@invarn/cibuild 1.5.3 → 1.5.5

package/dist/src/commands/run.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../../src/commands/run.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,UAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAuI3E"}
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../../src/commands/run.ts"],"names":[],"mappings":"AAeA,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,UAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CA0I3E"}

package/dist/src/commands/run.js

@@ -6,7 +6,7 @@ import { PipelineRunner } from "../runner.js";
 import { loadConfig } from "../config.js";
 import { loadYAMLPipeline } from "../yaml/parser.js";
 import { convertYAMLWithSecrets } from "../yaml/pipeline-with-secrets.js";
-import { promptForWorkflow, promptForMissingVariables, } from "../shared/prompts.js";
+import { promptForWorkflow, promptForMissingVariables, isInteractiveTTY, } from "../shared/prompts.js";
 /**
  * Run a pipeline locally. Mirrors `ci run <path>`.
  *
@@ -100,7 +100,10 @@ export async function handleRunCommand(opts = {}) {
                 config,
                 workflowName: selectedWorkflow,
                 yamlFilePath: pipelinePath,
-                interactive: true,
+                // Only prompt when stdin/stdout are real TTYs. Sandboxed runs
+                // (Tart guest, CI, `tart exec`, pipes) have no terminal and
+                // MUST fail with a clear message rather than hang on a prompt.
+                interactive: isInteractiveTTY(),
             });
             pipeline = conversionResult.pipeline;
             await runner.runPipeline(pipeline, conversionResult.warnings, conversionResult.skippedSteps);

package/dist/src/shared/prompts.d.ts

@@ -1,5 +1,17 @@
 import type { YAMLPipeline } from "../yaml/types.js";
 import type { CIConfig } from "../types.js";
+/**
+ * True only when stdin AND stdout are real TTYs AND the caller has not
+ * explicitly opted out of interactivity.
+ *
+ * `process.stdin.isTTY` is unreliable as a sole signal: Tart guest
+ * sessions opened via `tart exec` attach a pseudo-TTY, so the check
+ * passes and the prompt runs — only for nobody to ever answer it. The
+ * runner sets `CIBUILD_NON_INTERACTIVE=1` (and the generic `CI=1` env
+ * is also honored) to make the override unambiguous regardless of
+ * whether the shell looks interactive.
+ */
+export declare function isInteractiveTTY(): boolean;
 /**
  * Shows an interactive workflow picker. If exactly one workflow exists,
  * returns it without prompting. Returns `undefined` when the user cancels

package/dist/src/shared/prompts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../../src/shared/prompts.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA0BxF;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAgFlB"}
+{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../../src/shared/prompts.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAU1C;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA0BxF;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAwFlB"}

package/dist/src/shared/prompts.js

@@ -2,6 +2,26 @@ import prompts from "prompts";
 import { StepValidator, formatValidationResult } from "../yaml/step-validator.js";
 import { MissingEnvHandler } from "../yaml/missing-env-handler.js";
 import { MissingEnvironmentVariableError } from "../yaml/env-resolver.js";
+/**
+ * True only when stdin AND stdout are real TTYs AND the caller has not
+ * explicitly opted out of interactivity.
+ *
+ * `process.stdin.isTTY` is unreliable as a sole signal: Tart guest
+ * sessions opened via `tart exec` attach a pseudo-TTY, so the check
+ * passes and the prompt runs — only for nobody to ever answer it. The
+ * runner sets `CIBUILD_NON_INTERACTIVE=1` (and the generic `CI=1` env
+ * is also honored) to make the override unambiguous regardless of
+ * whether the shell looks interactive.
+ */
+export function isInteractiveTTY() {
+    if (process.env.CIBUILD_NON_INTERACTIVE === '1' ||
+        process.env.CIBUILD_NON_INTERACTIVE === 'true' ||
+        process.env.CI === '1' ||
+        process.env.CI === 'true') {
+        return false;
+    }
+    return Boolean(process.stdin.isTTY && process.stdout.isTTY);
+}
 /**
  * Shows an interactive workflow picker. If exactly one workflow exists,
  * returns it without prompting. Returns `undefined` when the user cancels
@@ -66,6 +86,11 @@ export async function promptForMissingVariables(yamlPipeline, workflowName, conf
         console.log(`  • ${issue.requirement.name.padEnd(30)}${stepInfo}`);
     }
     console.log();
+    if (!isInteractiveTTY()) {
+        console.error("\n❌ Cannot prompt for missing values: no interactive TTY available (running in a sandbox / CI).\n" +
+            "   Define the required values as env vars, secrets, or app.envs before dispatch, then retry.");
+        return false;
+    }
     const handler = new MissingEnvHandler({
         interactive: true,
         workflow: workflowName,

package/dist/src/yaml/step-validator.d.ts

@@ -34,12 +34,24 @@ export declare class StepValidator {
     private validateRequirement;
     /**
      * Extracts all $VAR and ${VAR} variable names referenced in an object recursively.
+     *
+     * `${{ secrets.X }}` / `${{ vars.X }}` references are deliberately ignored:
+     * those are resolved by the runner-side interpolator before cibuild sees
+     * the YAML (or by the dashboard's secrets-resolver on dispatch). Without
+     * this filter the inner regex would capture `{ secrets.X ` as if it were
+     * a `${VAR}` reference, producing garbled variable names in the
+     * missing-env error output.
      */
     private extractVariableReferences;
     /**
      * Replaces all unresolved $VAR and ${VAR} references with empty string.
      * Used as a lenient fallback when full interpolation fails, so that
      * getValidationRequirements can detect truly-missing variables correctly.
+     *
+     * `${{ ... }}` refs are left intact — they belong to the runner-side
+     * interpolator / dashboard secrets-resolver layer, not to shell-level
+     * variable substitution. Stripping them here would destroy the YAML for
+     * any downstream consumer that still expects to see them.
      */
     private stripUnresolvedVars;
     /**

package/dist/src/yaml/step-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"step-validator.d.ts","sourceRoot":"","sources":["../../../src/yaml/step-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,YAAY,CAAC;AACzE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAGV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAwB/B;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAG9B,OAAO,CAAC,gBAAgB,CAAoE;IAG5F,OAAO,CAAC,mBAAmB,CAA6B;gBAGtD,QAAQ,EAAE,YAAY,EACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,CAAC,EAAE,MAAM;IAwBvB;;;OAGG;IACG,gBAAgB,IAAI,OAAO,CAAC,wBAAwB,CAAC;IAuM3D;;OAEG;YACW,mBAAmB;IAsDjC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAoBjC;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,SAAS;CA8BlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,wBAAwB,GAAG,MAAM,CA4D/E"}
+{"version":3,"file":"step-validator.d.ts","sourceRoot":"","sources":["../../../src/yaml/step-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,YAAY,CAAC;AACzE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAGV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAwB/B;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,YAAY,CAAC,CAAS;IAG9B,OAAO,CAAC,gBAAgB,CAAoE;IAG5F,OAAO,CAAC,mBAAmB,CAA6B;gBAGtD,QAAQ,EAAE,YAAY,EACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,QAAQ,EAChB,YAAY,CAAC,EAAE,MAAM;IAwBvB;;;OAGG;IACG,gBAAgB,IAAI,OAAO,CAAC,wBAAwB,CAAC;IA8M3D;;OAEG;YACW,mBAAmB;IAsDjC;;;;;;;;;OASG;IACH,OAAO,CAAC,yBAAyB;IAsBjC;;;;;;;;;OASG;IACH,OAAO,CAAC,mBAAmB;IAoB3B;;OAEG;IACH,OAAO,CAAC,SAAS;CA8BlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,wBAAwB,GAAG,MAAM,CA4D/E"}

package/dist/src/yaml/step-validator.js

@@ -167,6 +167,14 @@ export class StepValidator {
                     // values set by the YAML/secrets are still treated as "provided")
                     if (Object.prototype.hasOwnProperty.call(resolvedEnv, varName))
                         continue;
+                    // Skip if the runner (or the surrounding shell) already exported
+                    // the var into our process.env. The sandbox runner delivers
+                    // dispatch-supplied `execution.env` / `execution.secrets` this
+                    // way — without this fallback, bash-style `$VAR` refs in
+                    // repo-hosted YAML (human CLI flow) would false-trigger the
+                    // auto-discovery even though they resolve at shell runtime.
+                    if (Object.prototype.hasOwnProperty.call(process.env, varName))
+                        continue;
                     // Skip if provided as output by an earlier step
                     if (this.availableOutputs.has(varName))
                         continue;
@@ -277,13 +285,22 @@ export class StepValidator {
     }
     /**
      * Extracts all $VAR and ${VAR} variable names referenced in an object recursively.
+     *
+     * `${{ secrets.X }}` / `${{ vars.X }}` references are deliberately ignored:
+     * those are resolved by the runner-side interpolator before cibuild sees
+     * the YAML (or by the dashboard's secrets-resolver on dispatch). Without
+     * this filter the inner regex would capture `{ secrets.X ` as if it were
+     * a `${VAR}` reference, producing garbled variable names in the
+     * missing-env error output.
      */
     extractVariableReferences(obj) {
         const vars = new Set();
         if (typeof obj === 'string') {
+            // Strip `${{ ... }}` refs first so they can't be mis-matched as `${VAR}`.
+            const sanitized = obj.replace(/\$\{\{[^}]*\}\}/g, '');
             const pattern = /\$\{([^}]+)\}|\$([A-Z_][A-Z_0-9]*)/g;
             let match;
-            while ((match = pattern.exec(obj)) !== null) {
+            while ((match = pattern.exec(sanitized)) !== null) {
                 vars.add(match[1] || match[2]);
             }
         }
@@ -305,10 +322,18 @@ export class StepValidator {
      * Replaces all unresolved $VAR and ${VAR} references with empty string.
      * Used as a lenient fallback when full interpolation fails, so that
      * getValidationRequirements can detect truly-missing variables correctly.
+     *
+     * `${{ ... }}` refs are left intact — they belong to the runner-side
+     * interpolator / dashboard secrets-resolver layer, not to shell-level
+     * variable substitution. Stripping them here would destroy the YAML for
+     * any downstream consumer that still expects to see them.
      */
     stripUnresolvedVars(obj) {
         if (typeof obj === 'string') {
-            return obj.replace(/\$\{[^}]+\}|\$[A-Z_][A-Z_0-9]*/g, '');
+            // `(?!\{)` prevents `\$\{[^}]+\}` from matching a leading `${` of
+            // `${{ ... }}` and stripping the inner content. Plain `$VAR` and
+            // `${VAR}` are still stripped as before.
+            return obj.replace(/\$\{(?!\{)[^}]+\}|\$[A-Z_][A-Z_0-9]*/g, '');
         }
         if (Array.isArray(obj)) {
             return obj.map((item) => this.stripUnresolvedVars(item));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@invarn/cibuild",
-  "version": "1.5.3",
+  "version": "1.5.5",
   "description": "CI Build CLI — local pipeline orchestration and validation",
   "type": "module",
   "main": "dist/cli.cjs",