feat(e2e): claude-code smoke with Zstd + tar.gz + archive verify (#12)

* feat(e2e): claude-code smoke with Zstd + tar.gz + archive verify

- Add `Zstd` to the compress-node enum (core/inputs.ts), regenerate
  action.yml / packages/build/action.yml / docs/inputs.md, rebundle
  dist. Zstd requires Node.js >= 22.15 on the build host.
- New `claude-code-smoke` e2e job: installs @anthropic-ai/claude-code
  from npm, builds via SEA mode with compress-node=Zstd + tar.gz +
  sha256 on ubuntu-x64/arm64, macos-arm64, windows-x64. Runs the
  binary with `claude --version`, then recomputes the sha256 against
  the sidecar and extracts the tarball to re-verify --version on the
  archived copy.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(e2e): pin claude-code 2.1.114 (last pure-JS) + pkg 6.18 for Zstd

- @anthropic-ai/claude-code >= 2.1.117 ships as a thin wrapper that
  delegates to a native binary via optionalDependencies; pkg can't
  bundle that. Pin 2.1.114, the last release whose `bin.claude`
  points at a real `cli.js`.
- pkg 6.17 is the first yao-pkg/pkg to accept `--compress Zstd`; the
  action's default pkg-version (~6.16.0) rejected it with "Invalid
  compression algorithm Zstd". Override to ~6.18.0 for this job.
- Resolve `pkg.bin.claude` explicitly (instead of Object.values()[0])
  so a future per-OS alias can't steer us at the wrong entrypoint.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(e2e): pin claude-code 2.1.112 + print binary output on non-zero exit

- 2.1.113 already switched @anthropic-ai/claude-code from a pure-JS
  cli.js entrypoint to a native-binary wrapper (bin/claude.exe). My
  earlier pin of 2.1.114 landed inside the new layout, so pkg was
  compiling a shell-script placeholder that errors at runtime. 2.1.112
  is the last pure-JS release — verified locally with SEA+Zstd: builds
  in ~20s, binary runs and prints "2.1.112 (Claude Code)" on --version.
- Previous `--version` step captured output via `out=$(... 2>&1)` under
  `set -e`, which aborted before echoing when the binary exited non-
  zero (as it did on every runner). Suspend `set -e` around the capture
  so the logs actually show what the binary printed.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(archive): drop --mtime on bsdtar; strip sha256sum backslash-escape

Surfaced by the new claude-code-smoke e2e:

- macOS: the macos-latest runner's bsdtar rejects `--mtime` outright
  with "Option --mtime is not supported", even though upstream
  libarchive accepts it. The action was always passing --mtime; tiny-
  cjs never hit this because its macOS matrix entry uses zip. Keep
  --mtime on GNU tar (linux) only; rely on the utimes pre-pin for
  bsdtar paths (archive() is single-file, so the header inherits that
  mtime). Test updated to assert --mtime presence only on linux.

- Windows: git-bash's `sha256sum` escapes the output line with a
  leading backslash when the filename contains backslashes (Windows
  paths), per GNU coreutils convention. The e2e's verify step was
  comparing `\<digest>` against the sidecar's clean hex. Strip the
  leading backslash via sed before parsing.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(e2e): cygpath archive/extract paths on Windows before tar

GNU tar from git-bash parses `D:\a\...` as a remote host:path target
(colon-separated rsh syntax), producing:
    tar (child): Cannot connect to D: resolve failed

Convert any Windows drive-letter path to the POSIX form (`/d/a/...`)
via cygpath before invoking tar. No-op on Linux/macOS — falls back to
echo when cygpath isn't on PATH. --version + sha256 sidecar check
already passed on Windows in the previous run; this unblocks the
tar-round-trip tail.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* chore(e2e): trip-wire for non-JS claude bin + cygpath fixture path

Review follow-ups on #12:

- Guard the pin: assert the resolved bin entry is a JS file (.js/.mjs/
  .cjs) before patching it into the fixture package.json. If the
  @anthropic-ai/claude-code pin ever drifts past 2.1.112 into the
  native-binary wrapper layout (bin → bin/claude.exe shell-script
  placeholder), fail loudly rather than bundling garbage.
- Replace the ad-hoc `${fix//\\//}` backslash-strip with the same
  cygpath helper used in the verify step, so the fixture path emitted
  to GITHUB_OUTPUT is always POSIX-form on Windows git-bash.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* revert(e2e): restore drive-letter fixture path; cygpath was Node-incompatible

Reverting the $fix cygpath conversion from 3fca6c7. cygpath -u emits
POSIX form (/d/a/...), which GNU tar in git-bash handles correctly
but Node's fs on Windows misparses as drive-relative, producing paths
like D:\d\a\_temp\... and failing with ENOENT. The composite's build
step is Node-based, not shell-tar-based, so it wants the drive-letter-
plus-forward-slash form (D:/a/...) that ${fix//\\//} produces.

cygpath stays in the verify step where tar is the consumer — different
tool, different path convention.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* feat(build): drop duplicate pkg log + group per-target logs with timings

Surfaced by matrix e2e debugging: the orchestrator emitted every pkg
argv twice (once as "[pkg-action] pkg …" in main.ts, once as
"[pkg-action] Invoking: …" from the runner) and was silent through the
finalize stages — no signal for when archive started, when the
checksum was computed, or which shasum files were written.

- Drop the main.ts pre-log; runPkg's "Invoking:" already carries the
  command path, and GH Actions renders the raw `[command]` line too,
  so three copies was overkill.
- Log pkg wall time after runPkg completes.
- Group the per-target finalize loop under a `logger.startGroup` so
  each target collapses into its own fold in the GH Actions UI —
  matters for matrix runs where 4+ targets interleave.
- Add explicit archive/checksum progress lines with sizes + timings
  (`archive → …`, `archived … (17.8 MB, 4.2s)`, `sha256 <digest>
  <file>`) so any downstream verification failure trivially diffs
  against the build log.
- Log each SHASUMS file as it's written, with entry count.
- Include overall wall time in the final "done" line.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* feat(build): group pkg invocation in its own log fold

The pkg CLI emits ~15–30 lines per build (Walking dependencies, node
download/extract, SEA asset generation, blob injection, strip warnings)
and the GH-Actions exec shim adds `[command]` echo on top. On a multi-
target run all of that interleaved with finalize output is hard to
skim.

Wrap runPkg in startGroup/endGroup with a header that names the target
list, so reviewers see a single collapsible "pkg build (targets=…)"
block followed by the one-line wall-time summary. Same pattern we
already use for the per-target finalize blocks.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

Author: robertsLando

.github/workflows/e2e.yml

@@ -250,3 +250,204 @@ jobs:
           [ -f "$bin" ] || { echo "::error::binary missing: $bin"; exit 1; }
           echo "Checking $bin"
           node --experimental-strip-types .github/scripts/assert-windows-metadata.ts "$bin"
+
+  # ──────────────────────────────────────────────────────────────────────
+  # Real-world smoke: pull @anthropic-ai/claude-code from npm, build a
+  # native binary per runner OS/arch with Zstd-compressed pkg payload +
+  # tar.gz archive, execute the binary with --version, then verify the
+  # archive round-trips and the sha256 sidecar matches the archive bytes.
+  #
+  # claude-code is ESM, so mode: sea (standard pkg can't bytecode-compile
+  # ESM). Each matrix entry builds for the runner's native target so the
+  # produced binary can be launched in-place for the smoke assertion,
+  # giving real cross-OS + cross-arch coverage (x64 and arm64 on Linux,
+  # arm64 on macOS, x64 on Windows). Zstd bundled-binary compression
+  # requires Node.js >= 22.15 on the build host; .node-version is 22.22.
+  claude-code-smoke:
+    name: claude-code-smoke / ${{ matrix.os }} / ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: node22-linux-x64
+          - os: ubuntu-24.04-arm
+            target: node22-linux-arm64
+          - os: macos-latest
+            target: node22-macos-arm64
+          - os: windows-latest
+            target: node22-win-x64
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: .node-version
+
+      - name: Prepare claude-code fixture
+        id: fix
+        shell: bash
+        run: |
+          set -euo pipefail
+          fix="${RUNNER_TEMP}/claude-code-fixture"
+          mkdir -p "$fix"
+          cd "$fix"
+          npm init -y >/dev/null
+          # Pin 2.1.112 — the last pure-JS release of
+          # @anthropic-ai/claude-code. Starting at 2.1.113 the package
+          # ships as a thin wrapper around a native binary distributed
+          # via platform optionalDependencies (bin points to a shell-
+          # script placeholder like `bin/claude.exe`), which pkg can't
+          # meaningfully bundle. --ignore-scripts skips the postinstall
+          # native-binary fetcher — irrelevant for 2.1.112 but a cheap
+          # guardrail if the pin ever drifts.
+          npm install --omit=dev --ignore-scripts @anthropic-ai/[email protected]
+          # Resolve the package's `claude` bin entry. Prefer the named
+          # 'claude' key so we don't accidentally pick a future per-OS
+          # alias (e.g. 'claude.exe') that would break pkg on Linux.
+          entry=$(node -e "
+            const path = require('path');
+            const pkgPath = require.resolve('@anthropic-ai/claude-code/package.json', { paths: [process.cwd()] });
+            const pkgDir = path.dirname(pkgPath);
+            const pkg = require(pkgPath);
+            const bin = typeof pkg.bin === 'string'
+              ? pkg.bin
+              : (pkg.bin && pkg.bin.claude) || Object.values(pkg.bin || {})[0];
+            if (!bin) throw new Error('claude bin not found in package.json');
+            console.log(path.relative(process.cwd(), path.resolve(pkgDir, bin)).split(path.sep).join('/'));
+          ")
+          echo "entry=$entry"
+          # Trip-wire: if the pin ever drifts to a claude-code version
+          # that again points `bin.claude` at a shell-script placeholder
+          # (bin/claude.exe), fail loudly here rather than letting pkg
+          # silently bundle a non-JS file.
+          case "$entry" in
+            *.js|*.mjs|*.cjs) ;;
+            *) echo "::error::claude bin is not a JS entrypoint ($entry) — pin may have drifted past 2.1.112"; exit 1 ;;
+          esac
+          node -e "
+            const fs = require('fs');
+            const p = './package.json';
+            const pkg = JSON.parse(fs.readFileSync(p, 'utf8'));
+            pkg.bin = './' + process.argv[1];
+            pkg.pkg = {
+              assets: ['node_modules/@anthropic-ai/claude-code/**/*']
+            };
+            fs.writeFileSync(p, JSON.stringify(pkg, null, 2));
+          " "$entry"
+          cat ./package.json
+          # Emit drive-letter + forward-slash form (e.g. `D:/a/_temp/…`).
+          # The downstream composite is Node-based: Node's fs resolves
+          # `D:/a/…` correctly on Windows but mis-parses cygpath's POSIX
+          # form (`/d/a/…`) as drive-relative, yielding `D:\d\a\…`.
+          echo "fixture=${fix//\\//}" >> "$GITHUB_OUTPUT"
+
+      - name: Build claude binary
+        id: build
+        uses: ./
+        with:
+          config: ${{ steps.fix.outputs.fixture }}/package.json
+          targets: ${{ matrix.target }}
+          mode: sea
+          compress-node: Zstd
+          # Zstd landed in @yao-pkg/pkg 6.17. The action's default
+          # (~6.16.0) predates it, so pin a Zstd-capable version.
+          pkg-version: ~6.18.0
+          compress: tar.gz
+          checksum: sha256
+          filename: 'claude-{version}-{os}-{arch}'
+
+      - name: Run claude --version
+        shell: bash
+        run: |
+          set -uo pipefail
+          bin=$(echo '${{ steps.build.outputs.binaries }}' | jq -r '.[0]')
+          [ -f "$bin" ] || { echo "::error::binary missing: $bin"; exit 1; }
+          chmod +x "$bin" || true
+          # Capture without `set -e` so stderr-carrying, non-zero exits
+          # still print the output for diagnosis.
+          out=$("$bin" --version 2>&1)
+          status=$?
+          echo "--- claude --version (exit=$status) ---"
+          echo "$out"
+          echo "--- end ---"
+          [ "$status" -eq 0 ] || { echo "::error::claude --version exited $status"; exit 1; }
+          # claude --version prints a semver-shaped string. Enforce the
+          # shape to catch silent regressions where the binary boots but
+          # spits an unrelated banner.
+          echo "$out" | grep -qE '[0-9]+\.[0-9]+\.[0-9]+' || {
+            echo "::error::unexpected --version output"; exit 1;
+          }
+
+      - name: Verify tar.gz archive + sha256 sidecar
+        shell: bash
+        run: |
+          set -euo pipefail
+          # GNU tar in git-bash parses `D:\a\...` / `D:/a/...` as
+          # host:path (colon-separated remote rsh target). cygpath
+          # converts to the POSIX form (`/d/a/...`) that GNU tar treats
+          # as a local absolute path. No-op on Linux/macOS.
+          to_posix() {
+            if command -v cygpath >/dev/null 2>&1; then
+              cygpath -u "$1"
+            else
+              echo "$1"
+            fi
+          }
+          archive=$(to_posix "$(echo '${{ steps.build.outputs.artifacts }}' | jq -r '.[0]')")
+          [ -f "$archive" ] || { echo "::error::archive missing: $archive"; exit 1; }
+          case "$archive" in
+            *.tar.gz) ;;
+            *) echo "::error::expected .tar.gz archive, got: $archive"; exit 1 ;;
+          esac
+
+          # Sidecar must exist and carry a 64-hex-char sha256 + the archive
+          # basename. Recompute the digest locally and compare byte-for-byte
+          # against the sidecar so we catch any post-build tampering.
+          sidecar="${archive}.sha256"
+          [ -f "$sidecar" ] || { echo "::error::missing checksum sidecar: $sidecar"; exit 1; }
+          recorded=$(awk 'NR==1 { print $1 }' "$sidecar")
+          [ "${#recorded}" -eq 64 ] || { echo "::error::malformed sha256 in sidecar: $recorded"; exit 1; }
+          # sha256sum on git-bash prefixes the whole line with a literal
+          # backslash when the filename contains backslashes (Windows
+          # paths), per GNU coreutils' name-escape convention — strip it
+          # before comparing against the sidecar's clean hex digest.
+          if command -v sha256sum >/dev/null 2>&1; then
+            actual=$(sha256sum "$archive" | sed 's/^\\//' | awk '{print $1}')
+          else
+            actual=$(shasum -a 256 "$archive" | awk '{print $1}')
+          fi
+          if [ "$recorded" != "$actual" ]; then
+            echo "::error::sha256 mismatch — sidecar=$recorded actual=$actual"; exit 1
+          fi
+          echo "sidecar sha256 OK: $recorded"
+
+          # Tar round-trip: extract into a scratch dir, confirm the binary
+          # lands inside, then run --version on the extracted copy so we
+          # know the archive itself — not just the pre-archive binary — is
+          # usable.
+          extract=$(to_posix "${RUNNER_TEMP}/claude-extract")
+          rm -rf "$extract"
+          mkdir -p "$extract"
+          tar -tzf "$archive" >/dev/null
+          tar -xzf "$archive" -C "$extract"
+
+          bin_basename=$(basename "$(echo '${{ steps.build.outputs.binaries }}' | jq -r '.[0]')")
+          extracted_bin=$(find "$extract" -type f -name "$bin_basename" | head -n 1)
+          [ -n "$extracted_bin" ] || { echo "::error::extracted tar missing $bin_basename"; exit 1; }
+          chmod +x "$extracted_bin" || true
+          # Temporarily suspend `set -e` so non-zero exits still print
+          # the captured output for diagnosis.
+          set +e
+          out=$("$extracted_bin" --version 2>&1)
+          status=$?
+          set -e
+          echo "--- extracted $extracted_bin --version (exit=$status) ---"
+          echo "$out"
+          echo "--- end ---"
+          [ "$status" -eq 0 ] || { echo "::error::extracted binary exited $status"; exit 1; }
+          echo "$out" | grep -qE '[0-9]+\.[0-9]+\.[0-9]+' || {
+            echo "::error::extracted binary produced unexpected output"; exit 1;
+          }

action.yml

@@ -22,7 +22,7 @@ inputs:
     description: 'pkg''s bundled Node.js major (e.g. 22, 24). Does not affect the action''s own Node runtime.'
     default: '22'
   compress-node:
-    description: 'pkg''s bundled-binary compression: Brotli | GZip | None.'
+    description: 'pkg''s bundled-binary compression: Brotli | GZip | Zstd | None. Zstd requires Node.js >= 22.15 on the build host.'
     default: 'None'
   fallback-to-source:
     description: 'Pass pkg --fallback-to-source for bytecode-fabricator failures.'

docs/inputs.md

@@ -13,7 +13,7 @@ Every `pkg-action` input, grouped by category.
 | `targets` | — | no | no | Comma- or newline-separated pkg target triples, e.g. node22-linux-x64,node22-macos-arm64. Defaults to the host target. |
 | `mode` | `standard` | no | no | standard \| sea — selects pkg Standard or SEA mode. |
 | `node-version` | `22` | no | no | pkg's bundled Node.js major (e.g. 22, 24). Does not affect the action's own Node runtime. |
-| `compress-node` | `None` | no | no | pkg's bundled-binary compression: Brotli \| GZip \| None. |
+| `compress-node` | `None` | no | no | pkg's bundled-binary compression: Brotli \| GZip \| Zstd \| None. Zstd requires Node.js >= 22.15 on the build host. |
 | `fallback-to-source` | `false` | no | no | Pass pkg --fallback-to-source for bytecode-fabricator failures. |
 | `public` | `false` | no | no | Pass pkg --public (ships sources as plaintext). |
 | `public-packages` | — | no | no | Comma-separated package names to mark public (pkg --public-packages). |

packages/build/action.yml

@@ -19,7 +19,7 @@ inputs:
     description: 'pkg''s bundled Node.js major (e.g. 22, 24). Does not affect the action''s own Node runtime.'
     default: '22'
   compress-node:
-    description: 'pkg''s bundled-binary compression: Brotli | GZip | None.'
+    description: 'pkg''s bundled-binary compression: Brotli | GZip | Zstd | None. Zstd requires Node.js >= 22.15 on the build host.'
     default: 'None'
   fallback-to-source:
     description: 'Pass pkg --fallback-to-source for bytecode-fabricator failures.'