Skip to content

fix(release): shape the ios-spm manifest per channel and verify the real manifest#405

Open
NathanWalker wants to merge 3 commits into
mainfrom
feat/spm-release-reland
Open

fix(release): shape the ios-spm manifest per channel and verify the real manifest#405
NathanWalker wants to merge 3 commits into
mainfrom
feat/spm-release-reland

Conversation

@NathanWalker

@NathanWalker NathanWalker commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Verify channels per target (ios, visionos) and ensure manifest never contains a target that it was not intended for (next tags, etc.)

Summary by CodeRabbit

  • New Features
    • iOS and visionOS builds now source NativeScript frameworks through Swift Package Manager.
    • Releases publish SwiftPM-compatible artifacts for iOS and visionOS.
    • Local builds can use locally generated SwiftPM artifacts and manifests.
  • Bug Fixes
    • Improved version alignment by stamping the project template to match the released artifacts.
    • Added a post-publish smoke test to verify SwiftPM resolution for the released version and checksums.
  • Release Improvements
    • Refreshed the release workflow to be tag/channel-aware and matrix-based per target, with automated artifact packaging, GitHub Release publishing, SwiftPM updates, and npm publication.

@NathanWalker NathanWalker requested a review from edusperoni July 10, 2026 21:47
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7a53298f-4a3f-4cbc-b72d-f2688e1e1cf3

📥 Commits

Reviewing files that changed from the base of the PR and between 5393b34 and 348b4f5.

📒 Files selected for processing (1)
  • .github/workflows/npm_release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/npm_release.yml

📝 Walkthrough

Walkthrough

The PR moves iOS and visionOS runtime delivery to SwiftPM-backed artifacts, updates project templates and packaging scripts, and adds target-aware release, publication, ios-spm update, and verification stages.

Changes

SwiftPM release pipeline

Layer / File(s) Summary
Release matrix and target builds
.github/workflows/npm_release.yml
The workflow resolves versions and channels, builds iOS and conditional visionOS targets, and uploads target-specific npm, SwiftPM, and dSYM artifacts.
SwiftPM artifact packaging
build_all_ios.sh, build_all_vision.sh, build_spm_artifacts.sh, build_npm_ios.sh, build_npm_vision.sh
Build scripts create zipped xcframework artifacts and checksums; npm packages now reference SwiftPM releases, with an optional local package for iOS builds.
Xcode SwiftPM integration
project-template-ios/..., project-template-vision/...
Project templates link SwiftPM products instead of embedding local xcframeworks, and linker settings rely on SwiftPM-provided frameworks.
Manifest generation and verification tools
scripts/generate-spm-manifest.mjs, scripts/generate-spm-probe.mjs, scripts/stamp-template-*.mjs
CLI scripts validate versions and checksums, generate manifests and probe packages, and stamp remote or local SwiftPM references into templates.
Release publication and verification
.github/workflows/npm_release.yml
Release stages create GitHub assets, update and tag ios-spm, publish npm packages using selectable authentication, and resolve a SwiftPM probe package.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Build as Matrix build
  participant Release as GitHub release
  participant SPM as ios-spm repository
  participant NPM as npm registry
  participant Verify as SwiftPM probe
  Build->>Release: Upload xcframework and dSYM assets
  Release->>SPM: Generate and tag Package.swift
  SPM->>NPM: Publish target package
  NPM->>Verify: Resolve exact release version
  Verify->>Verify: Validate checksums and package resolution
Loading

Possibly related PRs

Poem

I’m a rabbit hopping through the build,
Where SwiftPM frameworks bloom and yield.
Tags fly high, checksums gleam,
Packages resolve like a carrot dream.
Hop, release, and verify with cheer!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: release-channel-specific ios-spm manifest generation and verification.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
.github/workflows/npm_release.yml (2)

149-168: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Template-injection pattern: matrix values interpolated directly into run:.

npm run ${{ matrix.script }} (line 152) embeds a workflow expression straight into a shell command. The values are currently hardcoded in setup's BUILD_MATRIX, so the practical risk is nil today, but the pattern is fragile against future matrix changes and is what zizmor's template-injection audit flags. Prefer routing through env: so the value is passed as data, not shell source.

♻️ Proposed fix
       - name: Build (${{ matrix.target }})
-        run: npm run ${{ matrix.script }}
+        env:
+          BUILD_SCRIPT: ${{ matrix.script }}
+        run: npm run "$BUILD_SCRIPT"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm_release.yml around lines 149 - 168, Update the “Build
(${{ matrix.target }})” step to pass matrix.script through the step’s env
configuration, then invoke npm using the environment variable rather than
interpolating matrix.script directly in run. Preserve the existing build
behavior while ensuring the matrix value is treated as shell data.

Source: Linters/SAST tools


4-22: 🩺 Stability & Availability | 🔵 Trivial

Consider a concurrency group for the release pipeline.

Multiple overlapping triggers (push to main, tag push, manual dispatch) can start concurrent runs that both attempt to update/force-push ios-spm and publish npm packages for the same or racing versions. A concurrency: group keyed on something like release-${{ github.ref }} would prevent two release runs from clobbering each other's ios-spm tag/commit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm_release.yml around lines 4 - 22, Add a workflow-level
concurrency configuration for the release pipeline, using a stable group such as
release-${{ github.ref }} and disabling cancellation of in-progress runs. Place
it near the top-level workflow settings so push, tag, and manual triggers are
serialized per reference and cannot race while updating ios-spm or publishing
packages.
build_npm_ios.sh (1)

70-75: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Unquoted glob in mv *.tgz ../.

Shellcheck SC2035: if a filename produced by npm pack ever starts with - (unlikely but possible with certain scoped/prerelease names), mv could misinterpret it as an option.

🧹 Proposed fix
 pushd "$OUTPUT_DIR"
 npm pack
-mv *.tgz ../
+mv ./*.tgz ../
 popd
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build_npm_ios.sh` around lines 70 - 75, In the npm packaging block after npm
pack, update the mv command to safely handle generated archive names by
preventing option parsing and avoiding the unquoted glob; use an explicit
end-of-options marker and quote the resolved package path while preserving the
move to the parent directory.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/npm_release.yml:
- Around line 54-56: Disable implicit package-manager caching on all four
flagged setup-node steps by adding package-manager-cache: false to the with
configuration for the setup, github-release, spm-update, and verify-spm jobs.
Keep the existing pinned action versions and node-version settings unchanged.
- Around line 241-297: Remove the `|| true` from the “Zip dSYMs” step so any
`zip` failure causes the workflow to fail. Update the command to safely handle
filenames and ensure failures from individual dSYM archives propagate instead of
allowing release publication with incomplete symbol assets.

---

Nitpick comments:
In @.github/workflows/npm_release.yml:
- Around line 149-168: Update the “Build (${{ matrix.target }})” step to pass
matrix.script through the step’s env configuration, then invoke npm using the
environment variable rather than interpolating matrix.script directly in run.
Preserve the existing build behavior while ensuring the matrix value is treated
as shell data.
- Around line 4-22: Add a workflow-level concurrency configuration for the
release pipeline, using a stable group such as release-${{ github.ref }} and
disabling cancellation of in-progress runs. Place it near the top-level workflow
settings so push, tag, and manual triggers are serialized per reference and
cannot race while updating ios-spm or publishing packages.

In `@build_npm_ios.sh`:
- Around line 70-75: In the npm packaging block after npm pack, update the mv
command to safely handle generated archive names by preventing option parsing
and avoiding the unquoted glob; use an explicit end-of-options marker and quote
the resolved package path while preserving the move to the parent directory.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 32cac31c-8d89-4311-917e-787c0c7515ec

📥 Commits

Reviewing files that changed from the base of the PR and between 2c2b63f and 4d45a9e.

📒 Files selected for processing (14)
  • .github/workflows/npm_release.yml
  • build_all_ios.sh
  • build_all_vision.sh
  • build_npm_ios.sh
  • build_npm_vision.sh
  • build_spm_artifacts.sh
  • project-template-ios/__PROJECT_NAME__.xcodeproj/project.pbxproj
  • project-template-ios/internal/nativescript-build.xcconfig
  • project-template-vision/__PROJECT_NAME__.xcodeproj/project.pbxproj
  • project-template-vision/internal/nativescript-build.xcconfig
  • scripts/generate-spm-manifest.mjs
  • scripts/generate-spm-probe.mjs
  • scripts/stamp-template-local-spm.mjs
  • scripts/stamp-template-version.mjs

Comment thread .github/workflows/npm_release.yml
Comment thread .github/workflows/npm_release.yml
setup-node v6 enables dependency caching by default when it detects a
package manager, and this workflow runs on push to main — so the cache
is written to the default-branch scope every job can read. A poisoned
cache is worst in the jobs that mint the ios-spm App token, hold
contents:write, or publish with id-token:write, and the build job feeds
npm install output into the shipped artifact.

Set package-manager-cache: false on every setup-node step in the
release workflow (also restores the pre-v6 no-cache behavior).
@NathanWalker NathanWalker force-pushed the feat/spm-release-reland branch from 5393b34 to 348b4f5 Compare July 10, 2026 22:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant