Skip to content

ci(release): define and smoke-test the exact canonical tarball contract #273

Description

@bearmug

Audit baseline: aa595438650cfbaa6db310792929c6219cc003b2 (origin/main at audit start).

Problem

Release checks run before version rewriting and vendoring, then publish the transformed directory without installing/loading that exact artifact. The packed artifact also exposes raw TypeScript subpaths that plain Node cannot import, includes test sources, and omits the MIT license text.

Pi's TypeScript loader works, so this is not a Pi-install blocker. Related packaging incidents #149 and #235/#236 show why the transformed artifact needs a durable gate.

Acceptance criteria

  • Define the supported package surface: Pi loader only, or compiled JS/declaration exports for generic Node consumers.
  • Add a deliberate pack allowlist and include LICENSE.
  • After transformation run npm pack --json, install the exact tarball in a clean consumer, and assert required exports, skills, and six vendored leaves.
  • Load through the supported Pi host before publish; if generic Node imports remain documented, test them too.
  • Repeat a minimal fresh-cache registry install/load check after publish.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingreleaseRelease-related changes and policy updates

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions