From 43145745d7bbbcdd589034128dd035d2c0339e17 Mon Sep 17 00:00:00 2001
From: Jarvis
Date: Sat, 4 Apr 2026 22:49:54 -0500
Subject: [PATCH] ci: fail publish pipeline loudly on registry/auth/network errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The publish-npm step ended with `|| echo "[publish] Some packages may
already exist at this version — continuing"`, which unconditionally
converted any failure into success. That fallback silently masked a real
Gitea registry 404 during the @mosaic/* → @mosaicstack/* org rename — CI
reported green for pipelines #681 and #684 while every single
@mosaicstack/* publish fell on the floor, blocking users from installing
the gateway.

Replace the blanket swallow with a targeted rule:

- `E404 / E401 / ENEEDAUTH / ECONNREFUSED / ETIMEDOUT / ENOTFOUND` →
  FATAL, fail the pipeline. These are real registry/auth/network
  problems that must surface.
- `EPUBLISHCONFLICT / cannot publish over / previously published` →
  tolerate. This is the legitimate "only some packages were bumped in
  this merge" case and should not block CI.
- Any other unrecognized failure → FATAL (fail closed, not open).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .woodpecker/publish.yml | 43 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/.woodpecker/publish.yml b/.woodpecker/publish.yml
index 5d564be..f8ab16a 100644
--- a/.woodpecker/publish.yml
+++ b/.woodpecker/publish.yml
@@ -35,13 +35,42 @@ steps: - | echo "//git.mosaicstack.dev/api/packages/mosaicstack/npm/:_authToken=$NPM_TOKEN" > ~/.npmrc echo "@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/" >> ~/.npmrc - # Publish non-private packages to Gitea (--no-git-checks skips dirty/branch checks in CI) - # --filter excludes web (private) - - > - pnpm --filter "@mosaicstack/*" - --filter "!@mosaicstack/web" - publish --no-git-checks --access public - || echo "[publish] Some packages may already exist at this version — continuing" + # Publish non-private packages to Gitea. + # + # The only publish failure we tolerate is "version already exists" — + # that legitimately happens when only some packages were bumped in + # the merge. Any other failure (registry 404, auth error, network + # error) MUST fail the pipeline loudly: the previous + # `|| echo "... continuing"` fallback silently hid a 404 from the + # Gitea org rename and caused every @mosaicstack/* publish to fall + # on the floor while CI still reported green. + - | + # Portable sh (Alpine ash) — avoid bashisms like PIPESTATUS. + set +e + pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public >/tmp/publish.log 2>&1 + EXIT=$? + set -e + cat /tmp/publish.log + if [ "$EXIT" -eq 0 ]; then + echo "[publish] all packages published successfully" + exit 0 + fi + # Hard registry / auth / network errors → fatal. Match npm's own + # error lines specifically to avoid false positives on arbitrary + # log text that happens to contain "E404" etc. + if grep -qE "npm (error|ERR!) code (E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND)" /tmp/publish.log; then + echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2 + exit 1 + fi + # Only tolerate the explicit "version already published" case. + # npm returns this as E403 with body "You cannot publish over..." + # or EPUBLISHCONFLICT depending on version. 
+ if grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log; then + echo "[publish] some packages already at this version — continuing (non-fatal)" + exit 0 + fi + echo "[publish] FATAL: publish failed with unrecognized error — failing pipeline" >&2 + exit 1 depends_on: - build
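Review bot: The tolerate branch near the end of the script (`grep -qE "EPUBLISHCONFLICT|You cannot publish over|previously published" /tmp/publish.log`) still fails open when one run mixes failures. `/tmp/publish.log` holds the output for every package matched by `--filter "@mosaicstack/*"`, so a single "already published" line anywhere in it makes the step `exit 0` even if another package failed with a code that is not in the fatal pattern (an E403 that is not a version conflict, for example, since E403 is not in the fatal list). In that case the final "unrecognized error" FATAL is never reached. The tolerate pattern is also unanchored, unlike the fatal one that matches `npm (error|ERR!) code` lines, and a false positive here turns a failure into success rather than the reverse. Suggest collecting every `npm (error|ERR!) code` line from the log and exiting 0 only when each code found is a tolerated conflict, falling through to the final `exit 1` otherwise.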