ci: add pkg.pr.new preview workflow

Author: NathanFlurry

.github/workflows/pkg-pr-new.yml

@@ -0,0 +1,52 @@
+name: Publish to pkg.pr.new
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/pkg-pr-new.yml"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+      - "packages/secure-exec/**"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/pkg-pr-new.yml"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+      - "packages/secure-exec/**"
+
+concurrency:
+  group: pkg-pr-new-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build package
+        run: pnpm --filter secure-exec build
+
+      - name: Publish to pkg.pr.new
+        run: pnpm dlx pkg-pr-new publish "./packages/secure-exec" --packageManager pnpm

packages/secure-exec/package.json

@@ -4,6 +4,14 @@
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rivet-dev/secure-exec.git",
+    "directory": "packages/secure-exec"
+  },
   "exports": {
     ".": {
       "import": "./dist/index.js",

packages/secure-exec/tests/pkg-pr-new-policy.test.ts

@@ -0,0 +1,49 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { describe, expect, it } from "vitest";
+
+const TESTS_ROOT = path.dirname(fileURLToPath(import.meta.url));
+const PACKAGE_ROOT = path.resolve(TESTS_ROOT, "..");
+const WORKSPACE_ROOT = path.resolve(PACKAGE_ROOT, "..", "..");
+const WORKFLOW_PATH = path.join(
+	WORKSPACE_ROOT,
+	".github",
+	"workflows",
+	"pkg-pr-new.yml",
+);
+const PACKAGE_MANIFEST_PATH = path.join(PACKAGE_ROOT, "package.json");
+
+describe("pkg.pr.new publish policy", () => {
+	it("publishes only the secure-exec package preview", async () => {
+		const workflowSource = await readFile(WORKFLOW_PATH, "utf8");
+
+		expect(workflowSource).toContain("name: Publish to pkg.pr.new");
+		expect(workflowSource).toContain(
+			'pnpm dlx pkg-pr-new publish "./packages/secure-exec" --packageManager pnpm',
+		);
+		expect(workflowSource).not.toContain("'packages/*'");
+		expect(workflowSource).not.toContain("'./packages/**/*'");
+		expect(workflowSource).not.toContain("--template");
+	});
+
+	it("packages only built artifacts for preview publishing", async () => {
+		const packageManifest = JSON.parse(
+			await readFile(PACKAGE_MANIFEST_PATH, "utf8"),
+		) as {
+			files?: string[];
+			repository?: {
+				type?: string;
+				url?: string;
+				directory?: string;
+			};
+		};
+
+		expect(packageManifest.files).toEqual(["dist"]);
+		expect(packageManifest.repository).toEqual({
+			type: "git",
+			url: "https://github.com/rivet-dev/secure-exec.git",
+			directory: "packages/secure-exec",
+		});
+	});
+});

packages/secure-exec/tests/runtime-driver/node/runtime.test.ts

@@ -57,7 +57,9 @@ describe("runtime driver specific: node", () => {
 	it("accepts Node-only exec options", async () => {
 		const runtime = createRuntime();
 		const result = await runtime.exec(`console.log("node-exec-options-ok");`, {
-			cpuTimeLimitMs: 50,
+			// Keep the limit low enough to exercise the node-only option path
+			// without coupling the test to machine-specific startup jitter.
+			cpuTimeLimitMs: 250,
 			timingMitigation: "off",
 		});
 		expect(result.code).toBe(0);