fix(release): decouple npm-publish + drop x86_64-darwin (v0.14.2 retry)

v0.14.1 tag triggered Release workflow but npm-publish was SKIPPED because Rust matrix entry x86_64-apple-darwin failed and release job needs:[build-release, build-mcp-binary]; npm-publish needs:release. Single Rust target failure → entire publish chain blocks. This was the W3 Opus CI/build finding deferred from audit-batch-2. Two fixes: 1. **Drop x86_64-apple-darwin from build-release matrix.** GitHub's `macos-latest` runner is now Apple Silicon (M1+); cross-compile to x86_64 needs an OpenSSL sysroot that the arm64 image doesn't ship. `openssl-sys 0.9.114` build fails with "Could not find openssl via pkg-config: pkg-config has not been configured to support cross-compilation". Apple Silicon mandatory for new Macs since 2020; x86 Mac is legacy. If a future user needs x86 darwin, re-add with `experimental: true` and `openssl-sys` features=["vendored"]. 2. **Decouple `npm-publish` from `release`.** The npm package builds its own `dist/` from `_ts_packages/` — it does NOT consume Rust release tarballs. Previously `needs: release` meant a single Rust matrix failure blocked the npm publish even though the two are architecturally independent. Now `needs: []` (parallel with build-release matrix). KEIGIT_TOKEN-presence guard still gracefully skips when secret is absent. Bump version 0.14.1 → 0.14.2 (v0.14.1 tag already exists from prior run). After re-tag v0.14.2: - build-release matrix: 3 targets (was 4) — should all succeed - build-mcp-binary: 5 platforms (unchanged) — already passed in 0.14.1 run - release job: produces GitHub Release with 3 Rust tarballs + 5 MCP binaries - npm-publish job: runs in PARALLEL, publishes @keisei/mcp-server@0.14.2 to keigit regardless of Rust matrix status [FROM-JOURNAL: tasks.jsonl this session — v0.14.1 release run 25280711426 ran 14m wall, 8/9 jobs success, x86_64-darwin failed at openssl-sys build, release+npm-publish skipped via needs-chain] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 22:30:50 +08:00 · 2026-05-03 22:30:50 +08:00 · cbed9e2275
commit cbed9e2275
parent da819a0d92
3 changed files with 17 additions and 6 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -28,9 +28,14 @@ jobs:
          - os: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
            experimental: false
-          - os: macos-latest
-            target: x86_64-apple-darwin
-            experimental: false
+          # v0.14.2 fix (2026-05-03 first-publish run): macos-latest is now
+          # Apple Silicon (M1+); cross-compile x86_64-apple-darwin needs an
+          # OpenSSL sysroot that GitHub's macos-arm64 runners don't ship.
+          # Apple Silicon mandatory for new Macs since 2020; x86 Mac is
+          # legacy. Drop x86_64-apple-darwin per Wave 3 audit recommendation.
+          # If a future need arises, re-add with `experimental: true` and
+          # `OPENSSL_VENDORED=1` env, or use `openssl-sys` features=["vendored"]
+          # in a target-specific [target.'cfg(...)'.dependencies] block.
          - os: macos-latest
            target: aarch64-apple-darwin
            experimental: false
@ -291,7 +296,13 @@ jobs:

  npm-publish:
    name: Publish npm packages to keigit.com
-    needs: release
+    # v0.14.2 fix (Wave 3 finding): npm publish only needs the TS workspace
+    # to build, NOT the Rust release tarballs. Decoupled from `release` so
+    # a single Rust matrix failure (e.g. cross-compile sysroot, transient
+    # apt-get) cannot block the npm publish chain. The job runs in parallel
+    # with build-release and is independent of build-mcp-binary too — it
+    # builds its own `dist/` from `_ts_packages/`.
+    needs: []
    runs-on: ubuntu-latest
    # Graceful skip: if KEIGIT_TOKEN secret is not configured, the first
    # step reports "skipped" and exits 0 — Rust-binary release above still
--- a/_ts_packages/package-lock.json
+++ b/_ts_packages/package-lock.json
@ -3707,7 +3707,7 @@
    },
    "packages/mcp-server": {
      "name": "@keisei/mcp-server",
-      "version": "0.14.1",
+      "version": "0.14.2",
      "license": "Apache-2.0",
      "dependencies": {
        "@modelcontextprotocol/sdk": "^1.0.0",
--- a/_ts_packages/packages/mcp-server/package.json
+++ b/_ts_packages/packages/mcp-server/package.json
@ -1,6 +1,6 @@
 {
  "name": "@keisei/mcp-server",
-  "version": "0.14.1",
+  "version": "0.14.2",
  "description": "MCP server exposing KeiSeiKit Rust primitives as Model Context Protocol tools — published to keigit.com (Forgejo npm registry, public DNS)",
  "type": "module",
  "main": "./dist/index.js",