feat: SDK update for version 22.2.2#332
Conversation
Greptile SummaryThis PR updates the CLI release metadata and release workflow for version 22.2.2. The main changes are:
Confidence Score: 4/5The release metadata changes are straightforward, but the workflow's native package fetch path needs attention before the release process is safe to rely on. The changed files are mostly version bumps and release packaging updates, with the main risk concentrated in the new workflow step that downloads native bindings outside normal package-manager verification. .github/workflows/publish.yml
What T-Rex did
Reviews (1): Last reviewed commit: "chore: update Command Line SDK to 22.2.2" | Re-trigger Greptile |
| dir="node_modules/@napi-rs/keyring-$triple" | ||
| [ -d "$dir" ] && continue | ||
| mkdir -p "$dir" | ||
| curl -fsSL "https://registry.npmjs.org/@napi-rs/keyring-$triple/-/keyring-$triple-$version.tgz" | tar -xz -C "$dir" --strip-components=1 |
There was a problem hiding this comment.
This step downloads native packages outside the lockfile-verified install path and pipes them directly into tar. If the registry or a proxy returns a corrupted or tampered @napi-rs/keyring-* tarball, the workflow can embed that native code into signed release binaries without checking the integrity already recorded in the lockfiles. Please fetch these packages through the package manager or verify each tarball against lockfile integrity before extraction.
| - name: Fetch keyring native bindings for all targets | ||
| run: | | ||
| version="$(bun -e 'console.log(require("@napi-rs/keyring/package.json").version)')" | ||
| for triple in darwin-arm64 darwin-x64 linux-x64-gnu linux-arm64-gnu win32-x64-msvc win32-arm64-msvc; do | ||
| dir="node_modules/@napi-rs/keyring-$triple" | ||
| [ -d "$dir" ] && continue | ||
| mkdir -p "$dir" | ||
| curl -fsSL "https://registry.npmjs.org/@napi-rs/keyring-$triple/-/keyring-$triple-$version.tgz" | tar -xz -C "$dir" --strip-components=1 | ||
| done |
There was a problem hiding this comment.
The release workflow now fetches non-host keyring packages before compiling, but the CI build path still cross-compiles the same binaries without this step and only checks that output files are non-empty. When keyring embedding breaks for a non-host target, CI can still pass while the release-only path is the first place that exercises the new behavior. Please share this fetch/setup step with CI or add a CI check that confirms the compiled binaries contain the expected native keyring binding for each target.
This PR contains updates to the SDK for version 22.2.2.
What's Changed
@napi-rs/keyringnative bindings for all targets