Skip to content

chore(engine): add publish-engine.yml, ready for the npm bootstrap#4148

Merged
JSONbored merged 1 commit into
mainfrom
chore/publish-engine-workflow
Jul 8, 2026
Merged

chore(engine): add publish-engine.yml, ready for the npm bootstrap#4148
JSONbored merged 1 commit into
mainfrom
chore/publish-engine-workflow

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

  • Adds .github/workflows/publish-engine.yml, mirroring npm-publish.yml's already-hardened design exactly: unprivileged validate job (contents: read, runs the package's own test suite, packs + smoke-tests the tarball) → privileged publish job (contents: write, id-token: write, environment: release) that only downloads the pre-built tarball and publishes it. Tags engine-v<version> to match the mcp-v* convention.
  • Cannot actually run successfully yet@jsonbored/gittensory-engine has never been published, and npm's trusted publishing (OIDC) can't bootstrap a brand-new package: the first publish must come from a maintainer's own authenticated npm login session before a Trusted Publisher can be configured in npmjs.com's package settings. This workflow is prepared and ready for the moment that one-time manual step happens (see follow-up conversation for the exact steps).
  • The validate job's "Engine test suite" step (npm run test --workspace @jsonbored/gittensory-engine) is also currently blocked on a separate pre-existing issue (that package's own test suite has stale fixtures unrelated to this PR) — flagged separately as a follow-up task.

Test plan

  • npm run actionlint — clean
  • End-to-end run not possible until both the npm bootstrap and the engine test-suite fix land

Mirrors npm-publish.yml's already-hardened design exactly: unprivileged
validate job (contents: read, runs the package's own test suite, packs +
smoke-tests the tarball) -> privileged publish job (contents: write,
id-token: write, environment: release) that only downloads the pre-built
tarball and publishes it, tagging engine-v<version> to match the mcp-v*
convention.

Cannot run successfully yet: @jsonbored/gittensory-engine has never been
published, and npm's trusted publishing/OIDC can't bootstrap a brand-new
package -- the first publish has to come from a maintainer's own
authenticated `npm login` session before a Trusted Publisher can be
configured in npmjs.com's package settings. This workflow is prepared and
ready for the moment that one-time manual step happens.
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.72%. Comparing base (bd96794) to head (307e9d8).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4148   +/-   ##
=======================================
  Coverage   93.72%   93.72%           
=======================================
  Files         385      385           
  Lines       36243    36243           
  Branches    13281    13281           
=======================================
  Hits        33968    33968           
  Misses       1618     1618           
  Partials      657      657           
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 8, 2026
@loopover-orb

loopover-orb Bot commented Jul 8, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-08 08:03:21 UTC

1 file · 1 AI reviewer · 1 blocker · readiness 100/100 · CI green · clean

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

Review summary
This PR adds .github/workflows/publish-engine.yml, closely mirroring npm-publish.yml's validate → publish → github-release privilege-separated design for the new @​jsonbored/gittensory-engine package, tagging engine-v<version> consistent with the existing mcp-v* convention. The unprivileged validate job (tarball pack, allowlist check, secret scan, smoke-test import) and privileged OIDC publish job gated by environment: release faithfully copy the hardened pattern already used by npm-publish.yml. The PR is upfront that this workflow can't succeed yet — npm's OIDC trusted publishing can't bootstrap a never-published package, and the engine's own test suite currently fails on unrelated stale fixtures — both disclosed and tracked as follow-ups, which is a reasonable way to land infra prep ahead of a manual bootstrap step. One structural gap versus its sibling: unlike npm-publish.yml's explicit 'Build gittensory-engine' step before packing, this workflow has no explicit build step before packing/smoke-testing gittensory-engine's own dist/ output, which is worth confirming rather than assuming away.

Nits — 6 non-blocking
  • publish-engine.yml's validate job packs @​jsonbored/gittensory-engine and smoke-tests dist/index.js and dist/signals/test-evidence.js from the tarball, but has no explicit build step first (unlike npm-publish.yml's 'Build gittensory-engine' step) — confirm packages/gittensory-engine/package.json has a prepack or pretest script that builds dist/, otherwise npm pack will produce a tarball missing dist/ once the disclosed test-suite blocker is fixed.
  • The PR description doesn't link an eligible open issue per this repo's contribution conventions — worth confirming this workflow-infra chore is maintainer-authorized rather than needing an issue linkage.
  • The 'Engine test suite' step (npm run test --workspace @​jsonbored/gittensory-engine) is disclosed as currently broken on stale fixtures; since this workflow is workflow_dispatch-only it doesn't run in this PR's CI, but merging doesn't unblock real publishing until both that fix and the npm bootstrap land, as the PR already states.
  • Add an inline comment linking the follow-up issue/PR tracking the stale-fixture test-suite fix, mirroring how the npm-bootstrap step is already documented inline at the top of the file.
  • Verify packages/gittensory-engine/package.json's build/prepack wiring produces dist/ before npm pack runs, and consider adding an explicit 'Build gittensory-engine' step for symmetry/clarity with npm-publish.yml even if a prepack script technically covers it.
  • Diff looks like trivial or whitespace-only churn — Reduce whitespace-only or formatting-only churn and keep the diff focused on substantive changes.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
Signal Result Evidence
Code review ❌ 1 blocker 1 reviewer
Linked issue ✅ No-issue rationale PR body explains why no issue is linked.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 52 registered-repo PR(s), 43 merged, 496 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 52 PR(s), 496 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, JavaScript, Ruby, Go, Kotlin, MDX, Shell
  • Official Gittensor activity: 52 PR(s), 496 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@loopover-orb loopover-orb Bot added the manual-review Gittensor contributor context label Jul 8, 2026
@JSONbored
JSONbored merged commit 0a5046a into main Jul 8, 2026
10 checks passed
@JSONbored
JSONbored deleted the chore/publish-engine-workflow branch July 8, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Development

Successfully merging this pull request may close these issues.

1 participant