pgserve 2.1.3 → 2.2.1

package/.github/workflows/release.yml

@@ -1,289 +0,0 @@
-name: Release
-
-# Single-branch release pipeline modeled on khal-os/desktop.
-#
-# Two trigger paths into the same workflow:
-#
-#   1. push to main with a hand-bumped package.json (no [skip ci] marker)
-#      -> auto-detect path: prepare reads package.json, checks if v${version}
-#         tag exists, builds + publishes + creates GitHub Release if not.
-#
-#   2. workflow_dispatch with bump=patch|minor|major
-#      -> bump job runs `npm version`, commits with [skip ci], tags, pushes.
-#         prepare/build/release continue inline in the same workflow run.
-#
-# Bot-loop guard: bump commits carry [skip ci]. Push of those commits is
-# filtered out by the prepare gate, so the bot's own push does not retrigger.
-#
-# Auth: npm OIDC Trusted Publishing (configured via build-all-platforms.yml).
-
-on:
-  push:
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      bump:
-        description: "Version bump type"
-        required: true
-        type: choice
-        options:
-          - patch
-          - minor
-          - major
-
-concurrency:
-  group: release-${{ github.ref }}
-  cancel-in-progress: false
-
-permissions:
-  contents: write
-  id-token: write   # required so the reusable `version.yml` workflow can mint
-                    # the OIDC token for npm Trusted Publishing — without this,
-                    # GH rejects the workflow at parse time (startup_failure)
-                    # because the called job's `id-token: write` permission
-                    # exceeds what the caller has granted.
-
-jobs:
-  # ---------------------------------------------------------------------------
-  # Bump (workflow_dispatch only): npm version, commit [skip ci], tag, push.
-  # ---------------------------------------------------------------------------
-  bump:
-    name: Bump version
-    if: github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      version: ${{ steps.bump.outputs.version }}
-      tag: ${{ steps.bump.outputs.tag }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: main
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-
-      - name: Configure git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Bump version
-        id: bump
-        run: |
-          npm version "${{ inputs.bump }}" --no-git-tag-version
-          VERSION=$(node -p "require('./package.json').version")
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Bumped to ${VERSION}"
-
-      - name: Commit, tag, push
-        run: |
-          VERSION="${{ steps.bump.outputs.version }}"
-          TAG="${{ steps.bump.outputs.tag }}"
-          git add package.json
-          git commit -m "[skip ci] release ${TAG}"
-          git tag -a "${TAG}" -m "release ${TAG}"
-          git push origin HEAD --follow-tags
-
-  # ---------------------------------------------------------------------------
-  # Prepare: resolve version, skip if tag already exists, build changelog.
-  #
-  # Gate handles both event types:
-  #   - push:    bump is skipped; the !cancelled() && !failure() guard lets
-  #              this job run regardless. The [skip ci] check filters the
-  #              bot's own bump-commit push so it does not retrigger.
-  #   - dispatch: bump succeeded; the workflow_dispatch branch of the OR
-  #              short-circuits the [skip ci] check (the dispatch event
-  #              itself does not carry the bump's commit message).
-  # ---------------------------------------------------------------------------
-  prepare:
-    name: Prepare release
-    needs: bump
-    if: |
-      !cancelled() && !failure() &&
-      (github.event_name == 'workflow_dispatch' ||
-       (github.event_name == 'push' &&
-        !startsWith(github.event.head_commit.message, '[skip ci]')))
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    outputs:
-      version: ${{ steps.ver.outputs.version }}
-      tag: ${{ steps.ver.outputs.tag }}
-      skip: ${{ steps.ver.outputs.skip }}
-      changelog: ${{ steps.changelog.outputs.notes }}
-      # Surface the resolved checkout-ref so downstream jobs (build, release)
-      # can use it. They cannot reference `needs.bump.outputs.*` directly
-      # because they only have `needs: prepare` (or [prepare, build]) — not
-      # `bump` — in their needs context.
-      ref: ${{ needs.bump.outputs.tag || github.sha }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          # On dispatch, check out the freshly-pushed tag; on push, the
-          # triggering SHA already has the bumped package.json.
-          # (Prepare cannot reference its own `outputs.ref` here — that's
-          # only available to downstream jobs.)
-          ref: ${{ needs.bump.outputs.tag || github.sha }}
-          fetch-depth: 0
-
-      - name: Resolve version
-        id: ver
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          VERSION=$(node -p "require('./package.json').version")
-          TAG="v${VERSION}"
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-
-          if gh release view "${TAG}" > /dev/null 2>&1; then
-            echo "Release ${TAG} already exists — skipping"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Find previous release tag
-        id: prev
-        if: steps.ver.outputs.skip == 'false'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          TAG="${{ steps.ver.outputs.tag }}"
-          PREV=$(gh release list --limit 50 --json tagName -q '.[].tagName' | grep -v "^${TAG}$" | head -1)
-          if [ -n "$PREV" ] && git merge-base --is-ancestor "$PREV" HEAD 2>/dev/null; then
-            echo "tag=${PREV}" >> "$GITHUB_OUTPUT"
-            echo "Previous tag: ${PREV}"
-          else
-            echo "tag=" >> "$GITHUB_OUTPUT"
-            echo "No previous tag reachable from HEAD"
-          fi
-
-      - name: Generate changelog
-        id: changelog
-        if: steps.ver.outputs.skip == 'false' && steps.prev.outputs.tag != ''
-        run: |
-          PREV="${{ steps.prev.outputs.tag }}"
-          NOTES=$(git log --oneline "${PREV}..HEAD" --pretty="- %s" | head -50)
-          {
-            echo "notes<<EOF"
-            echo "$NOTES"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      # Echo the resolved outputs so downstream skip/no-skip decisions are
-      # debuggable from the run log without re-running with step debug.
-      - name: Debug resolved outputs
-        run: |
-          echo "version=${{ steps.ver.outputs.version }}"
-          echo "tag=${{ steps.ver.outputs.tag }}"
-          echo "skip=${{ steps.ver.outputs.skip }}"
-          echo "prev=${{ steps.prev.outputs.tag }}"
-
-  # ---------------------------------------------------------------------------
-  # Build & Publish: matrix build of platform binaries + npm publish via OIDC.
-  #
-  # The reusable workflow filename is `version.yml` because npm Trusted
-  # Publisher is configured against that exact path. Renaming requires
-  # updating the npmjs.com Trusted Publisher entry first.
-  #
-  # The `if:` uses `always() && needs.prepare.result == 'success' &&
-  # needs.prepare.outputs.skip != 'true'`. This is the bulletproof pattern
-  # for reusable-workflow callers when any upstream job in the `needs:`
-  # chain was SKIPPED. With the simpler `needs.prepare.outputs.skip != 'true'`
-  # alone, GH Actions silently evaluated the gate as false even though the
-  # debug step in `prepare` proved the output was actually `'false'` — a
-  # known GH Actions quirk: when a job's transitive `needs:` chain includes
-  # a skipped job (here, `bump` is skipped on push events), the reusable-
-  # workflow caller's expression evaluator treats `needs.<job>.outputs.<x>`
-  # as null/missing regardless of the actual value.
-  #
-  # `always()` opts out of the implicit success() filter; the explicit
-  # `result == 'success'` reinstates it correctly; the outputs check then
-  # works as intended.
-  # ---------------------------------------------------------------------------
-  build:
-    name: Build & Publish
-    needs: prepare
-    if: |
-      always() &&
-      needs.prepare.result == 'success' &&
-      needs.prepare.outputs.skip != 'true'
-    uses: ./.github/workflows/version.yml
-    with:
-      version: ${{ needs.prepare.outputs.version }}
-      npm_tag: latest
-      # Use prepare.outputs.ref (which resolves to the bump-job tag on
-      # dispatch, or `github.sha` on push). Build cannot reference
-      # `needs.bump.*` directly — only `prepare` is in its `needs:` chain.
-      # On the push path nobody creates the tag before this runs; the
-      # SHA-based checkout works because the merge commit already has the
-      # bumped package.json. The release job creates the tag at the end
-      # via `gh release create`.
-      ref: ${{ needs.prepare.outputs.ref }}
-    secrets: inherit
-
-  # ---------------------------------------------------------------------------
-  # Release: download artifacts, create GitHub Release with cliff-free notes.
-  # ---------------------------------------------------------------------------
-  release:
-    name: Create GitHub Release
-    needs: [prepare, build]
-    if: |
-      always() &&
-      needs.prepare.result == 'success' &&
-      needs.build.result == 'success' &&
-      needs.prepare.outputs.skip != 'true'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          # Same as the build job: prefer the bump job's tag (dispatch
-          # path) but fall back to the SHA (push path, no tag exists yet).
-          ref: ${{ needs.prepare.outputs.ref }}
-
-      - name: Download binaries
-        uses: actions/download-artifact@v4
-        with:
-          path: dist/
-          pattern: binaries-*
-          merge-multiple: true
-
-      - name: List artifacts
-        run: ls -la dist/
-
-      - name: Create release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_NOTES: ${{ needs.prepare.outputs.changelog }}
-        run: |
-          TAG="${{ needs.prepare.outputs.tag }}"
-          VERSION="${{ needs.prepare.outputs.version }}"
-
-          if [ -z "$RELEASE_NOTES" ]; then
-            RELEASE_NOTES="Release ${TAG}"
-          fi
-
-          {
-            echo "$RELEASE_NOTES"
-            echo ""
-            echo "## Install"
-            echo ""
-            echo '```bash'
-            echo "npm install pgserve@${VERSION}"
-            echo "bunx pgserve@${VERSION}"
-            echo '```'
-          } > /tmp/release-notes.md
-
-          # The tag already exists (created by bump job on dispatch, or by the
-          # human commit on push). gh release create resolves --target via the
-          # tag automatically when omitted.
-          gh release create "${TAG}" \
-            --title "${TAG}" \
-            --notes-file /tmp/release-notes.md \
-            dist/*

package/.github/workflows/version.yml

@@ -1,228 +0,0 @@
-name: Build All Platforms
-
-on:
-  workflow_call:
-    inputs:
-      version:
-        description: 'Version to publish'
-        required: true
-        type: string
-      npm_tag:
-        description: 'npm dist-tag (next or latest)'
-        required: false
-        type: string
-        default: 'next'
-      ref:
-        description: 'Git ref to checkout (tag or commit)'
-        required: false
-        type: string
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version (leave empty for build-only)'
-        required: false
-        type: string
-      npm_tag:
-        description: 'npm dist-tag'
-        required: false
-        type: choice
-        options:
-          - next
-          - latest
-        default: 'next'
-
-concurrency:
-  group: build-all-platforms-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    name: Build ${{ matrix.platform }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # Linux x64
-          - platform: linux-x64
-            output: pgserve-linux-x64
-            os: ubuntu-latest
-          # macOS ARM64 (Apple Silicon)
-          - platform: darwin-arm64
-            output: pgserve-darwin-arm64
-            os: macos-latest
-          # Windows x64 - must build on Windows for --windows-icon
-          - platform: windows-x64
-            output: pgserve-windows-x64.exe
-            os: windows-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.11
-
-      - name: Install dependencies
-        run: bun install
-
-      # Windows: native build with icon and proper metadata
-      - name: Build for Windows (with branding)
-        if: matrix.platform == 'windows-x64'
-        run: |
-          New-Item -ItemType Directory -Force -Path dist | Out-Null
-          $RAW_VERSION = node -p "require('./package.json').version"
-          # Convert 1.1.3-rc.10 to 1.1.3.10 (Windows requires X.Y.Z.W format)
-          $WIN_VERSION = $RAW_VERSION -replace '-rc\.', '.'
-          Write-Host "Raw version: $RAW_VERSION -> Windows version: $WIN_VERSION"
-          bun build --compile `
-            --define BUILD_VERSION="'$RAW_VERSION'" `
-            --windows-icon=assets/icon.ico `
-            --windows-title="pgserve" `
-            --windows-publisher="Namastex Labs" `
-            --windows-description="Embedded PostgreSQL Server - Zero config, auto-provision, unlimited connections" `
-            --windows-version="$WIN_VERSION" `
-            --windows-copyright="Copyright (c) 2025 Namastex Labs" `
-            bin/postgres-server.js --outfile dist/${{ matrix.output }}
-          Get-ChildItem dist/
-        shell: pwsh
-
-      # Linux/macOS: native build
-      - name: Build for ${{ matrix.platform }}
-        if: matrix.platform != 'windows-x64'
-        run: |
-          mkdir -p dist
-          VERSION=$(node -p "require('./package.json').version")
-          bun build --compile --define BUILD_VERSION="'$VERSION'" bin/postgres-server.js --outfile dist/${{ matrix.output }}
-          ls -lh dist/
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binaries-${{ matrix.platform }}
-          path: dist/${{ matrix.output }}*
-          retention-days: 7
-
-  publish:
-    name: Publish to npm
-    needs: build
-    runs-on: ubuntu-latest
-    if: inputs.version != ''
-    # Note: `environment: npm-publish` was removed because the npmjs.com
-    # Trusted Publisher entry for `pgserve` does not declare an environment
-    # name. With the env gate present here, the OIDC token's environment
-    # claim did not match the registry's expectation and `npm publish`
-    # returned 404. Re-add this line if/when the Trusted Publisher entry
-    # has its Environment Name field set to `npm-publish`.
-    permissions:
-      id-token: write
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      # Node 24 ships npm 11.5+ which has built-in OIDC trusted-publisher
-      # support. Avoids the `npm install -g npm@latest` self-upgrade bug
-      # (Arborist clobbering its own promise-retry dep mid-install) that
-      # broke rlmx's OIDC publish on Node 22.
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '24'
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.11
-
-      - name: Install dependencies
-        run: bun install
-
-      - name: Verify npm version supports OIDC trusted publishing
-        run: |
-          NPM_VERSION=$(npm --version)
-          echo "npm version: ${NPM_VERSION}"
-          MAJOR=$(echo "${NPM_VERSION}" | cut -d. -f1)
-          if [ "${MAJOR}" -lt 11 ]; then
-            echo "::error::npm ${NPM_VERSION} too old — OIDC requires >= 11.5.1. Bump node-version above."
-            exit 1
-          fi
-
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: dist/
-          pattern: binaries-*
-          merge-multiple: true
-
-      - name: Verify binaries
-        run: |
-          echo "Downloaded binaries:"
-          ls -la dist/
-
-          MISSING=""
-          # Supported platforms: linux-x64, darwin-arm64, windows-x64
-          for platform in linux-x64 darwin-arm64; do
-            if [ ! -f "dist/pgserve-$platform" ]; then
-              MISSING="$MISSING pgserve-$platform"
-            fi
-          done
-          if [ ! -f "dist/pgserve-windows-x64.exe" ]; then
-            MISSING="$MISSING pgserve-windows-x64.exe"
-          fi
-
-          if [ -n "$MISSING" ]; then
-            echo "Missing binaries:$MISSING"
-            exit 1
-          fi
-
-          echo "All binaries present!"
-
-      - name: Check if version already published
-        id: check
-        run: |
-          VERSION="${{ inputs.version }}"
-          if npm view pgserve@$VERSION version >/dev/null 2>&1; then
-            echo "Version $VERSION already published"
-            echo "published=true" >> $GITHUB_OUTPUT
-          else
-            echo "Version $VERSION not yet published"
-            echo "published=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Publish to npm via OIDC
-        if: steps.check.outputs.published == 'false'
-        env:
-          HUSKY: "0"
-          # npm auto-enables provenance in any CI env with `id-token: write`,
-          # regardless of the --provenance CLI flag. On some runners the
-          # server-side sigstore check fails with 422; disable explicitly.
-          # OIDC token exchange still happens.
-          NPM_CONFIG_PROVENANCE: "false"
-        run: |
-          echo "Publishing version ${{ inputs.version }} with tag ${{ inputs.npm_tag }} via OIDC"
-          npm publish --access public --tag ${{ inputs.npm_tag }}
-
-      - name: Verify publish
-        if: steps.check.outputs.published == 'false'
-        run: |
-          # npm registry can take up to 30s to propagate
-          for i in 1 2 3 4 5; do
-            echo "Attempt $i: Checking npm for pgserve@${{ inputs.version }}..."
-            if npm view pgserve@${{ inputs.version }} version 2>/dev/null; then
-              echo "Successfully published pgserve@${{ inputs.version }} with tag @${{ inputs.npm_tag }}"
-              exit 0
-            fi
-            echo "Not found yet, waiting 10s..."
-            sleep 10
-          done
-          echo "Warning: Version not found after 50s, but publish command succeeded"
-          exit 0

package/.husky/pre-commit

@@ -1,2 +0,0 @@
-bunx lint-staged
-bun run deadcode