fix: correct stale tar.gz and --tarball references after zip default #1779

Merged: danielmeppiel merged 1 commit into microsoft:main from nadav-y:main, Jun 19, 2026
Conversation

nadav-y (Collaborator) commented Jun 15, 2026

Summary

  • docs/reference/cli/publish.md: {name}-{version}.tar.gz -> .zip, --tarball -> --zip, tarball root -> archive root, removed tar czf example, fixed ellipsis and em dashes to ASCII
  • docs/guides/registries.md: same fixes in the registries guide
  • docs/reference/registry-http-api.md: corrected publish format note (was incorrectly citing apm pack tar.gz; now cites apm publish zip with backwards-compat note)
  • packages/apm-guide/.apm/skills/apm-usage/package-authoring.md: .tar.gz -> .zip, tarball -> archive, --tarball -> --zip
  • packages/apm-guide/.apm/skills/apm-usage/workflow.md: mention .zip as default alongside legacy .tar.gz
  • src/apm_cli/commands/publish.py: module docstring (em dash + "tarball")
  • src/apm_cli/deps/registry/extractor.py: "tarball sha256 mismatch" -> "archive sha256 mismatch"
  • src/apm_cli/deps/registry/resolver.py: comment em dash + "tar.gz (default)"

Context

PR #1720 switched apm pack --archive and apm publish to produce .zip by default and added --archive-format zip|tar.gz. These doc and source references were missed in that PR and still described the old .tar.gz default or the removed --tarball flag.

Test plan

  • uv run --extra dev ruff check src/ tests/ -- clean
  • uv run --extra dev ruff format --check src/ tests/ -- clean
  • pylint R0801 duplication check -- 10.00/10
  • bash scripts/lint-auth-signals.sh -- clean
  • uv run pytest tests/unit tests/test_console.py -- 5358 passed, 1 pre-existing failure unrelated to this change

Copilot AI review requested due to automatic review settings June 15, 2026 11:22

Copilot AI left a comment

Contributor

Pull request overview

This PR cleans up stale .tar.gz / --tarball references after PR #1720 switched the default producer format to .zip, aligning docs and a few in-code strings/comments with the current packaging behavior.

Changes:

  • Update publish/registry documentation to describe .zip as the default archive and --zip as the override path.
  • Clarify the Registry HTTP API format expectations and backwards-compat acceptance for legacy tar.gz uploads.
  • Rename/adjust a couple of in-code references from “tarball” to “archive” for accuracy.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/apm_cli/deps/registry/resolver.py | Updates comment to reflect zip default + legacy tar.gz extraction support. |
| src/apm_cli/deps/registry/extractor.py | Renames sha256 mismatch message from “tarball” to “archive”. |
| src/apm_cli/commands/publish.py | Updates module docstring to refer to zip archive publish. |
| packages/apm-guide/.apm/skills/apm-usage/workflow.md | Documents .zip as default bundle format alongside legacy .tar.gz. |
| packages/apm-guide/.apm/skills/apm-usage/package-authoring.md | Updates registry publish packaging guidance to .zip / --zip. |
| docs/src/content/docs/reference/registry-http-api.md | Updates publish-format note and adds backwards-compat acceptance statement. |
| docs/src/content/docs/reference/cli/publish.md | Updates publish reference from tar.gz/--tarball to zip/--zip and ASCII punctuation. |
| docs/src/content/docs/guides/registries.md | Updates registry guide to reflect zip default and --zip. |

Comment thread docs/src/content/docs/reference/cli/publish.md Outdated
Comment thread docs/src/content/docs/reference/cli/publish.md Outdated
Comment thread docs/src/content/docs/reference/registry-http-api.md Outdated
@sergio-sisternes-epam sergio-sisternes-epam added the panel-review Trigger the apm-review-panel gh-aw workflow label Jun 16, 2026
@github-actions github-actions Bot mentioned this pull request Jun 16, 2026
@github-actions

APM Review Panel: ship_with_followups

Ship with followups: --package missing from 3 copy-paste examples (crash on run), 4 stale resolver error strings, missing zip-build guidance, and no --tarball migration note are the must-fix set.

cc @nadav-y @danielmeppiel @sergio-sisternes-epam -- a fresh advisory pass is ready for your review.

PR #1779 correctly executes its stated scope -- cleaning stale tar.gz and --tarball references across docs and strings after #1720's format change. No panelist found a blocking defect. Auth, performance, and security surfaces are confirmed clean. Supply-chain invariants (hash-before-extraction, path guards, fail-closed format dispatch) are intact across both zip and tar.gz paths. The sha256 mismatch behavioral contract is fully covered at unit tier by test_mismatch_raises; only the renamed message label is undefended, which test-coverage-expert correctly classified as a nit given that the label text is low-stakes relative to the behavioral promise.

Four convergent signals demand follow-up before the next release. First (three panelists: doc-writer, devx-ux-expert, oss-growth-hacker): --package is required=True in publish.py yet is omitted from _PUBLISH_HELP and from Custom layouts examples in registries.md and package-authoring.md -- every copy-pasted command immediately fails with 'Missing option --package'. This was introduced by this PR and is the highest-priority fix. Second (three panelists: python-architect, cli-logging-expert, doc-writer): four RegistryResolutionError strings in resolver.py at lines 98, 104, 363, and 369 still say 'registry tarball for' after extractor.py was correctly updated to 'archive sha256 mismatch' -- the PR missed the same class of fix in the same package. Third (three panelists: devx-ux-expert, doc-writer, oss-growth-hacker): the Custom layouts section removed the tar czf build example and replaced it with prose saying 'build the zip yourself' with no zip equivalent, leaving first-time publishers -- especially on Windows -- without actionable guidance. Fourth (devx-ux-expert, oss-growth-hacker): users with --tarball in CI pipelines will hit 'No such option: --tarball' with zero hint that the flag was renamed; a one-line migration note in the publish.md flag table is the minimum recovery path.

One strategic flag from devx-ux-expert -- making --package optional, inferred from apm.yml name: -- is out of scope for this cleanup PR but deserves a tracked issue. The npm/pip mental model argument is sound and aligns with our pragmatic-as-npm principle: 'apm publish' with no arguments on a manifest-holding project is a stronger publisher story than requiring an explicit --package that duplicates what the manifest already declares. This is not a blocker for #1779; it is a gap in APM's publish ergonomics that the next publish-surface PR should own.

Dissent. devx-ux-expert raised '--package should be optional, inferred from apm.yml name:' as a finding against this PR. The other panelists (doc-writer, oss-growth-hacker) addressed only the symptom by requesting --package be added to examples. I side with fixing the examples now and filing the design change as a separate tracked issue: making --package optional is a behavioral change requiring manifest-inference logic, and bundling it into a string-cleanup PR conflates cleanup with feature work. The test-coverage-expert returned a missing-evidence finding on test_mismatch_raises (no match= on 'archive sha256 mismatch'). The behavioral promise (fail closed on hash mismatch) IS fully covered; only the message label is undefended. I accept the nit classification -- the match= addition is worth a one-liner follow-up but does not block ship.

Aligned with: Pragmatic as npm (--package required when apm.yml name: already encodes identity undercuts the 'auto' publish story; fixing examples now, optional-flag design change as near-term follow-up). Portable by manifest (zip-by-default is a net portability win; missing zip-build guidance in Custom layouts partially undermines it for Windows users). Secure by default (hash-before-extraction, path traversal guards, and fail-closed format dispatch all confirmed intact). OSS community driven (copy-paste-crash examples and missing --tarball migration note are the two highest contributor-friction points introduced or entrenched by this PR).

Growth signal. Zip-by-default is a durable cross-platform positioning beat: 'publish from any OS without extra tools' resonates with Windows contributors and is a clean differentiation story worth amplifying in the next release post alongside the HTTP API correction. The copy-paste-crash examples and missing --tarball migration trail are the only friction points standing between this and a clean 'lowered the barrier to publishing' release note. Fix those two and the story writes itself.

Panel summary

| Persona | B | R | N | Takeaway |
| --- | --- | --- | --- | --- |
| Python Architect | 0 | 2 | 1 | Three source changes are architecturally sound; resolver.py module docstring + 4 user-visible error strings still say 'registry tarball' -- same class of fix as extractor.py. |
| CLI Logging Expert | 0 | 1 | 1 | ASCII replacements are correct; one em-dash missed in a user-facing ClickException in the same file; four resolver error strings still say 'tarball'. |
| DevX UX Expert | 0 | 4 | 1 | Four UX gaps: broken inline help examples, missing zip-build guidance, no --tarball migration signal, and --package inferability anti-pattern. |
| Supply Chain Security Expert | 0 | 0 | 2 | All five security invariants hold; no regressions. Hash-before-extraction, path guards, and fail-closed on format mismatch are all intact across both formats. |
| OSS Growth Hacker | 0 | 2 | 2 | Strong cross-platform win; two contributor-funnel gaps: missing zip-creation guidance and no --tarball migration trail. |
| Doc Writer | 0 | 3 | 2 | Format references correctly updated site-wide; two Custom layouts examples omit required --package; build-step guidance removed without zip equivalent; one 'replay' word choice regresses clarity. |
| Test Coverage Expert | 0 | 0 | 1 | PR is safe -- no test asserts old message strings; rename cannot break CI. HashMismatchError path exercised at unit tier but message text undefended (nit only). |

B = blocking-severity findings, R = recommended, N = nits.
Counts are signal strength, not gates. The maintainer ships.

Top 5 follow-ups

  1. [Doc Writer] Add --package OWNER/REPO to all _PUBLISH_HELP examples and to Custom layouts examples in registries.md and package-authoring.md -- Three panelists confirmed: --package is required=True; every example that omits it fails immediately with 'Missing option --package'. Copy-paste-crash is the worst possible first-publisher experience and was introduced by this PR. Trivial fix with high user-impact.
  2. [Python Architect] Replace 'registry tarball for' with 'registry archive for' in resolver.py RegistryResolutionError strings at lines 98, 104, 363, 369 -- Three panelists independently flagged this. The PR correctly updated extractor.py and missed the identical fix pattern in resolver.py. User-visible on every package validation failure; inconsistent with the extractor.py fix this PR ships.
  3. [DevX UX Expert] Add a cross-platform zip-build example to the Custom layouts section (e.g., python -m zipfile -c ./build/my-skill.zip apm.yml .apm/ or reference apm pack --archive-format zip) -- Three panelists flagged the removal of the tar czf build step with no replacement. First-time publishers on Windows are stranded with no actionable guidance.
  4. [OSS Growth Hacker] Add migration note '(renamed from --tarball in vX.Y)' to the --zip row in the publish.md flag table -- Two panelists flagged: CI pipelines using apm publish --tarball will break silently with 'No such option: --tarball'. A one-line breadcrumb prevents silent automation breakage for existing users.
  5. [CLI Logging Expert] Replace em-dash with '--' in the Forbidden ClickException message in publish.py line 272 -- The PR fixed em-dashes in logger.info() calls in the same file but missed this user-visible error message on 403 responses. Trivial one-character fix.

Architecture

classDiagram
    direction TB
    class publish_cmd {
        <<CLIEntryPoint>>
        +registry_name str
        +zip_path str
        +dry_run bool
    }
    class RegistryPackageResolver {
        <<DownloadCallback>>
        -_registries dict
        +download_package(dep_ref, target_path) PackageInfo
        +download_from_lockfile(...) PackageInfo
    }
    class extract_archive {
        <<Dispatcher>>
        +data bytes
        +content_type str
        +returns str
    }
    class verify_sha256 {
        <<SecurityGate>>
        +data bytes
        +expected_digest str
        +returns str
    }
    class HashMismatchError {
        <<Exception>>
    }
    class RegistryResolution {
        <<ValueObject>>
        +resolved_url str
        +resolved_hash str
        +version str
    }
    class RegistryClient {
        <<IOBoundary>>
        +publish_version(owner, repo, ver, bytes)
        +download_archive(owner, repo, ver)
    }
    class CommandLogger {
        +info(msg)
        +success(msg)
    }
    note for extract_archive "Strategy: dispatches to extract_zip (zip, default) or extract_tarball (legacy) via Content-Type + magic-bytes detection"
    note for verify_sha256 "Error message updated: 'archive sha256 mismatch' (format-agnostic)"
    publish_cmd ..> CommandLogger : logs via
    publish_cmd ..> RegistryClient : uploads via
    RegistryPackageResolver ..> RegistryClient : downloads via
    RegistryPackageResolver ..> extract_archive : calls
    RegistryPackageResolver ..> RegistryResolution : produces
    extract_archive ..> verify_sha256 : calls first
    extract_archive ..> HashMismatchError : raises
    verify_sha256 ..> HashMismatchError : raises
    class publish_cmd:::touched
    class RegistryPackageResolver:::touched
    class verify_sha256:::touched
    classDef touched fill:#fff3b0,stroke:#d47600
flowchart TD
    A([apm publish]) --> B{zip_path provided?}
    B -->|pre-built zip| C["read zip_path directly"]
    B -->|auto-pack| D["_pack_archive: zipfile.ZipFile\napm.yml + .apm/ -> name-ver.zip"]
    C --> E{dry_run?}
    D --> E
    E -->|dry run| F["logger: dry-run -- nothing uploaded"]
    E -->|upload| G["RegistryClient.publish_version\nPUT /v1/.../versions/ver"]
    H([apm install registry dep]) --> I["RegistryPackageResolver.download_package"]
    I --> J["RegistryClient.list_versions"]
    J --> K["_pick_version: semver best match"]
    K --> L["RegistryClient.download_archive"]
    L --> M["extract_archive dispatcher"]
    M --> N{"_detect_format\nContent-Type then magic bytes"}
    N -->|application/zip PK-magic default| O["extract_zip -> safe_extract_zip"]
    N -->|application/gzip 1f8b-magic legacy| P["extract_tarball -> _safe_extract"]
    O --> Q["verify_sha256\n'archive sha256 mismatch'"]
    P --> Q
    Q --> R["validate_apm_package -> RegistryResolution"]

Recommendation

PR #1779 is safe to merge: no blocking defects, security surfaces confirmed intact, and the core string-and-doc cleanup is correct and valuable. Ship it and open a follow-up PR -- or amend before merge if nadav-y is available -- that addresses the five items above. The --package-missing-in-examples fix and the four stale resolver error strings are the highest-priority items and are both trivial to patch. The --package optional-vs-required design question should be filed as a separate tracked issue, not held against this PR.


Full per-persona findings

Python Architect

  • [recommended] resolver.py module docstring (line 4) still says 'fetch its tarball' at src/apm_cli/deps/registry/resolver.py:4
    The PR correctly updated publish.py module docstring and extractor.py error string. The resolver.py module docstring line 4 still reads "fetch its tarball from the configured registry" -- the same class of stale reference. Misrepresents the wire format to maintainers reading the module header.
    Suggested: Change to 'fetch its archive (zip by default, legacy tar.gz via Content-Type dispatch) from the configured registry'

  • [recommended] Four user-visible RegistryResolutionError strings in resolver.py still say 'registry tarball for' at src/apm_cli/deps/registry/resolver.py:98
    Lines 98, 104, 363, 369 raise RegistryResolutionError with 'registry tarball for {repo!r} did not validate...'. Users who hit a package validation failure see this string. extractor.py was correctly updated from 'tarball' to 'archive'; the same reasoning applies here.
    Suggested: Replace 'registry tarball for' with 'registry archive for' at lines 98, 104, 363, 369.

  • [nit] resolver.py line 302 comment: 'registry serves the parent tarball' -- minor internal inconsistency at src/apm_cli/deps/registry/resolver.py:302
    Internal comment only; no user impact.
    Suggested: Change 'registry serves the parent tarball' to 'registry serves the parent archive'

CLI Logging Expert

  • [recommended] Em-dash not replaced in Forbidden ClickException in publish.py at src/apm_cli/commands/publish.py:272
    The PR replaced em-dash in logger.info() calls (lines 116, 126) and the module docstring but missed the Forbidden ClickException message at line 272. User-visible on 403 errors.
    Suggested: Change em-dash to '--' in the Forbidden ClickException message.

  • [nit] resolver.py RegistryResolutionError messages still say 'registry tarball for' at src/apm_cli/deps/registry/resolver.py
    Four user-visible strings at lines 98, 104, 363, 369 inconsistent with extractor.py fix in this PR.
    Suggested: Replace 'registry tarball for' with 'registry archive for'.

DevX UX Expert

  • [recommended] _PUBLISH_HELP inline examples omit --package but required=True causes them to crash at src/apm_cli/commands/publish.py
    publish.py lines 36-45 show four examples with no --package. Since --package is required=True, every one errors with 'Missing option --package'. The PR updated external docs but left _PUBLISH_HELP untouched.
    Suggested: Update _PUBLISH_HELP to include --package in every example.

  • [recommended] --package is required but inferrable from apm.yml name: field -- breaks npm/pip mental model at docs/src/content/docs/reference/cli/publish.md
    apm.yml already declares name: (e.g. acme/my-skill). npm, pip, cargo read identity from the manifest. Making --package required means the docs 'Auto-pack and publish' example requires an explicit flag that duplicates manifest data.
    Suggested: Make --package optional; infer from apm.yml name: when parseable as owner/repo. File as a tracked issue if not fixing in this PR.

  • [recommended] Custom layouts section says 'build the zip yourself' but removes all guidance on HOW at docs/src/content/docs/guides/registries.md
    Old example showed tar czf then publish. New example only shows the publish step. A user on Windows with no zip CLI is stranded.
    Suggested: Add python -m zipfile -c ./build/my-skill-0.0.1.zip apm.yml .apm/ or reference apm pack --archive-format zip as the cross-platform build step.

  • [recommended] No migration signal for users whose scripts use --tarball at docs/src/content/docs/reference/cli/publish.md
    Users with CI pipelines running apm publish --tarball PATH will get 'No such option: --tarball' with zero hint the flag was renamed.
    Suggested: Add '(renamed from --tarball in vX.Y)' to the --zip row in the publish.md flag table.

  • [nit] --zip PATH reads as a format toggle, not a file path argument at docs/src/content/docs/reference/cli/publish.md
    --archive PATH would match the 'archive' prose used throughout the updated docs and avoid the boolean-flag mental model.

Supply Chain Security Expert

  • [nit] Test comment in test_resolver_e2e_http.py still says 'Tarball with sha256 mismatch' at tests/unit/registry/test_resolver_e2e_http.py
    No security risk (no test asserts on the message string). Minor inconsistency with the renamed error.
    Suggested: Update comment to 'Archive with sha256 mismatch fails closed before any extraction'.

  • [nit] extract_tarball does not catch tarfile.ReadError like extract_zip catches BadZipFile at src/apm_cli/deps/registry/extractor.py
    Pre-existing issue; fail-closed behavior is correct. Inconsistent error surface, not introduced by this PR.
    Suggested: Wrap tarfile.open in extract_tarball with except tarfile.ReadError as exc: raise UnknownArchiveFormatError(...) to mirror the BadZipFile guard.

OSS Growth Hacker

  • [recommended] Custom layouts example drops the 'how to build the zip' step, leaving first-time publishers stranded at docs/src/content/docs/reference/cli/publish.md
    Old example showed full two-step flow: build archive then publish. New example only shows the publish step with a pre-built ./build/ path but no guidance on creating it.
    Suggested: Add zip -r ./build/my-skill-0.0.1.zip apm.yml SKILL.md or python -m zipfile equivalent before the apm publish --zip call.

  • [recommended] No migration breadcrumb for --tarball users; automation breakage with no in-docs recovery path at docs/src/content/docs/reference/cli/publish.md
    Users with --tarball in CI scripts get 'unknown option' with zero guidance.
    Suggested: Add '(renamed from --tarball in v0.x)' to the --zip row in the flag table.

  • [nit] Dropped 'matching npm behaviour' anchor loses trust bridge for npm-native contributors at docs/src/content/docs/guides/registries.md
    Suggested: Restore 'matching npm's behaviour' after the symlinks-excluded clause.

  • [nit] HTTP API ref update is a clean net-positive for 3rd-party registry implementers at docs/src/content/docs/reference/registry-http-api.md
    Worth amplifying in the next release post.

Auth Expert -- inactive

All changed files are documentation and cosmetic string updates with no contact with auth.py, token_manager.py, AuthResolver, credential resolution, host classification, or HTTP authorization headers.

Doc Writer

  • [recommended] Custom layouts examples missing required --package flag; commands fail at runtime at docs/src/content/docs/guides/registries.md
    registries.md and package-authoring.md Custom layouts examples omit --package OWNER/REPO which is required=True in publish.py. publish.md correctly includes --package on every invocation; the cross-page inconsistency was introduced by this PR.
    Suggested: Add --package acme/my-skill to the Custom layouts example in registries.md and package-authoring.md.

  • [recommended] Custom layouts section removes build-step example with no zip equivalent at docs/src/content/docs/guides/registries.md
    Old section showed tar czf to build a minimal archive from an explicit file list. New prose says 'build the zip yourself' but gives no example of how to do it.
    Suggested: Add zip -j my-skill-0.0.1.zip apm.yml SKILL.md or python -m zipfile equivalent before the apm publish --zip step.

  • [recommended] publish.py _PUBLISH_HELP shows 'apm publish' without --package; help text fails if copy-pasted at src/apm_cli/commands/publish.py
    _PUBLISH_HELP shows four examples all without --package. Since --package is required=True, all crash with 'Missing option --package'.
    Suggested: Update all _PUBLISH_HELP examples to include --package acme/my-skill.

  • [nit] 'Servers store and replay' is non-idiomatic; 'return' was clearer at docs/src/content/docs/reference/registry-http-api.md
    'Replay' carries media/streaming connotation; 'return' is standard for HTTP GET semantics.
    Suggested: Revert to 'Servers store and return whatever was uploaded'.

  • [nit] Section 9.4 conformance test still says 'tarball' -- inconsistent with updated narrative at docs/src/content/docs/reference/registry-http-api.md
    registry-http-api.md section 9.4 reads 'PUT with a tarball missing apm.yml -> 422'. Updated to zip/archive elsewhere on the same page.
    Suggested: Change 'PUT with a tarball missing apm.yml' to 'PUT with an archive missing apm.yml'.

Test Coverage Expert

  • [nit] test_mismatch_raises has no match= on the error text; renamed message 'archive sha256 mismatch' has no regression trap at tests/unit/registry/test_extractor.py
    Probed tests/ with grep: zero hits for either 'tarball sha256 mismatch' or 'archive sha256 mismatch'. test_mismatch_raises carries only pytest.raises(HashMismatchError) with no match=. The behavioral promise (fail closed on hash mismatch) IS fully covered; only the message label is undefended.
    Proof (missing at unit): tests/unit/registry/test_extractor.py::TestVerifySha256::test_mismatch_raises -- proves: HashMismatchError raised with message text 'archive sha256 mismatch'

Performance Expert -- inactive

All 8 changed files are documentation, docstrings, log strings, or a single comment -- none touch cache layout, transport, resolve/fetch/materialize/verify logic, parallelism, or any hot path.

This panel is advisory. It does not block merge. Re-apply the
panel-review label after addressing feedback to re-run.

Generated by PR Review Panel for issue #1779 · sonnet46 11.4M ·
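The three invariants the panel reports as intact (hash-before-extraction, fail-closed format dispatch, path guards) are shown below as an added Python example; it is not APM's code. All function and exception names, the sample archives, and the policy of rejecting a Content-Type that disagrees with the magic bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import stat
import tarfile
import zipfile
from pathlib import Path, PurePosixPath


class HashMismatch(Exception):
    pass


class UnsupportedFormat(Exception):
    pass


class UnsafeMember(Exception):
    pass


# Assumed mapping; the page names only application/zip and application/gzip.
DECLARED = {"application/zip": "zip", "application/gzip": "tar.gz"}


def check_sha256(data, expected_hex):
    """Gate 1: hash the raw bytes before any archive parser touches them."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise HashMismatch(f"archive sha256 mismatch: expected {expected_hex}, got {actual}")
    return actual


def detect_format(data, content_type=""):
    """Gate 2: Content-Type, then magic bytes; unknown or conflicting input is rejected."""
    declared = DECLARED.get((content_type or "").split(";")[0].strip().lower())
    if data.startswith((b"PK\x03\x04", b"PK\x05\x06")):
        sniffed = "zip"
    elif data.startswith(b"\x1f\x8b"):
        sniffed = "tar.gz"
    else:
        sniffed = None
    if sniffed is None or declared not in (None, sniffed):
        raise UnsupportedFormat(f"declared={declared!r} sniffed={sniffed!r}")
    return sniffed


def safe_target(dest, name):
    """Gate 3: resolve a member name under dest, refusing anything that escapes it."""
    parts = PurePosixPath(name.replace("\\", "/")).parts
    if name.startswith(("/", "\\")) or ".." in parts or (parts and ":" in parts[0]):
        raise UnsafeMember(f"path escapes archive root: {name!r}")
    root = Path(dest).resolve()
    target = root.joinpath(*parts).resolve()
    if target != root and root not in target.parents:
        raise UnsafeMember(f"path escapes archive root: {name!r}")
    return target


def _plan_zip(zf, dest):
    plan = []
    for info in zf.infolist():
        if stat.S_ISLNK(info.external_attr >> 16):
            raise UnsafeMember(f"symlink member: {info.filename!r}")
        plan.append((safe_target(dest, info.filename), info.is_dir(), lambda i=info: zf.read(i)))
    return plan


def _plan_tar(tf, dest):
    plan = []
    for m in tf.getmembers():
        if not (m.isfile() or m.isdir()):
            raise UnsafeMember(f"link or special member: {m.name!r}")
        plan.append((safe_target(dest, m.name), m.isdir(), lambda m=m: tf.extractfile(m).read()))
    return plan


def install_archive(data, content_type, expected_sha256, dest):
    """Verify, identify, validate every member, and only then write to disk."""
    check_sha256(data, expected_sha256)
    fmt = detect_format(data, content_type)
    try:
        if fmt == "zip":
            archive, planner = zipfile.ZipFile(io.BytesIO(data)), _plan_zip
        else:
            archive, planner = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz"), _plan_tar
    except (zipfile.BadZipFile, tarfile.ReadError) as exc:
        raise UnsupportedFormat(str(exc)) from exc
    root = Path(dest).resolve()
    written = []
    with archive:
        plan = planner(archive, dest)  # one bad member rejects the whole archive
        for target, is_dir, read in plan:
            (target if is_dir else target.parent).mkdir(parents=True, exist_ok=True)
            if not is_dir:
                target.write_bytes(read())
                written.append(target.relative_to(root).as_posix())
    return written


def make_zip(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Because every member is validated before the first write, a single traversal or symlink entry leaves the destination untouched rather than half-extracted.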

@github-actions github-actions Bot removed the panel-review Trigger the apm-review-panel gh-aw workflow label Jun 16, 2026
nadav-y added a commit to nadav-y/apm that referenced this pull request Jun 16, 2026
…default (microsoft#1779)

apm publish and apm pack --archive now produce .zip by default (microsoft#1720).
This commit cleans all remaining stale references and fixes five UX gaps
surfaced in the post-merge panel review.

Stale reference cleanup:
- docs/reference/cli/publish.md: .tar.gz -> .zip, --tarball -> --zip,
  tarball root -> archive root, remove tar czf example, fix ASCII
- docs/guides/registries.md: same fixes + add cross-platform zip-build
  example in Custom layouts section
- docs/reference/registry-http-api.md: correct publish format note
- packages/apm-guide/.apm/skills/apm-usage/package-authoring.md:
  .tar.gz -> .zip, tarball -> archive, --tarball -> --zip
- packages/apm-guide/.apm/skills/apm-usage/workflow.md: .zip as default
- src/apm_cli/commands/publish.py: module docstring + em dash + tarball
- src/apm_cli/deps/registry/extractor.py: "tarball sha256 mismatch"
  -> "archive sha256 mismatch"
- src/apm_cli/deps/registry/resolver.py: em dash + tar.gz default

Panel review fixes (post-merge):
- publish.py _PUBLISH_HELP: add --package to all four examples (required=True
  flag was missing from every example -- copy-paste crash)
- publish.py line 272: replace em dash with -- in Forbidden ClickException
  (user-visible on 403 responses; prior commit missed this one)
- resolver.py lines 98, 104, 363, 369: replace "registry tarball for" with
  "registry archive for" in RegistryResolutionError strings (same class of
  fix as extractor.py, missed in first pass)
- package-authoring.md: add --package to all publish examples
- registries.md Custom layouts: add --package + python -m zipfile build step
  (Windows users had no actionable guidance after tar czf example was removed)
- publish.md --zip row: add "(renamed from --tarball in v0.20.0)" migration
  note so CI pipelines using --tarball get a recovery path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nadav-y (Collaborator, Author) commented Jun 16, 2026

Review of APM Review Panel: ship_with_followups.
What was fixed:

  1. --package missing from _PUBLISH_HELP examples — required=True but all four inline help examples omitted it; copy-paste crash for every new user
  2. --package missing from package-authoring.md examples — same crash in the skill guide
  3. Em dash in Forbidden ClickException (publish.py line 272) — user-visible on 403 responses; prior commit fixed logger.info() calls in the same file but missed this one
  4. Four stale registry tarball for strings in resolver.py — same class of fix as extractor.py in the original PR, missed in the first pass; user-visible on every package validation failure
  5. Missing zip-build guidance in Custom layouts (registries.md) — removed tar czf example without replacing it; added python -m zipfile as a cross-platform alternative
  6. No --tarball migration note in publish.md — CI pipelines using apm publish --tarball hit No such option: --tarball with no recovery hint

What was omitted and why:

  1. --package optional (infer from apm.yml name:) — design change requiring manifest-inference logic; panel explicitly called it out-of-scope for a string-cleanup PR
  2. test_mismatch_raises match= — nit; behavioral coverage confirmed, message-text trap deferred
  3. registries.md Custom layouts --package — already fixed by commit 24f8ded before the panel ran; nothing to add

nadav-y added a commit that referenced this pull request Jun 16, 2026
When a default registry is configured (project registries.default or
registry.<name>.default true in ~/.apm/config.json), plain owner/repo#ref
shorthand entries in apm.yml route to that registry instead of probing
GitHub. A version selector (#<ref>) is required; omitting it exits 1.

Non-semver selectors (stable, main, a branch name, or any opaque string)
are exact-matched against the registry's published version list. Use the
git: URL form in apm.yml to force the GitHub path.

Also fixes registry deps with non-semver version selectors reporting
perpetual outdated -- the drift check now uses literal equality for
non-semver registry pins rather than range comparison.

Also corrects stale tar.gz/tarball refs and publish UX gaps after zip
default (#1779): bundles now accept .zip (default) or legacy .tar.gz.

Closes #1816

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nadav-y added a commit that referenced this pull request Jun 16, 2026
When a default registry is configured (project registries.default or
registry.<name>.default true in ~/.apm/config.json), plain owner/repo#ref
shorthand entries in apm.yml route to that registry instead of probing
GitHub. A version selector (#<ref>) is required; omitting it exits 1.

Non-semver selectors (stable, main, a branch name, or any opaque string)
are exact-matched against the registry's published version list. Use the
git: URL form in apm.yml to force the GitHub path.

Also fixes registry deps with non-semver version selectors reporting
perpetual outdated -- the drift check now uses literal equality for
non-semver registry pins rather than range comparison.

Also corrects stale tar.gz/tarball refs and publish UX gaps after zip
default (#1779): bundles now accept .zip (default) or legacy .tar.gz.

apm-spec-waiver: client-side routing heuristic, no new normative requirement on registries or producers; deferred to spec v0.2 registry-routing section

Closes #1816

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nadav-y added a commit that referenced this pull request Jun 18, 2026
When a default registry is configured (project registries.default or
registry.<name>.default true in ~/.apm/config.json), plain owner/repo#ref
shorthand entries in apm.yml route to that registry instead of probing
GitHub. A version selector (#<ref>) is required; omitting it exits 1.

Non-semver selectors (stable, main, a branch name, or any opaque string)
are exact-matched against the registry's published version list. Use the
git: URL form in apm.yml to force the GitHub path.

Also fixes registry deps with non-semver version selectors reporting
perpetual outdated -- the drift check now uses literal equality for
non-semver registry pins rather than range comparison.

Also corrects stale tar.gz/tarball refs and publish UX gaps after zip
default (#1779): bundles now accept .zip (default) or legacy .tar.gz.

apm-spec-waiver: client-side routing heuristic, no new normative requirement on registries or producers; deferred to spec v0.2 registry-routing section

Closes #1816

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pull Bot pushed a commit to alexravenna/apm that referenced this pull request Jun 19, 2026
…ed (microsoft#1816)

When a default registry is configured (project registries.default or
registry.<name>.default true in ~/.apm/config.json), plain owner/repo#ref
shorthand entries in apm.yml route to that registry instead of probing
GitHub. A version selector (#<ref>) is required; omitting it exits 1.

Non-semver selectors (stable, main, a branch name, or any opaque string)
are exact-matched against the registry's published version list. Use the
git: URL form in apm.yml to force the GitHub path.

Also fixes registry deps with non-semver version selectors reporting
perpetual outdated -- the drift check now uses literal equality for
non-semver registry pins rather than range comparison.

Also corrects stale tar.gz/tarball refs and publish UX gaps after zip
default (microsoft#1779): bundles now accept .zip (default) or legacy .tar.gz.

apm-spec-waiver: client-side routing heuristic, no new normative requirement on registries or producers; deferred to spec v0.2 registry-routing section

Closes microsoft#1816

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@danielmeppiel danielmeppiel added this pull request to the merge queue Jun 19, 2026
Merged via the queue into microsoft:main with commit ef2a251 Jun 19, 2026
15 checks passed