feat: npm fetch/enable action to fetch from npm #3
Pull request overview
This PR upgrades the action from a placeholder to a functional “tarball baseline vs local build” gzip-size comparison tool, and adds extensive OpenSpec workflow/skill/prompt documentation to support an experimental spec-driven process around the change.
Changes:
- Implement tarball download + `.tar.gz` extraction, file path normalization/validation, gzip measurement, and JSON report generation in the action runtime.
- Expand the action contract with new required inputs (`tarball-uri`, `files`), new outputs, and update README + sample workflow accordingly.
- Add OpenSpec specs + archived change artifacts, plus multiple command/skill/prompt documents across `.claude/`, `.opencode/`, and `.github/`.
Reviewed changes
Copilot reviewed 37 out of 38 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `tests/index.test.js` | Adds Node test coverage for path parsing, tarball root stripping, and report deltas. |
| `src/index.ts` | Implements the tarball gzip comparison logic, config parsing, and action outputs. |
| `README.md` | Documents the new inputs/outputs and provides updated workflow + local-run examples. |
| `package.json` | Adds a test script to compile and run Node’s built-in test runner. |
| `openspec/specs/tarball-gzip-comparison/spec.md` | Defines requirements for the tarball gzip comparison capability. |
| `openspec/config.yaml` | Adds OpenSpec schema configuration scaffold. |
| `openspec/changes/archive/2026-05-15-compare-tarball-gzip-sizes/tasks.md` | Archived task list for the implemented change. |
| `openspec/changes/archive/2026-05-15-compare-tarball-gzip-sizes/specs/tarball-gzip-comparison/spec.md` | Archived delta spec snapshot for the change. |
| `openspec/changes/archive/2026-05-15-compare-tarball-gzip-sizes/proposal.md` | Archived proposal describing why/what for the change. |
| `openspec/changes/archive/2026-05-15-compare-tarball-gzip-sizes/design.md` | Archived design decisions and tradeoffs for implementation. |
| `openspec/changes/archive/2026-05-15-compare-tarball-gzip-sizes/.openspec.yaml` | Archived OpenSpec metadata for the change. |
| `dist/index.js` | Updated bundled action artifact reflecting new runtime logic. |
| `action.yml` | Updates action metadata, inputs, and outputs for tarball comparison. |
| `.opencode/skills/openspec-propose/SKILL.md` | Adds OpenSpec “propose” skill documentation for OpenCode. |
| `.opencode/skills/openspec-explore/SKILL.md` | Adds OpenSpec “explore” skill documentation for OpenCode. |
| `.opencode/skills/openspec-archive-change/SKILL.md` | Adds OpenSpec “archive change” skill documentation for OpenCode. |
| `.opencode/skills/openspec-apply-change/SKILL.md` | Adds OpenSpec “apply change” skill documentation for OpenCode. |
| `.opencode/command/opsx-propose.md` | Adds OpenCode command doc for proposing a change. |
| `.opencode/command/opsx-explore.md` | Adds OpenCode command doc for explore mode. |
| `.opencode/command/opsx-archive.md` | Adds OpenCode command doc for archiving a change. |
| `.opencode/command/opsx-apply.md` | Adds OpenCode command doc for applying/implementing a change. |
| `.github/workflows/bundle-size.yml` | Updates example workflow to build and run the action with tarball inputs. |
| `.github/skills/openspec-propose/SKILL.md` | Adds GitHub skill doc for proposing changes. |
| `.github/skills/openspec-explore/SKILL.md` | Adds GitHub skill doc for explore mode. |
| `.github/skills/openspec-archive-change/SKILL.md` | Adds GitHub skill doc for archiving changes. |
| `.github/skills/openspec-apply-change/SKILL.md` | Adds GitHub skill doc for applying changes. |
| `.github/prompts/opsx-propose.prompt.md` | Adds GitHub prompt for proposing changes. |
| `.github/prompts/opsx-explore.prompt.md` | Adds GitHub prompt for explore mode. |
| `.github/prompts/opsx-archive.prompt.md` | Adds GitHub prompt for archiving. |
| `.github/prompts/opsx-apply.prompt.md` | Adds GitHub prompt for applying/implementing. |
| `.claude/skills/openspec-propose/SKILL.md` | Adds Claude skill doc for proposing changes. |
| `.claude/skills/openspec-explore/SKILL.md` | Adds Claude skill doc for explore mode. |
| `.claude/skills/openspec-archive-change/SKILL.md` | Adds Claude skill doc for archiving changes. |
| `.claude/skills/openspec-apply-change/SKILL.md` | Adds Claude skill doc for applying changes. |
| `.claude/commands/opsx/propose.md` | Adds Claude command doc for propose workflow. |
| `.claude/commands/opsx/explore.md` | Adds Claude command doc for explore workflow. |
| `.claude/commands/opsx/archive.md` | Adds Claude command doc for archive workflow. |
| `.claude/commands/opsx/apply.md` | Adds Claude command doc for apply workflow. |
4 issues found across 38 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/prompts/opsx-archive.prompt.md">
<violation number="1" location=".github/prompts/opsx-archive.prompt.md:59">
P2: Step 4 instructs using the Task tool to delegate to a subagent that then uses the Skill tool, but the Guardrails explicitly say to directly "use the Skill tool to invoke `openspec-sync-specs`". These two instructions contradict each other and will confuse the agent about the correct invocation mechanism.</violation>
</file>
<file name=".claude/commands/opsx/apply.md">
<violation number="1" location=".claude/commands/opsx/apply.md:44">
P2: Reference non-existent `/opsx:continue` command in blocked-state guidance. The repository contains no `continue.md` command definition. Since `/opsx:propose` can resume existing changes (it explicitly handles continuing an existing change), suggest using it to complete missing artifacts instead.</violation>
</file>
<file name=".opencode/skills/openspec-archive-change/SKILL.md">
<violation number="1" location=".opencode/skills/openspec-archive-change/SKILL.md:66">
P2: When delta specs are already synced, the prompt options include "Cancel", but the instruction to "Proceed to archive regardless of choice" does not explicitly handle cancellation. An agent following this may archive the change even when the user explicitly chooses to abort.</violation>
</file>
<file name="package.json">
<violation number="1" location="package.json:11">
P2: Use a directory argument instead of a shell glob for cross-platform `node --test` compatibility. Node.js 20 supports `node --test tests/`, which recursively discovers test files without relying on shell expansion.</violation>
</file>
@cubic-dev-ai please review in depth
@jasonsaayman I have started the AI code review. It will take a few minutes to complete.
2 issues found across 24 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/tarball.ts">
<violation number="1" location="src/tarball.ts:39">
P1: Validate parsed tar entry size before using it; malformed size fields currently pass through and can break extraction silently.</violation>
</file>
<file name="src/paths.ts">
<violation number="1" location="src/paths.ts:55">
P2: Traversal detection is over-broad: `startsWith("..")` rejects valid in-root paths like `..foo`. Check only `..` and `..{sep}` prefixes instead.</violation>
</file>
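The `src/tarball.ts` finding above (validate the parsed tar entry size) can be illustrated as follows. This is an added example, not code from the PR: the function names are hypothetical, the headers are constructed, and it assumes the size field is read with an octal `parseInt`, which the page does not show.

```javascript
// Added example (not the PR's code). Offsets follow the ustar header layout;
// all function names are hypothetical.
const BLOCK = 512;        // tar headers and data are padded to 512-byte blocks
const SIZE_OFFSET = 124;  // size field: 12 bytes of octal ASCII at offset 124
const SIZE_LENGTH = 12;

// Build a constructed header whose size field holds the given text.
function makeHeader(sizeText) {
  const header = new Uint8Array(BLOCK);
  for (let i = 0; i < sizeText.length && i < SIZE_LENGTH; i++) {
    header[SIZE_OFFSET + i] = sizeText.charCodeAt(i);
  }
  return header;
}

// Raw 12-character size field as a string (NUL bytes included).
function sizeField(header) {
  const bytes = header.subarray(SIZE_OFFSET, SIZE_OFFSET + SIZE_LENGTH);
  return String.fromCharCode(...bytes);
}

// Lenient parse: parseInt stops at the first non-octal character, so a
// malformed field yields NaN or a truncated number instead of an error.
function parseSizeLenient(header) {
  return parseInt(sizeField(header), 8);
}

// Strict parse: octal digits only (space padding and a NUL/space terminator
// are allowed), and the padded entry must fit in the bytes left to read.
function parseSizeStrict(header, bytesRemaining) {
  const text = sizeField(header).replace(/[\0 ]+$/, "").replace(/^ +/, "");
  if (!/^[0-7]+$/.test(text)) {
    throw new Error("malformed tar size field: " + JSON.stringify(text));
  }
  const size = parseInt(text, 8);
  const padded = Math.ceil(size / BLOCK) * BLOCK;
  if (padded > bytesRemaining) {
    throw new Error("tar entry size " + size + " exceeds remaining " + bytesRemaining);
  }
  return size;
}

// True when the strict parser rejects the header.
function rejects(header, bytesRemaining) {
  try { parseSizeStrict(header, bytesRemaining); return false; } catch (e) { return true; }
}
```

The strict parser also rejects GNU base-256 sizes (first byte with the high bit set) and the all-NUL end-of-archive block, so a caller has to detect the end-of-archive marker before parsing the size.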
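The `src/paths.ts` finding above (over-broad `startsWith("..")` traversal detection) is shown here with the broad and narrow checks side by side. This is an added example, not code from the PR: function names are hypothetical, the sample paths are constructed, and a POSIX `/` separator is assumed.

```javascript
// Added example (not the PR's code). Function names are hypothetical.
const SEP = "/"; // assumption: POSIX separator; use the platform separator on Windows

// Collapse "." and ".." segments of a relative path. Leading ".." segments are
// kept so the caller can see that the path climbs above the root.
function normalizeRelative(input) {
  const out = [];
  for (const seg of input.split(SEP)) {
    if (seg === "" || seg === ".") continue;
    if (seg === ".." && out.length > 0 && out[out.length - 1] !== "..") out.pop();
    else out.push(seg);
  }
  return out.join(SEP);
}

// Over-broad check described in the review: any path beginning with two dots.
function escapesRootBroad(input) {
  return normalizeRelative(input).startsWith("..");
}

// Narrow check: the whole path is "..", or its first segment is "..".
function escapesRoot(input) {
  if (input.startsWith(SEP)) return true; // absolute paths are never in-root
  const rel = normalizeRelative(input);
  return rel === ".." || rel.startsWith(".." + SEP);
}

// Constructed sample inputs: [path, expected result of escapesRoot].
const SAMPLES = [
  ["dist/index.js", false],
  ["..foo", false],             // valid name that merely starts with two dots
  ["..foo/bundle.js", false],
  ["dist/../..foo", false],
  ["..", true],
  ["../secrets.txt", true],
  ["dist/../../etc/passwd", true],
];

// Sample paths on which the broad and narrow checks disagree.
function disagreements() {
  return SAMPLES.map(([p]) => p).filter((p) => escapesRootBroad(p) !== escapesRoot(p));
}
```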
This pull request introduces comprehensive documentation and workflow definitions for experimental OpenSpec-based workflows in the `.claude/commands/opsx/` directory, as well as a corresponding skill in `.claude/skills/openspec-apply-change/`. The changes define and clarify the propose, apply, archive, and explore phases of the workflow, including user prompts, guardrails, and integration with CLI tools. The documentation is detailed and provides step-by-step instructions, output examples, and strict guidelines for each phase.
The most important changes are:
Workflow Documentation Additions:
- `.claude/commands/opsx/propose.md` to define the process for proposing a new change, including artifact creation, dependency management, and user interaction guidelines.
- `.claude/commands/opsx/apply.md` to specify the steps and guardrails for implementing tasks from an OpenSpec change, covering context gathering, task execution, and handling of blocked or completed states.
- `.claude/commands/opsx/archive.md` to document the archiving process for completed changes, including artifact and task completion checks, delta spec syncing, and user confirmation flows.
- `.claude/commands/opsx/explore.md` to describe "explore mode," focusing on investigation, brainstorming, and artifact creation without implementation, with an emphasis on adaptive, visual, and user-driven exploration.
Skill Documentation:
- `.claude/skills/openspec-apply-change/SKILL.md`, which formalizes the implementation workflow as a skill, mirroring the logic in `apply.md` and providing structured steps, output formats, and guardrails for use with the OpenSpec CLI.
These additions provide a clear, robust foundation for experimental, schema-driven development workflows, ensuring consistency and clarity for both users and automation tools.
Summary by cubic
Adds gzip bundle size comparison to the action: compares local build artifacts against files from a tarball baseline and writes a JSON report. Also introduces experimental OpenSpec workflows and skills for propose/apply/archive/explore.
New Features
- `.tar.gz` baseline.
- `tarball-uri` (required), `files` (required, newline-delimited), `path` (project root), `output-file` (JSON report path).
- `.tar.gz` entry extraction, clear errors for config, network, and missing files.
- `README`, `action.yml`, and added tests and a CI fixture. Workflow uses Node 20 and `pnpm` to build before comparing.
Migration
- `tarball-uri` and `files`.
- `path` to point at your local project root; omit `output-file` to use the default JSON report name.
Written for commit 425b337. Summary will update on new commits.