Skip to content

chore: validate package-lock.json sync in release workflow #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jerome-benoit wants to merge 1 commit into from
+4 −0
Closed

chore: validate package-lock.json sync in release workflow #1

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/npm-publish-npm-packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ jobs:
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Validate lockfile
run: |
npm install --package-lock-only
git diff --exit-code package-lock.json || (echo "package-lock.json is out of sync. Run 'npm install' and commit the changes." && exit 1)
Comment on lines +18 to +21
Copy link

Copilot AI Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The lockfile validation step is placed only in the build job but not in the publish-npm job. Since publish-npm runs independently (after checkout), it should also validate the lockfile before running npm ci to ensure consistency at the point of actual publishing.

Consider either:

  1. Adding the same validation step to the publish-npm job before line 43, or
  2. Moving this validation to run in both jobs, or
  3. If the intent is to fail fast in the build job only, add a comment explaining why the publish-npm job doesn't need this validation.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message references npm install, but the recommended command for fixing lockfile sync issues should be npm install --package-lock-only to update only the lockfile without modifying node_modules.

Suggested message:

"package-lock.json is out of sync. Run 'npm install --package-lock-only' and commit the changes."

This is more precise and matches what the validation step itself does to check for sync issues.

Suggested change
git diff --exit-code package-lock.json || (echo "package-lock.json is out of sync. Run 'npm install' and commit the changes." && exit 1)
git diff --exit-code package-lock.json || (echo "package-lock.json is out of sync. Run 'npm install --package-lock-only' and commit the changes." && exit 1)

Copilot uses AI. Check for mistakes.
- run: npm ci
- run: npm run build
- run: npm test
Expand Down