fix: address CI workflow audit findings

- Use CARGO_ENCODED_RUSTFLAGS="" to override target-specific rustflags
  in .cargo/config.toml (RUSTFLAGS env var doesn't override [target.*])
- Fix sync script filename: .cjs not .js
- Fail hard when no library found instead of silent exit 0
- Only tolerate "already published" errors, fail on real publish errors
- Use --ignore-scripts for main package publish to skip redundant build
- Use cd "$GITHUB_WORKSPACE" instead of cd - for reliability

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Lex Christopherson 2026-03-13 14:40:49 -06:00
parent bd8380315c
commit 1a0d5cf740


@ -58,7 +58,10 @@ jobs:
- name: Build native addon
working-directory: native/crates/engine
env:
RUSTFLAGS: ""
# CARGO_ENCODED_RUSTFLAGS overrides target-specific rustflags in
# .cargo/config.toml, which sets -C target-cpu=native for dev builds.
# CI must produce portable binaries.
CARGO_ENCODED_RUSTFLAGS: ""
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: ${{ matrix.cross && 'aarch64-linux-gnu-gcc' || '' }}
run: cargo build --release --target ${{ matrix.target }}
@ -68,7 +71,7 @@ jobs:
mkdir -p artifacts
cp native/target/${{ matrix.target }}/release/libgsd_engine.dylib artifacts/gsd_engine.node 2>/dev/null || \
cp native/target/${{ matrix.target }}/release/libgsd_engine.so artifacts/gsd_engine.node 2>/dev/null || \
echo "No library found"
{ echo "::error::No library found for ${{ matrix.platform }}"; exit 1; }
ls -la artifacts/
- name: Prepare artifact (Windows)
@ -112,7 +115,7 @@ jobs:
done
- name: Sync platform package versions
run: node native/scripts/sync-platform-versions.js
run: node native/scripts/sync-platform-versions.cjs
- name: Publish platform packages
env:
@ -121,8 +124,15 @@ jobs:
for platform in darwin-arm64 darwin-x64 linux-x64-gnu linux-arm64-gnu win32-x64-msvc; do
echo "Publishing @gsd/engine-${platform}..."
cd "native/npm/${platform}"
npm publish --access public || echo "Failed to publish ${platform} (may already exist)"
cd -
OUTPUT=$(npm publish --access public 2>&1) && echo "$OUTPUT" || {
if echo "$OUTPUT" | grep -q "cannot publish over the previously published"; then
echo "Already published, skipping"
else
echo "::error::Failed to publish ${platform}: $OUTPUT"
exit 1
fi
}
cd "$GITHUB_WORKSPACE"
done
- name: Wait for npm registry propagation
@ -131,4 +141,6 @@ jobs:
- name: Publish main package
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish
run: |
# Skip prepublishOnly (build already done upstream) — just publish the tarball
npm publish --ignore-scripts
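Review bot: `npm publish --ignore-scripts` on the last line suppresses every lifecycle script, not only `prepublishOnly` — `prepack`, `prepare`, `postpack` and `postpublish` are skipped too, so the comment above it understates what the flag does. If any of those scripts produce files that belong in the tarball, the package published here will silently lack them, which is the kind of gap a `npm pack --dry-run` step immediately before this publish would surface in the job log. I would check the main package's `scripts` block for such hooks and widen the comment to `# --ignore-scripts skips prepublishOnly AND prepack/prepare/postpublish; the build ran upstream, so the tarball must already be complete`. The same consideration applies to the platform-package loop in the `@ -121,8` hunk if those packages carry their own lifecycle scripts; that loop currently runs them. The `run:` body is entirely within this hunk.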