mi6 / ic-ui-kit

Intelligence Community UI Kit (based on StencilJS)
MIT License

Generate hash during the build chain to verify content is unchanged #2428

Open mi6-577 opened 4 weeks ago

mi6-577 commented 4 weeks ago

Summary

In order to provide some assurance that downloads of the ICDS are 'untampered', we should provide a hash number at the point of releasing a new build.

💬 Description

A hash number is unique to the build and can be used by customers to verify that their download has been untouched.

Why do we need it?

Further reading on why hashes are important for open source code can be found here: https://proprivacy.com/guides/how-why-and-when-you-should-hash-check

evenstensberg commented 4 weeks ago

Do you need this to be on release/package distribution level? That makes sense.

If you release via github in addition to npm, they do validation.

evenstensberg commented 1 week ago

possible implementation

[Screenshot 2024-10-07 at 20 36 12: possible implementation]
evenstensberg commented 5 days ago

I've managed to get the needed data available within the scope of the web components, but not added to the window object. It seems like that is removed on build.

@GCHQ-Developer-299 I have a suggestion:

Maybe you should add a stencil component named ic-stats where the customer can import that component to get version number, build time and hash themselves?

If so, I can set up a simple PR that shows you how to access the variables - it's pretty straightforward.