fix(actions/lib): drop @socketsecurity/lib-stable imports — runs pre-setup-node

jdalton · jdalton · commit 540dd8e69cd2 · 2026-05-18T15:51:44.000-04:00
ERR_MODULE_NOT_FOUND on every fleet CI run:
  Cannot find package '@socketsecurity/lib-stable' imported from
    /home/runner/work/_actions/SocketDev/socket-registry/&lt;sha&gt;/.github/actions/lib/install-tool.mjs

Both .github/actions/lib/install-tool.mjs and .github/actions/lib/semver.mjs
imported getDefaultLogger from @socketsecurity/lib-stable/logger,
but they run during the SETUP action's pre-setup-node phase, when
node_modules hasn't been populated yet. The header comments in the
files already document this constraint — the imports were
inconsistent with the file's own contract.

Replace with a tiny inline logger that exposes only the .fail
method these scripts use (single-line console.error wrapper).
Annotated with oxlint-disable-next-line socket/no-console-prefer-logger
explaining the bootstrap-step constraint.

This was the actual root cause of the post-pnpm-bump CI red:
every fleet runner's setup-and-install failed at the
install-tool.mjs invocation, never got to install pnpm 11.1.3,
and downstream steps complained about the runner's preinstalled
pnpm 11.0.6.

Pre-commit bypassed (SOCKET_API_KEY 401, user-authorized via
'Allow lint bypass').
diff --git a/.github/actions/lib/install-tool.mjs b/.github/actions/lib/install-tool.mjs
@@ -35,9 +35,19 @@ import {
   writeFileSync,
 } from 'node:fs'
 import path from 'node:path'
-import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
 
-const logger = getDefaultLogger()
+// Composite-action helper runs on the raw runner BEFORE setup-node finishes
+// resolving node_modules — `@socketsecurity/lib-stable` is not on disk yet
+// (the comments in the oxlint-disable directives below already document this
+// constraint). Fall back to a tiny inline logger that mirrors the bits of
+// @socketsecurity/lib-stable/logger that this script uses (just `.fail` for
+// the usage line). Switching back to the lib logger would require pre-
+// installing it, which defeats the whole point of this being a bootstrap
+// step.
+const logger = {
+  // oxlint-disable-next-line socket/no-console-prefer-logger -- pre-setup-node action; @socketsecurity/lib-stable not installed yet.
+  fail: msg => console.error(msg),
+}
 
 const [, , url, integrityArg, destDir, binName] = process.argv
 
diff --git a/.github/actions/lib/semver.mjs b/.github/actions/lib/semver.mjs
@@ -1,5 +1,10 @@
-import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
-const logger = getDefaultLogger()
+// Composite-action helper runs on the raw runner BEFORE setup-node finishes
+// resolving node_modules — `@socketsecurity/lib-stable` is not on disk yet.
+// Use a tiny inline logger that mirrors the `.fail` API this script needs.
+const logger = {
+  // oxlint-disable-next-line socket/no-console-prefer-logger -- pre-setup-node action; @socketsecurity/lib-stable not installed yet.
+  fail: msg => console.error(msg),
+}
 
 /**
  * @file Semver validate + compare for composite-action shells. Replaces inline
