fix: use bun shebang and fix pack test#4
Conversation
- Change shebang from node to bun (Bun-only package) - Fix bun pm pack with --ignore-scripts --quiet flags - Add debug output for pack failures
Summary of ChangesHello @namastex888, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical issue where a Bun-only package's binary was incorrectly configured to run with Node.js due to an erroneous shebang. By correcting this, the package will now execute as intended with Bun. Additionally, the PR enhances the reliability of the package's testing process by refining the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request correctly changes the shebang from node to bun for this Bun-only package and improves the bunx test script. The changes to the test script make it more robust by adding flags to bun pm pack and providing better debug output on failure. I have added one comment with a suggestion to further improve the error handling in the shell script by checking the command's exit code directly, which is a more idiomatic and robust pattern.
| if [ -z "$PACK_FILE" ] || [ ! -f "$TEST_DIR/$PACK_FILE" ]; then | ||
| echo "✗ Failed to pack package with bun" | ||
| echo "Pack output: $PACK_PATH" | ||
| exit 1 | ||
| fi |
There was a problem hiding this comment.
While this check for failure is a good improvement, a more robust and idiomatic approach in shell scripting is to check the command's exit code directly. This avoids relying on parsing the command's output or checking for file existence to determine success.
You could capture the exit code immediately after the bun pm pack command and check that in the if condition.
Example:
PACK_PATH=$(bun pm pack --destination "$TEST_DIR" --ignore-scripts --quiet 2>&1)
PACK_STATUS=$?
if [ $PACK_STATUS -ne 0 ]; then
echo "✗ Failed to pack package with bun"
echo "Pack output: $PACK_PATH"
exit 1
fi
PACK_FILE=$(basename "$PACK_PATH")This makes the script's intent clearer and less brittle to potential changes in bun pm pack's output format.
…tation
D5 of pgserve create-app + manifest LOCK 1
(autopg-distribution-cutover-finalize wish G3).
Round-trip integration smoke that exercises the lock-vs-live trust
differential — the WHOLE point of the manifest LOCK 1 design.
Pipeline:
1) Start ephemeral postgres on a high port (mirrors
gc-provision.test.sh setup).
2) `pgserve create-app demo --port $PORT` — registers slug; freezes
live TRUSTED_IDENTITIES into autopg_meta.locked_roots.
3) Direct UPDATE replaces the freshly frozen list with a SYNTHETIC
single-entry locked_roots ({"id":"frozen-test", regex
"^FROZEN-LOCK$"}). This is the test's stand-in for "operator
rotated live; the slug's lock is now divergent". When verify
--slug demo loads locked_roots, it gets THIS list.
4) Stub cosign on PATH succeeds ONLY when --certificate-identity-regexp
is exactly `^FROZEN-LOCK$` AND the binary's first bytes are
`FROZEN-LOCK`. Anything else: exit non-zero.
5) Three verify scenarios:
a) FROZEN-LOCK binary + --slug demo → exit 0 (lock matched)
b) LIVE-IDENTITY binary + --slug demo → exit ≥2 (lock rejected)
c) any binary + --slug nonexistent_slug → exit 3 (loader rejected
BEFORE cosign — invocation error)
6) Idempotent re-run preserves locked_roots — the synthetic
'frozen-test' id stays after a second create-app demo invocation,
proving BRIEF v5 A6 lock preservation is live.
Together those steps cover acceptance criteria #1, #3, #4, #5 from
WISH L142-L147 (idempotent re-run, verify rejection, verify success
against frozen lock, upgrade-after-trust-rotation).
Skips gracefully on hosts without initdb/pg_ctl/psql on PATH (mirrors
gc-provision.test.sh's contract). Wired into .github/workflows/ci.yml
as a new continue-on-error job — non-blocking until the GHA postgres
cache warms, identical to gc-provision job's policy.
Local skip path verified on this dev host (no initdb installed):
$ bash tests/integration/verify-slug-rotation.test.sh
• initdb not on PATH — skipping (suite needs a postgres install)
Summary
#!/usr/bin/env nodeto#!/usr/bin/env bun(Bun-only package)bun pm packwith--ignore-scripts --quietflagsRoot cause
The bin file had a Node.js shebang, causing
bunx pgserveto run under Node instead of Bun.Test plan
test:bunxpasses