fix: compare npm tarballs before version bump

skulidropek · skulidropek · commit 3f9de83f6b11 · 2026-01-23T17:58:21.000+04:00
diff --git a/README.md b/README.md
@@ -99,7 +99,7 @@ jobs:
 | `readme_dest` | Destination path for README | No | `packages/app/README.md` |
 | `publish_npm` | Whether to publish to npm registry | No | `true` |
 | `publish_github_packages` | Whether to publish to GitHub Packages | No | `true` |
-| `skip_if_unchanged` | Skip version bump/publish if local package.json + dist match latest npm package | No | `false` |
+| `skip_if_unchanged` | Skip version bump/publish if the local npm tarball matches the latest published tarball (ignoring version/gitHead) | No | `false` |
 | `npm_token` | NPM authentication token | No (required if `publish_npm` is true) | - |
 | `github_token` | GitHub token for releases and packages | Yes | - |
 
@@ -117,7 +117,7 @@ jobs:
 1. **Checkout**: Checks out the repository at the specified ref
 2. **Setup**: Configures pnpm and Node.js environment
 3. **Dependencies**: Installs project dependencies
-4. **Optional compare**: When `skip_if_unchanged` is true, compares local `package.json` + `dist` with the latest npm package and skips release if identical
+4. **Optional compare**: When `skip_if_unchanged` is true, compares the local npm tarball with the latest published tarball (ignoring version/gitHead) and skips release if identical
 5. **Changeset**: Creates automatic changeset if none exists
 6. **Version**: Bumps package version using changesets
 7. **Commit**: Commits version changes back to the branch
diff --git a/SETUP.md b/SETUP.md
@@ -95,7 +95,7 @@ permissions:
 
 ### Optional Behavior
 
-- `skip_if_unchanged` - When enabled, the action compares local `package.json` + `dist` with the latest npm package and skips the release if identical. For private npm packages, provide `NPM_TOKEN` so the comparison can fetch the published tarball.
+- `skip_if_unchanged` - When enabled, the action compares the local npm tarball with the latest published tarball (ignoring version/gitHead) and skips the release if identical. For private npm packages, provide `NPM_TOKEN` so the comparison can fetch the published tarball.
 
 ### Action Permissions Policy
 
diff --git a/action.yml b/action.yml
@@ -109,8 +109,6 @@ runs:
         set -euo pipefail
         PKG_PATH="${{ inputs.package_json_path }}"
         PKG_DIR="$(dirname "$PKG_PATH")"
-        LOCAL_PKG="${PKG_PATH}"
-        LOCAL_DIST="${PKG_DIR}/dist"
         PKG_NAME="$(node -p "require('./${PKG_PATH}').name")"
 
         if [ -n "${{ inputs.npm_token }}" ]; then
@@ -123,34 +121,41 @@ runs:
           exit 0
         fi
 
-        if ! TARBALL="$(npm pack "${PKG_NAME}@${LATEST_VERSION}" --silent 2>/dev/null)"; then
+        TMP_DIR="$(mktemp -d)"
+        trap 'rm -rf "$TMP_DIR"' EXIT
+
+        if ! REMOTE_TARBALL="$(npm pack "${PKG_NAME}@${LATEST_VERSION}" --silent --pack-destination "$TMP_DIR" 2>/dev/null)"; then
           echo "Unable to download ${PKG_NAME}@${LATEST_VERSION}; proceeding with release."
           echo "should_release=true" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        TMP_DIR="$(mktemp -d)"
-        trap 'rm -rf "$TMP_DIR"' EXIT
-        tar -xzf "$TARBALL" -C "$TMP_DIR"
-        rm -f "$TARBALL"
-
-        REMOTE_DIR="${TMP_DIR}/package"
-        REMOTE_PKG="${REMOTE_DIR}/package.json"
-        REMOTE_DIST="${REMOTE_DIR}/dist"
-
-        if [ ! -f "$REMOTE_PKG" ]; then
-          echo "Remote package.json missing; proceeding with release."
+        if ! LOCAL_TARBALL="$(cd "$PKG_DIR" && npm pack --silent --pack-destination "$TMP_DIR")"; then
+          echo "Unable to pack local ${PKG_NAME}; proceeding with release."
           echo "should_release=true" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        if [ ! -d "$LOCAL_DIST" ] || [ ! -d "$REMOTE_DIST" ]; then
-          echo "Missing dist folder for comparison; proceeding with release."
+        LOCAL_DIR="${TMP_DIR}/local"
+        REMOTE_DIR="${TMP_DIR}/remote"
+        mkdir -p "$LOCAL_DIR" "$REMOTE_DIR"
+
+        tar -xzf "${TMP_DIR}/${LOCAL_TARBALL}" -C "$LOCAL_DIR"
+        tar -xzf "${TMP_DIR}/${REMOTE_TARBALL}" -C "$REMOTE_DIR"
+
+        LOCAL_PKG="${LOCAL_DIR}/package/package.json"
+        REMOTE_PKG="${REMOTE_DIR}/package/package.json"
+
+        if [ ! -f "$LOCAL_PKG" ] || [ ! -f "$REMOTE_PKG" ]; then
+          echo "package.json missing in tarball; proceeding with release."
           echo "should_release=true" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        if diff -q "$LOCAL_PKG" "$REMOTE_PKG" >/dev/null 2>&1 && diff -qr "$LOCAL_DIST" "$REMOTE_DIST" >/dev/null 2>&1; then
+        node -e "const fs=require('fs');const p=process.argv[1];const pkg=JSON.parse(fs.readFileSync(p,'utf8'));delete pkg.gitHead;pkg.version='0.0.0';fs.writeFileSync(p, JSON.stringify(pkg, null, 2)+'\n');" "$LOCAL_PKG"
+        node -e "const fs=require('fs');const p=process.argv[1];const pkg=JSON.parse(fs.readFileSync(p,'utf8'));delete pkg.gitHead;pkg.version='0.0.0';fs.writeFileSync(p, JSON.stringify(pkg, null, 2)+'\n');" "$REMOTE_PKG"
+
+        if diff -qr "$LOCAL_DIR/package" "$REMOTE_DIR/package" >/dev/null 2>&1; then
           echo "::notice::No changes compared to ${PKG_NAME}@${LATEST_VERSION}. Skipping release."
           echo "should_release=false" >> "$GITHUB_OUTPUT"
         else
