From c429fd75bbcbca73b7bc75abd907d3633d79bf4f Mon Sep 17 00:00:00 2001 From: jan-kubica Date: Wed, 13 May 2026 18:06:01 +0200 Subject: [PATCH 1/2] fix(actions): emit trailing newline from node-stdout, unblocks read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The diagnostic dispatch (stella/stdnum#run-25810975562, debug branch) finally captured the actual failure path. The script reaches: read -r PACKAGE_NAME PACKAGE_VERSION < <(node -e ' ... process.stdout.write(name + "\t" + version); ' "${PKG_JSON_FILE}") and then exits 1 via the EXIT trap — meaning `read` returned non-zero and `set -e` killed the script. Per `man bash`, `read` "returns 0 unless end-of-file is encountered." The node script wrote `name\tversion` with no trailing newline, so `read` hit EOF before finding a delimiter and returned 1 — even though it correctly assigned both variables. `set -e` then exited the script before reaching the subsequent `[[ -z PACKAGE_NAME ]]` check that would have emitted a meaningful error. A four-byte fix: append "\n" to the node-emitted string. Verified locally — script now reaches the next gate (npm version check) instead of silent-exiting. The diagnostic instrumentation that surfaced this is NOT included in this commit — it lives on a separate `debug/publish-trace` branch and will be cleaned up after this lands. --- .github/actions/npm-publish-hardened/publish.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/actions/npm-publish-hardened/publish.sh b/.github/actions/npm-publish-hardened/publish.sh index 4497f46..e6359ca 100755 --- a/.github/actions/npm-publish-hardened/publish.sh +++ b/.github/actions/npm-publish-hardened/publish.sh @@ -72,9 +72,13 @@ PKG_JSON_FILE="${RUNNER_TEMP:-/tmp}/npm-publish-hardened-pkg-$$.json" trap 'rm -f "${PKG_JSON_FILE}"' EXIT tar -xOf "${TARBALL}" package/package.json > "${PKG_JSON_FILE}" +# shellcheck disable=SC2016 # JS template literals don't need shell expansion read -r PACKAGE_NAME PACKAGE_VERSION < <(node -e ' const j = JSON.parse(require("fs").readFileSync(process.argv[1], "utf8")); - process.stdout.write((j.name ?? "") + "\t" + (j.version ?? "")); + // Trailing newline is required: bash `read` returns non-zero on EOF + // without a delimiter even when the variables were assigned. Under + // `set -e` that non-zero kills the script silently right here. + process.stdout.write((j.name ?? "") + "\t" + (j.version ?? "") + "\n"); ' "${PKG_JSON_FILE}") if [[ -z "${PACKAGE_NAME}" || "${PACKAGE_NAME}" == "null" \ From cfaba98f41b991b798538f51d631966b1b048b05 Mon Sep 17 00:00:00 2001 From: jan-kubica Date: Wed, 13 May 2026 18:09:09 +0200 Subject: [PATCH 2/2] fix(actions): adopt console.log + template literal per gemini MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces `process.stdout.write(... + "\\n")` with `console.log(`${name}\\t${version}`)`. console.log appends the required newline automatically, and the template literal makes the shellcheck disable directive (which mentions template literals) accurate. No functional change. Verified locally — script still reaches the next gate. Addresses gemini medium on PR #29. --- .github/actions/npm-publish-hardened/publish.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/actions/npm-publish-hardened/publish.sh b/.github/actions/npm-publish-hardened/publish.sh index e6359ca..b67d301 100755 --- a/.github/actions/npm-publish-hardened/publish.sh +++ b/.github/actions/npm-publish-hardened/publish.sh @@ -75,10 +75,11 @@ tar -xOf "${TARBALL}" package/package.json > "${PKG_JSON_FILE}" # shellcheck disable=SC2016 # JS template literals don't need shell expansion read -r PACKAGE_NAME PACKAGE_VERSION < <(node -e ' const j = JSON.parse(require("fs").readFileSync(process.argv[1], "utf8")); - // Trailing newline is required: bash `read` returns non-zero on EOF - // without a delimiter even when the variables were assigned. Under - // `set -e` that non-zero kills the script silently right here. - process.stdout.write((j.name ?? "") + "\t" + (j.version ?? "") + "\n"); + // console.log appends a trailing newline. The newline is required: + // bash `read` returns non-zero on EOF without a delimiter even when + // the variables were assigned, and under `set -e` that kills the + // script silently right here. + console.log(`${j.name ?? ""}\t${j.version ?? ""}`); ' "${PKG_JSON_FILE}") if [[ -z "${PACKAGE_NAME}" || "${PACKAGE_NAME}" == "null" \