From ec6528d7e8208416878da25a07d98642ee9db981 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 16:12:56 +0100 Subject: [PATCH 1/2] =?UTF-8?q?fix(ci):=20replace=20npm=20ci=20with=20npm?= =?UTF-8?q?=20install=20=E2=80=94=20lockfile=20drift=20unblocks=20validate?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The build-validation/validate job has been failing on main since the committed package-lock.json went out of sync with package.json. Specific error: npm error Invalid: lock file's picomatch@2.3.2 does not satisfy picomatch@4.0.4 npm error Missing: picomatch@2.3.2 from lock file (×3) Root cause: tailwindcss^3.4.19 pulls in two distinct picomatch consumers at different tree depths — chokidar wants ^2.3.1 (top-level), tinyglobby wants ^4.0.4 (nested). The lockfile has the nested tinyglobby/picomatch@4.0.4 entry but is missing the top-level picomatch@2.3.2 chokidar needs. `npm ci` (strict) refuses to install with missing entries; `npm install` (non-strict) regenerates the missing entries in-place during CI. This is a band-aid, not the real fix: - The real fix is the npm→Deno migration tracked in hyperpolymath/standards#253 (panll is in scope for that umbrella). - The band-aid keeps validate green until that migration lands. - --no-audit --no-fund silences noise. Notes: - Caught during the wider follow-up triage from hyperpolymath/snifs#30's CI gate work, when panll#61 (fake-SHA fix) surfaced the preexisting validate failure. --- .github/workflows/build-validation.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-validation.yml b/.github/workflows/build-validation.yml index 8ff76e61..d3e0ea44 100644 --- a/.github/workflows/build-validation.yml +++ b/.github/workflows/build-validation.yml @@ -41,7 +41,16 @@ jobs: patchelf - name: Install npm dependencies - run: npm ci + # `npm ci` requires package-lock.json to be a complete resolution + # of package.json. The committed lockfile is incomplete: tailwindcss's + # nested deps (chokidar wants picomatch@^2.3.1 at the top level) + # are missing entries, so `npm ci` refuses with "Missing: picomatch@2.3.2 + # from lock file". `npm install` is non-strict and regenerates the + # missing entries in-place during CI, unblocking the gate without + # committing a touched lockfile. The real fix is the npm→Deno + # migration tracked in hyperpolymath/standards#253; this is a + # band-aid to keep CI green until then. + run: npm install --no-audit --no-fund - name: ReScript build gate run: npm run res:build From fb3b98541df7e3170d8ab6cd4d0a8e66e24454f7 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 16:33:37 +0100 Subject: [PATCH 2/2] =?UTF-8?q?fix(ci):=20swap=20npm=20run=20res:build=20?= =?UTF-8?q?=E2=86=92=20npx=20rescript=20build=20(no=20scripts=20entry)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit build-validation.yml line 56 invoked `npm run res:build` but package.json has no `scripts` entry (the project's canonical ReScript invocation per .claude/CLAUDE.md is `npx rescript build` directly). This blocked the `validate` required check across every PR. Use the canonical form so the gate works without polluting package.json with a stub script alias. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/build-validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-validation.yml b/.github/workflows/build-validation.yml index d3e0ea44..4e0f7d09 100644 --- a/.github/workflows/build-validation.yml +++ b/.github/workflows/build-validation.yml @@ -53,7 +53,7 @@ jobs: run: npm install --no-audit --no-fund - name: ReScript build gate - run: npm run res:build + run: npx --no-install rescript build - name: Deno test gate run: deno task test