Use npm ci in eval workflow dependencies#2748
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the eval GitHub Actions workflow to use lockfile-driven installs, making dependency installation deterministic and avoiding implicit postinstall behavior at the repo root (which previously installed scripts/ dependencies via npm install).
Changes:
- Switch the root dependency install in the eval workflow from
npm installtonpm ci --ignore-scripts. - Add an explicit
scripts/dependency install step vianpm ci(within the same workflow step) to keepnpm run vallyworking.
There was a problem hiding this comment.
The approach here is correct. The root package.json has a postinstall hook (cd scripts && npm install) that implicitly installed scripts/ dependencies. Since --ignore-scripts skips that hook, the explicit cd scripts; npm ci step is the right compensation.
Both root and scripts/ have a package-lock.json, so npm ci will work in both locations.
One minor note on the scripts install below.
jongio
left a comment
There was a problem hiding this comment.
Incremental review (new commits since my last pass):
The scripts/ install now includes --ignore-scripts, which was the one suggestion from my prior review. Both install steps are consistent: lockfile-pinned (npm ci) with script suppression for CI safety.
Final state looks correct. No remaining concerns.
RickWinter
left a comment
There was a problem hiding this comment.
This switches the eval workflow to lockfile-pinned installs and explicitly restores the scripts dependencies skipped by the root install. The approach is the right shape. The current discussion proposes removing that required scripts install, which would break the metadata validation step. That must be resolved before merge.
3de0f37 to
ea8877b
Compare
Summary
npm installwith deterministic lockfile installs in the eval workflow.npm ci --ignore-scriptsat repo root.scriptsdependencies explicitly vianpm cisonpm run vallystill works.Safety rationale
npm ciusespackage-lock.jsonexactly and avoids lockfile drift in CI.postinstallbehavior from root only.