verify-action-build: handle source-detached orphan release tags #768
Merged
Some actions (e.g. slackapi/slack-github-action with its changesets-driven release flow) publish their version tag as a rootless orphan commit whose tree contains only distributable artifacts — action.yml, dist/, LICENSE, README.md. Consumers pin to that commit SHA, so the verifier clones it and runs npm run build, but there is no src/ and no package.json at the tag and the rebuild silently produces nothing, causing a misleading "DIFFERENCES DETECTED" failure. Detect that pattern and resolve the corresponding default-branch source commit via the GitHub Releases API: find the tag(s) pointing at the commit, read published_at, and pick the most recent default-branch commit at or just before published_at that has a buildable package.json — preferring "chore: release"-style messages (changesets / release-please / Version Packages). The Docker build then captures /original-dist from the orphan tag and git-checkouts to the resolved source commit before building, so the rebuild runs against real source and the diff is against the tag's published dist. The detection is narrow: only top-level tags whose tree has dist/ but no package.json and no src/. Monorepo sub-actions and normal actions are untouched. Verified end-to-end against slackapi/slack-github-action@v3.0.2 (byte-identical rebuild) and v3.0.1, with regression checks on actions/checkout, astral-sh/setup-uv, and scacap/action-surefire-report (not flagged as detached, normal path preserved).
Author (Member) commented:
This is apparently common practice: an action is released from an orphan tag that "only" contains compiled JavaScript - no sources. This change to our verify script should handle it.
dave2wave (Member) approved these changes on Apr 24, 2026 and left a comment:
Looks like a necessary new feature
Summary
- Orphan release tag whose tree holds only action.yml, dist/, LICENSE, README.md — no src/ and no package.json to rebuild from. Common with changesets-driven release flows (e.g. slackapi/slack-github-action v3.0.x).
- Tag → published_at → most recent default-branch commit at or just before published_at with a buildable package.json, preferring "chore: release"-style messages.
- Capture /original-dist from the orphan tag, then git checkout to the resolved source commit before building, so the rebuild runs against real source and the diff compares against the tag's published dist/.

Why
Currently verifier runs on slackapi/slack-github-action@v3.0.2 (PR #762) fail with "JS build verification: DIFFERENCES DETECTED" — but the actual cause is that the tag commit has no source at all, so the rebuild silently produces nothing. The failure message is misleading and blocks auto-approval of an otherwise-valid bump.

Verified end-to-end:
- slackapi/slack-github-action@v3.0.2 (03ea5433c137) → resolves to 90fee45e5a24 (main's "chore: release (gateway: bump sbt/setup-sbt from 1.1.20 to 1.1.22 #593)"); rebuilt dist/index.js + dist/sourcemap-register.cjs are byte-identical to the tag's published artifacts.
- v3.0.1 (same pattern, already approved) also passes cleanly under the new path.
- actions/checkout, astral-sh/setup-uv, scacap/action-surefire-report are not flagged as detached — detection is narrow (dist/ present, package.json + src/ absent, top-level only), so the normal build path is unchanged.

Test plan
- verify now passes.

Generated-by: Claude Opus 4.7 (1M context)
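The detection and source-commit resolution heuristic laid out in the PR description and in the summary above, as an added Python example that is not the project's own verifier code: it works on a flat tree listing and on release/commit records constructed inline instead of calling the GitHub API. The helper names, the 72-hour window in which a release-style commit is preferred over a newer ordinary commit, and every timestamp are assumptions; the two SHAs and the "chore: release" subject are the ones the PR quotes.

```python
# Added example, not the project's verifier code: the orphan-tag detection and
# source-commit resolution heuristic the PR describes, run offline over constructed
# data. Helper names, the 72-hour preference window and all timestamps are
# assumptions; the SHAs and the release commit message are the ones the PR quotes.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Release:
    tag: str
    target_sha: str         # commit the tag points at (the orphan commit)
    published_at: datetime  # published_at from the GitHub Releases API


@dataclass(frozen=True)
class Commit:
    sha: str
    committed_at: datetime
    message: str
    has_package_json: bool  # "buildable": tree carries a top-level package.json


# Subjects typical of changesets / release-please "Version Packages" commits.
RELEASE_MESSAGE_HINTS = ("chore: release", "version packages", "release-please")


def _top_level(tree_paths: Iterable[str]):
    """Split a flat tree listing into top-level directory names and file names."""
    dirs, files = set(), set()
    for path in tree_paths:
        path = path.strip("/")
        if "/" in path:
            dirs.add(path.split("/", 1)[0])
        else:
            files.add(path)
    return dirs, files


def is_source_detached(tree_paths: Iterable[str]) -> bool:
    """Narrow check from the PR: top-level dist/ present, no top-level package.json,
    no top-level src/. A nested dist/ (monorepo sub-action) does not count."""
    dirs, files = _top_level(tree_paths)
    return "dist" in dirs and "package.json" not in files and "src" not in dirs


def looks_like_release_commit(message: str) -> bool:
    subject = message.splitlines()[0].lower() if message else ""
    return any(hint in subject for hint in RELEASE_MESSAGE_HINTS)


def resolve_source_commit(tag_sha: str, releases: Iterable[Release],
                          commits: Iterable[Commit],
                          window: timedelta = timedelta(hours=72)) -> Optional[Commit]:
    """Newest default-branch commit at or before the release's published_at that has
    a buildable package.json; a release-style commit inside `window` before the
    cutoff is preferred over a newer non-release commit. None if nothing matches."""
    published = [r.published_at for r in releases if r.target_sha == tag_sha]
    if not published:
        return None  # no release points at this commit, so it cannot be dated
    cutoff = max(published)
    candidates = sorted((c for c in commits
                         if c.has_package_json and c.committed_at <= cutoff),
                        key=lambda c: c.committed_at, reverse=True)
    for c in candidates:
        if c.committed_at >= cutoff - window and looks_like_release_commit(c.message):
            return c
    return candidates[0] if candidates else None


def plan_verification(tag_sha, tree_paths, releases, commits) -> dict:
    """Which commit to build and where the reference dist/ comes from, mirroring the
    PR's Docker flow: for a detached tag the published dist/ is captured from the
    tag (original-dist) and the build checks out the resolved source commit."""
    if not is_source_detached(tree_paths):
        return {"mode": "normal", "build_sha": tag_sha, "original_dist_sha": tag_sha}
    source = resolve_source_commit(tag_sha, releases, commits)
    if source is None:
        return {"mode": "unresolved", "build_sha": None, "original_dist_sha": tag_sha}
    return {"mode": "detached", "build_sha": source.sha, "original_dist_sha": tag_sha}


def _utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed sample data; timestamps and the 1111/2222/3333/4444 SHAs are made up.
TAG_SHA = "03ea5433c137"
TAG_TREE = ["action.yml", "dist/index.js", "dist/sourcemap-register.cjs", "LICENSE", "README.md"]
NORMAL_TREE = ["action.yml", "package.json", "src/main.ts", "dist/index.js"]
SUB_ACTION_TREE = ["README.md", "packages/foo/action.yml", "packages/foo/dist/index.js"]
RELEASES = [Release("v3.0.2", TAG_SHA, _utc(2025, 1, 10, 12, 0))]
MAIN_COMMITS = [
    Commit("2222222222bb", _utc(2025, 1, 10, 13, 0), "feat: landed after publish", True),
    Commit("4444444444dd", _utc(2025, 1, 10, 11, 50), "ci: tweak workflow", False),
    Commit("1111111111aa", _utc(2025, 1, 10, 11, 45), "docs: fix typo in README", True),
    Commit("90fee45e5a24", _utc(2025, 1, 10, 11, 30),
           "chore: release (gateway: bump sbt/setup-sbt from 1.1.20 to 1.1.22 #593)", True),
    Commit("3333333333cc", _utc(2025, 1, 9, 9, 0), "chore: release 3.0.1", True),
]

if __name__ == "__main__":
    print(plan_verification(TAG_SHA, TAG_TREE, RELEASES, MAIN_COMMITS))
```

In the sample data the docs commit is newer than the release commit but both sit before published_at, so the release-style subject wins; the commit after publish and the one without package.json are excluded outright, and a tag no release points at yields an "unresolved" plan rather than a silent empty build.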