fix(pipelines): drop private packages from npm publish lists#3189
Open
liamcrumm wants to merge 1 commit into
Open
fix(pipelines): drop private packages from npm publish lists#3189liamcrumm wants to merge 1 commit into
liamcrumm wants to merge 1 commit into
Conversation
agentmesh-api and agent-os-copilot-extension are runnable apps marked "private": true in their package.json, not publishable libraries. They were listed in the npm publish flows, so the ESRP "Pack & validate" step failed with "X is marked private", and npm publish would reject them on release. Remove both from the ESRP npmPackages list and from the GitHub Actions npm matrix and selector allow-list. CI build/test of these packages is unchanged. Signed-off-by: Liam Crumm <liamcrumm@gmail.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PR Review Summary
Verdict: AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims. |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remove
agentmesh-apiandagent-os-copilot-extensionfrom the npm publish lists. They are runnable apps marked"private": true, not publishable libraries, and fail in the ESRP release pipeline.Problem
In ADO build 2604396, two npm jobs failed with
##[error]<pkg> is marked private->Bash exited with code '1'. The pipeline'sPack & validatestep rejects any package whosepackage.jsonhas"private": true.Both packages are deployable apps, not consumable libraries:
@microsoft/agentmesh-apiis an Express HTTP service underservices/api(start: node dist/index.js).@microsoft/agent-os-copilot-extensionis a hosted GitHub Copilot webhook app underextensions/copilot(Express + octokit).They are the only two of the npm publish entries marked
private: true; every other entry (CLIs, SDK, mcp-proxy, mcp-server, integrations) isprivate: false. Theprivate: trueflag is the correct intent. The bug was that they were added to the publish lists anyway. The samenpm publishonreleasein the Actions workflow would also reject them.Changes
.github/pipelines/esrp-publish.ymlnpmPackagesparameter (used by both the build/pack and ESRP publish loops).github/workflows/publish.ymlNPM_INPUTSselector allow-list.github/workflows/ci.ymlis intentionally unchanged. Itsbuild-npmjob only builds and tests (no pack/validate or publish), so it should keep building these two apps.Testing
yaml.safe_load.publish.ymlparse withjson.loads; matrix is 9 entries, neither private package present;NPM_INPUTSis 20 entries, neither present.