From 1a0d5cf7409fdc127cedf00f85fd7ae86ebc89c6 Mon Sep 17 00:00:00 2001
From: Lex Christopherson
Date: Fri, 13 Mar 2026 14:40:49 -0600
Subject: [PATCH] fix: address CI workflow audit findings

- Use CARGO_ENCODED_RUSTFLAGS="" to override target-specific rustflags in .cargo/config.toml (RUSTFLAGS env var doesn't override [target.*])
- Fix sync script filename: .cjs not .js
- Fail hard when no library found instead of silent exit 0
- Only tolerate "already published" errors, fail on real publish errors
- Use --ignore-scripts for main package publish to skip redundant build
- Use cd "$GITHUB_WORKSPACE" instead of cd - for reliability

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build-native.yml | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-native.yml b/.github/workflows/build-native.yml
index 5da69b0c0..984f2374d 100644
--- a/.github/workflows/build-native.yml
+++ b/.github/workflows/build-native.yml
@@ -58,7 +58,10 @@ jobs:
 - name: Build native addon
 working-directory: native/crates/engine
 env:
- RUSTFLAGS: ""
+ # CARGO_ENCODED_RUSTFLAGS overrides target-specific rustflags in
+ # .cargo/config.toml, which sets -C target-cpu=native for dev builds.
+ # CI must produce portable binaries.
+ CARGO_ENCODED_RUSTFLAGS: ""
 CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: ${{ matrix.cross && 'aarch64-linux-gnu-gcc' || '' }}
 run: cargo build --release --target ${{ matrix.target }}
@@ -68,7 +71,7 @@ jobs:
 mkdir -p artifacts
 cp native/target/${{ matrix.target }}/release/libgsd_engine.dylib artifacts/gsd_engine.node 2>/dev/null || \
 cp native/target/${{ matrix.target }}/release/libgsd_engine.so artifacts/gsd_engine.node 2>/dev/null || \
- echo "No library found"
+ { echo "::error::No library found for ${{ matrix.platform }}"; exit 1; }
 ls -la artifacts/
 
 - name: Prepare artifact (Windows)
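Review bot: The rationale written into the new `CARGO_ENCODED_RUSTFLAGS` comment (and echoed in the commit message) — that the `RUSTFLAGS` env var does not override `[target.*]` rustflags — does not match the precedence the Cargo reference documents, where `CARGO_ENCODED_RUSTFLAGS` and then `RUSTFLAGS` are both consulted before any `target.<triple>.rustflags` or `build.rustflags` entry; if `RUSTFLAGS: ""` really was ignored, the more plausible cause is how an empty value is handled, not precedence. The switch itself looks sound, since the encoded variable is the first source checked and an empty value is, as far as I can tell, honoured as "no flags", but a comment that records the wrong mechanism invites someone to "simplify" it back to `RUSTFLAGS`. Suggest `# CARGO_ENCODED_RUSTFLAGS is the first rustflags source Cargo consults, ahead of RUSTFLAGS and every rustflags entry in .cargo/config.toml;` / `# an empty value drops the -C target-cpu=native set there so CI artifacts stay portable.` Also worth confirming that config.toml carries nothing but target-cpu for these targets, because this clears every configured flag (any hardening link-args included), not just that one.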
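Review bot: Both `cp` attempts in the fallback chain still discard stderr, so when the new `::error::` branch fires the log shows only "No library found" and not why — a permission or path problem looks identical to a build that produced nothing. Since this now fails the job, the error branch should show what is actually in the release directory, e.g. `{ echo "::error::No library found for ${{ matrix.platform }}"; ls -la "native/target/${{ matrix.target }}/release/" || true; exit 1; }`. Minor: because the `.dylib` copy is tried first, a stale macOS artifact in a shared target dir would win over a freshly built `.so`; probably moot on a per-runner build, but worth selecting the extension by `${{ matrix.platform }}` if the target dir is ever cached.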
@@ -112,7 +115,7 @@ jobs:
 done
 
 - name: Sync platform package versions
- run: node native/scripts/sync-platform-versions.js
+ run: node native/scripts/sync-platform-versions.cjs
 
 - name: Publish platform packages
 env:
@@ -121,8 +124,15 @@ jobs:
 for platform in darwin-arm64 darwin-x64 linux-x64-gnu linux-arm64-gnu win32-x64-msvc; do
 echo "Publishing @gsd/engine-${platform}..."
 cd "native/npm/${platform}"
- npm publish --access public || echo "Failed to publish ${platform} (may already exist)"
- cd -
+ OUTPUT=$(npm publish --access public 2>&1) && echo "$OUTPUT" || {
+ if echo "$OUTPUT" | grep -q "cannot publish over the previously published"; then
+ echo "Already published, skipping"
+ else
+ echo "::error::Failed to publish ${platform}: $OUTPUT"
+ exit 1
+ fi
+ }
+ cd "$GITHUB_WORKSPACE"
 done
 
 - name: Wait for npm registry propagation
@@ -131,4 +141,6 @@ jobs:
 - name: Publish main package
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: npm publish
+ run: |
+ # Skip prepublishOnly (build already done upstream) — just publish the tarball
+ npm publish --ignore-scripts
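Review bot: The "already published" branch treats a version that is already on the registry as success without checking that it is the same artifact this run just built, so a tarball pushed by an earlier partial run — or by anyone else holding the `NPM_TOKEN` secret — is silently adopted by the main package published in the next step. A pre-flight check closes that gap and also removes the brittle substring match on npm's error text: read `dist.integrity` for `@gsd/engine-${platform}@<version>` from the registry, compare it with the integrity reported by a local `npm pack --dry-run --json`, and skip only when they agree (this assumes the same npm version packs identical contents to a byte-identical tarball, which has held in my experience but is worth confirming once against a known-published version). The rewritten loop below keeps the `cd "$GITHUB_WORKSPACE"` fix; the step's `env:` block, where the token is injected, lies outside this hunk.

```yaml
      run: |
        for platform in darwin-arm64 darwin-x64 linux-x64-gnu linux-arm64-gnu win32-x64-msvc; do
          cd "native/npm/${platform}"
          PKG="@gsd/engine-${platform}"
          VERSION=$(node -p "require('./package.json').version")
          LOCAL_INTEGRITY=$(npm pack --dry-run --json 2>/dev/null | node -p "JSON.parse(require('fs').readFileSync(0, 'utf8'))[0].integrity")
          # Empty when this version is not on the registry yet (npm view may exit 0 in that case).
          PUBLISHED_INTEGRITY=$(npm view "${PKG}@${VERSION}" dist.integrity 2>/dev/null || true)
          if [ -z "$PUBLISHED_INTEGRITY" ]; then
            echo "Publishing ${PKG}@${VERSION}..."
            npm publish --access public
          elif [ "$PUBLISHED_INTEGRITY" = "$LOCAL_INTEGRITY" ]; then
            echo "${PKG}@${VERSION} already published with identical contents, skipping"
          else
            echo "::error::${PKG}@${VERSION} is already on the registry with different contents"
            exit 1
          fi
          cd "$GITHUB_WORKSPACE"
        done
```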
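Review bot: `--ignore-scripts` on the main publish suppresses every lifecycle script, not only `prepublishOnly` as the new comment says — `prepare`, `prepack` and `postpack` are skipped as well — so if any of those shape the tarball (generating `dist/`, pruning files) the published package will differ from what a local `npm publish` produces. Suggest the comment state what is actually skipped, `# --ignore-scripts skips ALL lifecycle scripts (prepublishOnly, prepare, prepack, postpack); the build ran upstream, so nothing here may depend on them`, and run `npm pack --dry-run` immediately before the publish so the file list is in the job log for the record. Separately, since both publishes run from GitHub Actions with a stored `NPM_TOKEN` secret, `npm publish --ignore-scripts --provenance` (with `id-token: write` in the job's `permissions`, which is outside this hunk, and a public package on a recent npm) would attach a signed build attestation that consumers can verify against this workflow.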