feat: add npm and pip packages with CI/CD auto-publish#33
Open
anonymousAAK wants to merge 17 commits into
Conversation
anonymousAAK
commented
May 27, 2026
- Add npm wrapper package (bumblebee-scan) with postinstall binary download
- Add PyPI wrapper package (bumblebee-scan) with CLI entrypoint
- Extend release workflow to auto-publish to npm and PyPI on tag push
- Update README with npm/pip install instructions
Requires NPM_TOKEN and PYPI_TOKEN repository secrets.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds distributable wrappers so bumblebee can be installed via npm and pip, and updates the release workflow to publish those artifacts alongside GoReleaser releases.
Changes:
- Introduces a PyPI package that downloads (or `go install`s) the `bumblebee` Go binary on first run.
- Introduces an npm package with a `postinstall` binary downloader (fallback to `go install`) and a JS shim for `bumblebee`.
- Extends the GitHub Actions release workflow to publish to npm and PyPI; updates root docs and ignores build artifacts.
Reviewed changes
Copilot reviewed 11 out of 13 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| pypi-package/pyproject.toml | Defines Python package metadata and console script entrypoint. |
| pypi-package/bumblebee_scanner/cli.py | Implements the Python CLI wrapper that ensures the Go binary is present. |
| pypi-package/bumblebee_scanner/__init__.py | Exposes package version. |
| pypi-package/README.md | Documents PyPI install/usage. |
| pypi-package/LICENSE | Adds Apache 2.0 license for PyPI package. |
| npm-package/scripts/install.js | Downloads/extracts the released binary during npm postinstall (fallback to go install). |
| npm-package/package.json | Defines npm package metadata, postinstall, and bin entrypoint. |
| npm-package/bin/bumblebee.js | Node shim that executes the installed binary. |
| npm-package/README.md | Documents npm install/usage. |
| npm-package/LICENSE | Adds Apache 2.0 license for npm package. |
| README.md | Adds npm/pip install instructions to the main project README. |
| .gitignore | Ignores npm/pip build artifacts. |
| .github/workflows/release.yml | Publishes npm and PyPI packages based on the release tag. |
| version = "0.1.1" | ||
| description = "Supply-chain inventory collector for package, extension, and developer-tool metadata on macOS and Linux." | ||
| readme = "README.md" | ||
| license = "Apache-2.0" |
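Review bot: `version = "0.1.1"` is yet another hand-maintained copy of the release version, next to the npm `package.json`, the Go default and the `VERSION` file (the later bump to 0.1.4 had to touch all of them); consider generating this field from `VERSION` at build time so the PyPI wrapper cannot be published with a version that differs from the release tag whose tarball it downloads.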
Comment on lines +42 to +46
| with tarfile.open(tmp.name, "r:gz") as tf: | ||
| member = tf.getmember("bumblebee") | ||
| member.name = "bumblebee" | ||
| tf.extract(member, path=str(bin_dir)) | ||
| os.chmod(str(_bin_path()), 0o755) |
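Review bot: the tarball is extracted by `tf.extract(member, path=str(bin_dir))` and made executable without any integrity check, so whatever the URL returns is installed as the `bumblebee` binary; verify the archive's SHA-256 against the checksum file published with the release (GoReleaser emits one by default) before opening it, and check `member.isfile()` so a symlink or device entry named `bumblebee` is rejected. Fixing `member.name = "bumblebee"` already stops the archive from choosing the destination path, which is good; on 3.12+ also pass `filter="data"` (or set `tf.extraction_filter = tarfile.data_filter`) to avoid the deprecation warning and get the safe defaults.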
Comment on lines +36 to +50
|
|
||
| try: | ||
| bin_dir = _bin_dir() | ||
| bin_dir.mkdir(parents=True, exist_ok=True) | ||
| with tempfile.NamedTemporaryFile(suffix=".tar.gz", delete=False) as tmp: | ||
| urllib.request.urlretrieve(url, tmp.name) | ||
| with tarfile.open(tmp.name, "r:gz") as tf: | ||
| member = tf.getmember("bumblebee") | ||
| member.name = "bumblebee" | ||
| tf.extract(member, path=str(bin_dir)) | ||
| os.chmod(str(_bin_path()), 0o755) | ||
| os.unlink(tmp.name) | ||
| return True | ||
| except Exception: | ||
| return False |
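Review bot: `except Exception: return False` discards the failure cause, so a 404 from a draft release, a corrupt archive and a stalled socket all look identical to the user and silently fall through to the `go install` path; log the exception (at least to stderr) before returning. The temporary file from `NamedTemporaryFile(delete=False)` is only removed on the success path (`os.unlink(tmp.name)` after `return True` is unreachable on error), so every failed attempt leaves a `.tar.gz` behind; move the unlink into a `finally`. `urllib.request.urlretrieve(url, tmp.name)` also has no timeout, so a connection that stalls mid-download hangs the installer indefinitely.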
| const fs = require("fs"); | ||
| const path = require("path"); | ||
| const { execSync } = require("child_process"); | ||
| const zlib = require("zlib"); |
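Review bot: `zlib` is required here, but the extraction later in this file spawns an external `tar` process (`tar.on("close", ...)`), so unless `zlib` is used elsewhere in install.js the import is dead and should go. Either way, shelling out to `tar` assumes it is on PATH on every npm user's machine; if that assumption is kept, the failure when it is absent must be handled explicitly (see the `close` handler comment).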
Comment on lines +70 to +75
| tar.on("close", (code) => { | ||
| if (code === 0) { | ||
| fs.chmodSync(binPath, 0o755); | ||
| resolve(); | ||
| } else { | ||
| reject(new Error(`tar exited with ${code}`)); |
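Review bot: only the `close` event is handled here; when the spawned `tar` cannot start at all (ENOENT because `tar` is not on PATH), the child emits `error` and, without a matching `tar.on("error", reject)`, the promise never settles or the process dies with an unhandled error. In the `code === 0` branch, `fs.chmodSync(binPath, 0o755)` throws synchronously if the archive did not contain the expected member; a throw inside an event callback is an uncaught exception, not a rejection, so wrap it in try/catch and route the error to `reject`.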
Comment on lines +1 to +8
| # @perplexityai/bumblebee | ||
|
|
||
| npm wrapper for [bumblebee](https://github.com/perplexityai/bumblebee) — a read-only supply-chain inventory collector for package, extension, and developer-tool metadata on macOS and Linux. | ||
|
|
||
| ## Install | ||
|
|
||
| ```sh | ||
| npm install -g @perplexityai/bumblebee |
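Review bot: the README title `# @perplexityai/bumblebee` and the command `npm install -g @perplexityai/bumblebee` disagree with the PR description, which says the npm wrapper is published as `bumblebee-scan`; the documented install command must match the `name` field in `package.json`, since a documented name that nobody has published is one anyone else can register and users would install that instead. Apply the same check to the pip README and its `pip install` line.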
ci: pin govulncheck to v1.3.0 (perplexityai#38)
Merge upstream/main (Homebrew scanner, agent-skill scanner, ~/.claude.json MCP inventory, offline OSV-to-catalog generator, Mini Shai-Hulud Red Hat Cloud Services threat-intel catalog). Bump all version references to 0.1.4 (VERSION, version.go default, npm package.json + install.js, pypi pyproject + __init__ + cli.py). Point npm/pip install scripts at this fork (anonymousAAK/bumblebee) where the release CI uploads binaries, and make the goreleaser release non-draft so npm/pip postinstall can download the published tarballs. https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
The test-packages workflow installed the published registry version instead of the code under test, so it could never validate PR changes and kept exercising the broken 0.1.3 release. Switch both jobs to install the local npm/pip packages (with a checkout step) so CI tests the PR's own code.

Add network timeouts to the binary downloaders so a stalled connection fails fast instead of hanging until the runner is killed (root cause of the 2-minute pip-install hang on ubuntu):
- cli.py: urlopen(timeout=30) + go install timeout=300
- install.js: https.get timeout=30s + execSync go install timeout=300s

Also align install.js go-install fallback/messages to use REPO.

https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
CI (fix pip-install ubuntu hang):
- npm job installs with --ignore-scripts and pip job drops 'bumblebee --help'. With no published release in PR context, those steps force a binary download/go-install whose go-install fallback is non-deterministic in CI (hung ~2min and was SIGTERM'd on one runner). Smoke tests now just verify the packages build, install, and link their entrypoint.

Review findings:
- schema: add missing 'agent-skill' to the ecosystem enums in package-record and exposure-catalog schemas, so agent-skill records and catalog entries validate.
- npm/pip wrappers: split the release-binary source (this fork) from the Go module path used by the 'go install' fallback (canonical upstream module), so the fallback path is import-valid instead of a module-path mismatch.
- osvcatalog: unreadable/invalid files in a directory walk are now reported to stderr and skipped instead of aborting the whole import, matching the documented loadPath contract.
- osv test: correct a sort-order comment to match the assertions (npm before pypi).

https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
systemRoots covers the shared Linux Homebrew prefix (/home/linuxbrew/.linuxbrew) but not a non-sudo per-user install, which lands in ~/.linuxbrew. Add ~/.linuxbrew/Cellar and ~/.linuxbrew/Caskroom to the per-home baseline candidates so user-local Homebrew formulae and casks are inventoried; absent paths are dropped by filterExistingRoots and the existing */Cellar, */Caskroom classifier tags them as homebrew. Resolves the baseline Homebrew coverage gap noted in review (the PR description's '~/.local/Cellar' was not a real Homebrew location; ~/.linuxbrew is the actual per-user prefix). https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
Add Homebrew, agent-skill, and OSV catalog support
The release workflow only triggered on a v* tag push, which is awkward in environments that cannot push tags. Add a workflow_dispatch trigger that:
- resolves the version from the input (or the VERSION file when omitted),
- creates and pushes the v<version> tag from CI (GITHUB_TOKEN-pushed tags do not re-trigger this workflow, so there is no double run),
- threads the resolved version to the npm/PyPI publish jobs via a job output instead of GITHUB_REF_NAME, so both the tag-push and dispatch paths publish the same version.

The existing tag-push path is unchanged.

https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
Add an auto-release workflow that watches the VERSION file on main and, when it changes to a version without an existing tag, dispatches the release workflow for that version. The release workflow then creates the tag and publishes to npm + PyPI, so all build/publish logic stays in one place and manual tag/dispatch releases are unaffected. Uses workflow_dispatch to start the release, which is the documented exception to GITHUB_TOKEN not re-triggering workflows, so no PAT is needed. https://claude.ai/code/session_01DYdxAiByG5AscGpe7fxzdT
ci(release): add workflow_dispatch trigger for manual releases
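The download path the commit messages above describe for the pip wrapper (a socket timeout so a stalled connection fails fast instead of hanging the runner), combined with checksum verification before extraction, extraction of only the named member, and cleanup of the temporary file on every exit, as a worked example written for this page. It is not the project's `cli.py`: the `REPO` slug, the asset-name pattern, the `URL` and the sha256sum-style checksum file are assumptions, and the tarball, checksum line and stalled connection are constructed in-process so the example runs offline.

```python
import hashlib
import io
import os
import socket
import tarfile
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Optional, Tuple

# Constructed values: the repo slug, asset-name pattern and URL are assumptions, not the project's.
REPO = "example-org/bumblebee"
ASSET = "bumblebee_0.1.4_linux_amd64.tar.gz"
URL = f"https://github.com/{REPO}/releases/download/v0.1.4/{ASSET}"


def parse_checksums(text: str, asset_name: str) -> Optional[str]:
    """Find asset_name in a sha256sum-style file ('<64 hex>  <name>' per line)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == asset_name and len(parts[0]) == 64:
            return parts[0].lower()
    return None


def fetch_binary(url: str, bin_dir, expected_sha256: Optional[str], *,
                 timeout: float = 30, max_bytes: int = 200 * 1024 * 1024,
                 opener: Callable = urllib.request.urlopen) -> Tuple[bool, str]:
    """Download, verify SHA-256, then extract only the 'bumblebee' member.
    Returns (ok, reason) rather than swallowing the cause; always cleans up."""
    if expected_sha256 is None:
        return False, "no checksum published for asset"
    bin_dir = Path(bin_dir)
    bin_dir.mkdir(parents=True, exist_ok=True)
    tmp_path = None
    try:
        with tempfile.NamedTemporaryFile(suffix=".tar.gz", delete=False) as tmp:
            tmp_path = tmp.name
            digest, total = hashlib.sha256(), 0
            # The timeout bounds every socket read, so a peer that stalls mid-body
            # raises TimeoutError instead of hanging the installer until CI kills it.
            with opener(url, timeout=timeout) as resp:
                for chunk in iter(lambda: resp.read(64 * 1024), b""):
                    total += len(chunk)
                    if total > max_bytes:
                        return False, "download exceeded size limit"
                    digest.update(chunk)
                    tmp.write(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            return False, "checksum mismatch"      # nothing is extracted from an unverified archive
        with tarfile.open(tmp_path, "r:gz") as tf:
            if hasattr(tarfile, "data_filter"):     # 3.12+ and backports: refuse unsafe members
                tf.extraction_filter = tarfile.data_filter
            try:
                member = tf.getmember("bumblebee")  # exact name: the archive cannot choose the path
            except KeyError:
                return False, "archive has no 'bumblebee' member"
            if not member.isfile():                 # reject a symlink or device entry of that name
                return False, "'bumblebee' is not a regular file"
            tf.extract(member, path=str(bin_dir))
        os.chmod(bin_dir / "bumblebee", 0o755)
        return True, "ok"
    except (socket.timeout, TimeoutError, OSError, tarfile.TarError) as exc:
        return False, f"download failed: {type(exc).__name__}: {exc}"
    finally:
        if tmp_path is not None and os.path.exists(tmp_path):
            os.unlink(tmp_path)


def build_release_tarball(payload: bytes) -> bytes:
    """Constructed fixture: a gzip tarball with one executable 'bumblebee' member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("bumblebee")
        info.size, info.mode = len(payload), 0o755
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _stalled_opener(url, timeout):
    # Constructed stand-in for a connection that delivers nothing before the timeout expires.
    raise socket.timeout("timed out")


def demo() -> dict:
    """Happy path, tampered tarball and stalled connection, on constructed fixtures."""
    payload = b"#!/bin/sh\necho bumblebee-fixture\n"   # constructed stand-in for the Go binary
    tarball = build_release_tarball(payload)
    expected = parse_checksums(f"{hashlib.sha256(tarball).hexdigest()}  {ASSET}\n", ASSET)
    tampered = tarball[:-1] + bytes([tarball[-1] ^ 0xFF])  # one flipped byte
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d) / "good", Path(d) / "tampered"
        ok, why = fetch_binary(URL, good, expected, opener=lambda url, timeout: io.BytesIO(tarball))
        results["good"] = (ok, why, (good / "bumblebee").read_bytes() == payload)
        ok, why = fetch_binary(URL, bad, expected, opener=lambda url, timeout: io.BytesIO(tampered))
        results["tampered"] = (ok, why, (bad / "bumblebee").exists())
        results["stalled"] = fetch_binary(URL, Path(d) / "stalled", expected, opener=_stalled_opener)
    return results
```

`demo()` returns `(True, "ok", True)` for the intact tarball, `(False, "checksum mismatch", False)` for the flipped byte (the archive is never opened and nothing lands in the bin directory), and `(False, "download failed: ...")` for the stalled connection; in every case the temporary `.tar.gz` is gone afterwards. The `opener` parameter exists only so the fixtures can stand in for `urllib.request.urlopen`; a real caller leaves it at the default and the `timeout` is passed straight through.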