ce7b49e4f1
## Thinking Path > - Paperclip is the open source app people use to manage AI agents for work > - The release workflow publishes canary npm packages on every push to `master` > - The failing canary job built successfully and published several packages before npm failed on `@paperclipai/mcp-server` > - The concrete failure was npm trusted-publishing provenance returning `TLOG_CREATE_ENTRY_ERROR` because an equivalent Sigstore transparency-log entry already existed > - The package version was not visible on npm afterward, so the release script could not safely treat that error as success by itself > - This pull request adds a narrow recovery path for that npm provenance failure and keeps the existing registry verification as the final source of truth > - The benefit is that transient duplicate transparency-log failures do not break canary publication when a package can be republished without provenance or is already visible on npm ## Linked Issues or Issue Description Bug fix, no public GitHub issue found in duplicate search. - What happened: the Release workflow canary publish failed in `publish_canary` after npm returned `TLOG_CREATE_ENTRY_ERROR` while publishing `@paperclipai/mcp-server@2026.609.0-canary.2`. - Expected behavior: canary publishing should either recover from npm's duplicate transparency-log failure when the package can still be published, or fail later in registry verification if the package never appears. - Steps to reproduce: inspect https://github.com/paperclipai/paperclip/actions/runs/27230012891/job/80411422155 from push `05cb18cf28074a6d1074c7575c5a44133146e368`. - Deployment mode: GitHub Actions Release workflow, npm trusted publishing. - Duplicate search: no open PRs or issues found for `canary publish TLOG provenance release` or the failing run/job IDs. ## What Changed - Added `publish_package_to_npm` in `scripts/release-lib.sh` to wrap canary/stable package publishing. - Detects npm's duplicate Sigstore transparency-log error and checks whether the package version is already visible on npm. - Retries that exact package once with `--provenance=false` when npm hit the duplicate tlog error but the version is not visible yet. - Keeps unrelated publish failures as hard failures. - Added shell-helper tests with fake `pnpm` and `npm` commands, and included them in `pnpm test:release-registry`. ## Verification - `node --test scripts/release-lib.test.mjs` - `pnpm test:release-registry` - Confirmed `pnpm publish --dry-run --no-git-checks --tag canary --access public --provenance=false` is accepted by pnpm 9.15.4. ## Risks - Low risk: the recovery only triggers when npm output contains both `TLOG_CREATE_ENTRY_ERROR` and the duplicate transparency-log message. - Publishing without provenance is a fallback for canary continuity; if npm still does not expose the package, the existing registry verification step still fails the release. - The same helper is used by stable publishing too, but only for this exact npm provenance failure path. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. This is a release reliability bug fix. I checked `ROADMAP.md`; it does not duplicate planned core product work. ## Model Used OpenAI Codex coding agent, GPT-5-class model, tool-enabled local shell and GitHub CLI workflow, medium reasoning mode. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have searched GitHub for duplicate or related PRs and linked them above - [x] I have either (a) linked existing issues with `Fixes: #` / `Closes #` / `Refs #` OR (b) described the issue in-PR following the relevant issue template - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [ ] All Paperclip CI gates are green - [x] Greptile is 5/5 with no open P2s, recommendations, or follow-ups - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
164 lines
5.0 KiB
JavaScript
164 lines
5.0 KiB
JavaScript
import assert from "node:assert/strict";
|
|
import { execFileSync } from "node:child_process";
|
|
import { mkdirSync, mkdtempSync, readFileSync, writeFileSync } from "node:fs";
|
|
import { tmpdir } from "node:os";
|
|
import { join } from "node:path";
|
|
import test from "node:test";
|
|
|
|
const repoRoot = new URL("..", import.meta.url).pathname.replace(/\/$/, "");
|
|
|
|
function writeExecutable(path, body) {
|
|
writeFileSync(path, body, { mode: 0o755 });
|
|
}
|
|
|
|
function runPublishHelper({ pnpmMode, npmVersionExists = false, distTag = "canary", callerPipefail = true }) {
|
|
const fixtureDir = mkdtempSync(join(tmpdir(), "paperclip-release-lib-"));
|
|
const binDir = join(fixtureDir, "bin");
|
|
const stateDir = join(fixtureDir, "state");
|
|
const callLog = join(fixtureDir, "calls.log");
|
|
mkdirSync(binDir);
|
|
mkdirSync(stateDir);
|
|
|
|
writeExecutable(
|
|
join(binDir, "pnpm"),
|
|
`#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
printf 'pnpm %s\\n' "$*" >> "$FAKE_CALL_LOG"
|
|
case "$PNPM_MODE" in
|
|
success)
|
|
echo "published"
|
|
exit 0
|
|
;;
|
|
tlog-then-success)
|
|
if [ ! -f "$FAKE_STATE_DIR/pnpm-called" ]; then
|
|
touch "$FAKE_STATE_DIR/pnpm-called"
|
|
echo "npm error code TLOG_CREATE_ENTRY_ERROR"
|
|
echo "npm error error creating tlog entry - (409) an equivalent entry already exists in the transparency log with UUID abc"
|
|
exit 1
|
|
fi
|
|
case " $* " in
|
|
*" --provenance=false "*)
|
|
echo "published without provenance"
|
|
exit 0
|
|
;;
|
|
*)
|
|
echo "retry did not disable provenance"
|
|
exit 1
|
|
;;
|
|
esac
|
|
;;
|
|
tlog-always-fails)
|
|
echo "npm error code TLOG_CREATE_ENTRY_ERROR"
|
|
echo "npm error error creating tlog entry - (409) an equivalent entry already exists in the transparency log with UUID abc"
|
|
exit 1
|
|
;;
|
|
non-tlog-failure)
|
|
echo "npm error code E500"
|
|
exit 1
|
|
;;
|
|
esac
|
|
exit 1
|
|
`,
|
|
);
|
|
|
|
writeExecutable(
|
|
join(binDir, "npm"),
|
|
`#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
printf 'npm %s\\n' "$*" >> "$FAKE_CALL_LOG"
|
|
if [ "$1" = "view" ] && [ "$NPM_VERSION_EXISTS" = "true" ]; then
|
|
echo "1.2.3"
|
|
exit 0
|
|
fi
|
|
exit 1
|
|
`,
|
|
);
|
|
|
|
const shellOptions = callerPipefail ? "set -euo pipefail" : "set -eu";
|
|
const script = `
|
|
${shellOptions}
|
|
source "${repoRoot}/scripts/release-lib.sh"
|
|
publish_package_to_npm ${distTag} @paperclipai/example 1.2.3
|
|
`;
|
|
|
|
let status = 0;
|
|
let output = "";
|
|
try {
|
|
output = execFileSync("bash", ["-lc", script], {
|
|
cwd: fixtureDir,
|
|
encoding: "utf8",
|
|
env: {
|
|
...process.env,
|
|
PATH: `${binDir}:${process.env.PATH}`,
|
|
FAKE_CALL_LOG: callLog,
|
|
FAKE_STATE_DIR: stateDir,
|
|
NPM_VERSION_EXISTS: npmVersionExists ? "true" : "false",
|
|
PNPM_MODE: pnpmMode,
|
|
REPO_ROOT: fixtureDir,
|
|
},
|
|
stdio: ["ignore", "pipe", "pipe"],
|
|
});
|
|
} catch (error) {
|
|
status = error.status ?? 1;
|
|
output = `${error.stdout ?? ""}${error.stderr ?? ""}`;
|
|
}
|
|
|
|
return {
|
|
calls: readFileSync(callLog, "utf8"),
|
|
output,
|
|
status,
|
|
};
|
|
}
|
|
|
|
test("publish_package_to_npm returns after a successful pnpm publish", () => {
|
|
const result = runPublishHelper({ pnpmMode: "success" });
|
|
|
|
assert.equal(result.status, 0);
|
|
assert.match(result.calls, /^pnpm publish --no-git-checks --tag canary --access public$/m);
|
|
assert.doesNotMatch(result.calls, /npm view/);
|
|
assert.doesNotMatch(result.calls, /--provenance=false/);
|
|
});
|
|
|
|
test("publish_package_to_npm retries duplicate tlog failures without provenance", () => {
|
|
const result = runPublishHelper({ pnpmMode: "tlog-then-success" });
|
|
|
|
assert.equal(result.status, 0);
|
|
assert.match(result.calls, /^npm view @paperclipai\/example@1\.2\.3 version$/m);
|
|
assert.match(
|
|
result.calls,
|
|
/^pnpm publish --no-git-checks --tag canary --access public --provenance=false$/m,
|
|
);
|
|
});
|
|
|
|
test("publish_package_to_npm treats a duplicate tlog failure as complete when npm exposes the version", () => {
|
|
const result = runPublishHelper({ pnpmMode: "tlog-always-fails", npmVersionExists: true });
|
|
|
|
assert.equal(result.status, 0);
|
|
assert.match(result.calls, /^npm view @paperclipai\/example@1\.2\.3 version$/m);
|
|
assert.doesNotMatch(result.calls, /--provenance=false/);
|
|
});
|
|
|
|
test("publish_package_to_npm does not retry unrelated publish failures", () => {
|
|
const result = runPublishHelper({ pnpmMode: "non-tlog-failure" });
|
|
|
|
assert.notEqual(result.status, 0);
|
|
assert.doesNotMatch(result.calls, /npm view/);
|
|
assert.doesNotMatch(result.calls, /--provenance=false/);
|
|
});
|
|
|
|
test("publish_package_to_npm does not mask failures when caller has no pipefail", () => {
|
|
const result = runPublishHelper({ pnpmMode: "non-tlog-failure", callerPipefail: false });
|
|
|
|
assert.notEqual(result.status, 0);
|
|
assert.doesNotMatch(result.calls, /npm view/);
|
|
assert.doesNotMatch(result.calls, /--provenance=false/);
|
|
});
|
|
|
|
test("publish_package_to_npm does not retry stable publishes without provenance", () => {
|
|
const result = runPublishHelper({ pnpmMode: "tlog-then-success", distTag: "latest" });
|
|
|
|
assert.notEqual(result.status, 0);
|
|
assert.match(result.calls, /^npm view @paperclipai\/example@1\.2\.3 version$/m);
|
|
assert.doesNotMatch(result.calls, /--provenance=false/);
|
|
});
|