From 5431010cad6e2030483fe77b3d0aaad3afd396f6 Mon Sep 17 00:00:00 2001 From: Will Washburn Date: Sun, 10 May 2026 15:39:23 -0400 Subject: [PATCH] ci(publish): drop platform packages from workspace + force lockfile refresh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The publish workflow's `pnpm install --lockfile-only` step has been leaving the `packages/sdk-node` importer block pinned to the previous release after a version bump. The verify step from #413 catches this and aborts the run with `ERR_PNPM_OUTDATED_LOCKFILE`, but the refresh itself was unreliable. Two changes here: 1. Drop `packages/{sdk-node,relayburn}/npm/*` from `pnpm-workspace.yaml`. The platform packages have no scripts, no JS deps, and are only touched at publish time via direct path operations (npm version, npm pack, artifact staging). They were workspace members only by reflex, and their presence created same-named local packages for each `@relayburn/{sdk,cli}-` optionalDependency on the umbrella — which is the case where pnpm's importer-rewrite heuristic in `--lockfile-only` skips work it should be doing. 2. Pass `--force` to the publish refresh so pnpm always re-resolves every importer, regardless of what its heuristic thinks. The verify step stays in place as belt-and-braces. Lockfile only loses the four empty importer stubs for each removed glob; everything else is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish.yml | 25 ++++++++++++++++--------- pnpm-lock.yaml | 16 ---------------- pnpm-workspace.yaml | 2 -- 3 files changed, 16 insertions(+), 27 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 65b648b3..1ca6602d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -1137,11 +1137,19 @@ jobs: # to amend (the version commit step is skipped) and there are no # newly-published versions on the registry, so we skip the refresh # entirely. + # + # `--force` makes pnpm re-resolve every importer instead of trusting + # its "this importer block already looks fine" heuristic. Without it, + # `--lockfile-only` has been observed to leave the `packages/sdk-node` + # importer's optionalDependency block pinned to the previous release + # (e.g. 2.7.4) even after the version bump rewrote sdk-node's + # package.json to 2.7.5 — the verify step below catches that and + # aborts the publish, but we want the refresh to actually do its job. - name: Refresh pnpm-lock.yaml against published versions if: ${{ github.event.inputs.dry_run != 'true' && (github.event.inputs.version != 'none' || github.event.inputs.custom_version != '') }} run: | set -euo pipefail - pnpm install --lockfile-only + pnpm install --lockfile-only --force if git diff --quiet -- pnpm-lock.yaml; then echo "pnpm-lock.yaml unchanged after refresh — nothing to amend." 
@@ -1166,14 +1174,13 @@ jobs: git commit --amend --no-edit # Sanity-check the refreshed lockfile before pushing. `pnpm install - # --lockfile-only` has a known regression where it can silently drop - # the host-platform optionalDependency entry for an umbrella that - # has a same-named workspace package (e.g. the linux-x64-gnu leg - # was dropped from `@relayburn/sdk`'s importer in the 2.7.3 release, - # breaking the next `pnpm install --frozen-lockfile` on main and - # blocking the napi-build job in the following publish run). Running - # `--frozen-lockfile` here surfaces that regression while we still - # control the refs — the amended release commit hasn't been pushed + # --lockfile-only` has historically had quirks where the importer + # block doesn't get rewritten after a version bump (the + # `packages/sdk-node` block staying at the previous release was the + # symptom that motivated this verify step in PR #413). The `--force` + # in the refresh step above should prevent that, but we still run + # `--frozen-lockfile` here as a belt-and-braces check while we + # control the refs: the amended release commit hasn't been pushed # yet, so failing here aborts the tag push and keeps a broken # lockfile off `main`. The npm packages are already published at # this point, but that's recoverable; a broken lockfile on main diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 13f8200c..aca0884a 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -36,14 +36,6 @@ importers: specifier: 2.7.5 version: 2.7.5 - packages/relayburn/npm/darwin-arm64: {} - - packages/relayburn/npm/darwin-x64: {} - - packages/relayburn/npm/linux-arm64-gnu: {} - - packages/relayburn/npm/linux-x64-gnu: {} - packages/sdk-node: devDependencies: '@napi-rs/cli': 
@@ -66,14 +58,6 @@ importers: specifier: 2.7.5 version: 2.7.5 - packages/sdk-node/npm/darwin-arm64: {} - - packages/sdk-node/npm/darwin-x64: {} - - packages/sdk-node/npm/linux-arm64-gnu: {} - - packages/sdk-node/npm/linux-x64-gnu: {} - packages: '@esbuild/aix-ppc64@0.25.12': diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index ebdcf0eb..9629a27f 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -1,6 +1,4 @@ packages: - packages/sdk-node - - packages/sdk-node/npm/* - packages/mcp - packages/relayburn - - packages/relayburn/npm/*
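Review bot: In the first publish.yml hunk, `pnpm install --lockfile-only --force` now re-resolves every importer, but the step still decides what to amend with only `git diff --quiet -- pnpm-lock.yaml`, so whatever the full re-resolution changes is folded into the release commit by `git commit --amend --no-edit` without anyone seeing it. Consider printing `git diff --stat -- pnpm-lock.yaml` (or the diff itself) to the job log before the amend, and failing if the change reaches beyond the importer blocks the version bump is expected to touch. The new comment would also be easier to maintain if it linked the upstream pnpm issue for the heuristic it describes rather than relying on "has been observed".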
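Review bot: In the second publish.yml hunk, the rewritten comment above the `--frozen-lockfile` check deletes the only record of the 2.7.3 failure, where the `linux-x64-gnu` optionalDependency entry was dropped from the `@relayburn/sdk` importer, and replaces it with the stale-pin symptom, which is a different failure mode. Please keep both symptoms listed so a later reader knows everything this gate is guarding against. The wording "should prevent that" is also not demonstrated anywhere in this patch, so describe the verify step as the gate that blocks the tag push rather than as an optional second check someone might later remove.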
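Review bot: In the pnpm-workspace.yaml hunk, `packages/sdk-node/npm/*` and `packages/relayburn/npm/*` are removed without leaving a comment in the file, and the commit message itself says they were added "only by reflex", so they are likely to be re-added the same way. Add a short comment under `packages:` stating that the platform package directories are deliberately excluded and why. Since the publish steps that operate on those directories are not part of this diff, please also confirm that none of them reach the platform packages through workspace-wide or filtered pnpm commands, which would now skip them silently.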