Skip to content

Tighten packaging and release hygiene#43

Merged
timriley merged 5 commits intomainfrom
build-and-release-improvements
Apr 18, 2026
Merged

Tighten packaging and release hygiene#43
timriley merged 5 commits intomainfrom
build-and-release-improvements

Conversation

@timriley
Copy link
Copy Markdown
Member

@timriley timriley commented Apr 18, 2026
edited
Loading

Tighten up packaging and release hygiene ahead of adopting the npm trusted publishing workflow (using release-machine to publish this package) . The goal is to move publishing guarantees into package.json itself so the published tarball is correct and reproducible regardless of who runs npm publish — CI, a maintainer, or a consumer installing from a git URL.

Changes

  • package.json prepack script — runs clean && build before any tarball is produced (npm publish, npm pack, or git-URL install). The build guarantee no longer depends on remembering to run a Makefile target or wire a CI step.
  • package.json files allowlist replaces .npmignore — an allowlist makes the published files explicit and will prevent leaking of unrelated local files.
  • dist/ removed from git — now that prepack always rebuilds, the tracked dist/ was redundant noise that produced merge conflicts on every source change. dist/ is now in .gitignore.
  • Makefile deleted — its build target lives in prepack, and test was a thin wrapper around npm test. CI updated to call npm test directly.
  • package.json engines field — declares node: ">=20", matching the current CI floor, so installs on older Node versions get an EBADENGINE warning instead of silently proceeding.

Verification

  • Running npm pack --dry-run produces the expected tarball: dist/, CHANGELOG.md, README.md, package.json — and nothing else.
  • Re-running after rm -rf dist produces an identical file listing, confirming prepack rebuilds from source.
  • npm test passes locally and CI no longer references the removed Makefile.

timriley added 5 commits April 18, 2026 20:03
@timriley
Add prepack script to build cleanly before packaging
4501265 
Ensures every tarball — whether from `npm publish`, `npm pack`, or a consumer installing from a git URL — is built fresh from source, regardless of who runs the command. Moves the build guarantee out of the Makefile and any CI workflow and into package.json itself.
@timriley
Stop tracking dist/ in git
37b2a4f 
Now that prepack guarantees a fresh build for every tarball — whether from `npm publish`, `npm pack`, or a consumer installing from a git URL — a committed `dist/` is redundant. Removing it eliminates noisy diffs and the merge conflicts that come from regenerating build output on every change.
@timriley
Replace .npmignore denylist with package.json files allowlist
256c3d2 
The denylist would allow any new top-level file or directory to be included in published tarballs by default.

Switching to an allowlist makes the published surface explicit and structurally prevents leaks of unrelated local files. The allowlist preserves prior behavior: `dist/`, `CHANGELOG.md`, and the npm-implicit `README.md` and `package.json`.
@timriley
Delete Makefile
6313273 
Its `build` target (`rm -rf dist && npm run build`) now lives in the package.json `prepack` script, and its `test` target was a thin wrapper around `npm test`. The Makefile no longer carries unique behavior.
@timriley
Declare supported Node versions via engines field
821c57c 
Without an `engines` declaration, the package made no claim about runtime support and would install silently on any Node version. CI currently tests against Node 20 and 21, so `>=20` codifies the existing supported floor. Consumers on older Node versions will now get an `EBADENGINE` warning at install time.
@timriley timriley merged commit 3cd52fd into main Apr 18, 2026
9 checks passed
@timriley timriley mentioned this pull request Apr 19, 2026
Merged
@timriley timriley deleted the build-and-release-improvements branch April 19, 2026 02:58
timriley added a commit to hanakai-rb/release-machine that referenced this pull request Apr 19, 2026
@timriley
Release npm packages (#8)
cdaaed3 
Create a new `release-npm.yml` workflow, which we can use for releasing hanami-assets to npm in the same way we release our gems, which includes the automatic GitHub release creation and post to our forum.

This uses npm trusted publishing, which I've already configured for our Hanami-assets package.

Common logic between the existing release.yml and our new release-npm.yml has been extracted into separate shared actions.

This approach is facilitated by the changes in hanami/hanami-assets-js#43, which ensure all the necessary publishing-related steps are encapsulated within hanami-assets' `package.json`, so the release workflow here can just call `npm publish` and nothing else.
cllns added a commit to hanami/hanami that referenced this pull request Apr 19, 2026
@cllns
Build assets in CI
be9deb5 
Fix for: hanami/hanami-assets-js#43

Testing here, then will put in repo-sync once it's correct
This was referenced Apr 19, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@timriley