ci(publish): id-token for provenance + tolerate publish conflicts#47
Merged
ShawnChen-Sirius merged 2 commits intoJun 15, 2026
Merged
Conversation
The main job published with npm --provenance but the workflow never granted the id-token: write permission OIDC provenance requires, so it failed with EUSAGE once it finally ran (it had only ever been skipped/cancelled before). Grant id-token: write (+ contents: read) on the main job. Also harden both publish steps: when the pre-publish registry read lags behind a version that is actually already published, fall back to treating an npm 'cannot publish over / 403' conflict as success, instead of failing the job. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Root-fix for the intermittent stream.test.ts failure that only struck the slowest runner (macos-15-intel). libchdb allows one active data directory per process and the v3 suite runs all files serially in a single fork, so a test that creates a Session and throws before its own close() leaks the connection and blocks every later `new Session()` at a different temp path — 'only one active data directory per process' — cascading into unrelated files. It was timing-sensitive (a borderline async race losing only on the slow Intel runner), which is why faster platforms and most runs passed. - index.js: export internal _closeAllSessions() that force-closes every open session (close() releases the native connection synchronously). - test/v3/setup.ts + vitest setupFiles: a global afterEach calls it, so a leak is local to the test that caused it instead of poisoning the rest. - add try/finally around the unguarded new Session() sites (async-stress race test, two lifecycle tests) so they release even when an assertion throws. Verified: reproduced the exact CHDB_CONNECTION cascade, confirmed the global teardown clears it; full v3 suite green (118 passed). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Completes the v3.0.0 publish. After #46 fixed the runner + made publishes idempotent, the re-run got all four subpackages built and the
mainjob finally executed for the first time — and failed:mainpublishes withnpm --provenance, which needsid-token: write(OIDC). The workflow never granted it; the bug was latent becausemainhad only ever been skipped/cancelled before.Changes:
id-token: write(+contents: read) on themainjob so--provenanceworks.cannot publish over / 403error as success rather than failing. This de-risks the darwin-x64 subpackage, which is currently in a half-published state on the registry.State on npm right now:
@chdb/lib-{linux-x64,linux-arm64,darwin-arm64}@26.5.0published;@chdb/lib-darwin-x64@26.5.0not yet visible;chdb@3.0.0not published. After this merges, re-pointing thev3.0.0tag re-runs the publish: the three publish steps skip/no-op, darwin-x64 publishes (or tolerates conflict), andmainpublisheschdb@3.0.0with provenance tolatest.