chore(ci): migrate publish step to npm-publish-hardened#95
Replaces the inline 50-line publish loop with a call to the shared composite action introduced in stella/.github#23 and refactored to the tarball-input shape in stella/.github#25, pinned to SHA 8dfd1bcbf4b1339b515ed359daa4f62970db2cc0. The composite encodes the same semantics — idempotent npm view check + provenance publish + eventual-consistency retry — and additionally hard-fails if NPM_TOKEN/NODE_AUTH_TOKEN is set in env, since trusted publishing performs auth via OIDC token exchange and any token in env would silently short-circuit that path.

Dropped:
- the `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` env line; token mode is no longer supported. Trusted publishing is configured for the package on the npm side.
- the inline `.npmrc` token-write step (no longer needed without a token to write)
- the inline `publish_tarball()` retry loop (now in the composite)

No functional change for a successful publish. The retry cadence inside the composite (1+2+3+4+5s = 15s total) is slightly faster than the previous local one (10+20+30+40+50s = 150s); if npm registry visibility lag exceeds 15s in practice, we can extend the composite.
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2803fabe41
}
publish_tarball "${{ steps.pack.outputs.tarball }}"
uses: stella/.github/.github/actions/npm-publish-hardened@8dfd1bcbf4b1339b515ed359daa4f62970db2cc0
Restore retries for failed npm publish attempts
This replacement changes the retry semantics of the release workflow: the removed inline loop retried npm publish up to five times, but the pinned composite action at 8dfd1bcb... runs npm publish only once and then merely polls npm view to see whether that single attempt was accepted. When npm fails before accepting the tarball (for example a transient registry 5xx, network, or TLS failure), this workflow will now fail the release instead of retrying the publish as it did before.
CC on behalf of @jan-kubica: Codex P2 is valid and being addressed in stella/.github#26 (retry `npm publish` itself, not just the visibility poll). Once that lands, this PR will be re-pinned to the new composite SHA before merge so the migration carries forward the same publish-retry semantics the inline loop had.
* fix(actions): retry npm publish, not just the visibility poll

  The previous loop ran `npm publish` exactly once and then polled `npm view` between sleeps. That handles the eventual-consistency case (publish appeared to fail but actually went through) but does NOT retry a real transient failure — registry 5xx, network blip, TLS error — where the artifact never reached the registry. stdnum's previous inline publish loop did retry the publish itself up to 5 times; that semantic is restored here, with a single `already_published` check inside the loop covering both modes:

  - publish fails AND artifact landed (eventual consistency) → exit 0
  - publish fails AND artifact didn't land → next attempt

  Backoff lengthened to 5s, 10s, 15s, 20s between attempts (50s total across 5 attempts) to give the registry a real chance to recover from a transient.

  Addresses codex P2 on stella/stdnum#95.

* fix(actions): poll for eventual consistency after the final failed publish

  If the 5th and final `npm publish` is the first attempt that reaches the registry but exits non-zero before the version is visible, the previous control flow ran one `already_published` check and exited immediately. That collapses the eventual-consistency window to ~0s for the last attempt and reintroduces the exact failure mode the retry loop was meant to avoid.

  After all publish attempts fail, run an additional 1/2/3/4/5s polling loop (15s) for the version to appear. Worst-case total time across all 5 publish attempts + final poll is ~65s.

  Addresses codex P2 review on PR #26.

* fix(actions): emit `::error::` workflow commands on stdout, not stderr

  GitHub Actions parses `::error::`/`::warning::`/`::notice::` workflow commands out of the runner's log stream to create UI annotations. Per the docs, those commands must be written to stdout — `>&2` skips the annotation pipeline and the message only shows up in raw logs. Remove `>&2` from every `::error::` printf.

  The remaining `>&2` on `cat "${PUBLISH_LOG}" >&2` is kept: that's the npm publish failure output, which is genuine stderr content rather than a workflow command.

  Addresses gemini medium on PR #26.
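The publish-retry semantics those commit messages describe (retry `npm publish` itself, an `already_published` check after every failed attempt, a 1+2+3+4+5s poll after the last one) together with the env-token guard from the PR description, written out as an added example in shell. This is not the npm-publish-hardened composite's code or anything from stella/.github: the function names (`publish_with_retry`, `check_no_token_in_env`), the `VIEW_FN`/`PUBLISH_FN`/`SLEEP_FN` override hooks and the constructed fake registry (`fake_view`, `fake_publish`, `run_scenario`) are assumptions made here so the loop can be exercised offline without npm.

```shell
#!/usr/bin/env bash
# Added example, not the npm-publish-hardened composite's own code. Function
# names, the VIEW_FN/PUBLISH_FN/SLEEP_FN hooks and the FAKE_* registry are
# assumptions made here so the loop can be exercised offline without npm.
set -u

# Real npm calls; the hooks default to these when nothing overrides them.
npm_view_version()    { npm view "$1@$2" version >/dev/null 2>&1; }
npm_publish_tarball() { npm publish "$1" --provenance --access public; }

# Trusted publishing authenticates through an OIDC token exchange; a registry
# token in env would make npm use it instead and silently bypass that path.
check_no_token_in_env() {
  if [ -n "${NPM_TOKEN:-}" ] || [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    # Workflow command on stdout, so the runner turns it into an annotation.
    printf '::error::NPM_TOKEN/NODE_AUTH_TOKEN is set; trusted publishing uses OIDC, unset it\n'
    return 1
  fi
}

# publish_with_retry NAME VERSION TARBALL: 0 once NAME@VERSION is visible, else 1.
publish_with_retry() {
  name=$1; version=$2; tarball=$3
  view_fn=${VIEW_FN:-npm_view_version}
  publish_fn=${PUBLISH_FN:-npm_publish_tarball}
  sleep_fn=${SLEEP_FN:-sleep}
  check_no_token_in_env || return 1

  # Idempotent early return: re-running the job after a good publish is a no-op.
  if "$view_fn" "$name" "$version"; then
    printf '%s@%s already published, nothing to do\n' "$name" "$version"
    return 0
  fi

  attempt=1
  while [ "$attempt" -le 5 ]; do
    "$publish_fn" "$tarball" && return 0
    # Non-zero exit: either the artifact landed anyway (eventual consistency,
    # success) or it never reached the registry (back off, retry the publish).
    if "$view_fn" "$name" "$version"; then
      printf '::warning::attempt %s exited non-zero but %s@%s is visible; treating as success\n' \
        "$attempt" "$name" "$version"
      return 0
    fi
    if [ "$attempt" -lt 5 ]; then
      delay=$((attempt * 5))   # 5, 10, 15, 20s between attempts, 50s total
      printf '::warning::publish attempt %s failed; retrying in %ss\n' "$attempt" "$delay"
      "$sleep_fn" "$delay"
    fi
    attempt=$((attempt + 1))
  done

  # Every publish failed. The last one may have reached the registry and exited
  # before the version was visible, so poll 1+2+3+4+5s rather than checking once.
  for delay in 1 2 3 4 5; do
    "$sleep_fn" "$delay"
    if "$view_fn" "$name" "$version"; then
      printf '::warning::%s@%s became visible during the final poll\n' "$name" "$version"
      return 0
    fi
  done
  printf '::error::%s@%s not on the registry after 5 publish attempts and a 15s poll\n' \
    "$name" "$version"
  return 1
}

# --- Constructed fake registry (not real npm) so the loop runs offline ---
fake_view() {
  [ "$FAKE_LANDED" -eq 1 ] || return 1
  FAKE_VIEWS_SINCE_LANDING=$((FAKE_VIEWS_SINCE_LANDING + 1))
  [ "$FAKE_VIEWS_SINCE_LANDING" -gt "$FAKE_VIEW_DELAY" ]    # simulated visibility lag
}
fake_publish() {
  FAKE_PUBLISH_CALLS=$((FAKE_PUBLISH_CALLS + 1))
  if [ "$FAKE_PUBLISH_CALLS" -le "$FAKE_FAIL_BEFORE" ]; then
    printf 'npm ERR! 503 Service Unavailable (simulated)\n' >&2
    return 1
  fi
  FAKE_LANDED=1
  [ "$FAKE_LAND_BUT_FAIL" -eq 0 ] || { printf 'npm ERR! timeout (simulated, artifact landed)\n' >&2; return 1; }
}

# run_scenario FAIL_BEFORE LAND_BUT_FAIL VIEW_DELAY
#   FAIL_BEFORE    publishes that fail before reaching the registry
#   LAND_BUT_FAIL  1 = the first publish to reach the registry lands but exits non-zero
#   VIEW_DELAY     view calls after landing that still report not-found
# Returns publish_with_retry's status; FAKE_PUBLISH_CALLS holds the attempt count.
run_scenario() {
  FAKE_FAIL_BEFORE=$1; FAKE_LAND_BUT_FAIL=$2; FAKE_VIEW_DELAY=$3
  FAKE_LANDED=0; FAKE_VIEWS_SINCE_LANDING=0; FAKE_PUBLISH_CALLS=0
  unset NPM_TOKEN NODE_AUTH_TOKEN                          # as a trusted-publishing job runs
  VIEW_FN=fake_view; PUBLISH_FN=fake_publish; SLEEP_FN=:   # ':' skips real sleeping
  publish_with_retry "@stella/example" "1.2.3" "stella-example-1.2.3.tgz"
}

# Stand-alone demo: two transient 503s, then success on the third attempt.
run_scenario 2 0 0 && printf 'demo: published after %s attempt(s)\n' "$FAKE_PUBLISH_CALLS"
```

`run_scenario 4 1 2` is the case the second commit message is about: four 503s, a fifth publish that lands but exits non-zero, and a registry that only reports the version on the third `view` after landing, so the in-loop check misses it and only the final poll catches it. `run_scenario 99 0 0` never lands and exits 1 after five publishes. In a real workflow the hooks stay at their npm defaults and `SLEEP_FN` is unset, so the real 50s + 15s schedule applies.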
Bumped composite SHA pin to
Replaces the inline 50-line publish loop with a call to `stella/.github/.github/actions/npm-publish-hardened` (pinned to SHA `8dfd1bcbf4`).
The composite encodes the same semantics — idempotent `npm view` early-return + `npm publish --provenance --access public` + eventual-consistency retry — and additionally hard-fails if `NPM_TOKEN` / `NODE_AUTH_TOKEN` is set in env, because trusted publishing performs auth via OIDC token exchange; any token in env would silently short-circuit that.
Dropped
Test plan
This is the pilot for the migration of the 5 publishing repos to the shared composite. After this lands green, the same swap applies to regex-set, aho-corasick, fuzzy-search, text-search; anonymize gets a slightly bigger diff that additionally adds the `npm pack` step to fit the tarball pattern.