fix(ci): drop -- separator before --publish flags (third release-pipeline fix) #354
Merged
v0.6.58.0 release retry failed on macOS with:
```
⨯ /Users/runner/work/skytwin/skytwin/apps/desktop not a file
ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL skytwin-desktop@0.3.0 package:mac:
`tsc && pnpm run prepackage && electron-builder --mac "--" "--publish" "always"`
```
The literal `"--"` in the expanded command is the bug. pnpm forwards
the YAML `-- --publish always` separator verbatim into the script's
shell command, so the underlying invocation becomes:
electron-builder --mac -- --publish always
electron-builder treats `--` as "end of options" and parses
`--publish always` as TWO positional args. The first positional is
interpreted as a file path, doesn't exist, electron-builder errors
out reporting the CWD path as "not a file."
Fix: drop the `--` separator. pnpm 7+ forwards flag-args natively
without needing the separator.
Build.yml has the same pattern with `--publish never`. It worked
there only because `--publish never` mis-parsed is a no-op (the default
is to not publish in PR contexts anyway). Fixed for consistency so a
future tag-on-PR or workflow_dispatch on a tag doesn't surface the
same bug masked.
Next attempt: force-re-tag v0.6.58.0 once this lands on main. Third
time's the charm.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jayzalowitz added a commit that referenced this pull request on May 23, 2026

…#355)

v0.6.58.0 third release attempt failed on macOS with:

```
⨯ /Users/runner/work/skytwin/skytwin/apps/desktop not a file
```

right after `empty password will be used for code signing reason= CSC_KEY_PASSWORD is not defined`.

Root cause: release.yml's Build-and-publish step sets CSC_LINK from a secret via ternary. When the secret is unset, the expression evaluates to '' (empty string), NOT undefined — so CSC_LINK IS in the environment but as empty. electron-builder then interprets the empty value as a relative path-to-cert that resolves to the CWD (apps/desktop), tries to read it as a file, finds a directory, errors out before packaging even starts.

build.yml dodges this by setting CSC_IDENTITY_AUTO_DISCOVERY: 'false' and NOT setting CSC_LINK. release.yml needed the same defensive guard for the no-cert-secrets case.

Fix: pair CSC_LINK with CSC_IDENTITY_AUTO_DISCOVERY computed from whether the matching secret is non-empty. When secrets are present, auto-discovery is true (and CSC_LINK takes precedence anyway). When secrets are empty, auto-discovery is false and electron-builder falls through cleanly to "skip signing" — producing the unsigned artifacts the workflow header comment already documents as expected pre-Apple-Developer-enrollment.

Fourth fix in the v0.6.58.0 release-pipeline chain after:

- PR #352: pnpm/action-setup v4→v5 + --publish never on build.yml
- PR #353: bare pnpm build instead of --filter skytwin-desktop
- PR #354: drop `--` separator before --publish flags
- This: CSC_IDENTITY_AUTO_DISCOVERY fallback

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jayzalowitz added a commit that referenced this pull request on May 23, 2026

Five consecutive failures of release.yml on tag v0.6.58.0:

1. pnpm/action-setup v4+version conflict (PR #352 fix)
2. `pnpm --filter skytwin-desktop build` skipped workspace deps (PR #353 fix)
3. pnpm `--` separator broke electron-builder arg parsing (PR #354 fix)
4. Empty CSC_LINK env var made electron-builder treat CWD as cert path (PR #355 attempted fix — did not actually work, see #5)
5. CSC_IDENTITY_AUTO_DISCOVERY=false isn't enough because CSC_LINK="" (set-to-empty-string, not unset) still triggers the path-resolve code path

Each fix revealed the next bug because release.yml was never tested end-to-end — it's been broken since the file was committed. At 5 fixes deep, the right move is to stop fixing release.yml and use the known-working publisher pattern instead.

build.yml already builds artifacts successfully on tag push via its desktop-mac/desktop-windows/desktop-linux/mobile-* matrix. PR #352 deleted build.yml's softprops-based release: job specifically to avoid double-publishing with release.yml. With release.yml deleted, that conflict is gone — restore the simpler chain:

- Desktop+mobile matrix builds artifacts (already works, --publish never).
- New release: job downloads via actions/download-artifact and creates a draft GitHub Release via softprops/action-gh-release@v3.

Trade-off:

- Lose: electron-builder's GitHub publisher integration (auto-updater channel YAML). When code signing + auto-update become priorities, add release.yml back with the lessons from #352-#355 baked in OR switch to a single workflow with electron-builder publish.
- Gain: artifacts actually publish today, on an unsigned-build basis, which is what the launch plan §1.6 README rewrite needs.

After this lands: re-tag v0.6.58.0 (5th attempt). build.yml's matrix runs as before, plus the new release: job downloads + publishes a draft. Operator manually clicks Publish in the GitHub UI to make the release live.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
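The empty-versus-unset distinction these two commit messages describe, as an added JavaScript example (not code from the repository): a pre-flight helper that removes an empty `CSC_LINK` from the environment handed to the packaging step. The helper names and the sample environment are constructed, and it assumes the commits' diagnosis that an empty `CSC_LINK` is resolved as a path.

```javascript
// Added illustration, not from the skytwin repository.
// CSC_LINK and CSC_IDENTITY_AUTO_DISCOVERY are the variables named in the
// commit messages; every function name below is hypothetical.

// A workflow expression that falls back to '' exports the variable as an
// empty string. A truthiness check cannot tell that apart from "unset",
// but code that tests for the variable's presence can.
function classify(env, name) {
  const value = env[name];
  if (value === undefined) return 'unset';
  return value.trim() === '' ? 'empty' : 'set';
}

// Returns a copy of env for the packaging child process:
//  - an empty CSC_LINK is deleted so the tool sees it as truly unset;
//  - with no certificate at all, identity auto-discovery is switched off
//    so the build proceeds unsigned.
function sanitizeSigningEnv(env) {
  const out = { ...env };
  if (classify(out, 'CSC_LINK') === 'empty') {
    delete out.CSC_LINK;
  }
  if (classify(out, 'CSC_LINK') === 'unset') {
    out.CSC_IDENTITY_AUTO_DISCOVERY = 'false';
  }
  return out;
}

// Constructed sample: what a job receives when the signing secret is missing.
const fromWorkflow = { PATH: '/usr/bin', CSC_LINK: '' };

console.log(classify(fromWorkflow, 'CSC_LINK'));   // state before the guard
console.log(sanitizeSigningEnv(fromWorkflow));     // environment for the child
```

Pass the returned object as the `env` option of the process that launches the packager, rather than mutating `process.env` for the whole job.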
Summary
v0.6.58.0 release retry hit a new error on macOS:
```
⨯ /Users/runner/work/skytwin/skytwin/apps/desktop not a file
ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL skytwin-desktop@0.3.0 package:mac:
`tsc && pnpm run prepackage && electron-builder --mac "--" "--publish" "always"`
```
The literal `"--"` in the expanded command is the bug. pnpm forwards the YAML `-- --publish always` separator verbatim into the script's shell command, so the underlying invocation becomes `electron-builder --mac -- --publish always`. electron-builder treats `--` as "end of options" and parses `--publish always` as TWO positional args. The first positional is interpreted as a file path, doesn't exist → errors out reporting the CWD path.

Fix: drop the `--` separator. pnpm 7+ forwards flag args natively.

Build.yml had the same pattern with `--publish never` — fixed for consistency. It happened to work there because `--publish never` mis-parsed is a no-op (default in PR contexts is to not publish anyway).

Test plan
After merge: force-re-tag v0.6.58.0 → release.yml runs with the corrected command → expected to actually publish artifacts this time.
🤖 Generated with Claude Code
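The end-of-options behaviour described in this summary, reproduced as an added example (not part of the PR) with Node's built-in `util.parseArgs`, which applies the same `--` convention. The two-flag option table is a stand-in for electron-builder's real CLI, and `flagsAfterSeparator` is a hypothetical guard for a packaging wrapper.

```javascript
// Added illustration, not from the PR.
const { parseArgs } = require('node:util');

// Hypothetical option table covering only the two flags seen on this page.
const OPTIONS = {
  mac: { type: 'boolean' },
  publish: { type: 'string' },
};

// Parse argv the way a conventional CLI does: a bare "--" ends option
// parsing, and every later token is positional even if it starts with "-".
function parseCli(argv) {
  const { values, positionals } = parseArgs({
    args: argv,
    options: OPTIONS,
    allowPositionals: true,
  });
  return { mac: values.mac === true, publish: values.publish, positionals };
}

// Guard: flag-looking tokens after "--" usually mean a forwarded separator
// reached the tool, so the flags were silently demoted to positionals.
function flagsAfterSeparator(argv) {
  const i = argv.indexOf('--');
  return i === -1 ? [] : argv.slice(i + 1).filter((a) => a.startsWith('-'));
}

// argv as expanded in the failing log line, and after the fix.
const brokenArgv = ['--mac', '--', '--publish', 'always'];
const fixedArgv = ['--mac', '--publish', 'always'];

console.log(parseCli(brokenArgv));            // publish never set; two positionals
console.log(parseCli(fixedArgv));             // publish parsed as an option
console.log(flagsAfterSeparator(brokenArgv)); // what a guard would report
```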