diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b09c30e..98b64ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -91,8 +91,11 @@ jobs: with: node-version: 20 - - name: Install root dependencies - run: npm ci + # The root package.json declares zero runtime dependencies — + # the verify scripts only use built-in `node:*` modules — so + # there is nothing to install. Skip `npm ci` (which would + # otherwise fail hard because there is no root + # package-lock.json to consume). - name: Run verify script run: node scripts/verify.mjs diff --git a/.github/workflows/wasm-size.yml b/.github/workflows/wasm-size.yml index 340da42..5f57430 100644 --- a/.github/workflows/wasm-size.yml +++ b/.github/workflows/wasm-size.yml @@ -67,14 +67,24 @@ jobs: - name: Comment on PR uses: actions/github-script@v7 + env: + # Pass the multi-line report through an env var rather than + # via `${{ steps... }}` substitution. Substitution inlines the + # report text directly into the JavaScript source before it + # runs, which breaks single-quoted string literals as soon as + # the report spans more than one line (or contains quotes, + # backticks, or backslashes). Reading from the env var keeps + # the report an opaque string at runtime. + REPORT: ${{ steps.sizes.outputs.report }} with: script: | const marker = ''; + const report = process.env.REPORT || '(no report)'; const body = [ marker, '## WASM Binary Sizes', '', - '${{ steps.sizes.outputs.report }}', + report, '', `_Built from \`${context.sha.slice(0, 8)}\` on \`${context.ref.replace('refs/heads/', '')}\`_`, ].join('\n');