fix(release): correct npm storage-record payload (sha256 + bare repo name)#39
Merged
Merged
Conversation
…e repo name) The Artifact Metadata API rejected the original payload with HTTP 422: - digest must be sha256 (algorithm:64-hex); we sent sha512 - github_repository must be the bare repo name, not owner/repo Compute sha256 of the published tarball, pass github_repository as the bare name, retry npm view for registry propagation, and print the response body on non-200 for diagnosability. Verified end-to-end against the live 0.8.4 packages (all 5 returned HTTP 200).
Coverage Report for Unit Tests
File CoverageNo changed files found. |
Coverage Report for Integration Tests
File CoverageNo changed files found. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
Register npm storage recordsstep added in #38 failed with HTTP 422 onevery package during the v0.8.4 release (best-effort, so the release still succeeded,
but no linked artifacts were created).
Verified the exact API errors with a throwaway probe workflow:
Two bugs:
sha256digests — we sentsha512.github_repositorymust be the bare repo name (zaps), notowner/repo.Fix
sha256of the published tarball (dist.tarball→sha256sum).github_repositoryas${{ github.event.repository.name }}(bare name).npm view dist.tarballto absorb registry propagation lag (the mainpackage was skipped in v0.8.4 because it queried too early).
Verification
Proven end-to-end against the already-published v0.8.4 packages via the probe:
all 5 POSTs returned HTTP 200, and a read-back GET confirms the records exist.
As a side effect v0.8.4 is now linked on https://github.com/orgs/boshold/artifacts.
Future releases will populate automatically.
No version bump needed — this is a workflow-only fix.