fix(release): restore win32-x64 binary (Socket Firewall breaks pnpm install on Windows)#29
Conversation
📝 WalkthroughWalkthroughThis PR updates CODEOWNERS ownership for ChangesCODEOWNERS ownership
Release workflow install
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
220-226: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winGate the Socket setup step on the same platform check. The Windows leg still invokes
socketdev/actionand receivesSOCKET_SECURITY_API_KEY; addif: matrix.platform != 'win32'here too so Socket Firewall stays Unix-only.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 220 - 226, The Socket Firewall setup is still running on the Windows job, so update the Socket-related workflow step in the release pipeline to use the same platform guard as the Unix install path. Add the matrix.platform != 'win32' condition to the step that invokes socketdev/action and consumes SOCKET_SECURITY_API_KEY, keeping the Socket setup Unix-only and aligned with the existing install steps.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 220-226: The Socket Firewall setup is still running on the Windows
job, so update the Socket-related workflow step in the release pipeline to use
the same platform guard as the Unix install path. Add the matrix.platform !=
'win32' condition to the step that invokes socketdev/action and consumes
SOCKET_SECURITY_API_KEY, keeping the Socket setup Unix-only and aligned with the
existing install steps.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d4ea42b1-e8e3-4db3-92ec-8a96c84389b7
📒 Files selected for processing (2)
.github/CODEOWNERS.github/workflows/release.yml
Summary by CodeRabbit
The
win32-x64leg ofbuild-binariesfailed atpnpm buildwith'rslib' is not recognized as an internal or external command.Root cause:
sfw pnpm install(Socket Firewall) silently no-ops on the Windows runner —node_modulesis never created — so the subsequent build can't findrslib(or any local bin). The 3 Unix legs (linux-x64, darwin-arm64, darwin-x64) are unaffected; Socket Firewall'ssfwwrapper only breakspnpm installon win32.Fix: run Socket Firewall on the Unix legs only; do a plain
pnpm install --frozen-lockfileon win32.QA Proof
Root cause isolated with a throwaway
workflow_dispatch/push debug workflow on Windows, changing exactly one variable (thesfwwrapper):node_modules/.binpnpm buildpnpm exec rslib buildpnpm build(bash)pnpm install(no sfw)rslib.cmdpresentsfw pnpm installnode_modulesabsent)WARN Local package.json exists, but node_modules missing, did you mean to install?— confirmingsfwskipped the install entirely.24.17.0, pnpm10.33.1, corepack0.35.0, default shell (pwsh) — all build fine withoutsfw.rslib@0.0.11on Windows under the pre-hardening workflow, confirming this is a regression from thesfwaddition, not a toolchain issue.Security Tradeoff
--frozen-lockfile⇒ all 4 platforms resolve the identical dependency set, which Socket Firewall already scans on linux + darwin×2 ("Nothing to report").onlyBuiltDependencies: [esbuild]applies on every platform alike.publishjob still runs undersfw, unchanged.productionjobs) — consistent with the monorepo baseline, which uses free-editionsfweverywhere and passes no API key.What Needs to Be QA'd (release re-tag run)
build-binarieslegs green; win32 producesshield-windows-x64.exe+.sha256with attestationcreate-releaseattaches all 4 binaries + checksumssecurity-auditpasses; harden-runner egress shows only expected hostsgh attestation verifyper platform,shasum -c, functional smoke on the released artifactsQA Team Notification
v1.3.0re-tag release run; npmpublishgated behindproductionenvironment approvalFollow-ups (out of scope)
sfw-breaks-pnpm-install-on-Windows to Socketmacos-14/macos-13) instead ofmacos-latestfor release reproducibility