feat(build): port scripts/build.mts to shared build-pipeline orchestrator#1265
John-David Dalton (jdalton) wants to merge 3 commits into main from
…ator
Fifth copy of the shared build-pipeline system (socket-btm + ultrathink +
socket-tui + sdxgen all use it). API surface is identical across repos —
manifest-of-stages, --force/--clean/--clean-stage/--from-stage/
--cache-key CLI, checkpoint JSONs under build/<mode>/.
What landed
- packages/build-infra/lib: adds checkpoint-manager, constants,
external-tools-schema, platform-mappings, version-helpers,
build-pipeline alongside the existing esbuild/platform-targets/
github-releases helpers. Coexists — no touching the pre-existing files.
- constants.mts: socket-cli's own checkpoint chain
(CLI → SEA → FINALIZED). No wasm verbs — socket-cli consumes pre-built
wasm + node binaries from socket-btm; same orchestrator drives a pure
JS build, the module name 'build-pipeline' reflects that.
- build-pipeline.mts: add `skip?: (ctx) => boolean` dynamic skip
predicate. skipInDev stays for fleet parity; skip is for dynamic
conditions like socket-cli's SEA stage (only runs on --force/--prod).
- scripts/build.mts: replace runSmartBuild's procedural loop with a
runPipelineCli call. Existing buildPackage/buildCurrentPlatformSea
helpers are wrapped as stage workers; the existing BUILD_PACKAGES
signature system still runs inside buildPackage's body, complementing
the orchestrator's own cache-hash layer (the two aren't fighting —
one works on file-glob inputs, the other on content hashes of
sourcePaths + platform metadata).
- Dispatch paths unchanged: --platforms / --targets / --target still
route to runParallelBuilds / runSequentialBuilds / runTargetedBuild
(the orchestrator only replaces the default smart-build path).
- Platform pinned to 'universal' via resolvePlatformArch so the cache
key stays stable across runner OSes (bundled CLI JS is universal).
- Checkpoints at build/<mode>/checkpoints/ matching socket-tui + sdxgen.
Bump @socketsecurity/lib catalog pin 5.21 → 5.24. 5.21's /errors
subpath shipped CJS without named-export interop, so `import
{ errorMessage } from '@socketsecurity/lib/errors'` failed under
Node's ESM-to-CJS resolver. 5.24 ships the interop (already in use
by socket-tui, ultrathink, socket-sdxgen).
Also: add @sinclair/typebox to catalog (needed by
external-tools-schema.mts).
Verified locally: `pnpm build` completes in 16s, CLI Package builds,
SEA correctly skipped (skip predicate), FINALIZED writes checkpoint.
Cached rerun: 0.0s. --help / --target / --platforms paths unchanged.
- loadExternalTools() now inspects validateExternalTools's return value.
The function returns { ok, errors? } per its own JSDoc; the previous
call discarded it, so malformed external-tools.json silently passed
through. Throw on validation failure with the formatted issue list.
- validateCheckpointChain error message now enumerates Object.values
(the actual checkpoint strings like 'cli', 'finalized') instead of
Object.keys (the enum accessors like CLI, FINALIZED) so suggestions
match what callers actually pass.
- runPipelineCli no longer logs the thrown error before re-throwing —
callers already have a top-level catch that formats the failure, so
we were showing the same message twice. Exit code is still set here
so a consumer that forgets the catch still fails the process.
Reported on PR #1265.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7ac5366.
SEA stage missing CLI output dependency causes stale builds (Medium Severity)
The SEA stage declares no sourcePaths, so its checkpoint hash only covers external-tools.json and root package.json (added by runStage). It doesn't include the CLI output file (cliOutputPath) that the SEA binary is built from. In --prod mode (the CI default via getCI()), where --force is not set, the SEA skip predicate allows it to run — but shouldRun finds its checkpoint hash unchanged after a CLI rebuild and skips it. The result is a stale SEA binary built from a previous CLI output. Adding sourcePaths: [cliOutputPath] to the SEA stage definition would fix this.
Cursor bugbot flagged the SEA stage as missing sourcePaths: its checkpoint hash only covered external-tools.json + root package.json (the two package-wide inputs runStage always adds). If CLI rebuilt but those files didn't change, shouldRun would find the SEA checkpoint hash unchanged and skip SEA — leaving a stale binary built from the previous dist/index.js. Add cliOutputPath to the SEA stage's sourcePaths so any CLI rebuild invalidates the SEA checkpoint and forces a rebuild of the binary. The other two findings on this PR (validateCheckpointChain wording, runPipelineCli double-log) were cursor re-flagging issues already fixed in commit 7ac5366 — current code uses Object.values and no longer logs in runPipelineCli.
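The stale-SEA failure mode bugbot describes, and the sourcePaths-plus-platform-metadata content hashing that the description above attributes to the orchestrator, modelled as an added example in TypeScript. This is not socket-cli's build-infra code; the hashing scheme, the in-memory file map and the dist/index.js path are assumptions.

```typescript
// Added example, not socket-cli's build-infra code: a minimal model of the
// orchestrator's checkpoint-hash layer (content hashes of sourcePaths plus
// platform metadata), used to show why a stage whose sourcePaths omit its
// real input is skipped even after that input changed.
import { createHash } from "node:crypto";

// Constructed in-memory file map standing in for the working tree.
type Files = Map<string, string>;

interface Stage {
  name: string;
  sourcePaths: string[];
}

// Package-wide inputs that, per the PR, runStage always adds to every hash.
const ALWAYS_HASHED = ["external-tools.json", "package.json"];

// Hash platform metadata plus the content of every declared input file.
function checkpointHash(stage: Stage, files: Files, platformArch = "universal"): string {
  const h = createHash("sha256");
  h.update(platformArch);
  for (const p of [...ALWAYS_HASHED, ...stage.sourcePaths].sort()) {
    const content = files.get(p);
    if (content === undefined) {
      throw new Error(`stage ${stage.name}: missing input ${p}`);
    }
    h.update(`\0${p}\0${content}`);
  }
  return h.digest("hex");
}

// A stage reruns when it has no checkpoint or its input hash changed.
function shouldRun(stage: Stage, files: Files, checkpoints: Map<string, string>): boolean {
  return checkpoints.get(stage.name) !== checkpointHash(stage, files);
}

// Build once, rebuild the CLI bundle, then ask whether SEA would rerun.
// Returns false when the SEA checkpoint is wrongly reused (stale binary).
function seaRerunsAfterCliRebuild(seaSourcePaths: string[]): boolean {
  const cliOutputPath = "dist/index.js"; // assumed path of the CLI bundle
  const files: Files = new Map([
    ["external-tools.json", "{}"],
    ["package.json", '{"name":"socket"}'],
    [cliOutputPath, "console.log('build 1')"],
  ]);
  const sea: Stage = { name: "sea", sourcePaths: seaSourcePaths };
  const checkpoints = new Map<string, string>();
  checkpoints.set(sea.name, checkpointHash(sea, files)); // first build passes
  files.set(cliOutputPath, "console.log('build 2')");     // CLI stage rebuilt
  return shouldRun(sea, files, checkpoints);
}
```

With an empty sourcePaths list the SEA checkpoint hash is unchanged after the CLI rebuild and the stage is skipped; listing cliOutputPath makes the hash change and the stage rerun, which is the fix the reply above lands.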


Summary
Fifth copy of the shared build-pipeline orchestrator that socket-btm, ultrathink, socket-tui, and sdxgen already use. API surface (manifest-of-stages, --force/--clean/--clean-stage/--from-stage/--cache-key CLI, checkpoint JSONs under build/<mode>/) is identical to the other four repos. socket-cli doesn't build wasm — it consumes pre-built wasm + node binaries from socket-btm. The orchestrator is build-type-agnostic; the module name reflects the machine, not one category of consumer.
What landed
- packages/build-infra/lib/ additions: build-pipeline.mts, checkpoint-manager.mts, constants.mts, external-tools-schema.{mts,json}, platform-mappings.mts, version-helpers.mts. Coexist with the existing esbuild/platform-targets/github-releases helpers — no touching pre-existing files.
- constants.mts: socket-cli's own checkpoint chain (CLI → SEA → FINALIZED).
- build-pipeline.mts: adds skip?: (ctx) => boolean dynamic skip predicate (socket-cli's SEA stage needs it — only runs on --force/--prod). skipInDev stays for fleet parity.
- scripts/build.mts: replaces runSmartBuild's procedural loop with runPipelineCli. Existing buildPackage/buildCurrentPlatformSea helpers wrap as stage workers; dispatch paths for --platforms / --targets / --target unchanged.
- Platform pinned to 'universal' via resolvePlatformArch so the cache key stays stable across runner OSes (bundled CLI JS is universal).
- Checkpoints at build/<mode>/checkpoints/ matching socket-tui + sdxgen.
Drive-by changes
- @socketsecurity/lib catalog pin 5.21 → 5.24. 5.21's /errors subpath shipped CJS without named-export interop, so import { errorMessage } from '@socketsecurity/lib/errors' failed under Node's ESM-to-CJS resolver. 5.24 ships the interop (already in use by socket-tui, ultrathink, sdxgen).
- @sinclair/typebox to catalog (required by external-tools-schema.mts).
Test plan
- pnpm build completes in 16s, CLI Package builds, SEA correctly skipped
- pnpm build on cached tree: 0.0s, all stages skipped via checkpoint JSON
- pnpm build --help / --target / --platforms paths unchanged
- pnpm build --cache-key emits v<node>-universal-<mode>-<hash>-<pkgver>
- pnpm build --clean-stage=<name> surgically reruns from that stage on
Medium Risk
Moderate risk because it replaces the default build orchestration and caching behavior; issues could cause builds to skip incorrectly or clean/rebuild unexpectedly across stages.
Overview
Replaces scripts/build.mts's procedural "smart build" flow with a declarative runPipelineCli pipeline, adding stage checkpoints (cli, sea, finalized) plus support for --clean, --clean-stage, --from-stage, and --cache-key (with a fixed platformArch of universal).
Adds new build-infra modules for the orchestrator (build-pipeline.mts), checkpoint hashing/markers (checkpoint-manager.mts), platform/libc mapping helpers, version helpers, and external-tools.json validation (TypeBox schema), and exports them from packages/build-infra/package.json.
Updates dependencies to include @sinclair/typebox and bumps @socketsecurity/lib to 5.24.0 in the workspace/lockfile.