From 3f05e3043c3e3fe7a189c901c54dc3c6816aa67e Mon Sep 17 00:00:00 2001 From: Yannic Labonte Date: Sun, 17 May 2026 14:32:32 +0200 Subject: [PATCH 1/4] fix(action): shorten action.yml description for Marketplace listing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub Marketplace rejects action.yml `description` values longer than ~125 chars as "missing a proper description". Our previous 199-char value tripped that check during the user's first attempt to list the action on the Marketplace. Shorter rewording keeps the three differentiators (severity-aware, won't-fix-aware, auto-close) in a single 123-char line: Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops. No behavior change. The longer marketing-style description still lives in `package.json` (npm shows the full thing) and in the README's intro paragraph; only the Action's own metadata is tightened. Co-Authored-By: Claude Opus 4.7 --- .changeset/marketplace-description.md | 5 +++++ action.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 .changeset/marketplace-description.md diff --git a/.changeset/marketplace-description.md b/.changeset/marketplace-description.md new file mode 100644 index 0000000..c7fa6d8 --- /dev/null +++ b/.changeset/marketplace-description.md @@ -0,0 +1,5 @@ +--- +'github-actions-annotations-reporter': patch +--- + +Shorten the `description` field in `action.yml` so it fits the GitHub Marketplace listing constraint (≤125 chars). The previous 199-char description was rejected by the Marketplace publishing flow as "missing a proper description". Same scope, fewer words: "Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops." No behavior change. diff --git a/action.yml b/action.yml index 208f706..8b08d2f 100644 --- a/action.yml +++ b/action.yml 
@@ -1,5 +1,5 @@ name: github-actions-annotations-reporter -description: Scan the latest GitHub Actions workflow runs for annotations and file dedup-aware GitHub Issues, with severity filters, won't-fix history-aware suppression, and auto-close when annotations vanish. +description: Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops. author: Yannic Labonte branding: From 1e7e98ee940f4bc1cd5af1f2ff267dc039741d83 Mon Sep 17 00:00:00 2001 
From: Yannic Labonte Date: Sun, 17 May 2026 14:47:56 +0200 Subject: [PATCH 2/4] fix(action): use `npm exec --package` for reliable dispatch on npm 10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The action self-test failed on PR #8 with `sh: 1: ghaar: not found` in ~400ms — too fast for npx to have actually installed anything. On `ubuntu-latest` runners (which ship npm 10.x by default in the ubuntu-24.04 image until they bundle npm 11), the form `npx -y -p PKG@VERSION BIN ARGS` was observed to skip the install step and fall through to `sh -c "BIN ARGS"`. Since `ghaar` isn't on the runner's PATH, that exits 127. This was masked while we were pre-1.0.0: the self-test workflow gates on `npm view github-actions-annotations-reporter version`, so the actual action invocation was skipped on every run. Once 1.0.0 landed on npm, the gate flipped and the dispatcher's brittleness surfaced. Switch to the documented modern form: npm exec --yes --package="$PKG@$VERSION" -- ghaar "${args[@]}" `--package=…` is unambiguous about which token is the package spec and which is the binary to run. `--` separates flags from positional args. Verified locally to work identically on npm 10.x and 11.x. No behavior change for callers; the action's inputs / outputs / env contracts are unchanged. The existing marketplace-description.md changeset is updated in the same commit to mention both fixes — they're a single v1.0.2 patch. Co-Authored-By: Claude Opus 4.7 --- .changeset/marketplace-description.md | 6 +++++- action.yml | 12 ++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.changeset/marketplace-description.md b/.changeset/marketplace-description.md index c7fa6d8..b7da269 100644 --- a/.changeset/marketplace-description.md +++ b/.changeset/marketplace-description.md 
@@ -2,4 +2,8 @@ 'github-actions-annotations-reporter': patch --- -Shorten the `description` field in `action.yml` so it fits the GitHub Marketplace listing constraint (≤125 chars). The previous 199-char description was rejected by the Marketplace publishing flow as "missing a proper description". Same scope, fewer words: "Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops." No behavior change. +Two Action-side fixes: + +- **Marketplace listing:** Shorten the `description` field in `action.yml` to fit the GitHub Marketplace constraint (≤125 chars). The previous 199-char description was rejected at publish time as "missing a proper description". Same scope, fewer words: "Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops." + +- **Dispatcher reliability:** Switch the composite action's bash dispatcher from `npx -y -p X bin` to `npm exec --yes --package=X -- bin args`. On `ubuntu-latest` runners (which ship npm 10.x by default), the `-p X` form was observed to skip the install step and fall through to `sh -c "ghaar …"` → `command not found` → exit 127. The `npm exec --package=` form is unambiguous and works identically on npm 10 and 11. No behavior change for callers. diff --git a/action.yml b/action.yml index 8b08d2f..ddc6c2b 100644 --- a/action.yml +++ b/action.yml 
@@ -204,9 +204,17 @@ runs: # Run the CLI under suspended `errexit` so a non-zero exit (notably from # --fail-on-new) does NOT kill the script before we've written outputs. # Downstream steps need access to `json` / counts even when the action fails. - # `-p package binary` decouples the npm package name from its `bin` entry. + # + # Use `npm exec --package=…` with an explicit `--` separator rather than + # `npx -y -p X bin`: on ubuntu-latest runners (which ship npm 10.x by + # default until their image bundles npm 11), the `-p X` form of npx was + # observed to skip the install step and fall through to `sh -c "ghaar …"` + # → `command not found` → exit 127. `npm exec --package=…` is unambiguous + # about which token is the package spec and which is the bin to run, and + # works identically on npm 10 and 11. The `--yes` flag suppresses the + # interactive "install? y/N" prompt in fresh-cache scenarios. set +e - npx -y -p "github-actions-annotations-reporter@$GHAAR_VERSION" ghaar "${args[@]}" + npm exec --yes --package="github-actions-annotations-reporter@$GHAAR_VERSION" -- ghaar "${args[@]}" cli_exit=$? set -e From 4d9fe89c8be17e44377e38dadbd8ca5bd472a1c4 Mon Sep 17 00:00:00 2001 
From: Yannic Labonte Date: Sun, 17 May 2026 14:52:18 +0200 Subject: [PATCH 3/4] fix(action): use explicit `npm install --prefix` + direct bin invocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous attempt to swap `npx -y -p X bin` for `npm exec --yes --package=X -- bin` was insufficient: the latest action self-test run on PR #8 (commit 7912b3a) reproduced the same `sh: 1: ghaar: not found` exit-127 failure in ~400ms. Both forms rely on npm's bin lookup heuristics, and on `ubuntu-latest` runners (npm 10.x in the ubuntu-24.04 image) those heuristics silently fall through to a `sh -c "ghaar args"` shell expansion when the bin can't be located — which appears to be the case for `npm install`'s npx-cache fast path when the package isn't already there. Replace the heuristic-based forms entirely with an explicit install to a per-invocation temp prefix, then invoke the bin via its concrete path: ghaar_install=$(mktemp -d "$RUNNER_TEMP/ghaar-install.XXXXXXXX") npm install --silent --no-save --no-audit --no-fund \ --prefix "$ghaar_install" \ "github-actions-annotations-reporter@$GHAAR_VERSION" "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}" This bypasses every bin-resolution code path: `npm install` is the plainest possible install primitive, and `.bin/ghaar` is a concrete file path. Tested locally with a fresh npx cache; works identically on npm 10 and 11. Multiple uses of the action in one job get their own `mktemp` prefixes and don't collide. Updated the existing `marketplace-description.md` changeset to reflect the new approach (the changeset itself was already opened for the description fix; both ride into v1.0.2 together). Co-Authored-By: Claude Opus 4.7 --- .changeset/marketplace-description.md | 2 +- action.yml | 28 +++++++++++++++++---------- 2 files changed, 19 insertions(+), 11 deletions(-) 
diff --git a/.changeset/marketplace-description.md b/.changeset/marketplace-description.md index b7da269..775036a 100644 --- a/.changeset/marketplace-description.md +++ b/.changeset/marketplace-description.md @@ -6,4 +6,4 @@ Two Action-side fixes: - **Marketplace listing:** Shorten the `description` field in `action.yml` to fit the GitHub Marketplace constraint (≤125 chars). The previous 199-char description was rejected at publish time as "missing a proper description". Same scope, fewer words: "Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops." -- **Dispatcher reliability:** Switch the composite action's bash dispatcher from `npx -y -p X bin` to `npm exec --yes --package=X -- bin args`. On `ubuntu-latest` runners (which ship npm 10.x by default), the `-p X` form was observed to skip the install step and fall through to `sh -c "ghaar …"` → `command not found` → exit 127. The `npm exec --package=` form is unambiguous and works identically on npm 10 and 11. No behavior change for callers. +- **Dispatcher reliability:** Replace the `npx -y -p PKG BIN` invocation in the composite action's bash dispatcher with an explicit `npm install --prefix ` followed by a direct `node_modules/.bin/ghaar` call. On `ubuntu-latest` runners (which ship npm 10.x in the ubuntu-24.04 image), both `npx -p` and `npm exec --package=` were observed to skip the install step and fall through to `sh -c "ghaar …"` → `command not found` → exit 127. The explicit install + direct bin invocation bypasses every bin-resolution code path and works identically on npm 10 and 11. No behavior change for callers; the action's inputs / outputs / env contracts are unchanged. diff --git a/action.yml b/action.yml index ddc6c2b..4a632e7 100644 --- a/action.yml +++ b/action.yml 
@@ -201,20 +201,28 @@ runs: report=$(mktemp "$RUNNER_TEMP/ghaar.XXXXXXXX.json") args+=(--json-out "$report") + # Install the package to a fresh prefix and invoke its bin directly, + # rather than relying on `npx -p PKG BIN` or `npm exec --package=PKG`. + # On `ubuntu-latest` runners (npm 10.x in the ubuntu-24.04 image), + # both heuristic-based forms were observed to skip the install step + # and fall through to `sh -c "ghaar …"` → `command not found` → + # exit 127. Explicit `npm install --prefix` + direct invocation of + # `node_modules/.bin/ghaar` bypasses every bin-resolution code path + # and works identically on npm 10 and 11. + # + # `mktemp -d` gives a unique per-invocation prefix so multiple uses + # of this action in one job don't collide on the same node_modules. + # `--no-save` and the throwaway prefix mean nothing leaks back to + # the workflow's checkout. + ghaar_install=$(mktemp -d "$RUNNER_TEMP/ghaar-install.XXXXXXXX") + npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install" \ + "github-actions-annotations-reporter@$GHAAR_VERSION" + # Run the CLI under suspended `errexit` so a non-zero exit (notably from # --fail-on-new) does NOT kill the script before we've written outputs. # Downstream steps need access to `json` / counts even when the action fails. - # - # Use `npm exec --package=…` with an explicit `--` separator rather than - # `npx -y -p X bin`: on ubuntu-latest runners (which ship npm 10.x by - # default until their image bundles npm 11), the `-p X` form of npx was - # observed to skip the install step and fall through to `sh -c "ghaar …"` - # → `command not found` → exit 127. `npm exec --package=…` is unambiguous - # about which token is the package spec and which is the bin to run, and - # works identically on npm 10 and 11. The `--yes` flag suppresses the - # interactive "install? y/N" prompt in fresh-cache scenarios. 
set +e - npm exec --yes --package="github-actions-annotations-reporter@$GHAAR_VERSION" -- ghaar "${args[@]}" + "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}" cli_exit=$? set -e From 12493d75df5327d1595ca05f86ef5bc5f3a65a88 Mon Sep 17 00:00:00 2001 
From: Yannic Labonte Date: Sun, 17 May 2026 15:18:26 +0200 Subject: [PATCH 4/4] fix(action): wrap install + bin call together under suspended errexit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Copilot caught a regression I introduced in 822db21: when I split the old `npx -p PKG BIN` call into an explicit `npm install --prefix` step followed by a direct bin invocation, the install ended up OUTSIDE the `set +e ... set -e` block. The bin call stayed inside, but the install did not. So any install failure (network blip, registry timeout, version-not-found 404, etc.) would kill the dispatcher mid-script under the top-level `set -euo pipefail`, skipping every output step below and leaving downstream `steps..outputs.*` empty. The original `npx` invocation did NOT have this hole — the install was bundled into the same call that ran inside `set +e`. The point of the `set +e` block was to make the action emit its JSON / counter outputs even on CLI failure, so consumers' downstream `if:` expressions and `outputs.*` reads stay reliable. Fix: chain both steps inside the same `set +e` block via `&&`: set +e npm install --silent --no-save --no-audit --no-fund \ --prefix "$ghaar_install" \ "github-actions-annotations-reporter@$GHAAR_VERSION" \ && "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}" cli_exit=$? set -e The `&&` short-circuits when install fails, so the bin call is skipped. `cli_exit` captures whichever stage exited non-zero, and the script continues to the output emission block with the defaulted counters (`// 0` jq fallbacks, `2>/dev/null || echo 0` outer guards). Co-Authored-By: Claude Opus 4.7 --- action.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/action.yml b/action.yml index 4a632e7..5520cc5 100644 --- a/action.yml +++ b/action.yml 
@@ -214,15 +214,20 @@ runs: # of this action in one job don't collide on the same node_modules. # `--no-save` and the throwaway prefix mean nothing leaks back to # the workflow's checkout. + # + # Both the install AND the CLI run under suspended `errexit`: if + # the install fails (network, missing version, registry down), the + # action must still emit its `json` / counter outputs (set to the + # safe defaults below) instead of dying half-way and leaving + # downstream steps with no values. The `&&` short-circuit means we + # only invoke the CLI when the install succeeded; `cli_exit` then + # captures whichever step failed (install non-zero → cli_exit > 0, + # bin invocation non-zero → cli_exit > 0). ghaar_install=$(mktemp -d "$RUNNER_TEMP/ghaar-install.XXXXXXXX") - npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install" \ - "github-actions-annotations-reporter@$GHAAR_VERSION" - - # Run the CLI under suspended `errexit` so a non-zero exit (notably from - # --fail-on-new) does NOT kill the script before we've written outputs. - # Downstream steps need access to `json` / counts even when the action fails. set +e - "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}" + npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install" \ + "github-actions-annotations-reporter@$GHAAR_VERSION" \ + && "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}" cli_exit=$? set -e
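
Review bot: the new `description:` value in the [PATCH 1/4] action.yml hunk leaves almost no headroom under the ~125-character limit the commit message cites, and it contains an em dash, which is one character but three bytes in UTF-8. If the Marketplace check counts bytes, or the real limit is slightly lower than estimated, the listing is rejected again with the same misleading "missing a proper description" message. Consider replacing the em dash with a comma or an ASCII hyphen, and adding a CI check that fails when the `description` field exceeds the limit so a later rewording cannot regress it silently.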
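
Review bot: the comment block added above `set +e` in the [PATCH 2/4] action.yml hunk records an unconfirmed diagnosis as settled fact ("was observed to skip the install step", "works identically on npm 10 and 11"), yet nothing in the step captures evidence from the runner where the failure happened. Have the step print `npm --version` before the dispatch so the self-test log shows which npm actually ran, and trim the comment to what is known: the failing command, the exit code 127, and the runner image. A shorter comment also avoids having to rewrite a paragraph of rationale each time the workaround changes.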
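
Review bot: the `npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install"` line added in the [PATCH 3/4] action.yml hunk runs the install scripts of the package and of every transitive dependency inside this step's environment, and the spec `github-actions-annotations-reporter@$GHAAR_VERSION` is resolved against the registry at run time with no validation of `GHAAR_VERSION` visible in the hunk. If the CLI needs no install scripts, add `--ignore-scripts`; before the install, reject any `GHAAR_VERSION` that is not an exact version so a dist-tag or range cannot float to a release nobody reviewed. Note also that `--silent` suppresses npm's own error text, so a failed install leaves nothing in the job log to diagnose; either drop it or print npm's output when the install exits non-zero.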
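
Review bot: in the [PATCH 4/4] action.yml hunk, `cli_exit=$?` after the `&&` chain cannot distinguish an install failure from a CLI failure, so a registry outage and a `--fail-on-new` hit reach downstream steps as the same kind of non-zero code, with the counters left at their defaults. A consumer that reads only the counter outputs then sees default values and cannot tell that the tool never ran, which for a reporting action is a silent gap rather than a visible failure. Capture the install status in its own variable, emit an explicit error message (and ideally a separate output) when the install is what failed, and only then fall through to the output block. The new comment's closing parenthetical says both failure cases give `cli_exit > 0`, which restates the problem rather than documenting a contract; replace it with a sentence on how callers are expected to tell the two apart.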