From fb25418cc523c11d05774babe2ad1f5347cc1203 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 10 May 2026 13:23:55 +0000 Subject: [PATCH 1/2] ci(publish): repair lockfile and verify --frozen-lockfile after refresh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 2.7.3 release commit dropped `@relayburn/sdk-linux-x64-gnu` from the `@relayburn/sdk` importer entry in `pnpm-lock.yaml`, leaving the lockfile inconsistent with `packages/sdk-node/package.json`. Every subsequent `pnpm install --frozen-lockfile` on `main` fails — including the napi-build matrix the publish workflow gates on, so the next publish run can't even produce its SDK artifacts. Restore the missing `@relayburn/sdk-linux-x64-gnu@2.7.3` entry by re-running `pnpm install --lockfile-only` against the published versions, and add a follow-up `pnpm install --frozen-lockfile` step after the publish workflow's lockfile refresh + amend. If pnpm drops an entry again, the verification fails before the tag push, so the broken lockfile never lands on `main`. https://claude.ai/code/session_01N1uPm9zmHpdGsKgNVJDmAd --- .github/workflows/publish.yml | 17 +++++++++++++++++ pnpm-lock.yaml | 12 ++++++++++++ 2 files changed, 29 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 242d8f9d..efee525e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -1165,6 +1165,23 @@ jobs:
 git add pnpm-lock.yaml
 git commit --amend --no-edit
+ # Sanity-check the refreshed lockfile before pushing. `pnpm install
+ # --lockfile-only` has a known regression where it can silently drop
+ # the host-platform optionalDependency entry for an umbrella that
+ # has a same-named workspace package (e.g. the linux-x64-gnu leg
+ # was dropped from `@relayburn/sdk`'s importer in the 2.7.3 release,
+ # breaking the next `pnpm install --frozen-lockfile` on main and
+ # blocking the napi-build job in the following publish run). Running
+ # `--frozen-lockfile` here surfaces that regression while we still
+ # control the refs — the amended release commit hasn't been pushed
+ # yet, so failing here aborts the tag push and keeps a broken
+ # lockfile off `main`. The npm packages are already published at
+ # this point, but that's recoverable; a broken lockfile on main
+ # blocks every downstream PR.
+ - name: Verify refreshed lockfile is consistent
+ if: ${{ github.event.inputs.dry_run != 'true' && (github.event.inputs.version != 'none' || github.event.inputs.custom_version != '') }}
+ run: pnpm install --frozen-lockfile
+
 # Annotated tags (-a) so `git push --follow-tags` actually pushes them;
 # lightweight tags are skipped by --follow-tags.
 #
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 988f4481..c89bd26f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -62,6 +62,9 @@ importers: '@relayburn/sdk-linux-arm64-gnu': specifier: 2.7.3 version: 2.7.3 + '@relayburn/sdk-linux-x64-gnu': + specifier: 2.7.3 + version: 2.7.3 packages/sdk-node/npm/darwin-arm64: {}
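Review bot: The verification step added at `run: pnpm install --frozen-lockfile` performs a full install, so dependency and workspace lifecycle scripts can run inside the publish job, between the registry publish and the tag push. Only the lockfile-versus-manifest comparison is needed here, and this job presumably still has the publish and push credentials in scope (not visible in the hunk), so the check should not execute install scripts: `run: pnpm install --frozen-lockfile --ignore-scripts`. Depending on the pnpm version and its build-script allowlist some of those scripts may already be blocked, but the flag makes the intent explicit. The same applies to the retry loop that replaces this line in the `@@ -1180,7 +1180,28 @@` hunk of patch 2/2.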
@@ -280,6 +283,12 @@ packages: cpu: [arm64] os: [linux] + '@relayburn/sdk-linux-x64-gnu@2.7.3': + resolution: {integrity: sha512-Yl68EskC7ce0BVStJRpSkuvSjPDQ2kheuuoIMivyChqSVPhPDP/gy8jBKrRMNI7wN528hg8uB93LKjig3ZSnqw==} + engines: {node: '>=22'} + cpu: [x64] + os: [linux] + '@types/node@22.19.18': resolution: {integrity: sha512-9v00a+dn2yWVsYDEunWC4g/TcRKVq3r8N5FuZp7u0SGrPvdN9c2yXI9bBuf5Fl0hNCb+QTIePTn5pJs2pwBOQQ==} @@ -399,6 +408,9 @@ snapshots: '@relayburn/sdk-linux-arm64-gnu@2.7.3': optional: true + '@relayburn/sdk-linux-x64-gnu@2.7.3': + optional: true + '@types/node@22.19.18': dependencies: undici-types: 6.21.0 From aae38af0208bbbe89ff5008254fd56a0a2f1ac5f Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 10 May 2026 13:26:59 +0000 Subject: [PATCH 2/2] ci(publish): retry frozen-lockfile verification on transient registry flakes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The verification step's `pnpm install --frozen-lockfile` does the deterministic lockfile-vs-package.json check first, but then actually hits the npm registry to install. A brief propagation hiccup right after we push 11 fresh packages can fail the install half of the command even though the lockfile is fine, and that would abort the publish workflow before the tag push. Wrap the call in a retry-with-fixed-backoff loop (6 × 10s) matching the sparse-index wait pattern used elsewhere in this job. Suggested by CodeRabbit on PR #413. https://claude.ai/code/session_01N1uPm9zmHpdGsKgNVJDmAd --- .github/workflows/publish.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index efee525e..65b648b3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -1180,7 +1180,28 @@ jobs:
 # blocks every downstream PR.
 - name: Verify refreshed lockfile is consistent
 if: ${{ github.event.inputs.dry_run != 'true' && (github.event.inputs.version != 'none' || github.event.inputs.custom_version != '') }}
- run: pnpm install --frozen-lockfile
+ # pnpm's `--frozen-lockfile` first does the deterministic local check
+ # we care about (lockfile vs package.json specifiers), then proceeds
+ # to actually install the deps. The install half hits the npm
+ # registry, which can flake transiently right after we just pushed
+ # 11 packages to it — retry a handful of times with backoff before
+ # treating the failure as a real lockfile regression. Mirrors the
+ # sparse-index wait loop earlier in this job.
+ run: |
+ set -euo pipefail
+ attempts=6
+ for i in $(seq 1 "$attempts"); do
+ if pnpm install --frozen-lockfile; then
+ echo "frozen-lockfile check passed (attempt $i/$attempts)"
+ exit 0
+ fi
+ if [ "$i" -eq "$attempts" ]; then
+ echo "::error title=Frozen lockfile verification failed::pnpm install --frozen-lockfile failed after $attempts attempts."
+ exit 1
+ fi
+ echo "frozen-lockfile attempt $i/$attempts failed, retrying in 10s..."
+ sleep 10
+ done
 # Annotated tags (-a) so `git push --follow-tags` actually pushes them;
 # lightweight tags are skipped by --follow-tags.
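Review bot: The retry loop treats every non-zero exit the same, so a genuine lockfile mismatch, which is deterministic, is retried six times and ends with the same annotation as a registry outage. Capture pnpm's output and stop at once when it reports `ERR_PNPM_OUTDATED_LOCKFILE` (the code pnpm normally prints for a stale lockfile under `--frozen-lockfile`; confirm against the pnpm version pinned here), keeping the retries for everything else. The `::error` text could also state that the packages are already published and the tag was not pushed, since that is the state the operator has to recover from. The added comment calls the delay a backoff, but `sleep 10` is a fixed interval.

```yaml
run: |
  # … unchanged: set -euo pipefail, attempts=6 …
  log="$(mktemp)"
  for i in $(seq 1 "$attempts"); do
    if pnpm install --frozen-lockfile 2>&1 | tee "$log"; then
      # … unchanged: success message, exit 0 …
    fi
    # A stale lockfile is deterministic, so retrying cannot fix it.
    if grep -q 'ERR_PNPM_OUTDATED_LOCKFILE' "$log"; then
      echo "::error title=Frozen lockfile verification failed::pnpm-lock.yaml is out of date with package.json; packages are already published and the tag was not pushed."
      exit 1
    fi
    # … unchanged: last-attempt error, retry message, sleep 10, done …
```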