fix: make publish workflow self-hosted-safe#52
Merged
Jesssullivan merged 1 commit intomainfrom Apr 16, 2026
Merged
Conversation
Greptile SummaryThis PR makes the publish workflow compatible with self-hosted runners by: routing all jobs through Confidence Score: 5/5Safe to merge — all three fixes are correct and no P0/P1 issues found. The provenance skip correctly uses No files require special attention. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A([Release / workflow_dispatch]) --> B[test job\nBazel build · unit tests · publint]
B --> C[Upload bazel-pkg artifact]
C --> D[publish-npm]
C --> E[publish-github]
D --> F{dry_run == true?}
F -- Yes --> G[npm publish --dry-run]
F -- No --> H{runner.environment\n== self-hosted?}
H -- Yes --> I[npm publish\n--access public\nno provenance]
H -- No --> J[npm publish\n--access public\n--provenance]
E --> K[cp -R pkg pkg-github]
K --> L{dry_run == true?}
L -- Yes --> M[npm publish ./pkg-github --dry-run\nnote: package.json not yet mutated]
L -- No --> N[Mutate pkg-github/package.json\nscope + registry override]
N --> O[npm publish ./pkg-github]
Reviews (1): Last reviewed commit: "fix: make publish workflow self-hosted-s..." | Re-trigger Greptile |
Jesssullivan
added a commit
to tinyland-inc/scheduling-kit
that referenced
this pull request
Apr 16, 2026
* refactor!: remove middleware code (belongs in acuity-middleware) (#10) Removed: src/middleware/ (33 files), modal-app.py, Dockerfile, live tests, playwright deps. Version 0.3.1 to 0.4.0. * chore: bump version to 0.5.0 * refactor!: remove acuity-scraper adapter Scraper belongs in acuity-middleware, not the scheduling library. Deprecated since extract-business.ts + middleware wizard steps replaced all scraper functionality. BREAKING: AcuityScraper, createScraperAdapter, scrapeServicesOnce, scrapeAvailabilityOnce removed from @tummycrypt/scheduling-kit/adapters. * build: add Bazel 8 configuration with subpackage targets - MODULE.bazel: bzlmod config with rules_js 2.9.1, rules_ts 3.8.4, SWC, pnpm 9 - BUILD.bazel: svelte-package build, npm_package, 6 subpackage ts_project targets (core, adapters, payments, reconciliation, lib, testing), vitest, svelte-check typecheck - .bazelrc: build/CI/debug/release configs with disk cache - .bazelversion: pin to 8.1.1 - .npmrc: hoist=false (required by rules_js) * feat: v0.5.0 - remove acuity-scraper, add Bazel 8 config (#11) * chore: bump version to 0.5.0 * refactor!: remove acuity-scraper adapter Scraper belongs in acuity-middleware, not the scheduling library. Deprecated since extract-business.ts + middleware wizard steps replaced all scraper functionality. BREAKING: AcuityScraper, createScraperAdapter, scrapeServicesOnce, scrapeAvailabilityOnce removed from @tummycrypt/scheduling-kit/adapters. * build: add Bazel 8 configuration with subpackage targets - MODULE.bazel: bzlmod config with rules_js 2.9.1, rules_ts 3.8.4, SWC, pnpm 9 - BUILD.bazel: svelte-package build, npm_package, 6 subpackage ts_project targets (core, adapters, payments, reconciliation, lib, testing), vitest, svelte-check typecheck - .bazelrc: build/CI/debug/release configs with disk cache - .bazelversion: pin to 8.1.1 - .npmrc: hoist=false (required by rules_js) * feat(venmo): add payeeEmail option to route payments to practitioner When payeeEmail is set in VenmoAdapterConfig, the PayPal order creation includes payee.email_address in purchase_units. This routes payments directly to the practitioner's PayPal account without requiring their API credentials. Ref: PayPal "Pay another account" docs * chore: bump version to 0.5.1 (payee-email support) * fix(ci): use @Jesssullivan scope for GitHub Packages mirror (Jesssullivan#18) * feat(venmo): add returnUrl/cancelUrl to experience_context (Jesssullivan#19) * fix(ci): use @Jesssullivan scope for GitHub Packages mirror * feat(venmo): add returnUrl/cancelUrl to experience_context PayPal requires return_url and cancel_url in the Venmo payment source experience_context for proper popup handling. Without them, PayPal may force additional buyer verification loops or block the popup flow. New optional fields on VenmoAdapterConfig: returnUrl, cancelUrl. * chore: bump to 0.5.2 (PayPal return URLs) (Jesssullivan#20) * fix(ci): use @Jesssullivan scope for GitHub Packages mirror * feat(venmo): add returnUrl/cancelUrl to experience_context PayPal requires return_url and cancel_url in the Venmo payment source experience_context for proper popup handling. Without them, PayPal may force additional buyer verification loops or block the popup flow. New optional fields on VenmoAdapterConfig: returnUrl, cancelUrl. * chore: bump to 0.5.2 (PayPal return URLs) * feat: onboarding subpackage — provider credential management (Jesssullivan#21-Jesssullivan#27) (Jesssullivan#28) New @tummycrypt/scheduling-kit/onboarding subpackage: Interfaces: - CredentialStore: app-provided key-value storage (PG, Redis, etc.) - EncryptionProvider: app-provided encryption (AES, Vault, etc.) - StripeConnectConfig, StripeAccountStatus, WebhookSetupResult types Stripe: - buildStripeAuthorizeUrl() + exchangeStripeCode() — Connect OAuth - getStripeAccountStatus() — account onboarding status - validateStripeKeys() — key validation against Stripe API - createStripeWebhook() + deleteStripeWebhooks() — webhook CRUD PayPal: - validatePayPalCredentials() — OAuth token validation - createPayPalWebhook() — webhook creation Build: - Bazel //src/onboarding target (deps: :core, :payments, effect) - Package.json ./onboarding export Pattern: library defines interfaces + helpers, application provides CredentialStore implementation. Same pattern as HomegrownAdapter's getDb callback — scheduling-kit doesn't know about databases. Closes Jesssullivan#21, Jesssullivan#22, Jesssullivan#23, Jesssullivan#24, Jesssullivan#27. Partial Jesssullivan#25, Jesssullivan#26. * chore: bump to 0.6.0 (onboarding subpackage) (Jesssullivan#29) * feat: adapter factory pattern + 21 onboarding tests (Jesssullivan#25, Jesssullivan#26) (Jesssullivan#30) - createAdapterFactory(): settings-driven singleton with cache, promise dedup, reset, and disable lifecycle - 21 tests: Stripe OAuth URL, key validation, account status, PayPal credential validation, factory lifecycle (cache, reset, disable, store passthrough) - Updated vitest.config.ts to include onboarding test glob Closes Jesssullivan#25, Jesssullivan#26. * chore: strip sourcemaps from npm package (Jesssullivan#31) * feat: adapter factory pattern + 21 onboarding tests (Jesssullivan#25, Jesssullivan#26) - createAdapterFactory(): settings-driven singleton with cache, promise dedup, reset, and disable lifecycle - 21 tests: Stripe OAuth URL, key validation, account status, PayPal credential validation, factory lifecycle (cache, reset, disable, store passthrough) - Updated vitest.config.ts to include onboarding test glob Closes Jesssullivan#25, Jesssullivan#26. * chore: strip sourcemaps from npm package (2,711 .map files excluded) * feat: provider status helpers + SetupStep type (Jesssullivan#32) (Jesssullivan#33) * chore: bump to 0.6.1 (status helpers) (Jesssullivan#34) * align build truth and package boundaries (Jesssullivan#39) * ci: enforce Bazel release metadata truth (Jesssullivan#40) * docs: add agent and llm operating brief (Jesssullivan#42) * feat(payments)!: converge PaymentCapabilities contract from tinyland-inc (Jesssullivan#45) * feat(payments)!: converge PaymentCapabilities contract from tinyland-inc Cherry-pick tinyland-inc/main squash (v0.7.0) onto Jesssullivan/main. Keeps Jess's CI/publish workflows and Bazel structure. Bumps all version references to 0.7.0. - PaymentCapabilities, StripeCapability, VenmoCapability types - getDefaultCapabilities() factory - HybridCheckoutDrawer: capabilities prop replaces individual payment props - Cash at Visit structurally removed (cash: false) * fix(ci): skip prepublish scripts in gh packages mirror * docs(release): clarify scheduling-kit authority (Jesssullivan#46) * ci(publish): validate bazel package artifact (Jesssullivan#47) * build(bazel): publish scheduling-kit from bazel artifact * fix(ui): dark-mode skeleton shimmer and border parity (Jesssullivan#49) Replace hardcoded hex CSS with light-dark() for 8 components: skeleton loading shimmer, border colors, scrollbar tracks. Ensures proper dark-mode rendering when consumed by host apps. * ci: support honey self-hosted runner stopgap (Jesssullivan#50) * ci: isolate pnpm store on self-hosted runners (Jesssullivan#51) * fix: make publish workflow self-hosted-safe (Jesssullivan#52) * fix(ci): make github package artifact writable (Jesssullivan#53) * perf(components): drop zod from browser client form (Jesssullivan#54) * fix(ci): ignore npm scripts when publishing bazel pkg (Jesssullivan#55) * fix(ci): ignore npm scripts when publishing bazel pkg * fix(ci): clean stale bazel publish artifacts on runners * fix(ci): partition pnpm caches by runner (Jesssullivan#56)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Why
The self-hosted honey runner lane cannot use npm provenance, and the current GitHub Packages step mutates a read-only downloaded artifact. This keeps future package publishes truthful instead of reporting false greens or failing on the sidecar path.