feat: install expost from prebuilt release tarball#762
Merged
Conversation
Switch expost from a git dependency (which runs its `tsc` prepare at install time) to the prebuilt release-asset tarball, and drop it from onlyBuiltDependencies. No install-time build means cold builds (Render PR previews) stop failing, and no token is needed since public release assets download anonymously. Blocked on: bsoule/expost cutting the v1.0.0 release (see PR there). Lockfile regen + verification happen once that asset exists. Closes #656. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The expost release workflow auto-bumps from a v1.0.0 fallback, so the first release cut on merge is v1.0.1. Adjust here if the actual tag differs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The expost release workflow self-bootstraps to v1.0.0 on the tagless first run, so the first asset is expost-1.0.0.tgz. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
pnpm <10.10 (blog was on 10.6.1) has a bug where it bakes GitHub release assets' expiring signed CDN URL into the lockfile with no integrity (pnpm/pnpm#9531), so frozen installs 403 once the URL expires. Pinning packageManager to 10.34.5 and regenerating stores the stable releases/download URL plus an integrity hash, which re-redirects to a fresh signed URL on every fetch. The newer pnpm also enforces build-script approval by full spec for git-hosted deps, so pixelteer's onlyBuiltDependencies entry is pinned to its resolved commit. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Accessibility IssuesSummaryNo baseline issues found.
Issue Breakdown
|
Contributor
Build Performance⚡ +0.02s (+0.4%) average build time
|
pnpm/action-setup errors when both `version:` and package.json's
`packageManager` are set. Drop the `version: ${{ env.PNPM_VERSION }}`
inputs (and the now-unused PNPM_VERSION env) so every workflow — and
Render, via corepack — uses the pinned pnpm@10.34.5 from a single
source. This also moves CI off pnpm 9, matching the lockfile and
onlyBuiltDependencies shaping regenerated under 10.34.5.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dreeves
temporarily deployed
to
feat/expost-from-release - beeblog PR #762
July 15, 2026 13:45 — with
Render
Destroyed
build-perf checks base/ and head/ into subdirs, so action-setup runs at the repo root with no package.json to read packageManager from. Give it an explicit PNPM_VERSION (10.34.5, kept in sync with packageManager) so future PRs — whose base is post-fix master — pass. This PR's own build-perf stays red because it builds pre-fix master, which the newer pnpm can't install; the check is informational. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dreeves
temporarily deployed
to
feat/expost-from-release - beeblog PR #762
July 15, 2026 13:50 — with
Render
Destroyed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
expostdependency at the prebuilt release-asset tarball instead of the git ref (github:bsoule/expost#<sha>).expostfromonlyBuiltDependenciesinpnpm-workspace.yaml— no install-time build to approve anymore.Why
As a git dependency, expost runs its
prepare(tsc) at install time. That build needs expost's devDeps, so it dies under production-mode installs and cold caches — which is why Render PR previews fail on it while the warm prod cache silently reuses a previously-built copy. See #656.The release tarball already contains built
dist/, so consumers never runtsc: cold-safe, prod-safe, and token-free (public release assets download anonymously, unlike GitHub Packages).Depends on expost's auto-release workflow producing the first release. The initial merge crashed (semver-action 404'd on the tagless repo); bsoule/expost#21 fixes that so the workflow self-bootstraps to
v1.0.0and attachesexpost-1.0.0.tgz. Unblock steps:v1.0.0withexpost-1.0.0.tgzpackage.jsonpnpm installto regeneratepnpm-lock.yaml, push, confirm CI green (esp.build+check:secrets)Closes #656.
🤖 Generated with Claude Code