Skip to content

ci: run release on Node, not Deno (fix release regression)#96

Merged
KyleJune merged 1 commit into
mainfrom
ci/fix-release-run-on-node
Jun 14, 2026
Merged

ci: run release on Node, not Deno (fix release regression)#96
KyleJune merged 1 commit into
mainfrom
ci/fix-release-run-on-node

Conversation

@KyleJune

Copy link
Copy Markdown
Member

Summary

Fixes the release regression introduced by #95. The Release job failed on the
main push (run):

Command: .../v2.6.7/linux/deno publish --no-check --allow-dirty --dry-run
error: unrecognized subcommand   tip: a similar subcommand exists: 'publish'
(DEP0190) DeprecationWarning: Passing args to a child process with shell option true ...

Root cause: @sebbo2002/semantic-release-jsr downloads its own Deno binary
and shell: true-spawns deno publish. Under Deno's Node child_process
emulation that spawn mangles the args (the subcommand token gets concatenated),
so deno reports a valid subcommand as "unrecognized". #95 had moved
semantic-release from npx (real Node) onto deno run; this plugin is built for
a Node host and only works there. The Deno-native move was right for
semantic-release core but wrong for this one plugin.

Changes

  • Run semantic-release on Node again — restore actions/setup-node + npx.
  • Keep the supply-chain hardening by pinning every npx --package to an
    exact version (jsr plugin stays 3.2.1; npm:semantic-release@25.0.5 etc.).
    npx has no lockfile, so the exact version is the pin.
  • Remove the semantic-release imports ci: harden release pipeline against supply-chain #95 added to deno.json (npx fetches
    the tooling) — minimumDependencyAge, the SHA-pinned actions, cache: false
    on the publish job, and the contents: read token from ci: harden release pipeline against supply-chain #95 all stay.

Testing

Locally on this branch with the exact pinned npx … semantic-release --dry-run
under Node v24.14: all six plugins load with no version/engine conflict. This
restores the exact npx-under-Node configuration that published every release
through 0.8.0; #95's only release-execution change (npx→deno run) is what
broke it, and that's what's reverted.

Follow-up

For full transitive integrity on the npx path, a committed package-lock.json +
npm ci would pin beyond the direct packages. Left as a follow-up to keep this
fix minimal.

@sebbo2002/semantic-release-jsr shell-spawns its own downloaded `deno
publish`, and that spawn's args get mangled by Deno's child_process
Node-compat layer — so after #95 moved semantic-release onto `deno run`,
the publish failed with "unrecognized subcommand". Restore the Node host
(actions/setup-node + npx), keeping the supply-chain hardening by pinning
every npx package to an exact version (jsr plugin stays 3.2.1). The
SHA-pinned actions, contents:read token, and minimumDependencyAge from #95
are unchanged; the semantic-release imports #95 added to deno.json are
removed since npx fetches the tooling again.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@KyleJune KyleJune merged commit 02991db into main Jun 14, 2026
7 checks passed
@KyleJune KyleJune deleted the ci/fix-release-run-on-node branch June 14, 2026 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant