Skip to content

Publish action packs local package dirs instead of downloading from pkg.pr.new#56

Merged
fengmk2 merged 2 commits into
mainfrom
feat/action-local-pack
Jul 4, 2026
Merged

Publish action packs local package dirs instead of downloading from pkg.pr.new#56
fengmk2 merged 2 commits into
mainfrom
feat/action-local-pack

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jul 3, 2026

Copy link
Copy Markdown
Member

The action now packs the same directories pkg.pr.new publishes from, in the same CI job that built them, so the bridge publish no longer depends on the pkg.pr.new upload/download round-trip. First step of the plan: next update install.sh to install PR builds from the bridge, then remove the pkg.pr.new publish from vite-plus.

  • New required packages input (newline/comma-separated dirs, trailing /* globs). Each dir is packed with pnpm pack (resolves workspace:/catalog: specs; needs pnpm on PATH and a prior pnpm install), then goes through the existing rewrite/hash/upload//-/publish flow, with /-/register last as before.
  • Deps between packages of the same batch are pinned to the synthetic commit version via the new optional RewriteEnv.batchPackages, replacing the parsing-back of pkg.pr.new URLs that pkg-pr-new itself injected. The Worker fallback path is unchanged (still rewrites pkg.pr.new URLs, batchPackages unset).
  • A workspace dep missing from the batch (e.g. a platform dir a failed build never produced) fails the run before anything uploads.
  • warm.mjs now needs --repo <built vite-plus checkout> and one sha per run.
  • The action source and its tests are now typechecked (tsconfig.action.json, Node types); vitest gains an action project whose tests pack a real fixture workspace with pnpm.

Verified offline by running the bundled dist/index.mjs against a fake bridge: 3 packages packed (incl. a globbed platform dir), workspace dep pinned to 0.0.0-commit.<sha>, integrity computed over the served bytes, register-last ordering kept, and the incomplete-batch case aborts before any upload.

When bumping the action pin, vite-plus's workflow must add:

packages: |
  packages/cli
  packages/core
  packages/prompts
  packages/cli/npm/*
  packages/cli/cli-npm/*

Listing packages/cli/cli-npm/* also gets @voidzero-dev/vite-plus-cli-* served from the bridge with real integrity (today they 302 to pkg.pr.new with empty integrity), which the install.sh migration needs.

…kg.pr.new

The action now takes a required `packages` input (dir list, trailing /*
globs), packs each directory with `pnpm pack` (resolving workspace:/catalog:
specs; requires pnpm on PATH and a prior `pnpm install`), and pins deps
between batch members to the synthetic commit version via the new optional
RewriteEnv.batchPackages, replacing the round-trip that re-parsed the
pkg.pr.new URLs pkg-pr-new itself injected. A workspace dep missing from the
batch fails the run before anything uploads. The Worker's pkg.pr.new fallback
path is unchanged.

This makes the bridge publish independent of pkg.pr.new (works during its
outages and for commits never published there) and lets the workflow list
packages/cli/cli-npm/*, so the @voidzero-dev/vite-plus-cli-* binaries get
real bridge-served tarballs with integrity instead of a 302 to pkg.pr.new,
which the install.sh bridge migration needs.

Also: warm.mjs now requires --repo <built vite-plus checkout> (one sha per
run), the action source and its tests are typechecked against Node types via
tsconfig.action.json, and vitest is split into worker and action projects
(the action tests spawn pnpm pack on a fixture workspace).
@socket-security

socket-security Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​types/​node@​24.13.21001008196100

View full report

…efaults

- Move the batch off RewriteEnv (per-run caller state, not config): it is now
  an optional arg of rewritePackageJson/buildPreviewTarball, unified with the
  Worker's implicit batch (pinned = batch ?? PREVIEW_PACKAGES). The pkg.pr.new
  fields become optional so the action stops fabricating placeholder values;
  pkgPrNewUrlToVersion returns null without them (Worker still provides them).
- Extract assertValidBatch into localPack.ts, sharing DEPENDENCY_FIELDS with
  the rewrite so the up-front check cannot drift from what gets pinned; the
  error paths (plus empty batch) are now unit-tested.
- Pack one directory ahead while the current package uploads; the
  bridge-visible order (upload -> publish per package, register last) is
  unchanged.
- The packages default lives once in the action code; action.yml documents it
  and warm.mjs omits the input unless --packages overrides. warm.mjs uses
  node:util parseArgs instead of a hand-rolled flag loop.
@fengmk2

fengmk2 commented Jul 3, 2026

Copy link
Copy Markdown
Member Author

@codex review

@fengmk2

fengmk2 commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

@codex review

@fengmk2 fengmk2 merged commit 711e22a into main Jul 4, 2026
4 checks passed
@fengmk2 fengmk2 deleted the feat/action-local-pack branch July 4, 2026 11:19
fengmk2 added a commit to voidzero-dev/vite-plus that referenced this pull request Jul 4, 2026
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep them coming!

Reviewed commit: 72ef590d3d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

fengmk2 added a commit to voidzero-dev/vite-plus that referenced this pull request Jul 4, 2026
fengmk2 added a commit to voidzero-dev/vite-plus that referenced this pull request Jul 6, 2026
)

Moves the PR preview publish fully onto the registry bridge and drops
pkg.pr.new.

- Bumps the bridge action to its local-pack version
(voidzero-dev/pkg-pr-registry-bridge#56, merged as `711e22a2`, pinned
here): it packs the built package directories with `pnpm pack` and
uploads them, instead of downloading them back from pkg.pr.new.
- Removes the `pkg-pr-new publish` step. Nothing in the PR-build install
path uses pkg.pr.new anymore: install.sh, `vp migrate`, and the Docker
preview all resolve commit builds through the bridge. Direct
`https://pkg.pr.new/...` URL installs stop existing for new builds.
- The bridge step now fails the job on error instead of
continue-on-error: a silently missing ref would only surface later as a
broken install.
- The published set now also includes `packages/cli/cli-npm/*`, so
`@voidzero-dev/vite-plus-cli-*` gets real bridge-served tarballs with
integrity (previously they 302'd to pkg.pr.new with empty integrity).
- Renames the workflow file to `publish-preview.yml` (display name
"Publish preview build"; older runs stay under the previous workflow
entry) and the trigger label to `preview-build` (the repo label was
renamed in place, so labeled PRs keep it). The rust cache-key keeps its
name to keep warm caches.
- Updates docs/comments that described pkg.pr.new as the publish
destination (MAINTENANCE.md, upgrade guide, Dockerfile, install scripts,
migrate test harness).

Note: both labels exist during the transition: `pkg.pr.new` still
triggers main's current workflow on other PRs until this merges, and
`preview-build` triggers this PR's workflow. Delete the `pkg.pr.new`
label after the merge.

Verified per head along the way, most recently: publish run green with
no pkg.pr.new step, 19 packages packed locally and served from R2 with
byte-verified integrity, `VP_PR_VERSION=2038` resolving and installing
entirely through the bridge, and the Docker preview building from the
bridge build.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant