Skip to content

Configure CLI build pipeline for npm publishing#2697

Open
ivan-ottinger wants to merge 11 commits intotrunkfrom
stu-1362-cli-npm-build-pipeline
Open

Configure CLI build pipeline for npm publishing#2697
ivan-ottinger wants to merge 11 commits intotrunkfrom
stu-1362-cli-npm-build-pipeline

Conversation

@ivan-ottinger
Copy link
Contributor

@ivan-ottinger ivan-ottinger commented Mar 3, 2026
edited
Loading

Related issues

In this PR I am proposing to add a new CLI build - for now with manual package creation. As the next step I am planning to look into our organization npm access so we could manually publish it (privately-first) to npm under @automattic/wp-studio - as we discussed in STU-1357.

Then we can continue with making the publishing automated.

How AI was used in this PR

Claude Code implemented the plan from STU-1362 and iterated on build issues (externalized dependency resolution, shebang injection, ...) based on my feedback and manual testing. I have reviewed the whole generated code myself and with Copilot as well.

Proposed Changes

  • Configure CLI package as @automattic/wp-studio with version, bin, files, engines, and publishConfig fields for npm publishing
  • Add vite.config.npm.ts — a separate Vite config that externalizes runtime dependencies (npm handles them) and adds a #!/usr/bin/env node shebang to the main entry point
  • Add scripts/postinstall-npm.mjs — applies patches via patch-package after npm install (no-op in workspace context)
  • Extract shared Vite config into vite.config.base.ts to reduce duplication between Electron and npm builds
  • Remove redundant web WASM pruning (removed upstream in wordpress-playground#3315)
  • Bundle @studio/common dependencies at build time rather than listing them as runtime dependencies
  • Update workspace references across root and studio app package.json files to use the new scoped package name
  • Add cli:build:npm root script for the npm build

Testing Instructions

  1. Verify the existing Electron build still works: 
    npm run cli:build
  2. Verify the npm build works: 
    npm run cli:build:npm
  3. Verify no node_modules/ in npm build output and shebang is present: 
    ls apps/cli/dist/cli/node_modules  # should not exist
head -1 apps/cli/dist/cli/main.js  # should be #!/usr/bin/env node
  4. Test end-to-end from a tarball: 
    cd apps/cli && npm pack
mkdir /tmp/test-wp-studio && cd /tmp/test-wp-studio
npm init -y && npm install /path/to/automattic-wp-studio-0.1.0.tgz
npx studio --version
npx studio --help

Pre-merge Checklist

  • Have you checked for TypeScript, React or other console errors?

@ivan-ottinger ivan-ottinger self-assigned this Mar 3, 2026
@ivan-ottinger ivan-ottinger requested a review from Copilot March 3, 2026 14:10
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prepares the Studio CLI workspace package for publishing to npm under the new scoped name @automattic/studio-cli, including a dedicated npm-oriented build (externalized deps + shebang) and an npm-consumer postinstall pruning step.

Changes:

  • Renames the CLI workspace/package to @automattic/studio-cli and updates workspace script references.
  • Adds a dedicated vite.config.npm.ts build that externalizes runtime dependencies and prepends a Node shebang to main.js.
  • Adds an npm postinstall script to apply patches and prune large/unneeded binaries after install.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
package.json Updates root scripts to reference the new scoped CLI workspace and adds cli:build:npm.
package-lock.json Reflects the CLI rename/versioning and dependency reshaping needed for npm publishing.
apps/studio/package.json Updates Studio app scripts to call the renamed CLI workspace.
apps/cli/vite.config.npm.ts Introduces npm-specific Vite build config (externalization + shebang injection + locales copy).
apps/cli/scripts/postinstall-npm.mjs Adds npm-consumer postinstall actions (patches + binary pruning).
apps/cli/package.json Updates CLI package metadata for npm publishing (name/version/bin/files/engines/scripts).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ivan-ottinger ivan-ottinger marked this pull request as ready for review March 3, 2026 15:21
@ivan-ottinger ivan-ottinger requested a review from a team March 3, 2026 15:22
fredrikekelund
fredrikekelund reviewed Mar 5, 2026
View reviewed changes
Copy link
Contributor

@fredrikekelund fredrikekelund left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this! The main questions I see here are:

  1. We need to think about how to handle @studio/common when publishing to npm. I don't think the current approach of just including those dependencies in apps/cli/package.json is reliable enough.
  2. We should reduce the postinstall script as much as possible. In a follow-up PR, we should consider even removing patch-package altogether.

apps/cli/scripts/postinstall-npm.mjs
Comment on lines +26 to +34
// Apply patches via patch-package
try {
execSync( 'npx --no-install patch-package --patch-dir ./patches', {
cwd: packageDir,
stdio: 'inherit',
} );
} catch {
console.log( 'patch-package failed — patches may not apply cleanly' );
}
Copy link
Contributor

@fredrikekelund fredrikekelund Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing patch-package isn't trivial… The pm2-axon and pm2 patches will soon be redundant. We might be able to manage without the ps-man patch. The @wp-playground/wordpress patch could potentially be merged upstream in some way (gated by some config flag).

Copy link
Contributor

@wojtekn wojtekn Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anything against keeping the patch-package?

Even if we clear current ones, there is a chance we will need hotfix something in the future, so it seems reasonable to have that way available for both UI and CLI.

Copy link
Contributor

@fredrikekelund fredrikekelund Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expanded a little bit on the "why" in #2697 (comment)

Basically, the ideal end state to me is that we don't have a postinstall script when people install this package. pnpm disables the postinstall script by default and touts this as a security feature (which it is). Yarn mentions this in their docs:

Postinstall scripts should be avoided at all cost, as they make installs slower and riskier. Many users will refuse to install dependencies that have postinstall scripts. Additionally, since the output isn't shown out of the box, using them to print a message to the user will not work as you expect.

I don't know that the npm CLI has taken a stance on this, but given the multiple high-profile security incidents in the npm ecosystem in recent years, it's not unreasonable to expect them to address this.

For us, patch-package is the most difficult thing to remove. It's not feasible to tackle that in this PR, but the end goal of removing the postinstall script from the CLI package is definitely something we should consider.

@ivan-ottinger ivan-ottinger force-pushed the stu-1362-cli-npm-build-pipeline branch from 531f4cb to abf57d5 Compare March 5, 2026 14:23
@wpmobilebot
Copy link
Collaborator

wpmobilebot commented Mar 5, 2026
edited
Loading

📊 Performance Test Results

Comparing b8819dc vs trunk

site-editor

Metric trunk b8819dc Diff Change
load 1464.00 ms 1426.00 ms -38.00 ms ⚪ 0.0%

site-startup

Metric trunk b8819dc Diff Change
siteCreation 6092.00 ms 6099.00 ms +7.00 ms ⚪ 0.0%
siteStartup 3942.00 ms 3939.00 ms -3.00 ms ⚪ 0.0%

Results are median values from multiple test runs.

Legend: 🟢 Improvement (faster) | 🔴 Regression (slower) | ⚪ No change (<50ms diff)

@ivan-ottinger
Copy link
Contributor Author

ivan-ottinger commented Mar 5, 2026

We should reduce the postinstall script as much as possible. In a follow-up PR, we should consider even removing patch-package altogether.

I have created related issue: STU-1375.

@ivan-ottinger ivan-ottinger requested a review from Copilot March 6, 2026 09:16
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@ivan-ottinger ivan-ottinger requested a review from Copilot March 6, 2026 09:53
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@ivan-ottinger
Configure CLI build pipeline for npm publishing
bfc24f4 
Add a separate Vite config (vite.config.npm.ts) that externalizes all
runtime dependencies and adds a Node.js shebang, producing a standalone
CLI package publishable to npm as @automattic/studio-cli.

The existing Electron-bundled build (vite.config.ts) is unchanged.
@ivan-ottinger
Address Copilot review feedback
7a11d15 
- Remove unused `main` field (CLI-only package)
- Include source maps in `files` whitelist
- Use `npx --no-install` for deterministic postinstall
@ivan-ottinger
Remove redundant web WASM pruning (removed upstream in wordpress-play…
20d6efd 
…ground#3315)
@ivan-ottinger
Remove node_modules pruning from postinstall script
64fb5f6
@ivan-ottinger
Extract shared Vite config into vite.config.base.ts
336e809
@ivan-ottinger
Remove @studio/common deps from dependencies (bundled by Vite)
cb65de3
@ivan-ottinger
Rename package from @automattic/studio-cli to @automattic/wp-studio
8a40aee
@ivan-ottinger
Simplify externalDeps filter (no-op @studio/common exception removed)
14567b1
@ivan-ottinger
Fail loudly when patch-package fails during postinstall
aa2f5da
@ivan-ottinger
Use Rollup banner for shebang to preserve sourcemap accuracy
a8c6106
@ivan-ottinger
Deduplicate Node builtin externals in npm Vite config
b8819dc
@ivan-ottinger ivan-ottinger force-pushed the stu-1362-cli-npm-build-pipeline branch from 59e0919 to b8819dc Compare March 6, 2026 10:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wojtekn wojtekn wojtekn left review comments

Copilot code review Copilot Copilot left review comments

@fredrikekelund fredrikekelund Awaiting requested review from fredrikekelund

At least 1 approving review is required to merge this pull request.

Assignees

@ivan-ottinger ivan-ottinger

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ivan-ottinger @wpmobilebot @wojtekn @fredrikekelund