From 8368a5aa8ea1d76f5637f1f8318003deb19a0047 Mon Sep 17 00:00:00 2001 From: brawlaphant <35781613+brawlaphant@users.noreply.github.com> Date: Sat, 11 Apr 2026 12:05:11 -0700 Subject: [PATCH] fix(ci): repair two pre-existing workflow failures (verify-specs + wasm-size) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two pre-existing bugs in the CI workflow YAMLs have been producing red check marks on every PR regardless of the content. This PR fixes both. ## Bug 1: `verify-specs` runs `npm ci` at a root with no lockfile The `Verify Specs` job in `.github/workflows/ci.yml` runs: - name: Install root dependencies run: npm ci The repository root has a `package.json` (declaring only `scripts`, zero dependencies), but **no `package-lock.json`**. `npm ci` strictly requires a lockfile even when there is nothing to install: npm error code EUSAGE npm error The `npm ci` command can only install with an existing npm error package-lock.json or npm-shrinkwrap.json with npm error lockfileVersion >= 1. The `Run verify script` step only calls `node scripts/verify.mjs`, and that script only imports `node:fs`, `node:path`, and `node:child_process`. No external dependencies are involved. **Fix:** remove the `Install root dependencies` step entirely. It was never doing any work, and the job now runs `node scripts/ verify.mjs` directly against the repository. ## Bug 2: `wasm-size` can't substitute multi-line report into JS The `Report WASM Binary Sizes` job in `.github/workflows/ wasm-size.yml` uses `actions/github-script@v7` to post a PR comment. The script is passed the multi-line WASM size report via GitHub Actions template substitution: script: | ... '${{ steps.sizes.outputs.report }}', ... GitHub Actions substitutes the value directly into the JavaScript source text BEFORE execution. The report is a multi-line Markdown table (one line per contract). When the substituted text is dropped into a JavaScript single-quoted string literal, the literal ends at the first newline and the remaining lines become invalid JavaScript: SyntaxError: Invalid or unexpected token at new AsyncFunction () ... **Fix:** pass the report via an environment variable instead. `actions/github-script` exposes the job's `env:` map to the script via `process.env`, so the multi-line string survives as an opaque runtime value. The script reads `process.env.REPORT || '(no report)'` and uses it as-is. This pattern is the one the `actions/github-script` docs recommend for untrusted or multi-line inputs. ## Scope Two YAML files, ~14 line delta total. Does not touch any TypeScript, Rust, or reference-impl code. ## Validation - Bug 1 validated by running `node scripts/verify.mjs` from the repo root — exits 0 with "agentic-tokenomics verify: PASS". The fix removes the broken step; no alternative to test because the script never needed dependencies. - Bug 2 cannot be end-to-end validated locally (it requires a real PR to post a comment), but the JavaScript change is mechanical: `'${{ output }}'` → `process.env.REPORT || '(no report)'`. The env var is set via the `env:` map which `actions/github-script@v7` documents as the canonical way to pass multi-line/rich values. ## Related Part of the CI-repair sweep alongside #90 (contracts clippy + 3 orphaned workspace members) and #91 (`agents/` workspace:* protocol). Together these three PRs should clear every CI failure on every open PR. - Lands in: `.github/workflows/ci.yml`, `.github/workflows/wasm-size.yml` - Changes: remove broken `npm ci` in verify-specs; pass wasm-size report via env var - Validate: `node scripts/verify.mjs` (bug 1); wasm-size bug 2 runs end-to-end on this PR's CI --- .github/workflows/ci.yml | 7 +++++-- .github/workflows/wasm-size.yml | 12 +++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b09c30e..98b64ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -91,8 +91,11 @@ jobs: with: node-version: 20 - - name: Install root dependencies - run: npm ci + # The root package.json declares zero runtime dependencies — + # the verify scripts only use built-in `node:*` modules — so + # there is nothing to install. Skip `npm ci` (which would + # otherwise fail hard because there is no root + # package-lock.json to consume). - name: Run verify script run: node scripts/verify.mjs diff --git a/.github/workflows/wasm-size.yml b/.github/workflows/wasm-size.yml index 340da42..5f57430 100644 --- a/.github/workflows/wasm-size.yml +++ b/.github/workflows/wasm-size.yml @@ -67,14 +67,24 @@ jobs: - name: Comment on PR uses: actions/github-script@v7 + env: + # Pass the multi-line report through an env var rather than + # via `${{ steps... }}` substitution. Substitution inlines the + # report text directly into the JavaScript source before it + # runs, which breaks single-quoted string literals as soon as + # the report spans more than one line (or contains quotes, + # backticks, or backslashes). Reading from the env var keeps + # the report an opaque string at runtime. + REPORT: ${{ steps.sizes.outputs.report }} with: script: | const marker = ''; + const report = process.env.REPORT || '(no report)'; const body = [ marker, '## WASM Binary Sizes', '', - '${{ steps.sizes.outputs.report }}', + report, '', `_Built from \`${context.sha.slice(0, 8)}\` on \`${context.ref.replace('refs/heads/', '')}\`_`, ].join('\n');