If gyp-build or similar is used during npm install the built package for a release would not be platform agnostic anymore (at least not agnostic for the platforms I want the prebuilt version to work).
So if this happens, I want the pipeline to fail. It can be done by analyzing the npm install log and check for log messages hinting building bindings like gyp-build.
Could look something like this:
- name: npm ci (capture log)
shell: bash
run: |
set -euo pipefail
# Don't use --ignore-scripts; we WANT to see if any builds happen.
npm ci --loglevel=verbose 2>&1 | tee npm-install.log
# Fail if we see evidence of native compilation.
- name: Fail if native build detected in npm log
shell: bash
run: |
set -euo pipefail
# A pragmatic set of patterns that almost always appear when native builds run.
# Add/remove patterns depending on your ecosystem.
PATTERN='(node-gyp|gyp info|node-pre-gyp|prebuild-install(?!.*skipping download)|CXX|CXXFLAGS|CC=|clang\+\+|clang|gcc|g\+\+|make(\[|:)|ninja|cmake|msbuild|cl\.exe|LINK : fatal error|binding\.gyp|nan\.h|fatal error:.*\.h)'
if grep -Ein "$PATTERN" npm-install.log; then
echo ""
echo "::error:: Detected signs of native compilation during npm install."
echo "If you expected a fully prebuilt/agnostic install for this platform, a dependency likely built from source."
exit 1
else
echo "✅ No native-build patterns found in npm-install.log"
fi
If
gyp-buildor similar is used duringnpm installthe built package for a release would not be platform agnostic anymore (at least not agnostic for the platforms I want the prebuilt version to work).So if this happens, I want the pipeline to fail. It can be done by analyzing the
npm installlog and check for log messages hinting building bindings likegyp-build.Could look something like this: