
fix(ci): make github package artifact writable #53

Merged
Jesssullivan merged 1 commit into main from fix/github-packages-artifact-perms
Apr 16, 2026

@Jesssullivan
Owner

Summary

  • make the copied pkg-github directory writable after extracting the Bazel artifact
  • avoid EACCES when the GitHub Packages sidecar rewrites package.json on self-hosted runners
  • keep the npmjs.com publish lane and GitHub Packages sidecar consistent

Validation

  • workflow-only change
  • based on the failing self-hosted publish log pattern already seen in the corrected publish lane

@greptile-apps
greptile-apps Bot commented Apr 16, 2026

Greptile Summary

Adds chmod -R u+w pkg-github to the publish-github job after copying the Bazel artifact, preventing EACCES errors when the GitHub Packages step rewrites package.json on self-hosted runners where Bazel outputs are extracted as read-only. The publish-npm job is unaffected since it never mutates the artifact directory.

Confidence Score: 5/5

Safe to merge — the fix is minimal and targeted, with one pre-existing P2 dry-run inconsistency noted.

The only open finding is a P2: the dry-run path in publish-github doesn't apply the package.json rewrite, so it doesn't fully simulate the real publish. This is a pre-existing gap not introduced by this PR and does not block merge.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/publish.yml | Adds chmod -R u+w pkg-github after cp -R pkg pkg-github in the publish-github job to fix EACCES errors when Bazel's read-only artifacts are copied and then mutated on self-hosted runners. |

Sequence Diagram

sequenceDiagram
    participant T as test job
    participant A as artifact store
    participant N as publish-npm job
    participant G as publish-github job
    participant NPM as npmjs.com
    participant GHP as GitHub Packages

    T->>T: bazelisk build //:pkg
    T->>T: tar -czf bazel-pkg.tgz -C bazel-bin pkg
    T->>A: upload bazel-pkg artifact

    A->>N: download bazel-pkg
    N->>N: tar -xzf bazel-pkg.tgz
    Note over N: pkg/ files are read-only (Bazel default)
    N->>NPM: npm publish ./pkg

    A->>G: download bazel-pkg
    G->>G: tar -xzf bazel-pkg.tgz
    Note over G: pkg/ files are read-only (Bazel default)
    G->>G: cp -R pkg pkg-github
    G->>G: chmod -R u+w pkg-github (this PR)
    G->>G: node -e rewrite package.json name + publishConfig
    G->>GHP: npm publish ./pkg-github --ignore-scripts

Comments Outside Diff (1)

  1. .github/workflows/publish.yml, line 157-161 (link)

    P2 Dry-run skips package.json rewrite

    The "Publish dry run" step publishes from pkg-github without the scope/registry override applied in the preceding "Publish to GitHub Packages" step (which is skipped when dry_run == 'true'). The dry run therefore exercises a different package.json than the real publish, so it won't catch a scope or publishConfig mistake. Consider moving the package.json mutation into the prepare step (or a dedicated step with no condition) so both paths use the same artifact.

Reviews (1): Last reviewed commit: "fix(ci): make github package artifact wr..." | Re-trigger Greptile
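
The permission behaviour this fix depends on can be reproduced offline. The script below is an added example, not part of the PR or the project's workflow; the directory names pkg and pkg-github follow the PR, while the package contents and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Directory names (pkg, pkg-github) follow the PR; the package
# contents below are constructed stand-ins for the extracted Bazel artifact.

# Number of entries under $1 that lack the owner-write bit (0200).
count_not_owner_writable() {
  find "$1" ! -perm -200 | wc -l | tr -d ' '
}

# Number of entries under $1 that are group- or world-writable.
count_group_or_world_writable() {
  find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Create a scratch dir holding a read-only pkg/ tree; print the scratch path.
make_readonly_pkg() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/pkg/dist"
  printf '{"name":"example-pkg","version":"0.0.0"}\n' > "$work/pkg/package.json"
  printf 'export {};\n' > "$work/pkg/dist/index.js"
  chmod -R a-w "$work/pkg"
  printf '%s\n' "$work"
}

# The workflow's copy step: cp -R carries the read-only modes into the copy.
copy_artifact() {
  ( cd "$1" && cp -R pkg pkg-github )
}

# The fix from this PR: restore write for the owner only, on the copy only.
make_copy_writable() {
  chmod -R u+w "$1/pkg-github"
}

# Remove the scratch dir (read-only directories must be made writable first).
cleanup() {
  chmod -R u+w "$1" && rm -rf "$1"
}

scratch=$(make_readonly_pkg)
copy_artifact "$scratch"
echo "read-only entries after cp -R:    $(count_not_owner_writable "$scratch/pkg-github")"
make_copy_writable "$scratch"
echo "read-only entries after chmod:    $(count_not_owner_writable "$scratch/pkg-github")"
echo "group/world-writable after chmod: $(count_group_or_world_writable "$scratch/pkg-github")"
echo "original pkg/ still read-only:    $(count_not_owner_writable "$scratch/pkg")"
cleanup "$scratch"
```

The counts are taken from mode bits rather than from a failed write, so the result is the same when the script runs as root, where a write to a read-only file would succeed.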

@Jesssullivan Jesssullivan merged commit 61856b9 into main Apr 16, 2026
4 checks passed
@Jesssullivan Jesssullivan deleted the fix/github-packages-artifact-perms branch April 16, 2026 14:38
Jesssullivan added a commit to tinyland-inc/scheduling-kit that referenced this pull request Apr 16, 2026
* refactor!: remove middleware code (belongs in acuity-middleware) (#10)

Removed: src/middleware/ (33 files), modal-app.py, Dockerfile,
live tests, playwright deps. Version 0.3.1 to 0.4.0.

* chore: bump version to 0.5.0

* refactor!: remove acuity-scraper adapter

Scraper belongs in acuity-middleware, not the scheduling library.
Deprecated since extract-business.ts + middleware wizard steps
replaced all scraper functionality.

BREAKING: AcuityScraper, createScraperAdapter, scrapeServicesOnce,
scrapeAvailabilityOnce removed from @tummycrypt/scheduling-kit/adapters.

* build: add Bazel 8 configuration with subpackage targets

- MODULE.bazel: bzlmod config with rules_js 2.9.1, rules_ts 3.8.4, SWC, pnpm 9
- BUILD.bazel: svelte-package build, npm_package, 6 subpackage ts_project
  targets (core, adapters, payments, reconciliation, lib, testing), vitest,
  svelte-check typecheck
- .bazelrc: build/CI/debug/release configs with disk cache
- .bazelversion: pin to 8.1.1
- .npmrc: hoist=false (required by rules_js)

* feat: v0.5.0 - remove acuity-scraper, add Bazel 8 config (#11)

* chore: bump version to 0.5.0

* refactor!: remove acuity-scraper adapter

Scraper belongs in acuity-middleware, not the scheduling library.
Deprecated since extract-business.ts + middleware wizard steps
replaced all scraper functionality.

BREAKING: AcuityScraper, createScraperAdapter, scrapeServicesOnce,
scrapeAvailabilityOnce removed from @tummycrypt/scheduling-kit/adapters.

* build: add Bazel 8 configuration with subpackage targets

- MODULE.bazel: bzlmod config with rules_js 2.9.1, rules_ts 3.8.4, SWC, pnpm 9
- BUILD.bazel: svelte-package build, npm_package, 6 subpackage ts_project
  targets (core, adapters, payments, reconciliation, lib, testing), vitest,
  svelte-check typecheck
- .bazelrc: build/CI/debug/release configs with disk cache
- .bazelversion: pin to 8.1.1
- .npmrc: hoist=false (required by rules_js)

* feat(venmo): add payeeEmail option to route payments to practitioner

When payeeEmail is set in VenmoAdapterConfig, the PayPal order
creation includes payee.email_address in purchase_units. This
routes payments directly to the practitioner's PayPal account
without requiring their API credentials.

Ref: PayPal "Pay another account" docs

* chore: bump version to 0.5.1 (payee-email support)

* fix(ci): use @Jesssullivan scope for GitHub Packages mirror (Jesssullivan#18)

* feat(venmo): add returnUrl/cancelUrl to experience_context (Jesssullivan#19)

* fix(ci): use @Jesssullivan scope for GitHub Packages mirror

* feat(venmo): add returnUrl/cancelUrl to experience_context

PayPal requires return_url and cancel_url in the Venmo payment source
experience_context for proper popup handling. Without them, PayPal may
force additional buyer verification loops or block the popup flow.

New optional fields on VenmoAdapterConfig: returnUrl, cancelUrl.

* chore: bump to 0.5.2 (PayPal return URLs) (Jesssullivan#20)

* fix(ci): use @Jesssullivan scope for GitHub Packages mirror

* feat(venmo): add returnUrl/cancelUrl to experience_context

PayPal requires return_url and cancel_url in the Venmo payment source
experience_context for proper popup handling. Without them, PayPal may
force additional buyer verification loops or block the popup flow.

New optional fields on VenmoAdapterConfig: returnUrl, cancelUrl.

* chore: bump to 0.5.2 (PayPal return URLs)

* feat: onboarding subpackage — provider credential management (Jesssullivan#21-Jesssullivan#27) (Jesssullivan#28)

New @tummycrypt/scheduling-kit/onboarding subpackage:

Interfaces:
- CredentialStore: app-provided key-value storage (PG, Redis, etc.)
- EncryptionProvider: app-provided encryption (AES, Vault, etc.)
- StripeConnectConfig, StripeAccountStatus, WebhookSetupResult types

Stripe:
- buildStripeAuthorizeUrl() + exchangeStripeCode() — Connect OAuth
- getStripeAccountStatus() — account onboarding status
- validateStripeKeys() — key validation against Stripe API
- createStripeWebhook() + deleteStripeWebhooks() — webhook CRUD

PayPal:
- validatePayPalCredentials() — OAuth token validation
- createPayPalWebhook() — webhook creation

Build:
- Bazel //src/onboarding target (deps: :core, :payments, effect)
- Package.json ./onboarding export

Pattern: library defines interfaces + helpers, application provides
CredentialStore implementation. Same pattern as HomegrownAdapter's
getDb callback — scheduling-kit doesn't know about databases.

Closes Jesssullivan#21, Jesssullivan#22, Jesssullivan#23, Jesssullivan#24, Jesssullivan#27. Partial Jesssullivan#25, Jesssullivan#26.

* chore: bump to 0.6.0 (onboarding subpackage) (Jesssullivan#29)

* feat: adapter factory pattern + 21 onboarding tests (Jesssullivan#25, Jesssullivan#26) (Jesssullivan#30)

- createAdapterFactory(): settings-driven singleton with cache,
  promise dedup, reset, and disable lifecycle
- 21 tests: Stripe OAuth URL, key validation, account status,
  PayPal credential validation, factory lifecycle (cache, reset,
  disable, store passthrough)
- Updated vitest.config.ts to include onboarding test glob

Closes Jesssullivan#25, Jesssullivan#26.

* chore: strip sourcemaps from npm package (Jesssullivan#31)

* feat: adapter factory pattern + 21 onboarding tests (Jesssullivan#25, Jesssullivan#26)

- createAdapterFactory(): settings-driven singleton with cache,
  promise dedup, reset, and disable lifecycle
- 21 tests: Stripe OAuth URL, key validation, account status,
  PayPal credential validation, factory lifecycle (cache, reset,
  disable, store passthrough)
- Updated vitest.config.ts to include onboarding test glob

Closes Jesssullivan#25, Jesssullivan#26.

* chore: strip sourcemaps from npm package (2,711 .map files excluded)

* feat: provider status helpers + SetupStep type (Jesssullivan#32) (Jesssullivan#33)

* chore: bump to 0.6.1 (status helpers) (Jesssullivan#34)

* align build truth and package boundaries (Jesssullivan#39)

* ci: enforce Bazel release metadata truth (Jesssullivan#40)

* docs: add agent and llm operating brief (Jesssullivan#42)

* feat(payments)!: converge PaymentCapabilities contract from tinyland-inc (Jesssullivan#45)

* feat(payments)!: converge PaymentCapabilities contract from tinyland-inc

Cherry-pick tinyland-inc/main squash (v0.7.0) onto Jesssullivan/main.
Keeps Jess's CI/publish workflows and Bazel structure.
Bumps all version references to 0.7.0.

- PaymentCapabilities, StripeCapability, VenmoCapability types
- getDefaultCapabilities() factory
- HybridCheckoutDrawer: capabilities prop replaces individual payment props
- Cash at Visit structurally removed (cash: false)

* fix(ci): skip prepublish scripts in gh packages mirror

* docs(release): clarify scheduling-kit authority (Jesssullivan#46)

* ci(publish): validate bazel package artifact (Jesssullivan#47)

* build(bazel): publish scheduling-kit from bazel artifact

* fix(ui): dark-mode skeleton shimmer and border parity (Jesssullivan#49)

Replace hardcoded hex CSS with light-dark() for 8 components:
skeleton loading shimmer, border colors, scrollbar tracks.
Ensures proper dark-mode rendering when consumed by host apps.

* ci: support honey self-hosted runner stopgap (Jesssullivan#50)

* ci: isolate pnpm store on self-hosted runners (Jesssullivan#51)

* fix: make publish workflow self-hosted-safe (Jesssullivan#52)

* fix(ci): make github package artifact writable (Jesssullivan#53)

* perf(components): drop zod from browser client form (Jesssullivan#54)

* fix(ci): ignore npm scripts when publishing bazel pkg (Jesssullivan#55)

* fix(ci): ignore npm scripts when publishing bazel pkg

* fix(ci): clean stale bazel publish artifacts on runners

* fix(ci): partition pnpm caches by runner (Jesssullivan#56)