
fix(cli): version from package.json + npm-publish guard; bump 0.1.1 #418

Merged
pallakatos merged 2 commits into main from fix/cli-version-and-npm-publish-guard on Jun 23, 2026

Conversation

@pallakatos

Collaborator

Why

  • kars --version printed a hardcoded 0.1.0-alpha.1 (drifted from the actual package version).
  • The manually-published @kars-runtime/cli@0.1.0 lacks a README and provenance, and npm forbids overwriting it — so the CI OIDC publish silently no-op'd under continue-on-error.

Changes

  1. cli/src/cli.ts — read the version from package.json via createRequire so it never drifts (works in dist/ and src/).
  2. Bump @kars-runtime/cli → 0.1.1 so CI can publish a clean, README-included, provenance-signed version.
  3. release-public-interim.yml npm step — pre-check for an existing version (skip cleanly) and emit a loud ::warning:: annotation on a real publish failure, so a 'green but didn't publish' outcome is visible instead of silently swallowed.

Verify

  • npm run build && node dist/index.js --version prints 0.1.1
  • typecheck + lint clean (0 errors)
  • tarball includes package.json at the path the built CLI resolves.
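The guard described in change 3 above, as an added example: this is not the repository's release-public-interim.yml step, which is not shown on this page, but a stand-alone sh sketch of the same behaviour. It assumes npm is on PATH when used for real, that the package version is taken from package.json (the same source of truth the CLI now reads), and that the caller passes the publish command; the version_exists, pkg_version and guarded_publish names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not the project's workflow: a guarded npm-publish step that
# skips cleanly when the version is already on the registry and surfaces a
# real failure as a ::warning:: annotation instead of a silent no-op.

# pkg_version DIR -> prints the "version" field of DIR/package.json.
# Uses sed only, so it works without node on the runner.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# version_exists PKG VERSION -> 0 when that exact version is already on npm.
# `npm view` exits non-zero for an unknown package and prints nothing for an
# unknown version of a known package; both cases count as "absent".
version_exists() {
  out="$(npm view "$1@$2" version 2>/dev/null)" || return 1
  [ -n "$out" ]
}

# guarded_publish PKG VERSION PUBLISH_CMD [LOOKUP_FN]
# Sets PUBLISH_OUTCOME to skipped|published|failed and returns non-zero only on
# a genuine publish failure. The ::warning:: line is a GitHub Actions workflow
# command, so the run summary shows the problem even under continue-on-error.
# LOOKUP_FN defaults to version_exists; a stub can be passed for offline tests.
guarded_publish() {
  pkg="$1"; ver="$2"; publish_cmd="$3"; lookup="${4:-version_exists}"
  if "$lookup" "$pkg" "$ver"; then
    echo "::notice::$pkg@$ver is already on the registry; skipping publish"
    PUBLISH_OUTCOME=skipped
    return 0
  fi
  if sh -c "$publish_cmd"; then
    PUBLISH_OUTCOME=published
    return 0
  fi
  echo "::warning title=npm publish failed::$pkg@$ver was not published; check the npm step log"
  PUBLISH_OUTCOME=failed
  return 1
}

# Usage inside a workflow step (constructed command line, not the project's):
#   VER=$(pkg_version cli)
#   guarded_publish @kars-runtime/cli "$VER" "npm publish --provenance --access public"
```

The pre-check is what turns "version already exists" from a publish error into an explicit skip, and the annotation is what makes a real failure visible; without both, a continue-on-error step reports green whether or not the provenance-signed tarball actually reached the registry.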

…ublish failures

- kars --version was hardcoded to 0.1.0-alpha.1 and drifted from the
  published package version. Read it from package.json via createRequire
  so it can never drift again (works in both dist/ and src/).
- Bump @kars-runtime/cli to 0.1.1. The manually-published 0.1.0 lacked a
  README and provenance and npm forbids overwriting it; 0.1.1 lets CI
  publish a complete, provenance-signed version via OIDC.
- Harden the release workflow npm-publish step: pre-check for an existing
  version (skip cleanly) and emit a loud ::warning:: annotation on a
  genuine publish failure, so a 'green but did not publish' outcome is
  visible in the run summary instead of being silently swallowed by
  continue-on-error.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

… v* tags

Both legacy workflows triggered on the same clean v[0-9]+.[0-9]+.[0-9]+
tags as the new release-public-interim.yml (the single public release
pipeline), causing guaranteed failures on every public tag:

- image-sign-sbom.yml targets karsacr.azurecr.io and fails on
  azure/docker-login with 'Input required: username' because the
  ACR_USERNAME/ACR_PASSWORD secrets don't exist (MCR not onboarded yet).
- release.yml creates a bare GitHub Release for the tag, colliding with
  the richer signed release that release-public-interim.yml creates for
  the same tag.

Make both dispatch-only so they no longer auto-fire on v* tags. Public
release images are signed via keyless cosign on GHCR in the canonical
pipeline; image-sign-sbom.yml can be dispatched manually once ACR creds
are provisioned.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@pallakatos pallakatos merged commit a48f374 into main Jun 23, 2026
35 checks passed
@pallakatos pallakatos deleted the fix/cli-version-and-npm-publish-guard branch June 23, 2026 13:40