: ./pr
+      
+    - run: npx hereby lkg
+      working-directory: ./base
+
+    - run: |
+        echo "See $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID for more info."
+        node ./pr/scripts/checkPackageSize.mjs ./base ./pr >> $GITHUB_STEP_SUMMARY
 
   misc:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -21,6 +21,9 @@ on:
     #        *  * * * *
     - cron: '30 1 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest

.github/workflows/ensure-related-repos-run-crons.yml

@@ -11,6 +11,9 @@ on:
         - cron: '0 0 1 * *'
     workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/error-deltas-watchdog.yaml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '0 0 * * 3' # Every Wednesday
 
+permissions:
+  contents: read
+
 jobs:
   check-for-recent:
     runs-on: ubuntu-latest

.github/workflows/new-release-branch.yaml

@@ -4,12 +4,21 @@ on:
   repository_dispatch:
     types: new-release-branch
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/setup-node@v3
+    - run: |
+        corepack enable npm
+        npm --version
     - uses: actions/checkout@v3
       with:
         fetch-depth: 5

.github/workflows/nightly.yaml

@@ -8,6 +8,9 @@ on:
   repository_dispatch:
     types: publish-nightly
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -19,6 +22,9 @@ jobs:
       with:
         # Use NODE_AUTH_TOKEN environment variable to authenticate to this registry.
         registry-url: https://registry.npmjs.org/
+    - run: |
+        corepack enable npm
+        npm --version
     - name: Setup and publish nightly
       run: |
         npm whoami

.github/workflows/release-branch-artifact.yaml

@@ -5,13 +5,19 @@ on:
     branches:
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3
+    - run: |
+        corepack enable npm
+        npm --version
     - name: npm install and test
       run: |
         npm ci

.github/workflows/rich-navigation.yml

@@ -10,6 +10,9 @@ on:
       - main
       - release-*
 
+permissions:
+  contents: read
+
 jobs:
   richnav:
     runs-on: windows-latest

.github/workflows/scorecard.yml

@@ -0,0 +1,60 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '19 15 * * 4'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Publish results to OpenSSF REST API for easy access by consumers
+          # Allows the repository to include the Scorecard badge.
+          # See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
+        with:
+          sarif_file: results.sarif

.github/workflows/set-version.yaml

@@ -4,15 +4,24 @@ on:
   repository_dispatch:
     types: set-version
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
     steps:
     - uses: actions/setup-node@v3
     - uses: actions/checkout@v3
       with:
         ref: ${{ github.event.client_payload.branch_name }}
+    - run: |
+        corepack enable npm
+        npm --version
     # notably, this is essentially the same script as `new-release-branch.yaml` (with fewer inputs), but it assumes the branch already exists
     # do note that executing the transform below will prevent the `configurePrerelease` script from running on the source, as it makes the
     # `version` identifier no longer match the regex it uses