Repository infrastructure setup

[scalvert]

This PR adds initial repository setup, including

• A workspaces architecture for multi-package support
• A workspaces typescript configuration
• Basic top-level setup
  • npm scripts
  • repo-wide devDependencies
  • root-level eslint/prettier setup to keep packages consistent
  • volta to manage tool dependencies
• A skeleton of the sarif-builder package

All infrastructure choices and naming conventions are open to feedback and changes.

[scalvert]

cc/ @jeffersonking - you don't seem to be added as a contributor to the repo yet.

[jeffersonking]

@scalvert Re yarn vs npm, it sounds like release-it will be the deciding factor. Will try to test it out sometime.

[scalvert]

@jeffersonking correct. The current plugin operates on yarn workspaces, and hasn't been tested with npm. That said, we own that plugin and can update/adjust it to work with both.

[jeffersonking]

@scalvert If all else is equal, the path with one less installation wins? So npm?

[scalvert]

Yep, we can certainly explore either making that plugin work for npm, or make a similar plugin for npm.

[scalvert]

Looking at our plugin, I think it will work out-of-the-box, as it's not doing anything yarn specific. It likely could use a rename though...

[scalvert]

OK I've updated to use npm vs. yarn. I also pinned tool dependencies with volta. If you aren't familiar with it, it's a tool that manages your project's tool dependencies.

[jeffersonking]

@scalvert Thanks! Not familiar with volta, interested in trying it out.

I think the there's still the big question of if the sarif-builder goes in it's own repo (and if anything ends up in this repo). But, signing off on this PR nevertheless.

[scalvert]

Ya I think the question of 'what else goes here' is for sure up for debate, but I can imagine the following:

• Moving the types from @types/sarif to this repository, effectively making them first-party types vs. third-party
• A SARIF log validator utility
• A partial fingerprint utility to enable SARIF log authors to generate consistent fingerprints
• Any additional documentation or reference material related specifically to using SARIF in JavaScript.

Happy to defer these discussions until they present themselves later.

[scalvert]

@jeffersonking volta is pretty great. It was developed at LinkedIn by folks from my team. It is gaining a lot of traction as a replacement to nvm, mainly due to speed since it's written in Rust.

[michaelcfanning]

Wahoo! Every GitHub open source journey starts with a single merge!