Description
Summary
Ruff provides three WASM build targets (web, bundler, nodejs), which produce files with identical names. When release.yml downloads all artifacts with merge-multiple: true, the WASM files silently overwrite each other, and whichever target extracts last wins. The final artifact that's actually released varies between releases.
Cause
build-wasm.yml builds three matrix targets and uploads each as a separate artifact with distinct names (artifacts-wasm-{web, bundler, nodejs}). However, the files inside each artifact have identical names (ruff_wasm.js, ruff_wasm_bg.wasm, package.json, etc.).
In release.yml, three jobs download artifacts using a glob pattern with merge-multiple: true.
This merges all matching artifacts into a flat directory. Files with the same name silently overwrite each other, with the last extraction winning. Notably, extraction order appears to be inconsistent and non-deterministic (see below).
Affected jobs in release.yml:
- build-global-artifacts (checksums computed over indeterminate files)
- host (artifact upload)
- announce (GitHub Release creation)
Impact
This has existed since WASM assets were added to GitHub Releases in 0.14.13 (#22476).
WASM assets from all three affected GitHub Releases have been for three different targets:
| Release | package.json name |
|---|---|
| 0.14.13 | @astral-sh/ruff-wasm-bundler |
| 0.14.14 | @astral-sh/ruff-wasm-web |
| 0.15.0 | @astral-sh/ruff-wasm-nodejs |
Crucially, the npm publish workflow is not affected (it downloads each target by exact artifact name and publishes each into their own package @astral-sh/ruff-wasm-{web, bundler, nodejs}). This only affects the WASM builds on GitHub releases (which have negligible downloads, only ~18 for 0.15.0 at the time of writing).
Overall impact seems very low; few people use the WASM builds, and practically nobody from GitHub release artifacts.
Version
N/A; release issue
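
A pre-merge check for the collision described in this issue, added here as an example; it is not part of the original report or of Ruff's workflows. It assumes the artifacts were downloaded without merging, so each sits in its own subdirectory named after the artifact, and `find_merge_collisions`, `build_sample` and the `artifacts-placeholder` directory are hypothetical names with constructed file contents.

```python
import hashlib
import sys
import tempfile
from collections import defaultdict
from pathlib import Path


def find_merge_collisions(root):
    """Return {relative path: {artifact name: sha256}} for every file that
    exists in more than one artifact directory under `root`, i.e. every file
    a flat merge of those artifacts would silently overwrite."""
    seen = defaultdict(dict)
    for artifact_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for f in sorted(artifact_dir.rglob("*")):
            if f.is_file():
                rel = f.relative_to(artifact_dir).as_posix()
                digest = hashlib.sha256(f.read_bytes()).hexdigest()
                seen[rel][artifact_dir.name] = digest
    return {rel: owners for rel, owners in seen.items() if len(owners) > 1}


def build_sample(root):
    """Constructed sample using the artifact and file names from the issue."""
    for target in ("web", "bundler", "nodejs"):
        d = Path(root) / f"artifacts-wasm-{target}"
        d.mkdir(parents=True)
        (d / "package.json").write_text(
            f'{{"name": "@astral-sh/ruff-wasm-{target}"}}')
        (d / "ruff_wasm.js").write_text(f"// constructed glue for {target}\n")
        # Same bytes in every target here only to show the "identical" case.
        (d / "ruff_wasm_bg.wasm").write_bytes(b"\0asm constructed")
    other = Path(root) / "artifacts-placeholder"  # hypothetical non-WASM artifact
    other.mkdir()
    (other / "unique.tar.gz").write_bytes(b"constructed")


if __name__ == "__main__":
    # Pass the download directory as argv[1]; with no argument, run the sample.
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample(tmp)
        collisions = find_merge_collisions(root)
        for rel, owners in sorted(collisions.items()):
            differs = len(set(owners.values())) > 1
            state = "CONTENT DIFFERS" if differs else "identical content"
            print(f"{rel}: {', '.join(sorted(owners))} ({state})")
    sys.exit(1 if collisions else 0)
```

Run as a workflow step before checksums are computed, a non-zero exit fails the release instead of letting extraction order decide which target's files are published.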