ylabonte added a commit that referenced this pull request May 17, 2026
The action self-test failed on PR #8 with `sh: 1: ghaar: not found` in ~400ms — too fast for npx to have actually installed anything. On `ubuntu-latest` runners (which ship npm 10.x by default in the ubuntu-24.04 image until they bundle npm 11), the form `npx -y -p PKG@VERSION BIN ARGS` was observed to skip the install step and fall through to `sh -c "BIN ARGS"`. Since `ghaar` isn't on the runner's PATH, that exits 127.

This was masked while we were pre-1.0.0: the self-test workflow gates on `npm view github-actions-annotations-reporter version`, so the actual action invocation was skipped on every run. Once 1.0.0 landed on npm, the gate flipped and the dispatcher's brittleness surfaced.

Switch to the documented modern form:

```bash
npm exec --yes --package="$PKG@$VERSION" -- ghaar "${args[@]}"
```

`--package=…` is unambiguous about which token is the package spec and which is the binary to run. `--` separates flags from positional args. Verified locally to work identically on npm 10.x and 11.x.

No behavior change for callers; the action's inputs / outputs / env contracts are unchanged.

The existing marketplace-description.md changeset is updated in the same commit to mention both fixes — they're a single v1.0.2 patch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ylabonte added a commit that referenced this pull request May 17, 2026
The previous attempt to swap `npx -y -p X bin` for `npm exec --yes --package=X -- bin` was insufficient: the latest action self-test run on PR #8 (commit 7912b3a) reproduced the same `sh: 1: ghaar: not found` exit-127 failure in ~400ms. Both forms rely on npm's bin lookup heuristics, and on `ubuntu-latest` runners (npm 10.x in the ubuntu-24.04 image) those heuristics silently fall through to a `sh -c "ghaar args"` shell expansion when the bin can't be located — which appears to be the case for `npm install`'s npx-cache fast path when the package isn't already there.

Replace the heuristic-based forms entirely with an explicit install to a per-invocation temp prefix, then invoke the bin via its concrete path:

```bash
ghaar_install=$(mktemp -d "$RUNNER_TEMP/ghaar-install.XXXXXXXX")
npm install --silent --no-save --no-audit --no-fund \
  --prefix "$ghaar_install" \
  "github-actions-annotations-reporter@$GHAAR_VERSION"
"$ghaar_install/node_modules/.bin/ghaar" "${args[@]}"
```

This bypasses every bin-resolution code path: `npm install` is the plainest possible install primitive, and `.bin/ghaar` is a concrete file path. Tested locally with a fresh npx cache; works identically on npm 10 and 11. Multiple uses of the action in one job get their own `mktemp` prefixes and don't collide.

Updated the existing `marketplace-description.md` changeset to reflect the new approach (the changeset itself was already opened for the description fix; both ride into v1.0.2 together).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
GitHub Marketplace rejects action.yml `description` values longer than ~125 chars as "missing a proper description". Our previous 199-char value tripped that check during the user's first attempt to list the action on the Marketplace.

Shorter rewording keeps the three differentiators (severity-aware, won't-fix-aware, auto-close) in a single 123-char line:

```text
Turn workflow annotations into dedup-aware GitHub Issues — severity-labeled, won't-fix-aware, auto-closing when noise stops.
```

No behavior change. The longer marketing-style description still lives in `package.json` (npm shows the full thing) and in the README's intro paragraph; only the Action's own metadata is tightened.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
This PR shortens the GitHub Action metadata description for Marketplace constraints and also changes how the composite action installs and invokes the published CLI package.
Changes:
- Shortens `action.yml` `description` to fit Marketplace listing limits.
- Replaces `npx -p ... ghaar` with `npm install --prefix <tmp>` plus direct `.bin/ghaar` execution.
- Adds a patch changeset documenting the Action-side fixes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `action.yml` | Updates Marketplace description and dispatcher package invocation. |
| `.changeset/marketplace-description.md` | Adds patch release note for the description and dispatcher changes. |
Comments suppressed due to low confidence (1)
action.yml:219

- This change stops using `npx`, but the public `version` input description and nearby dispatcher comments still describe the package as being run via/passed to `npx`. Please update those references so the action metadata and maintenance comments match the new install-and-direct-bin execution path.

```bash
npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install" \
  "github-actions-annotations-reporter@$GHAAR_VERSION"
```
Copilot caught a regression I introduced in 822db21: when I split the old `npx -p PKG BIN` call into an explicit `npm install --prefix` step followed by a direct bin invocation, the install ended up OUTSIDE the `set +e ... set -e` block. The bin call stayed inside, but the install did not. So any install failure (network blip, registry timeout, version-not-found 404, etc.) would kill the dispatcher mid-script under the top-level `set -euo pipefail`, skipping every output step below and leaving downstream `steps.<id>.outputs.*` empty.

The original `npx` invocation did NOT have this hole — the install was bundled into the same call that ran inside `set +e`. The point of the `set +e` block was to make the action emit its JSON / counter outputs even on CLI failure, so consumers' downstream `if:` expressions and `outputs.*` reads stay reliable.

Fix: chain both steps inside the same `set +e` block via `&&`:

```bash
set +e
npm install --silent --no-save --no-audit --no-fund \
  --prefix "$ghaar_install" \
  "github-actions-annotations-reporter@$GHAAR_VERSION" \
  && "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}"
cli_exit=$?
set -e
```

The `&&` short-circuits when install fails, so the bin call is skipped. `cli_exit` captures whichever stage exited non-zero, and the script continues to the output emission block with the defaulted counters (`// 0` jq fallbacks, `2>/dev/null || echo 0` outer guards).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Two Action-side fixes that ship together as v1.0.2.
1. Marketplace listing. Shorten the `description` field in `action.yml` from 199 chars to 123 chars so the GitHub Marketplace publish flow accepts it (the constraint is ≤125). Same scope, fewer words:

2. Composite-action dispatcher reliability. The action self-test surfaced that the published `v1.0.1` is broken on `ubuntu-latest` runners: the bash dispatcher invoked `npx -y -p PKG BIN`, but on the runner's npm 10.x that form was skipping the install step and falling through to `sh -c "ghaar …"` → `command not found` → exit 127. `npm exec --package=` exhibited the same fallback behavior.

Replace the heuristic-based forms with an explicit install + direct bin invocation, both inside the existing `set +e` block so a registry failure still lets the action emit its `json` / counter outputs:

```bash
ghaar_install=$(mktemp -d "$RUNNER_TEMP/ghaar-install.XXXXXXXX")
set +e
npm install --silent --no-save --no-audit --no-fund --prefix "$ghaar_install" \
"github-actions-annotations-reporter@$GHAAR_VERSION" \
&& "$ghaar_install/node_modules/.bin/ghaar" "${args[@]}"
cli_exit=$?
set -e
```
This bypasses every bin-resolution code path and works identically on npm 10 and 11. No behavior change for callers; the action's inputs / outputs / env contracts are unchanged.
Test plan
🤖 Generated with Claude Code
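
The `set +e` regression and its fix described in this PR, reproduced offline as an added example (not code from the PR or the action). `fake_install` and `fake_cli` are constructed stand-ins for `npm install --prefix …` and `.bin/ghaar`, and `run_dispatcher` is a hypothetical helper that runs each layout in a fresh bash process and prints whatever output the dispatcher still managed to emit.

```shell
#!/usr/bin/env bash
# Added example. fake_install / fake_cli are constructed stand-ins for
# `npm install --prefix ...` and `.bin/ghaar`; each exits with the status given.
STUBS='fake_install() { return "$1"; }; fake_cli() { return "$1"; }'

# Regressed layout: the install runs under errexit, outside the guarded block.
REGRESSED='set -euo pipefail
fake_install "$1"
set +e
fake_cli "$2"
cli_exit=$?
set -e
echo "exit_code=$cli_exit"'

# Fixed layout: install and CLI chained with && inside the set +e block.
FIXED='set -euo pipefail
set +e
fake_install "$1" && fake_cli "$2"
cli_exit=$?
set -e
echo "exit_code=$cli_exit"'

# Run one layout in a fresh bash process, as a runner would run the step.
# usage: run_dispatcher <regressed|fixed> <install_status> <cli_status>
# Prints the output line the dispatcher emitted (nothing if it aborted early).
run_dispatcher() {
  case "$1" in
    regressed) body=$REGRESSED ;;
    fixed)     body=$FIXED ;;
    *) return 2 ;;
  esac
  bash -c "$STUBS; $body" dispatcher "$2" "$3" || true
}

printf 'regressed, install fails: [%s]\n' "$(run_dispatcher regressed 1 0)"
printf 'fixed, install fails:     [%s]\n' "$(run_dispatcher fixed 1 0)"
printf 'fixed, CLI fails:         [%s]\n' "$(run_dispatcher fixed 0 3)"
printf 'fixed, both succeed:      [%s]\n' "$(run_dispatcher fixed 0 0)"
```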