[codex] adopt shared Bazel package workflow

[Jesssullivan]

Summary

• replace repo-local CI and publish workflows with the shared Bazel JS package workflow
• keep the existing release metadata, package validation, and Bazel-artifact publish contract
• pin the reusable workflow reference to the reviewed ci-templates commit

Why

tinyvectors was carrying duplicated workflow logic for the same package-authority contract now shared across the package repos. This keeps the repo thinner and makes the authority lane easier to reason about.

Validation

• parsed .github/workflows/ci.yml
• parsed .github/workflows/publish.yml

[greptile-apps]

Greptile Summary

This PR replaces inline CI and publish workflows with a reusable shared js-bazel-package.yml workflow from tinyland-inc/ci-templates, pinned to a specific commit. It also refactors the Bazel build to be fully standalone (adding MODULE.bazel extensions for node/pnpm/npm, declaring tool binaries locally), introduces a new tinyvectors_declarations target for emitting .d.ts files via tsc, and bumps the package to 0.2.3. The LICENSE is simplified to zlib-only.

Confidence Score: 4/5

Safe to merge for CI verification; the publish path has unresolved P1 concerns from prior rounds that will cause runtime failures.

Three prior-round findings remain unresolved: missing id-token: write will cause npm provenance to fail on publish, .svelte files absent from the declarations sandbox degrade published type fidelity, and the expectedPnpmVersion undefined path produces a confusing error message. The new finding (stdout = "typecheck.log") is P2. Score is 4 rather than 3 because the core workflow plumbing is sound and CI dry-runs will pass — only the live publish path is broken.

.github/workflows/publish.yml (missing id-token: write for provenance) and BUILD.bazel (.svelte srcs absent from tinyvectors_declarations)

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	New CI workflow delegating to the shared js-bazel-package.yml at a pinned commit, with dry_run: true and secrets: inherit; well-structured.
.github/workflows/publish.yml	Inline publish job replaced with shared workflow call; id-token: write was removed — prior review flagged that publishConfig.provenance: true in package.json requires this permission and publish will fail without it.
BUILD.bazel	Adds tinyvectors_declarations tsc target (missing .svelte srcs — prior review), tool binary declarations, pnpm-lock.yaml sandbox inputs, and README.md/CSS additions to pkg; typecheck stdout redirected to file which may hide errors in CI.
scripts/check-release-metadata.mjs	Adds pnpm-version consistency check (MODULE.bazel vs package.json); expectedPnpmVersion can be undefined when packageManager is absent — prior review flagged confusing failure message.
MODULE.bazel	Refactored for standalone use: adds node/pnpm/npm Bzlmod extensions, upgrades rules_nodejs to 6.7.3, removes aspect_rules_ts, bumps version to 0.2.3.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Events
    participant CI as ci.yml (Verify)
    participant PUB as publish.yml (Publish)
    participant TPL as ci-templates/js-bazel-package.yml@dde8c37
    participant Bazel as Bazel Build
    participant NPM as npm registry

    GH->>CI: pull_request / push to main / workflow_dispatch
    CI->>TPL: uses (dry_run: true, secrets: inherit)
    TPL->>Bazel: bazel build //:pkg //:typecheck //:test
    Bazel-->>TPL: artifacts (dist/, dist-types/, typecheck.log)
    TPL-->>CI: success / failure (no publish)

    GH->>PUB: push tag v*
    PUB->>TPL: uses (dry_run: false, secrets: inherit)
    TPL->>Bazel: bazel build //:pkg //:typecheck //:test
    Bazel-->>TPL: artifacts
    TPL->>NPM: npm publish (provenance=true)
    NPM-->>TPL: published
    TPL-->>PUB: complete

Loading

_{Reviews (7): Last reviewed commit: "chore: repin final shared workflow fixes" | Re-trigger Greptile}

[greptile-apps]

expectedPnpmVersion can silently become undefined

If packageManager is absent from package.json, expectedPnpmVersion is undefined. The subsequent actual !== expected comparison then always fails (since any extracted string !== undefined), producing the confusing message: expected "undefined", found "9.15.9". A guard here makes the failure explicit:

Suggested change

	const expectedPnpmVersion = packageJson.packageManager?.replace(/^pnpm@/, '');
	const expectedPnpmVersion = packageJson.packageManager?.replace(/^pnpm@/, '');
	if (!expectedPnpmVersion) {
	console.error('packageManager field is missing or not set to a pnpm version in package.json');
	process.exit(1);
	}

[greptile-apps]

.svelte files absent from declaration sandbox

src/svelte/index.ts re-exports directly from .svelte files:

export { default as TinyVectors } from './TinyVectors.svelte';
export { default as BlobSVG } from './BlobSVG.svelte';

But tinyvectors_declarations.srcs only globs src/**/*.ts, so the .svelte files are not in Bazel's hermetic sandbox when tsc runs. TypeScript falls back to Svelte's ambient declare module '*.svelte' wildcard, which means the emitted dist-types/svelte/index.d.ts types TinyVectors and BlobSVG as the generic ambient component rather than the specific Props interface (with theme, colors, animated, blobCount, etc.). Consumers who import @tummycrypt/tinyvectors/svelte lose all prop-level type checking.

Adding "src/**/*.svelte" to srcs makes the sandbox dependency explicit. Note that plain tsc still cannot parse Svelte syntax to emit prop-typed declarations — fully-typed Svelte component declarations require a Svelte-aware tool (e.g. svelte2tsx or @sveltejs/package). As long as the intent is to rely on the ambient type, the sandbox should at least document that dependency accurately.

Suggested change

	js_run_binary(
	name = "tinyvectors_declarations",
	tool = "//:tsc",
	srcs = glob([
	"src/**/*.ts",
	]) + [
	"package.json",
	"pnpm-lock.yaml",
	"tsconfig.json",
	"tsconfig.declarations.json",
	":node_modules",
	],
	args = [
	"-p",
	"tsconfig.declarations.json",
	],
	out_dirs = ["dist-types"],
	visibility = ["//visibility:public"],
	)
	js_run_binary(
	name = "tinyvectors_declarations",
	tool = "//:tsc",
	srcs = glob([
	"src/**/*.ts",
	"src/**/*.svelte",
	]) + [
	"package.json",
	"pnpm-lock.yaml",
	"tsconfig.json",
	"tsconfig.declarations.json",
	":node_modules",
	],
	args = [
	"-p",
	"tsconfig.declarations.json",
	],
	out_dirs = ["dist-types"],
	visibility = ["//visibility:public"],
	)