
feat: add npm distribution with platform-specific packages #7

Open: khooihzhz wants to merge 3 commits into main from feat/npm-distribution


@khooihzhz khooihzhz commented Mar 9, 2026

Summary

  • Adds npm distribution using the platform-specific optional dependencies pattern (same approach as esbuild, turbo, swc)
  • @coingecko/cg umbrella package + 6 platform packages (darwin/linux/win32 × arm64/x64)
  • Publish script with SHA-256 checksum verification against goreleaser's checksums.txt, retry safety for partial failures, and --provenance for supply-chain verification
  • Smoke test step (npm pack → install → cg version) runs before publishing to catch packaging issues early
  • Users install with: npm install -g @coingecko/cg

Fork rehearsal results

End-to-end release flow verified in a personal fork under @khooihongzhe scope:

  • goreleaser builds archives + checksums
  • Smoke test passes (pack → install → run)
  • All 7 npm packages published successfully (0.0.1-test.3)
  • npm install -g @khooihongzhe/cg installs correct platform binary
  • cg version executes correctly through the npm wrapper

Key findings:

  • npm token must be a Classic Automation token (Granular tokens require 2FA which blocks CI)
  • --provenance requires a public repo + id-token: write workflow permission
  • npm publish is one-way — the smoke test step before publish is essential

Setup required

  • Add NPM_TOKEN secret to GitHub repo (Classic Automation token from npmjs.com)
  • Ensure @coingecko npm org/scope exists

Test plan

  • Fork rehearsal: full release flow verified end-to-end
  • Verify NPM_TOKEN secret is configured in production repo settings
  • Tag a release and confirm all 7 npm packages are published with provenance
  • Verify npm install -g @coingecko/cg works on macOS, Linux, and Windows
  • Verify cg version outputs the correct version after npm install

🤖 Generated with Claude Code
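
A fail-closed version of the checksum step described in the Summary, as an added example that is not the PR's publish script or part of the comment above; the archive and function names are assumptions. It looks each archive up by exact filename in a goreleaser-style checksums.txt and treats a missing or duplicate entry as a failure.

```bash
#!/usr/bin/env bash
# Added example (not the PR's publish script). checksums.txt lines are
# "<sha256-hex>  <filename>"; the archive names used here are constructed.

# verify_archive CHECKSUMS ARCHIVE
# 0 = match, 1 = digest mismatch, 2 = no unique entry, 3 = archive missing.
verify_archive() {
  local checksums="$1" archive="$2" name expected actual
  [ -f "$archive" ] || return 3
  name="$(basename "$archive")"
  # Exact match on the filename column, so "x.tar.gz.bak" cannot stand in
  # for "x.tar.gz" the way a substring grep would allow.
  expected="$(awk -v n="$name" '$2 == n { print $1 }' "$checksums")"
  # Zero entries or duplicate entries both fail: never publish unverified.
  [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2
  actual="$(sha256sum "$archive" | awk '{ print $1 }')"
  [ "$actual" = "$expected" ] || return 1
}

# verify_all CHECKSUMS DIR NAME...
# Stops at the first failure so nothing ships from a partly verified set.
verify_all() {
  local checksums="$1" dir="$2" name rc
  shift 2
  for name in "$@"; do
    rc=0
    verify_archive "$checksums" "$dir/$name" || rc=$?
    if [ "$rc" -ne 0 ]; then
      echo "verification failed (code $rc): $name" >&2
      return 1
    fi
    echo "verified: $name"
  done
}

# make_sample DIR: constructed stand-ins for goreleaser output.
make_sample() {
  local dir="$1"
  printf 'linux-x64 build\n' > "$dir/cg_linux_x64.tar.gz"
  printf 'darwin-arm64 build\n' > "$dir/cg_darwin_arm64.tar.gz"
  ( cd "$dir" && sha256sum cg_*.tar.gz > checksums.txt )
}

# Demo on constructed input.
demo_dir="$(mktemp -d)"
make_sample "$demo_dir"
verify_all "$demo_dir/checksums.txt" "$demo_dir" \
  cg_linux_x64.tar.gz cg_darwin_arm64.tar.gz
rm -rf "$demo_dir"
```

The distinct return codes let a CI log show whether a failure was a changed archive, an archive goreleaser never listed, or a file that was not built at all.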

khooihzhz and others added 2 commits March 9, 2026 15:09
Distribute the CoinGecko CLI via npm using the industry-standard
platform-specific optional dependencies pattern (like esbuild/turbo).

- @coingecko/cg umbrella package with JS bin wrapper
- 6 platform packages: darwin/linux/win32 × arm64/x64
- Publish script with checksum verification, retry safety, and provenance
- Smoke test runs npm pack + install + cg version before publishing
- Release workflow updated with setup-node + npm publish step

Users install with: npm install -g @coingecko/cg

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The npm/cg/ directory was excluded by the overly broad `cg` gitignore
pattern. Changed to `/cg` to only match the root-level binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@khooihzhz khooihzhz requested a review from jasonjul March 9, 2026 08:32
@jasonjul jasonjul left a comment


It's a public release so I'll try to be stricter.

  1. Is the smoke-test supposed to only test for one arch? GitHub Actions runner using runs-on: ubuntu-latest runs on x64 arch. I don't see any workflow matrix call over here.

  2. Check with @czhc on the MIT license. We probably want a little bit of attribution.

@khooihzhz (Collaborator, Author)

> It's a public release so I'll try to be stricter.
>
> 1. Is the smoke-test supposed to only test for one arch? GitHub Actions runner using runs-on: ubuntu-latest runs on x64 arch. I don't see any workflow matrix call over here.
> 2. Check with @czhc on the MIT license. We probably want a little bit of attribution.

  1. Yes, the idea here is to just test whether the installation works. We rely on goreleaser to make sure it's compatible with other architectures. Running it on all arch is overkill here IMO.

- Bump node engine requirement from >=16 to >=20 (LTS)
- Remove shasum fallback, require sha256sum only
- Add comment that provenance requires GitHub-hosted public runners

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jasonjul jasonjul left a comment


Ah alright, I totally missed that! I was only looking at the deltas.

So goreleaser will publish to the release page in this repo, and after that we will publish to npm, alright cool.

Just pending license discussion.
