From 1a9d3c1f8249e9d5f30684cca981114cee291e74 Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Thu, 14 May 2026 01:48:14 +0000 Subject: [PATCH] fix bootstrap ETARGET when customer has npm min-release-age policy (#725) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix bootstrap ETARGET when customer has npm min-release-age policy set npm_config_min_release_age=0 in the action runtime env so `npx --yes pullfrog@` doesn't get rejected by a customer-side release-age gate (npm 11.5+'s min-release-age / pnpm's minimumReleaseAge). env vars beat .npmrc in npm config precedence, so this neutralises the policy regardless of where it's defined. pullfrog's npm version is server-stamped from a SHA-pinned action ref customers already vet at the action layer — it isn't a customer-vetted dep, so the release-age policy is the wrong affordance for our bootstrap and would otherwise hard-fail every run while the latest publish ages into the customer's window. closes #713 * also cover pnpm's minimumReleaseAge key for corepack fallback path * correct pnpm env var (pnpm v11+ uses pnpm_config_*, not npm_config_*) the prior commit set `npm_config_minimum_release_age=0` to cover the pnpm corepack-dlx fallback path, but pnpm v11+ only reads env vars prefixed `pnpm_config_*` / `PNPM_CONFIG_*` (the v10→v11 migration explicitly renamed the prefix). swap to the correct env var so the fallback path actually neutralises pnpm's `minimumReleaseAge`. also tighten the comment block, and add an AGENTS.md rule reminding us to fetch top-level reviews AND inline review comments together — they live on different endpoints and the inline set is easy to miss with `gh pr view --json reviews,comments` alone. * add scripts/pr-reviews.ts for one-shot review evaluation dumps top-level reviews + inline review threads (with resolved/outdated state) + PR-level conversation in a single GraphQL round trip, so agents don't miss inline-comment feedback. fixes the trap where `gh pr view --json reviews,comments` silently omits the inline `pulls/{n}/comments` set. borrows `gh auth token` so no env vars are required. registered in `wiki/scripts.md`; AGENTS.md rule updated to point at the script instead of the two-step gh-CLI workaround. * pr-reviews: dump raw JSON for jq piping --- runCli.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/runCli.ts b/runCli.ts index d19d26f..2621a51 100644 --- a/runCli.ts +++ b/runCli.ts @@ -104,6 +104,15 @@ function createRuntimeContext(): RuntimeContext { const env: NodeJS.ProcessEnv = { ...process.env }; env.npm_config_registry = NPM_REGISTRY; env.COREPACK_NPM_REGISTRY = NPM_REGISTRY; + // bypass customer-side release-age gates (npm's `min-release-age`, pnpm's + // `minimumReleaseAge`) so our bootstrap can resolve the latest publish. + // pullfrog's npm version is server-stamped from a SHA-pinned action ref the + // customer already vets at the action layer — not a customer-vetted dep, so + // the gate is the wrong affordance here. env beats .npmrc in both tools. + // npm uses `npm_config_*`; pnpm v11+ requires `pnpm_config_*` (the v10→v11 + // migration renamed the prefix). tracked: #713 + env.npm_config_min_release_age = "0"; + env.pnpm_config_minimum_release_age = "0"; const currentPath = process.env.PATH ?? ""; env.PATH = currentPath ? `${nodeBinDir}${delimiter}${currentPath}` : nodeBinDir;