feat: scaffold @socketaddon/iocraft publish pipeline #1
Merged
John-David Dalton (jdalton) merged 1 commit on May 2, 2026
- packages/iocraft: umbrella with optionalDependencies + platform loader
  (index.mjs / index.d.ts). The loader uses raw process.platform names,
  so @socketaddon/iocraft-win32-{arm64,x64} now match (previous shim
  remapped win32 -> 'win' to match the old win-* package names).
- packages/iocraft-{darwin-arm64,darwin-x64,linux-arm64,linux-arm64-musl,
  linux-x64,linux-x64-musl,win32-arm64,win32-x64}: per-platform shims.
  Each declares os/cpu/libc constraints so npm only installs the
  matching one. iocraft.node is NOT in the working tree; the publish
  script downloads + verifies it at publish time.
- scripts/publish.mts: download-verify-publish orchestrator.
  - Reads release-assets.json for the iocraft tag + checksums.
  - For each per-platform package: stages to tmpdir, downloads
    iocraft-<tag>-<asset-suffix>.node from socket-btm GH Releases,
    verifyReleaseChecksum (fail loudly on mismatch), copies into the
    stage as iocraft.node, runs `pnpm publish` from the stage with
    --access public --no-git-checks --ignore-scripts (+ --provenance
    in CI). Working tree never receives the binary.
  - Umbrella publishes last (its optionalDependencies must resolve).
  - Skip-if-already-published, --dry-run, --force, --platforms=,
    --skip-umbrella all supported.
- .github/workflows/provenance.yml: delegates to
  socket-registry/.github/workflows/provenance.yml@<sha> reusable
  with publish-script: 'publish:ci' and use-trusted-publishing: true.
  No setup-script; packages are static and binaries arrive at publish.
- docs/trusted-publisher-migration.md: step-by-step npm UI checklist
  for moving the trusted-publisher binding from SocketDev/socket-cli
  to SocketDev/socket-addon (one-time migration).
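The platform loader the commit message describes, written out as an added example (this is not the project's index.mjs). It builds the package name from the raw process.platform and process.arch values, appends -musl only on Linux, and refuses anything outside the eight packages that exist instead of requiring a guessed name. The musl heuristic via process.report and the injected requireFn are assumptions of this example, made so the selection logic can be exercised without a native binary installed.

```javascript
// Added example (not the project's index.mjs): choose the per-platform
// shim from raw process.platform / process.arch names, as the commit
// message describes (win32 is used as-is, not remapped to 'win').
const SUPPORTED_TRIPLES = new Set([
  'darwin-arm64', 'darwin-x64',
  'linux-arm64', 'linux-arm64-musl', 'linux-x64', 'linux-x64-musl',
  'win32-arm64', 'win32-x64',
]);

// Assumed heuristic for the libc constraint: a glibc runtime exposes
// glibcVersionRuntime in Node's diagnostic report; its absence on Linux
// is treated as musl. Non-Linux platforms never get the -musl suffix.
function detectMusl(platform = process.platform) {
  if (platform !== 'linux') return false;
  const report = process.report && process.report.getReport ? process.report.getReport() : null;
  return !(report && report.header && report.header.glibcVersionRuntime);
}

// Build "<platform>-<arch>[-musl]" and reject anything outside the set
// of published packages, so a typo or unsupported host fails clearly.
function platformTriple(platform, arch, musl) {
  const base = `${platform}-${arch}`;
  const triple = platform === 'linux' && musl ? `${base}-musl` : base;
  if (!SUPPORTED_TRIPLES.has(triple)) {
    throw new Error(`@socketaddon/iocraft: no prebuilt binary for ${triple}`);
  }
  return triple;
}

function platformPackageName(platform = process.platform, arch = process.arch, musl = detectMusl(platform)) {
  return `@socketaddon/iocraft-${platformTriple(platform, arch, musl)}`;
}

// Load the shim. `requireFn` (createRequire(import.meta.url) in real ESM)
// is injected so the logic is testable offline. A MODULE_NOT_FOUND here
// almost always means the optionalDependency was skipped at install
// time, so the error says that instead of a bare "cannot find module".
function loadAddon(requireFn, platform, arch, musl) {
  const name = platformPackageName(platform, arch, musl);
  try {
    return requireFn(name);
  } catch (err) {
    if (err && err.code === 'MODULE_NOT_FOUND') {
      throw new Error(`${name} is not installed (optionalDependencies omitted at install?)`, { cause: err });
    }
    throw err;
  }
}
```

The point of the explicit allow-list is that a host the package set does not cover fails at load time with a message naming the triple, rather than npm silently installing nothing and the loader throwing a generic resolution error.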
Summary
Scaffolds the publish boundary for @socketaddon/iocraft* packages.
- packages/iocraft — umbrella with optionalDependencies + platform loader (index.mjs / index.d.ts)
- packages/iocraft-{darwin,linux,win32}-{arm64,x64} (+ linux musl variants) — 8 per-platform shims
- scripts/publish.mts — download .node from socket-btm GH Releases, verify SHA-256, stage to tmpdir, pnpm publish. Fails loudly on checksum mismatch.
- .github/workflows/provenance.yml — delegates to the shared socket-registry/.github/workflows/provenance.yml@<sha> reusable with use-trusted-publishing: true
- docs/trusted-publisher-migration.md — checklist for migrating npm trusted-publisher ownership from SocketDev/socket-cli to SocketDev/socket-addon

Why a separate repo
Trusted publishing on npm requires the OIDC-issuing GitHub repo to match the publish boundary. Splitting build (socket-btm) from publish (socket-addon) means btm's publish credentials don't have npm scope, and socket-cli stops re-publishing iocraft as a side effect of CLI releases.

Verification chain
- iocraft-<date>-<sha> Release with 8 .node files + checksums.txt
- tag + checksums in packages/build-infra/release-assets.json
- scripts/publish.mts downloads each .node, runs verifyReleaseChecksum against the embedded SHA-256, copies into staged tmpdir, publishes

If a checksum mismatches, the run aborts before any package is published. No silent fallthrough.

Test plan
- pnpm install succeeds
- pnpm run publish:dry stages all 9 packages, downloads + verifies all 8 binaries, reports `--- 9 packages will be published`
- dist-tag = pre, confirm 9 packages published
- npm install @socketaddon/iocraft@pre resolves the matching per-platform package and import iocraft from '@socketaddon/iocraft' works
- docs/trusted-publisher-migration.md to remove SocketDev/socket-cli as a trusted publisher