Skip to content

feat: install expost from prebuilt release tarball#762

Merged
narthur merged 7 commits into
masterfrom
feat/expost-from-release
Jul 15, 2026
Merged

feat: install expost from prebuilt release tarball#762
narthur merged 7 commits into
masterfrom
feat/expost-from-release

Conversation

@narthur

@narthur narthur commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

What

  • Point the expost dependency at the prebuilt release-asset tarball instead of the git ref (github:bsoule/expost#<sha>).
  • Drop expost from onlyBuiltDependencies in pnpm-workspace.yaml — no install-time build to approve anymore.

Why

As a git dependency, expost runs its prepare (tsc) at install time. That build needs expost's devDeps, so it dies under production-mode installs and cold caches — which is why Render PR previews fail on it while the warm prod cache silently reuses a previously-built copy. See #656.

The release tarball already contains built dist/, so consumers never run tsc: cold-safe, prod-safe, and token-free (public release assets download anonymously, unlike GitHub Packages).

⚠️ Blocked — draft

Depends on expost's auto-release workflow producing the first release. The initial merge crashed (semver-action 404'd on the tagless repo); bsoule/expost#21 fixes that so the workflow self-bootstraps to v1.0.0 and attaches expost-1.0.0.tgz. Unblock steps:

Note: the URL is version-pinned on purpose. Old release assets are immutable, so a frozen lockfile keeps resolving the exact same bytes — future expost releases won't break this build until we deliberately bump the URL + regen the lockfile.

Closes #656.

🤖 Generated with Claude Code

Switch expost from a git dependency (which runs its `tsc` prepare at
install time) to the prebuilt release-asset tarball, and drop it from
onlyBuiltDependencies. No install-time build means cold builds (Render
PR previews) stop failing, and no token is needed since public release
assets download anonymously.

Blocked on: bsoule/expost cutting the v1.0.0 release (see PR there).
Lockfile regen + verification happen once that asset exists.

Closes #656.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The expost release workflow auto-bumps from a v1.0.0 fallback, so the
first release cut on merge is v1.0.1. Adjust here if the actual tag
differs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The expost release workflow self-bootstraps to v1.0.0 on the tagless
first run, so the first asset is expost-1.0.0.tgz.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
pnpm <10.10 (blog was on 10.6.1) has a bug where it bakes GitHub
release assets' expiring signed CDN URL into the lockfile with no
integrity (pnpm/pnpm#9531), so frozen installs 403 once the URL
expires. Pinning packageManager to 10.34.5 and regenerating stores the
stable releases/download URL plus an integrity hash, which re-redirects
to a fresh signed URL on every fetch.

The newer pnpm also enforces build-script approval by full spec for
git-hosted deps, so pixelteer's onlyBuiltDependencies entry is pinned
to its resolved commit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Accessibility Issues

Summary

No baseline issues found.

BaselineHead
00

Issue Breakdown

CodeBeforeAfterNet Change
View full breakdown

@github-actions

Copy link
Copy Markdown
Contributor

Build Performance

+0.02s (+0.4%) average build time

Base (6c7aa25) Head (521e5d4)
Average 4.45s 4.47s
Runs 4.48,4.46,4.42 4.50,4.46,4.47

3 timed builds after one warm-up build per commit.

pnpm/action-setup errors when both `version:` and package.json's
`packageManager` are set. Drop the `version: ${{ env.PNPM_VERSION }}`
inputs (and the now-unused PNPM_VERSION env) so every workflow — and
Render, via corepack — uses the pinned pnpm@10.34.5 from a single
source. This also moves CI off pnpm 9, matching the lockfile and
onlyBuiltDependencies shaping regenerated under 10.34.5.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dreeves
dreeves temporarily deployed to feat/expost-from-release - beeblog PR #762 July 15, 2026 13:45 — with Render Destroyed
build-perf checks base/ and head/ into subdirs, so action-setup runs
at the repo root with no package.json to read packageManager from.
Give it an explicit PNPM_VERSION (10.34.5, kept in sync with
packageManager) so future PRs — whose base is post-fix master — pass.
This PR's own build-perf stays red because it builds pre-fix master,
which the newer pnpm can't install; the check is informational.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dreeves
dreeves temporarily deployed to feat/expost-from-release - beeblog PR #762 July 15, 2026 13:50 — with Render Destroyed
@narthur
narthur merged commit e6cc458 into master Jul 15, 2026
12 of 13 checks passed
@narthur
narthur deleted the feat/expost-from-release branch July 15, 2026 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace git-hosted expost with a published build so --prod installs work

2 participants