| Safe Haskell | None |
|---|---|
| Language | GHC2021 |
Ecluse.Core.Registry.Npm.Publish
Description
The npm registry publish-document assembly and request shaping.
This module provides the pure data assembly for an npm publish request: forming
the JSON document from verified bytes and shaping the PUT request. The actual
side-effecting relay and publish operations live in the top-level
Ecluse.Core.Registry.Npm client.
Synopsis
- publishRequest :: Text -> Maybe Secret -> PackageName -> ByteString -> Either UrlFormationError Request
- npmPublishDocument :: PackageName -> Version -> Text -> Maybe Text -> Maybe Text -> ByteString -> ByteString
Documentation
publishRequest :: Text -> Maybe Secret -> PackageName -> ByteString -> Either UrlFormationError Request
Build the publish PUT /{pkg} request: the body is the npm publish
document (a packument carrying the version manifest and the base64 tarball under
_attachments), already serialised by the caller. Carries the bearer token and a
Content-Type: application/json header.
Fails with a UrlFormationError only when the URL cannot be formed; a genuine
write fault (a non-2xx, non-409 status) is the PublishError that
publishArtifact reports.
npmPublishDocument
Arguments
| :: PackageName | The package being published. |
| -> Version | The version being published. |
| -> Text | The tarball's filename: the |
| -> Maybe Text | The |
| -> Maybe Text | The |
| -> ByteString | The verified tarball bytes. |
| -> ByteString |
Assemble the npm publish document for one version from its verified tarball
bytes: the serialised body that publishRequest (and hence
publishArtifact) PUTs to /{pkg}.
The document is the npm PUT /{pkg} shape: the package name and a single-version
versions map carrying the version manifest (name, version, and a dist with
the integrity digests), dist-tags.latest pointed at that version, and the tarball
itself base64-encoded under _attachments with its byte length. A managed npm
registry (CodeArtifact, Artifact Registry, Verdaccio) recomputes the served
dist.tarball location from the attachment, so the location is not carried.
The integrity digests written into dist are the caller's: the worker passes
the serve-time-admitted digests it has already verified the bytes against, so the
published manifest's integrity matches exactly the bytes attached. The tarball
length is taken from the actual byte count, never a caller-declared size, so the
attachment can never disagree with its own bytes.
This is the inverse of the read-side decode in Ecluse.Core.Registry.Npm.Wire, which
deliberately does not model _attachments: it is constructed only here, for the
write.
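The consistency properties described above can be checked independently on a serialised publish document. The following is an added example in Python, not part of Ecluse or its Haskell API: `check_publish_document` and `build_sample` are hypothetical names, and the field names `data`, `length`, `content_type`, `integrity` and `shasum` are assumed from the npm publish format, since the page itself names only `versions`, `dist`, `dist-tags.latest` and `_attachments`.

```python
import base64
import binascii
import hashlib

def check_publish_document(doc):
    """Return the inconsistencies between a publish document and its attachment."""
    versions, attachments = doc.get("versions", {}), doc.get("_attachments", {})
    if len(versions) != 1 or len(attachments) != 1:
        return ["expected exactly one version and one attachment"]
    (version, manifest), = versions.items()
    att = next(iter(attachments.values()))
    problems = []
    if manifest.get("name") != doc.get("name") or manifest.get("version") != version:
        problems.append("manifest name/version disagrees with the document")
    if doc.get("dist-tags", {}).get("latest") != version:
        problems.append("dist-tags.latest does not point at the published version")
    try:
        tarball = base64.b64decode(att.get("data", ""), validate=True)
    except (binascii.Error, TypeError, ValueError):
        return problems + ["attachment data is not valid base64"]
    # The length must describe the decoded bytes, not a separately declared size.
    if att.get("length") != len(tarball):
        problems.append("attachment length differs from the actual byte count")
    dist = manifest.get("dist", {})
    # Assumption: a single-hash SRI string of the form "sha512-<base64 digest>".
    algo, _, digest = (dist.get("integrity") or "").partition("-")
    if algo in ("sha256", "sha384", "sha512"):
        actual = base64.b64encode(hashlib.new(algo, tarball).digest()).decode()
        if actual != digest:
            problems.append("dist.integrity does not match the attached bytes")
    elif dist.get("integrity") is not None:
        problems.append("dist.integrity uses an unsupported format")
    shasum = dist.get("shasum")
    if shasum is not None and shasum != hashlib.sha1(tarball).hexdigest():
        problems.append("dist.shasum does not match the attached bytes")
    return problems

def build_sample(tarball):
    """Constructed document in the shape described above (sample values only)."""
    integrity = "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()
    dist = {"integrity": integrity, "shasum": hashlib.sha1(tarball).hexdigest()}
    manifest = {"name": "demo-pkg", "version": "1.0.0", "dist": dist}
    attachment = {"content_type": "application/octet-stream",
                  "data": base64.b64encode(tarball).decode(), "length": len(tarball)}
    return {"name": "demo-pkg", "dist-tags": {"latest": "1.0.0"},
            "versions": {"1.0.0": manifest},
            "_attachments": {"demo-pkg-1.0.0.tgz": attachment}}
```

An empty result means the manifest's digests, the declared length and the attached bytes all agree, which is the property the document assembly guarantees by construction.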