fix(publish): Pack tarball with --ignore-scripts#416
Merged
Conversation
Removing .npmrc's ignore-scripts=true in #413 had an unintended consequence: `npm pack` now runs the project's own `prepare` script (husky), which dumps lifecycle output to stdout. With TARBALL=$(npm pack), that output gets captured alongside the tarball filename, producing a multi-line value that breaks $GITHUB_OUTPUT's key=value\n format and fails the build job. pnpm's `allowBuilds` whitelist only gates *dependency* install scripts; it doesn't suppress the project's own scripts during `npm pack`. Adding --ignore-scripts to the pack invocation restores clean stdout. Husky's `prepare` doesn't need to run during CI pack anyway — git hooks aren't relevant in the ephemeral runner. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📊 Package size report No changes
Unchanged files
🤖 This report was automatically generated by pkg-size-action
csandman added a commit that referenced this pull request May 16, 2026
Without .npmrc's ignore-scripts=true, `npm pack` runs the project's own `prepare` script (husky), which dumps lifecycle output to stdout. TARBALL=$(npm pack) captures that output alongside the tarball filename, producing a multi-line value that breaks $GITHUB_OUTPUT's key=value\n format and fails the build job. pnpm's `allowBuilds` whitelist only gates *dependency* install scripts; it doesn't suppress the project's own scripts during `npm pack`. Adding --ignore-scripts to the pack invocation restores clean stdout. Husky's `prepare` doesn't need to run during CI pack — git hooks aren't relevant in the ephemeral runner. Same fix as #416 on main; included here so the v5 publish flow doesn't regress when .npmrc is dropped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
csandman added a commit that referenced this pull request May 16, 2026
* chore: Port consistency tweaks from main
Bundle of small, mechanical changes already shipped on main that
apply cleanly to v5:
CI workflows:
- Bump Node 22 → 24 on lint, pkg-pr, package-size-report jobs
(publish was already on 24 for OIDC).
- Name previously-anonymous workflow steps for clearer logs.
- Drop quotes around `cache: pnpm` for consistency with other
workflow inputs.
- Rename zizmor-scan.yml → zizmor.yml.
publish.yml hardening:
- Quote shell variables ("$TAG_NAME", "$GITHUB_OUTPUT",
"$TARBALL") against IFS / glob expansion surprises.
- Move the `env:` block above `run:` to match the convention
on other steps.
Dep-script protection:
- Drop .npmrc (`ignore-scripts=true`). pnpm's `allowBuilds`
whitelist in pnpm-workspace.yaml already gates dependency
install scripts with finer granularity; the publish workflow
passes --ignore-scripts to `pnpm install` explicitly for the
high-stakes path. Removing the blanket flag lets husky's
`prepare` script run automatically on fresh installs.
- Update CONTRIBUTING.md to reflect the model change.
- Drop the now-obsolete `.npmrc` → `ini` files.associations
entry from .vscode/settings.json; add `typescript.tsdk` so
VS Code picks up the workspace TS version.
Lint-staged:
- Move config from package.json to .lintstagedrc.mjs.
- Add an `*.mjs` override to .oxlintrc.json so the new config
file doesn't trip nodejs-modules / unsafe-* rules.
Docs:
- Add SECURITY.md describing the support window and the
GitHub Security Advisories reporting path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(publish): Pack tarball with --ignore-scripts
Without .npmrc's ignore-scripts=true, `npm pack` runs the
project's own `prepare` script (husky), which dumps lifecycle
output to stdout. TARBALL=$(npm pack) captures that output
alongside the tarball filename, producing a multi-line value
that breaks $GITHUB_OUTPUT's key=value\n format and fails the
build job.
pnpm's `allowBuilds` whitelist only gates *dependency* install
scripts; it doesn't suppress the project's own scripts during
`npm pack`. Adding --ignore-scripts to the pack invocation
restores clean stdout. Husky's `prepare` doesn't need to run
during CI pack — git hooks aren't relevant in the ephemeral
runner.
Same fix as #416 on main; included here so the v5 publish flow
doesn't regress when .npmrc is dropped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(actions): Bump upload-artifact v4 → v7 for Node 24
v4.6.2 runs on Node 20, which GitHub deprecated in their
September 2025 changelog. Workflow runs now emit a warning;
Node 20 actions will be force-upgraded to Node 24 by default
on 2026-06-02 and removed entirely on 2026-09-16.
v7.0.1 runs on Node 24 and is otherwise drop-in for our usage
(simple name + path inputs, no merging or advanced features).
Same change as on main; included here so v5 doesn't carry the
deprecation warning forward.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Fixes the publish workflow's `build` job failing with:
Root cause
Removing .npmrc's `ignore-scripts=true` in #413 had an unintended consequence. When .npmrc had `ignore-scripts=true`, all lifecycle scripts were globally suppressed, including the project's own `prepare: "husky"`. With .npmrc gone, `npm pack` now runs `prepare`, which dumps husky's output to stdout:
`TARBALL=$(npm pack)` captures all of that, and the resulting multi-line value breaks `$GITHUB_OUTPUT`'s `key=value\n` format.
The reasoning for dropping .npmrc in #413 still stands — pnpm's `allowBuilds` handles the actual supply-chain threat (dependency install scripts) with finer granularity. But `allowBuilds` doesn't touch the project's own lifecycle scripts during `npm pack`, which is what's biting us here.
Fix
Add `--ignore-scripts` to the `npm pack` invocation. Targeted (only the pack step), matches the convention used by `pnpm install --ignore-scripts` elsewhere in the workflow, and we genuinely don't need husky's `prepare` to run during CI pack — git hooks aren't relevant in the ephemeral runner.
Verification
Locally with .npmrc absent (same state as CI):
Just the filename — `$GITHUB_OUTPUT` will accept it cleanly.
Test plan
`Publish to npm` workflow run (or wait for the next release). The `build` job should pack the tarball, upload the artifact, and hand off to `publish` without erroring.
🤖 Generated with Claude Code
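The following is an added example, not code from this PR or from the repository's workflow. It reproduces the capture problem the description explains, using a constructed shell function named `npm` as a stand-in for the real CLI (an assumption so the script runs offline; the lifecycle lines it prints are sample output, not captured from husky), and it adds the guard a publish step should have regardless of the `--ignore-scripts` fix: validate that what `npm pack` returned is a single clean tarball name before it is written to `$GITHUB_OUTPUT`, and use the runner's `key<<DELIM` heredoc form whenever a value genuinely spans multiple lines. The package name `example-pkg` and version `1.2.3` are made up.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the repository. It reproduces the
# capture problem with a constructed stand-in for `npm` so it runs offline,
# then shows the guard a publish step can apply before anything is written
# to $GITHUB_OUTPUT.
set -eu

# Constructed stand-in for `npm pack` (assumption: the real CLI is never
# called). Without --ignore-scripts it prints lifecycle chatter of the kind
# npm emits for a `prepare` script before the tarball name; with the flag,
# only the name.
npm() {
  ignore=0
  for arg in "$@"; do
    [ "$arg" = "--ignore-scripts" ] && ignore=1
  done
  if [ "$ignore" -eq 0 ]; then
    echo "> example-pkg@1.2.3 prepare"
    echo "> husky"
  fi
  echo "example-pkg-1.2.3.tgz"
}

# What the workflow's TARBALL=$(npm pack) captures, before and after the fix.
capture_unguarded() { npm pack; }
capture_guarded()   { npm pack --ignore-scripts; }

# A value is only safe as a tarball name if it is a single line, contains no
# path separator, and ends in .tgz. Returns 1 otherwise.
is_clean_tarball_name() {
  nl=$(printf '\n_'); nl=${nl%_}      # portable literal newline
  case $1 in
    *"$nl"*) return 1 ;;
    */*)     return 1 ;;
    *.tgz)   return 0 ;;
    *)       return 1 ;;
  esac
}

# Append key/value to a $GITHUB_OUTPUT-style file. Single-line values use the
# key=value form; multi-line values use the key<<DELIM ... DELIM form the
# runner accepts, with a random delimiter that must not occur in the value.
write_github_output() {
  key=$1; value=$2; outfile=$3
  nl=$(printf '\n_'); nl=${nl%_}
  case $value in
    *"$nl"*)
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      case $value in *"$delim"*) echo "delimiter collision" >&2; return 1 ;; esac
      printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$outfile"
      ;;
    *)
      printf '%s=%s\n' "$key" "$value" >> "$outfile"
      ;;
  esac
}

# The guarded pack step: pack with scripts suppressed, refuse to write anything
# that is not a clean single-line tarball name, and show the offending output
# on stderr so the job log says what went wrong instead of "Invalid format".
emit_tarball_output() {
  outfile=$1
  tarball=$(npm pack --ignore-scripts)
  if ! is_clean_tarball_name "$tarball"; then
    printf 'npm pack produced unexpected stdout:\n%s\n' "$tarball" >&2
    return 1
  fi
  write_github_output tarball "$tarball" "$outfile"
}

# Stand-alone demo: `bash this.sh demo` writes one output line and prints it.
if [ "${1:-}" = "demo" ]; then
  out=$(mktemp)
  emit_tarball_output "$out"
  cat "$out"
  rm -f "$out"
fi
```

In a real workflow step `write_github_output tarball "$TARBALL" "$GITHUB_OUTPUT"` replaces the bare `echo "tarball=$TARBALL" >> "$GITHUB_OUTPUT"`; the `is_clean_tarball_name` check is what turns a silent format error in the runner into an immediate, readable failure at the step that produced the bad value.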