obsidian-dev-skills 1.2.3 → 1.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -141,6 +141,50 @@ jobs:
|
|
|
141
141
|
|
|
142
142
|
Then cut releases by pushing a tag (e.g. `git tag 0.1.0 && git push origin 0.1.0`) instead of uploading files manually. The workflow attaches the assets and registers the attestation, which the scorecard checks against the source repo for byte-for-byte reproducibility.
|
|
143
143
|
|
|
144
|
+
### Build verification failed (non-reproducible build)
|
|
145
|
+
|
|
146
|
+
> Build verification failed: the `main.js` built from source does not match the release artifact.
|
|
147
|
+
|
|
148
|
+
This appears even when attestation passes — attestation proves CI built the
|
|
149
|
+
asset; build verification proves the asset can be **reproduced** byte-for-byte
|
|
150
|
+
from the tagged source. The single most common cause is an **inline sourcemap**
|
|
151
|
+
in the production build.
|
|
152
|
+
|
|
153
|
+
`sourcemap: "inline"` in `esbuild.config.mjs` base64-embeds the build machine's
|
|
154
|
+
**absolute file paths** into `main.js`. GitHub Actions builds at
|
|
155
|
+
`/home/runner/work/<repo>/...`; the scorecard's reproducer builds at a
|
|
156
|
+
different path. Same source, byte-different `main.js` → verification fails. (It
|
|
157
|
+
also bloats the shipped file and leaks build paths.)
|
|
158
|
+
|
|
159
|
+
**Fix**: gate the sourcemap on build mode so production ships without one.
|
|
160
|
+
Compute the flag before `esbuild.context(...)` and reference it on the
|
|
161
|
+
`sourcemap` field:
|
|
162
|
+
|
|
163
|
+
```js
|
|
164
|
+
// Production builds must be reproducible. An inline sourcemap embeds the
|
|
165
|
+
// build machine's absolute file paths into main.js, so CI and the scorecard
|
|
166
|
+
// reproducer produce byte-different output. Ship production with no
|
|
167
|
+
// sourcemap; keep the inline sourcemap only for the dev/watch build.
|
|
168
|
+
const isProduction =
|
|
169
|
+
process.argv.slice(2).includes("build") ||
|
|
170
|
+
process.argv.slice(2).includes("production");
|
|
171
|
+
|
|
172
|
+
const context = await esbuild.context({
|
|
173
|
+
// ...
|
|
174
|
+
sourcemap: isProduction ? false : "inline",
|
|
175
|
+
// ...
|
|
176
|
+
});
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
(`pnpm build` runs `node esbuild.config.mjs production`; `pnpm dev` runs it
|
|
180
|
+
with no args, so dev/watch keeps the inline sourcemap for local debugging.)
|
|
181
|
+
|
|
182
|
+
Other reproducibility killers to rule out if the sourcemap is already gated:
|
|
183
|
+
commit `pnpm-lock.yaml` and use `pnpm install --frozen-lockfile` in CI (so the
|
|
184
|
+
dependency tree is identical), pin the CI Node version, and never hand-edit
|
|
185
|
+
`main.js` after building or upload a locally built asset — let the workflow
|
|
186
|
+
build and attach it.
|
|
187
|
+
|
|
144
188
|
### Duplicate CSS selectors
|
|
145
189
|
|
|
146
190
|
> Unexpected duplicate selector ".foo .bar", first used at line N.
|
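Review bot: the `isProduction` flag in the added snippet treats both `build` and `production` as production arguments (`process.argv.slice(2).includes("build") || process.argv.slice(2).includes("production")`), but the parenthetical right after the code block says `pnpm build` passes only `production` and `pnpm dev` passes nothing, so the `"build"` alias is undocumented; either drop it so the flag mirrors exactly what the scripts pass, or add a clause to that parenthetical saying both arguments are honoured. One more sentence would also help the reader applying this fix: with `sourcemap: isProduction ? false : "inline"` the shipped `main.js` carries no mapping at all, which is the intended trade-off for byte-for-byte reproducibility and the removal of build-path leakage the text describes, but it means production stack traces will no longer point at source lines. The closing paragraph on `pnpm install --frozen-lockfile` and a pinned Node version is the right pairing with the sourcemap gate.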
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "obsidian-dev-skills",
|
|
3
|
-
"version": "1.2.
|
|
3
|
+
"version": "1.2.4",
|
|
4
4
|
"description": "Agent skills for Obsidian plugin and theme development, including community scorecard compliance, release workflow attestation, and dependency vulnerability hygiene.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"obsidian",
|