[codex] Fix packed export validation in CI #1107
Pull request overview
This PR strengthens release safety checks by validating that each package’s packed (publishable) artifact matches its declared package.json export surface, preventing CI from passing on workspace-only builds that don’t reflect what gets published.
Changes:
- Run packed export verification for publishable packages during release safety checks and the publish dry-run sweep.
- Move the packed export verifier implementation into the CLI package (and make the root script a thin delegator).
- Clean up/align package build + export surfaces (remove stale `smrt-svelte` exports; restore `./utils` build outputs for `places`/`profiles`).
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/verify-package-types-exports.js | Replaces the root verifier implementation with a delegator to the CLI-bundled verifier. |
| scripts/validate-publish-packages.js | Adds packed export verification after npm pack --dry-run for each publishable package. |
| pnpm-lock.yaml | Locks acorn and updates transitive acorn-* snapshot resolutions. |
| packages/smrt-svelte/package.json | Removes stale subpath exports pointing at non-published artifacts. |
| packages/profiles/vite.config.ts | Restores utils as an additional build entry via the shared package Vite config. |
| packages/places/vite.config.ts | Switches to shared package Vite config and restores utils build entry. |
| packages/cli/src/commands/utilities.ts | Extends doctor to run packed publish artifact verification when a package appears publishable. |
| packages/cli/src/commands/tests/utilities.test.ts | Adds a test ensuring doctor reports broken packed artifacts for publishable packages. |
| packages/cli/scripts/verify-package-types-exports.js | Introduces the new packed export verifier implementation (wildcards + .svelte type-only import handling). |
| packages/cli/package.json | Publishes the scripts/ folder with the CLI package. |
| package.json | Adds acorn at the repo root. |
| .github/workflows/publish.yml | Runs node scripts/validate-publish-packages.js as part of release safety checks. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e7ab65b922
Summary
- `@happyvertical/smrt-svelte` subpath exports that pointed at files that are not published
- `./utils` build outputs for `smrt-places` and `smrt-profiles`
- `.svelte` files

Root cause
The current CI path was proving that packages could be built from workspace source, but it was not proving that the packed artifacts matched each package's published export map. That allowed stale export declarations to ship green. While tightening that check, the verifier also exposed a false positive for type-only imports inside shipped `.svelte` files.

Validation
- `pnpm exec node scripts/verify-package-types-exports.js packages/smrt-svelte`
- `pnpm exec node scripts/verify-package-types-exports.js packages/places`
- `pnpm exec node scripts/verify-package-types-exports.js packages/profiles`
- `pnpm exec node scripts/verify-package-types-exports.js packages/products`
- `pnpm exec node scripts/verify-package-types-exports.js packages/core`
- `pnpm exec node scripts/verify-package-types-exports.js packages/secrets`
- `pnpm exec node scripts/verify-package-types-exports.js packages/tenancy`
- `yamllint .github/workflows/publish.yml`
- `actionlint .github/workflows/publish.yml`
- format-check, workflow validation)

Notes
- `node scripts/validate-publish-packages.js` sweep is still useful as the final repo-wide proof and the PR CI will now enforce that path directly.
- `products` also exposed untracked generated `vite.config.js` artifacts locally; those were local shadow files rather than repo changes, so they are not part of this PR.
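
The gap named under "Root cause", checked in miniature: an added example (not the project's `verify-package-types-exports.js`) that compares every target in a package's `exports` map, wildcards included, against the file list of the packed artifact. `samplePkg`, `samplePackedFiles` and the function names are constructed for illustration; in practice the file list could come from the `path` entries of `npm pack --dry-run --json`.

```javascript
// Added example, not the project's verifier. Sample data below is constructed.
const samplePkg = {
  exports: {
    '.': { types: './dist/index.d.ts', import: './dist/index.js' },
    './utils': { types: './dist/utils.d.ts', import: './dist/utils.js' },
    './components/*': './dist/components/*.svelte',
  },
};
// Paths as they would appear in the packed tarball listing (constructed).
const samplePackedFiles = ['package.json', 'dist/index.js', 'dist/index.d.ts',
  'dist/components/Button.svelte'];

// Collect string targets from an exports value: string, conditions object,
// or fallback array. null (an explicitly blocked subpath) yields nothing.
function collectTargets(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectTargets(v, out));
  else if (value && typeof value === 'object') {
    Object.values(value).forEach((v) => collectTargets(v, out));
  }
  return out;
}

// "./dist/*.js" -> /^dist\/.+\.js$/ ; "*" may span directory separators.
function targetToRegExp(target) {
  const parts = target.replace(/^\.\//, '').split('*');
  const escaped = parts.map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${escaped.join('.+')}$`);
}

// Return [{ subpath, target }] for every export target with no packed file.
function findMissingExports(pkg, packedFiles) {
  const files = packedFiles.map((f) => f.replace(/^\.\//, ''));
  const field = pkg.exports ?? {};
  // A string, array, or conditions-only object is shorthand for ".".
  const isSubpathMap = typeof field === 'object' && !Array.isArray(field) &&
    Object.keys(field).some((k) => k.startsWith('.'));
  const map = isSubpathMap ? field : { '.': field };
  const missing = [];
  for (const [subpath, value] of Object.entries(map)) {
    for (const target of collectTargets(value)) {
      const re = targetToRegExp(target);
      if (!files.some((f) => re.test(f))) missing.push({ subpath, target });
    }
  }
  return missing;
}
console.log(findMissingExports(samplePkg, samplePackedFiles));
```

A workspace build can resolve `./utils` from source and still pass; the packed listing is what shows that `dist/utils.js` and `dist/utils.d.ts` never made it into the publishable artifact.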