From f8d351b2db32bf96083ad6d13ab19839a07bae8a Mon Sep 17 00:00:00 2001
From: Bryant
Date: Thu, 25 Jun 2026 14:57:38 +0800
Subject: [PATCH] 🐛 (ci): Fix npm tree check in release-node.yml SBOM step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CycloneDX SBOM step (AAASM-3619) ran bare cyclonedx-npm, which shells out to `npm ls` to walk the dependency tree. This repo installs with `pnpm install --frozen-lockfile`, so node_modules is pnpm's symlinked layout with no package-lock.json; npm ls flags devDependencies of transitive deps (safe-publish-latest req by math-intrinsics, @arethetypeswrong/cli req by dunder-proto) as missing and exits 254, aborting the release before publish.

Add --omit dev (production-only tree, the right scope for a release SBOM) and --ignore-npm-errors (tolerate residual pnpm-layout npm-ls noise). SBOM generation is independent of the OIDC trusted-publish / SLSA provenance path, which is untouched.

Closes AAASM-3723

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release-node.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-node.yml b/.github/workflows/release-node.yml
index dd9b0f22..1f828408 100644
--- a/.github/workflows/release-node.yml
+++ b/.github/workflows/release-node.yml
@@ -303,8 +303,19 @@ jobs: # provenance (NPM_CONFIG_PROVENANCE above). Runs on every dispatch # (incl. dry-run) so a dry-run validates generation; the real-publish # path attaches it to the GitHub Release below. + # + # AAASM-3723: this repo installs with `pnpm install --frozen-lockfile`, + # so node_modules is pnpm's symlinked layout with no package-lock.json. + # cyclonedx-npm shells out to `npm ls` to walk the tree, which flags + # devDependencies of transitive deps (e.g. safe-publish-latest required + # by math-intrinsics) as "missing" and exits non-zero — aborting the + # release before publish. `--omit dev` builds a production-only tree + # (the right scope for a release SBOM anyway), and `--ignore-npm-errors` + # tolerates the residual npm-ls noise from the pnpm node_modules layout. + # This is purely the dependency-manifest step; it does not touch the + # OIDC trusted-publish / SLSA provenance path below. - name: Generate CycloneDX SBOM - run: pnpm dlx @cyclonedx/cyclonedx-npm --output-format JSON --output-file sbom.cdx.json + run: pnpm dlx @cyclonedx/cyclonedx-npm --omit dev --ignore-npm-errors --output-format JSON --output-file sbom.cdx.json - name: Upload SBOM artifact uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
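Review bot: `--ignore-npm-errors` on the new `run:` line swallows every `npm ls` failure, not only the pnpm-layout noise the comment describes, so an SBOM built from a genuinely incomplete tree (a real missing or unresolvable production dependency) would be attached to the release without the job failing, and the "dry-run validates generation" guarantee stated in the comment becomes weaker than it reads. Consider a follow-up step that fails when `sbom.cdx.json` has an empty `components` list (or fewer entries than the production tree is expected to have), or at least echoing the `npm ls --omit dev` output into the job log so reviewers can see which warnings are being tolerated. Separately, `pnpm dlx @cyclonedx/cyclonedx-npm` resolves to whatever version is latest on the registry at release time, while the neighbouring `uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1` is pinned by SHA; pinning the tool as `@cyclonedx/cyclonedx-npm@<pinned version, placeholder>` keeps the dependency-manifest step as reproducible as the rest of the release job and avoids the SBOM generator itself being an unpinned supply-chain input.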