feat(ci): add tag-triggered tarball release for ghost-drift#45
Merged
nahiyankhan merged 4 commits into main from (branch not shown), Apr 21, 2026
Conversation
While npm publishing is blocked on org-side package-name bootstrap, ship ghost-drift as a .tgz attached to a GitHub Release. Consumers install via `npm install <release-url>`, which works for any tarball URL and doesn't require an npm account or custom registry config.

- .github/workflows/release-tarball.yml — runs on pushing a tag matching 'ghost-drift@*' (or workflow_dispatch), builds + pnpm packs the package, creates a GitHub Release with the .tgz attached and auto-generated notes.
- packages/ghost-drift/README.md — Install section rewritten to point at the GitHub Release URL pattern, with a note that it'll move to npm once registration is sorted.

To cut a release:

    git tag ghost-drift@0.1.1
    git push origin ghost-drift@0.1.1

Triggers the workflow, which lands a release at https://github.com/block/ghost/releases/tag/ghost-drift%400.1.1 with packages/ghost-drift/ghost-drift-0.1.1.tgz attached.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Addresses zizmor cache-poisoning alert (#5). The actions/cache store backing 'cache: pnpm' is shared across the repo — any workflow run on any branch can write to it — so in a publishing workflow a poisoned cache entry could be baked into the shipped tarball without anyone noticing. For a tag-triggered release workflow that runs maybe once a week, the ~30s install-from-scratch cost isn't worth the supply-chain risk. Dropped 'cache: pnpm' and left a comment explaining why so nobody re-adds it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three scanner alerts were still open on PR #45:

- zizmor/cache-poisoning (#5): pnpm/action-setup maintains its own cache store even without 'cache: pnpm' on setup-node. Switched to corepack enable instead, which reads the 'packageManager' field from root package.json and has no cache state.
- semgrep/run-shell-injection (#6, line 57/60): '${{ github.event_name }}' and '${{ inputs.version }}' were interpolated directly into a run: script. inputs.* is attacker-controlled via workflow_dispatch. Moved both to env: and referenced as '$EVENT_NAME' / '$INPUT_VERSION' so they're passed as environment variables instead of being substituted into shell syntax.
- semgrep/run-shell-injection (#7, line 68/69): same fix for '${{ steps.tag.outputs.tag }}' in the gh release create step — now passed via TAG env var.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Zizmor flags any GitHub-official setup action in a publishing workflow — even without caching enabled — on the logic that the action is cache-capable and a future edit could re-enable caching without catching the change. ubuntu-latest ships Node 20 and corepack preinstalled. Our engines.node is >=18, so we can skip actions/setup-node entirely and rely on the runner default. Corepack then picks up the pnpm version from the root package.json 'packageManager' field, so pnpm version pinning is preserved. One less action pinned, one less cache vector, zizmor clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
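For reference, here is a release workflow in the hardened shape the four commits above converge on (tag trigger, no setup-node or pnpm cache, corepack for pnpm, untrusted values passed through `env:` rather than interpolated into `run:`). This is an added illustration, not the repository's actual `.github/workflows/release-tarball.yml`; the job layout, step names, filter name and the version check are assumptions.

```yaml
# Added example, not the project's own workflow file. Step names, the pnpm
# --filter name and the version validation are assumptions.
name: release-tarball
on:
  push:
    tags: ['ghost-drift@*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release, e.g. 0.1.1'
        required: true
permissions:
  contents: write   # needed by `gh release create`; nothing broader
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a real repo
      # No actions/setup-node and no `cache: pnpm`: the shared actions/cache
      # store is writable from any branch, so a poisoned entry could be baked
      # into the shipped tarball. Runner-default Node 20 + corepack is enough,
      # and corepack reads the pnpm version from root package.json.
      - name: Enable pnpm via corepack
        run: corepack enable
      - name: Resolve release tag
        id: tag
        env:
          # Untrusted values enter via env, never via ${{ }} inside run:,
          # so the shell sees them as data rather than as script text.
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            # Assumed policy: digits and dots only (rejects prerelease tags).
            case "$INPUT_VERSION" in
              ''|*[!0-9.]*) echo "bad version: $INPUT_VERSION" >&2; exit 1 ;;
            esac
            echo "tag=ghost-drift@$INPUT_VERSION" >> "$GITHUB_OUTPUT"
          else
            echo "tag=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
          fi
      - name: Build and pack
        run: |
          pnpm install --frozen-lockfile
          pnpm --filter ghost-drift build
          pnpm --filter ghost-drift pack
      - name: Create GitHub Release with tarball
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ steps.tag.outputs.tag }}   # same env: pattern as alert #7
        run: gh release create "$TAG" packages/ghost-drift/*.tgz --generate-notes
```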
Summary
Distribution channel for `ghost-drift` while npm publishing is blocked on the org-side package-name bootstrap. Adds a tag-triggered workflow that packs the package and attaches the `.tgz` to a GitHub Release.
Consumer install
Works with npm, pnpm, yarn. `ghost-drift` binary installs to `node_modules/.bin` exactly as it would from npm. Library imports (`import { parseFingerprint } from "ghost-drift"`) work normally.
How to cut a release
After merge:
That triggers `.github/workflows/release-tarball.yml`, which:
Can also trigger manually via `workflow_dispatch` if needed.
Not changed
Test plan
🤖 Generated with Claude Code