Support calculating integrity hashes for local assets automatically

When `integrity: true` is used with `pin_all_from` or `pin`, the
importmap will automatically calculate integrity hashes for local assets
served by the Rails asset pipeline. This eliminates the need to manually
manage integrity hashes for local files, enhancing security and
simplifying development.

Author: rafaelfranca

Appraisals

@@ -17,7 +17,6 @@ end
 
 appraise "rails_7.0_propshaft" do
   gem "rails", github: "rails/rails", branch: "7-0-stable"
-  gem "propshaft"
   gem "sqlite3", "~> 1.4"
 end
 
@@ -29,7 +28,6 @@ end
 
 appraise "rails_7.1_propshaft" do
   gem "rails", "~> 7.1.0"
-  gem "propshaft"
 end
 
 appraise "rails_7.2_sprockets" do
@@ -40,7 +38,6 @@ end
 
 appraise "rails_7.2_propshaft" do
   gem "rails", "~> 7.2.0"
-  gem "propshaft"
 end
 
 appraise "rails_8.0_sprockets" do
@@ -51,7 +48,6 @@ end
 
 appraise "rails_8.0_propshaft" do
   gem "rails", "~> 8.0.0"
-  gem "propshaft"
 end
 
 appraise "rails_main_sprockets" do
@@ -62,5 +58,4 @@ end
 
 appraise "rails_main_propshaft" do
   gem "rails", github: "rails/rails", branch: "main"
-  gem "propshaft"
 end

Gemfile

@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 gemspec
 
 gem "rails"
-gem "propshaft"
+gem "propshaft", github: "rails/propshaft", branch: "main"
 
 gem "sqlite3"
 

Gemfile.lock

@@ -1,3 +1,13 @@
+GIT
+  remote: https://github.com/rails/propshaft.git
+  revision: 9bcad5fa48efac2f26568e5d019409a1784839d0
+  branch: main
+  specs:
+    propshaft (1.1.0)
+      actionpack (>= 7.0.0)
+      activesupport (>= 7.0.0)
+      rack
+
 PATH
   remote: .
   specs:
@@ -111,7 +121,7 @@ GEM
       activesupport (>= 6.1)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
+    io-console (0.8.1)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
@@ -150,11 +160,6 @@ GEM
     pp (0.6.2)
       prettyprint
     prettyprint (0.2.0)
-    propshaft (1.1.0)
-      actionpack (>= 7.0.0)
-      activesupport (>= 7.0.0)
-      rack
-      railties (>= 7.0.0)
     psych (5.2.6)
       date
       stringio
@@ -257,7 +262,7 @@ DEPENDENCIES
   byebug
   capybara
   importmap-rails!
-  propshaft
+  propshaft!
   rails
   rexml
   selenium-webdriver

README.md

@@ -79,10 +79,15 @@ If you want to import local js module files from `app/javascript/src` or other s
 ```rb
 # config/importmap.rb
 pin_all_from 'app/javascript/src', under: 'src', to: 'src'
+
+# With automatic integrity calculation for enhanced security
+pin_all_from 'app/javascript/controllers', under: 'controllers', integrity: true
 ```
 
 The `:to` parameter is only required if you want to change the destination logical import name. If you drop the :to option, you must place the :under option directly after the first parameter.
 
+The `integrity: true` option automatically calculates integrity hashes for all files in the directory, providing security benefits without manual hash management.
+
 Allows you to:
 
 ```js
@@ -181,6 +186,52 @@ If you have existing pins without integrity hashes, you can add them using the `
 ./bin/importmap integrity --update
 ```
 
+### Automatic integrity for local assets
+
+For local assets served by the Rails asset pipeline (like those created with `pin` or `pin_all_from`), you can use `integrity: true` to automatically calculate integrity hashes from the compiled assets:
+
+```ruby
+# config/importmap.rb
+
+# Automatically calculate integrity from asset pipeline
+pin "application", integrity: true
+pin "admin", to: "admin.js", integrity: true
+
+# Works with pin_all_from too
+pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
+pin_all_from "app/javascript/lib", under: "lib", integrity: true
+
+# Mixed usage
+pin "local_module", integrity: true              # Auto-calculated
+pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated
+pin "no_integrity_package"                       # No integrity (default)
+```
+
+This is particularly useful for:
+* **Local JavaScript files** managed by your Rails asset pipeline
+* **Bulk operations** with `pin_all_from` where calculating hashes manually would be tedious
+* **Development workflow** where asset contents change frequently
+
+The `integrity: true` option:
+* Uses the Rails asset pipeline's built-in integrity calculation
+* Works with both Sprockets and Propshaft
+* Automatically updates when assets are recompiled
+* Gracefully handles missing assets (returns `nil` for non-existent files)
+
+**Example output with `integrity: true`:**
+```json
+{
+  "imports": {
+    "application": "/assets/application-abc123.js",
+    "controllers/hello_controller": "/assets/controllers/hello_controller-def456.js"
+  },
+  "integrity": {
+    "/assets/application-abc123.js": "sha256-xyz789...",
+    "/assets/controllers/hello_controller-def456.js": "sha256-uvw012..."
+  }
+}
+```
+
 ### How integrity works
 
 The integrity hashes are automatically included in your import map and module preload tags:

gemfiles/rails_7.0_propshaft.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", branch: "7-0-stable", git: "https://github.com/rails/rails.git"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3", "~> 1.4"
 
 group :development do

gemfiles/rails_7.1_propshaft.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 7.1.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do

gemfiles/rails_7.2_propshaft.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 7.2.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do

gemfiles/rails_8.0_propshaft.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 8.0.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do

gemfiles/rails_main_propshaft.gemfile

@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", branch: "main", git: "https://github.com/rails/rails.git"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do

lib/importmap/map.rb

@@ -30,9 +30,9 @@ def pin(name, to: nil, preload: true, integrity: nil)
     @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload, integrity: integrity)
   end
 
-  def pin_all_from(dir, under: nil, to: nil, preload: true)
+  def pin_all_from(dir, under: nil, to: nil, preload: true, integrity: nil)
     clear_cache
-    @directories[dir] = MappedDir.new(dir: dir, under: under, path: to, preload: preload)
+    @directories[dir] = MappedDir.new(dir: dir, under: under, path: to, preload: preload, integrity: integrity)
   end
 
   # Returns an array of all the resolved module paths of the pinned packages. The `resolver` must respond to
@@ -92,9 +92,21 @@ def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :pr
   #   packages = importmap.preloaded_module_packages(resolver: helpers, cache_key: "cdn_host")
   def preloaded_module_packages(resolver:, entry_point: "application", cache_key: :preloaded_module_packages)
     cache_as(cache_key) do
-      expanded_preloading_packages_and_directories(entry_point:).to_h do |_, package|
-        [resolve_asset_path(package.path, resolver: resolver), package]
-      end.delete_if { |key| key.nil? }
+      expanded_preloading_packages_and_directories(entry_point:).filter_map do |_, package|
+        resolved_path = resolve_asset_path(package.path, resolver: resolver)
+        next unless resolved_path
+
+        resolved_integrity = resolve_integrity_value(package.integrity, package.path, resolver: resolver)
+
+        package = MappedFile.new(
+          name: package.name,
+          path: package.path,
+          preload: package.preload,
+          integrity: resolved_integrity
+        )
+
+        [resolved_path, package]
+      end.to_h
     end
   end
 
@@ -138,7 +150,7 @@ def cache_sweeper(watches: nil)
   end
 
   private
-    MappedDir  = Struct.new(:dir, :path, :under, :preload, keyword_init: true)
+    MappedDir  = Struct.new(:dir, :path, :under, :preload, :integrity, keyword_init: true)
     MappedFile = Struct.new(:name, :path, :preload, :integrity, keyword_init: true)
 
     def cache_as(name)
@@ -190,10 +202,22 @@ def build_integrity_hash(packages, resolver:)
         resolved_path = resolve_asset_path(mapping.path, resolver: resolver)
         next unless resolved_path
 
-        [resolved_path, mapping.integrity]
+        integrity_value = resolve_integrity_value(mapping.integrity, mapping.path, resolver: resolver)
+        next unless integrity_value
+
+        [resolved_path, integrity_value]
       end.to_h
     end
 
+    def resolve_integrity_value(integrity, path, resolver:)
+      case integrity
+      when true
+        resolver.asset_integrity(path)
+      when String
+        integrity
+      end
+    end
+
     def expanded_preloading_packages_and_directories(entry_point:)
       expanded_packages_and_directories.select { |name, mapping| mapping.preload.in?([true, false]) ? mapping.preload : (Array(mapping.preload) & Array(entry_point)).any? }
     end
@@ -210,7 +234,12 @@ def expand_directories_into(paths)
             module_name     = module_name_from(module_filename, mapping)
             module_path     = module_path_from(module_filename, mapping)
 
-            paths[module_name] = MappedFile.new(name: module_name, path: module_path, preload: mapping.preload)
+            paths[module_name] = MappedFile.new(
+              name: module_name,
+              path: module_path,
+              preload: mapping.preload,
+              integrity: mapping.integrity
+            )
           end
         end
       end