feat: add npm distribution with platform-specific packages #7

Merged: khooihzhz merged 5 commits into main from feat/npm-distribution on May 11, 2026

@khooihzhz khooihzhz commented Mar 9, 2026

Summary

  • Adds npm distribution using the platform-specific optional dependencies pattern (same approach as esbuild, turbo, swc)
  • @coingecko/cg umbrella package + 6 platform packages (darwin/linux/win32 × arm64/x64)
  • Publish script with SHA-256 checksum verification against goreleaser's checksums.txt, retry safety for partial failures, and --provenance for supply-chain verification
  • Smoke test step (npm pack → install → cg version) runs before publishing to catch packaging issues early
  • Users install with: npm install -g @coingecko/cg

Fork rehearsal results

End-to-end release flow verified in a personal fork under @khooihongzhe scope:

  • goreleaser builds archives + checksums
  • Smoke test passes (pack → install → run)
  • All 7 npm packages published successfully (0.0.1-test.3)
  • npm install -g @khooihongzhe/cg installs correct platform binary
  • cg version executes correctly through the npm wrapper

Key findings:

  • npm token must be a Classic Automation token (Granular tokens require 2FA which blocks CI)
  • --provenance requires a public repo + id-token: write workflow permission
  • npm publish is one-way — the smoke test step before publish is essential

Setup required

  • Add NPM_TOKEN secret to GitHub repo (Classic Automation token from npmjs.com)
  • Ensure @coingecko npm org/scope exists

Test plan

  • Fork rehearsal: full release flow verified end-to-end
  • Verify NPM_TOKEN secret is configured in production repo settings
  • Tag a release and confirm all 7 npm packages are published with provenance
  • Verify npm install -g @coingecko/cg works on macOS, Linux, and Windows
  • Verify cg version outputs the correct version after npm install

🤖 Generated with Claude Code
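
The checksum step named in the summary above (SHA-256 verification against goreleaser's checksums.txt, using sha256sum only), shown as an added example; it is not code from this pull request or from the project's scripts/npm-publish.sh. The function names and the archive name are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the PR): check a release archive against a
# goreleaser-style checksums.txt, one "<sha256-hex>  <filename>" per line.
# Exit codes: 0 ok, 1 digest mismatch, 2 missing input, 3 bad/ambiguous entry.

verify_archive() {
  sums=$1
  archive=$2
  [ -f "$sums" ] && [ -f "$archive" ] || { echo "missing input" >&2; return 2; }
  name=${archive##*/}

  # Match the filename field exactly; a substring match would let an entry
  # for "x.tar.gz.old" satisfy a lookup for "x.tar.gz".
  matches=$(awk -v n="$name" '$2 == n { c++ } END { print c + 0 }' "$sums")
  if [ "$matches" -ne 1 ]; then
    echo "expected exactly 1 entry for $name, found $matches" >&2
    return 3
  fi
  expected=$(awk -v n="$name" '$2 == n { print tolower($1) }' "$sums")

  # Fail closed on anything that is not a 64-character hex digest.
  case $expected in
    *[!0-9a-f]*) echo "malformed digest for $name" >&2; return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest for $name" >&2; return 3; }

  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# Constructed sample input: a stand-in archive with a hypothetical name.
demo() {
  dir=$(mktemp -d) || return 1
  printf 'constructed archive bytes\n' > "$dir/cg_linux_amd64.tar.gz"
  (cd "$dir" && sha256sum cg_linux_amd64.tar.gz > checksums.txt)
  verify_archive "$dir/checksums.txt" "$dir/cg_linux_amd64.tar.gz" && echo "intact: accepted"
  printf 'x' >> "$dir/cg_linux_amd64.tar.gz"   # archive changed after checksums were written
  verify_archive "$dir/checksums.txt" "$dir/cg_linux_amd64.tar.gz" 2>/dev/null || echo "modified: rejected"
  rm -rf "$dir"
}
demo
```

A missing or duplicated entry is treated as a failure rather than skipped, so an archive that is absent from checksums.txt can never reach the publish step.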

@khooihzhz khooihzhz requested a review from jasonjul March 9, 2026 08:32

@jasonjul jasonjul left a comment

It's a public release so I'll try to be stricter.

  1. Is the smoke-test supposed to only test for one arch? GitHub Actions runner using runs-on: ubuntu-latest runs on x64 arch. I don't see any workflow matrix call over here.

  2. Check with @czhc on the MIT license. We probably want a little bit of attribution.

Comment thread npm/cg/package.json Outdated
Comment thread scripts/npm-publish.sh Outdated
Comment thread scripts/npm-publish.sh
Comment thread scripts/npm-publish.sh

@khooihzhz (Collaborator, Author)

> It's a public release so I'll try to be stricter.
>
>   1. Is the smoke-test supposed to only test for one arch? GitHub Actions runner using runs-on: ubuntu-latest runs on x64 arch. I don't see any workflow matrix call over here.
>   2. Check with @czhc on the MIT license. We probably want a little bit of attribution.

  1. Yes, the idea here is to just test whether the installation works. We rely on goreleaser to make sure it's compatible with other architectures. Running it on all arch is overkill here IMO.

@jasonjul jasonjul left a comment

Ah alright, I totally missed that! I was only looking at the deltas.

So goreleaser will publish to the release page in this repo, and after that we will publish to npm, alright cool.

Just pending license discussion.

khooihzhz and others added 3 commits May 11, 2026 14:33
Distribute the CoinGecko CLI via npm using the industry-standard
platform-specific optional dependencies pattern (like esbuild/turbo).

- @coingecko/cg umbrella package with JS bin wrapper
- 6 platform packages: darwin/linux/win32 × arm64/x64
- Publish script with checksum verification, retry safety, and provenance
- Smoke test runs npm pack + install + cg version before publishing
- Release workflow updated with setup-node + npm publish step

Users install with: npm install -g @coingecko/cg

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The npm/cg/ directory was excluded by the overly broad `cg` gitignore
pattern. Changed to `/cg` to only match the root-level binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Bump node engine requirement from >=16 to >=20 (LTS)
- Remove shasum fallback, require sha256sum only
- Add comment that provenance requires GitHub-hosted public runners

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@khooihzhz khooihzhz force-pushed the feat/npm-distribution branch from 67159d8 to 94553c6 Compare May 11, 2026 06:34
@khooihzhz khooihzhz requested a review from a team May 11, 2026 06:34
khooihzhz added 2 commits May 11, 2026 14:52
npm tarballs are immutable once published, so missing files would persist
in the first release forever.

- Bundle LICENSE in umbrella and all 6 platform packages
- Copy main README into umbrella at publish/smoke-test time so the npmjs.com
  page mirrors the GitHub README
- Document the npm install path in the project README
- Add homepage and bugs.url to all 7 package.json files

Smoke test had three separate cleanup paths (happy-path rm, error-branch
rm, and an unhandled abort case). Replace with a single trap on EXIT so
the umbrella README, extracted binary, and temp dirs are always removed.

Publish script: add a trap to remove the copied README after the umbrella
publish completes, since local runs would otherwise leave it behind.

@khooihzhz khooihzhz merged commit daa68cd into main May 11, 2026
3 checks passed
@khooihzhz khooihzhz deleted the feat/npm-distribution branch May 11, 2026 07:02