fix(ci): unblock v1.6.0 release publishing path #460

Merged
jdx merged 1 commit into main from fix-release-pipeline
May 1, 2026

@jdx jdx commented May 1, 2026

Summary

The v1.6.0 release shipped to GitHub but only with darwin-arm64 and the two windows tarballs — all four Linux targets failed to upload, and the downstream npm/COPR/PPA publish jobs all failed too. Fixes the three independent root causes:

  • crates/aube-resolver/build.rs panics via .expect() when node is absent. The cross-rs Docker container that builds Linux release binaries and the Fedora COPR mock chroot that builds the SRPM both have scripts/generate-primer.mjs visible (mounted / bundled in the source tarball) but no node binary, so the existing "no script → empty primer" fallback (fix(resolver): ship empty primer when generator script unavailable #425) doesn't trigger. Fall back on ErrorKind::NotFound from Command::status() so the same empty-primer path covers all three "no node" environments. Verified locally with env -i + a node-less PATH: emits cargo:warning=node not found in PATH; shipping empty primer and builds clean.
  • publish-npm fails with Unsupported GitHub Actions runner environment: "self-hosted". Only "github-hosted" runners are supported when publishing with provenance. Move the job from the namespace runner to ubuntu-latest. Trusted Publishing requires a github-hosted OIDC identity; the publish job is otherwise light enough that the namespace runner saves nothing.
  • ppa-publish fails at dput with Connection failed, aborting. Check your network — namespace runners block outbound FTP (port 21) to ppa.launchpad.net. Move to ubuntu-latest which allows it.

After merge, re-run the failed jobs against v1.6.0 to backfill the missing Linux assets and complete the npm/COPR/PPA publishes.

Test plan

  • cargo build -p aube-resolver from a node-less PATH falls back to the empty primer with the new cargo:warning=
  • cargo build -p aube-resolver with node present still generates the primer and builds normally
  • cargo clippy -p aube-resolver --all-targets -- -D warnings clean
  • cargo fmt --check clean
  • Re-run release-plz upload-assets for v1.6.0 after merge → confirm Linux tarballs land on the GH release
  • Re-run publish-npm for v1.6.0 → confirm @endevco/aube* lands on npmjs.com with provenance
  • Re-run copr-publish for v1.6.0 → confirm Fedora 42/43/44/rawhide builds succeed
  • Re-run ppa-publish for v1.6.0 → confirm dput uploads the source package

🤖 Generated with Claude Code


Note

Medium Risk
Moderate risk because it changes release/publishing CI runners and alters aube-resolver build-time primer generation behavior (now falling back to an empty primer when node is unavailable), which could affect release packaging and runtime performance if mis-triggered.

Overview
Unblocks release publishing by switching the publish-npm and ppa-publish GitHub Actions jobs from the self-hosted namespace runner to ubuntu-latest to satisfy npm Trusted Publishing provenance requirements and allow outbound FTP for Launchpad dput uploads.

Makes crates/aube-resolver/build.rs resilient to environments where the primer generator script exists but node is not installed: generate() now returns a boolean and treats ErrorKind::NotFound as a non-fatal condition (emitting a cargo:warning=) so builds fall back to shipping an empty primer instead of panicking.

Reviewed by Cursor Bugbot for commit fa90723. Bugbot is set up for automated code reviews on this repo. Configure here.

build.rs panics with `.expect()` when `node` is absent, taking down
release-plz Linux upload-assets (cross-rs container) and copr-publish
(Fedora COPR mock chroot). Fall back to the empty-primer path on
ENOENT — same degradation already used for downstream crate consumers
without the workspace generator script.

publish-npm fails on the namespace runner because npm Trusted
Publishing rejects self-hosted identities. Move the publish job to
ubuntu-latest (the publish step is light enough that the namespace
runner saves nothing).

ppa-publish dput FTP to ppa.launchpad.net fails because the namespace
runners block outbound port 21. Move to ubuntu-latest where it is
allowed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
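
The narrow fallback described above (degrade to an empty primer only when the script or the interpreter is missing, stay fatal on every other failure), as an added example that is not the project's `build.rs`. The `Primer` enum, the `decide` helper and the script-missing warning text are assumptions for illustration; the PR's own `generate()` returns a bool.

```rust
use std::io::{self, ErrorKind};
use std::path::Path;
use std::process::Command;

/// Outcome the build script acts on (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
enum Primer {
    Generated,     // generator ran and exited 0
    Empty(String), // degrade: ship an empty primer, carrying the warning text
}

/// Decide from the spawn result. `Ok(true)` = exit 0, `Ok(false)` = non-zero exit.
/// Only a missing interpreter degrades; every other failure stays fatal so a
/// broken generator cannot silently produce a release with an empty primer.
fn decide(program: &str, spawned: io::Result<bool>) -> Result<Primer, String> {
    match spawned {
        Ok(true) => Ok(Primer::Generated),
        Ok(false) => Err(format!("{} exited with a failure status", program)),
        Err(e) if e.kind() == ErrorKind::NotFound => Ok(Primer::Empty(format!(
            "{} not found in PATH; shipping empty primer",
            program
        ))),
        Err(e) => Err(format!("failed to spawn {}: {}", program, e)),
    }
}

/// Run `program script`, covering both fallbacks: no script, and no interpreter.
fn generate(program: &str, script: &str) -> Result<Primer, String> {
    if !Path::new(script).exists() {
        return Ok(Primer::Empty(format!("{} not found; shipping empty primer", script)));
    }
    let spawned = Command::new(program).arg(script).status().map(|s| s.success());
    decide(program, spawned)
}

fn main() {
    // In a build script the warning line is what surfaces in `cargo build` output.
    match generate("node", "scripts/generate-primer.mjs") {
        Ok(Primer::Generated) => println!("primer generated"),
        Ok(Primer::Empty(why)) => println!("cargo:warning={}", why),
        Err(e) => panic!("{}", e),
    }
}
```

Because the fallback changes what ships, a release job can grep its build log for the `cargo:warning=` line to tell whether a given artifact was built with the empty primer.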

greptile-apps Bot commented May 1, 2026

Greptile Summary

This PR fixes three independent root causes that blocked the v1.6.0 Linux release assets and downstream publishes: the build.rs generate() function now gracefully handles a missing node binary (returning false to trigger the empty-primer fallback instead of panicking), and both the publish-npm and ppa-publish jobs are moved from a namespace self-hosted runner to ubuntu-latest to satisfy npm Trusted Publishing's OIDC requirement and unblock outbound FTP to Launchpad respectively. The logic changes are minimal and well-targeted, and the &&-chained bool return from generate() is a clean way to propagate the "no node" signal back to main().

Confidence Score: 5/5

Safe to merge — all three changes are narrow, well-justified fixes with no correctness or security concerns.

No P0 or P1 findings. The build.rs refactor correctly preserves the existing success path while adding a targeted NotFound fallback. The workflow runner changes are straightforward and well-explained. No new secrets, permissions, or logic complexity is introduced.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| crates/aube-resolver/build.rs | Refactors generate() to return bool; adds ErrorKind::NotFound arm to fall back to empty primer when node is absent rather than panicking — fixes Linux cross-compilation and COPR builds. |
| .github/workflows/publish-npm.yml | Switches runs-on from namespace-profile-endev-linux-amd64 to ubuntu-latest to satisfy npm Trusted Publishing's requirement for a GitHub-hosted OIDC identity. |
| .github/workflows/ppa-publish.yml | Switches runs-on to ubuntu-latest to unblock outbound FTP (port 21) needed by dput to upload to ppa.launchpad.net. |

Reviews (1): Last reviewed commit: "fix(ci): unblock v1.6.0 release publishi..." | Re-trigger Greptile

@jdx jdx merged commit 6f2054a into main May 1, 2026
19 checks passed
@jdx jdx deleted the fix-release-pipeline branch May 1, 2026 20:39
@greptile-apps greptile-apps Bot mentioned this pull request May 1, 2026

github-actions Bot commented May 1, 2026

Benchmark changes

Versions:

  • aube: 1.5.2 -> 1.6.0

Public ratios: warm installs vs Bun 6x -> 10x; warm installs vs pnpm 10x -> 14x.

| Benchmark | aube | bun | pnpm |
|---|---|---|---|
| Fresh install (warm cache) | 230ms -> 213ms (-7%) | 1488ms -> 2136ms (+44%) | 2367ms -> 3088ms (+30%) |
| CI install (warm cache, GVS disabled) | 564ms -> 957ms (+70%) | 1295ms -> 2293ms (+77%) | 2361ms -> 2479ms (+5%) |
| CI install (cold cache, GVS disabled) | 5800ms -> 4248ms (-27%) | 4278ms -> 4405ms (+3%) | 4823ms -> 5411ms (+12%) |

fa90723 vs 28582d9 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

jdx added a commit that referenced this pull request May 1, 2026
## Summary

The v1.6.1 release-plz macOS upload-assets job
(https://github.com/endevco/aube/actions/runs/25232551216/job/73991667575)
failed mid-primer-generation when a single
`fetch(registry.npmjs.org/<pkg>)` hit a TLS socket close at package
786/2000:

```
[TypeError: fetch failed] {
  [cause]: SocketError: other side closed
  ...
  code: 'UND_ERR_SOCKET',
}
```

The script had no retry, so a transient blip during a 2000-package run
crashed the whole release. Wrap fetch with up-to-5-attempt exponential
backoff (1s/2s/4s/8s) that retries network errors, 5xx, and 429, and
propagates other 4xx as terminal.

Linux upload-assets jobs in the same run already pass via the
empty-primer fallback from #460 — only macOS (which has node and runs
the script for real) was hitting the transient blip. Windows builds will
benefit from the same retry.

After merge, re-run the failed `Upload assets / upload-assets
(aarch64-apple-darwin, ...)` job for v1.6.1 to backfill the macOS
tarball.

## Test plan

- [x] `node --check scripts/generate-primer.mjs` clean
- [x] Smoke-test the retry helper with stubbed `fetch` that throws
`UND_ERR_SOCKET` twice — third attempt returns 200, retries logged
- [ ] Re-run the v1.6.1 macOS upload-assets job after merge → confirm
the primer generates and the tarball lands on the GH release

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: only changes the `scripts/generate-primer.mjs` fetch
behavior by adding retries/backoff for transient network/HTTP failures,
which may slightly increase run time but should reduce flaky CI
failures.
> 
> **Overview**
> Improves primer generation robustness by wrapping registry/name-list
`fetch` calls in a new `fetchWithRetry` helper with exponential backoff.
> 
> The script now retries transient network errors plus HTTP `5xx` and
`429`, while treating other `4xx` responses as terminal and preserving
existing failure/skip behavior when the final attempt still fails.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
637800f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>