fix(ci): harden error handling across CI/CD workflows

- Align FFmpeg version to n8.0 across workflow and Dockerfiles
- Add post-loop check for FFmpeg git clone retry
- Add CI completion verification before release artifact download
- Add tarball integrity validation before extraction
- Add set -e to shell scripts for fail-fast behavior
- Fix error suppression patterns that hide failures
- Add version extraction validation
- Define PLATFORMS env variable to avoid hardcoded lists

Author: pproenca

.github/workflows/build-ffmpeg.yml

@@ -52,7 +52,7 @@ env:
   LIBAOM_VERSION: 'v3.12.1'
   OPUS_VERSION: '1.5.2'
   LAME_VERSION: '3.100'
-  FFMPEG_VERSION: 'n7.1.3'
+  FFMPEG_VERSION: 'n8.0'
   # npm scope for platform packages
   NPM_SCOPE: '@pproenca/ffmpeg'
   # Bump this to invalidate all caches
@@ -103,7 +103,13 @@ jobs:
           docker cp extract:/build/lib/. artifacts/linux-x64/lib/
           docker cp extract:/build/include/. artifacts/linux-x64/include/
 
-          docker rm extract
+          docker rm -f extract 2>/dev/null || true
+
+          # Verify extraction succeeded
+          if [ ! -f artifacts/linux-x64/bin/ffmpeg ]; then
+            echo "ERROR: ffmpeg binary not extracted from container"
+            exit 1
+          fi
 
           # Verify static linking
           echo "Verifying static binary..."
@@ -112,7 +118,10 @@ jobs:
 
           # Get version info
           chmod +x artifacts/linux-x64/bin/ffmpeg
-          ./artifacts/linux-x64/bin/ffmpeg -version > artifacts/linux-x64/version.txt 2>&1 || true
+          ./artifacts/linux-x64/bin/ffmpeg -version > artifacts/linux-x64/version.txt 2>&1 || {
+            echo "WARNING: ffmpeg binary failed to execute - binary may be broken"
+            echo "Continuing anyway as version.txt is informational"
+          }
 
           # Verify dev files extracted
           echo "=== Library files ==="
@@ -178,7 +187,13 @@ jobs:
           docker cp extract-glibc:/build/lib/. artifacts/linux-x64-glibc/lib/
           docker cp extract-glibc:/build/include/. artifacts/linux-x64-glibc/include/
 
-          docker rm extract-glibc
+          docker rm -f extract-glibc 2>/dev/null || true
+
+          # Verify extraction succeeded
+          if [ ! -f artifacts/linux-x64-glibc/bin/ffmpeg ]; then
+            echo "ERROR: ffmpeg binary not extracted from container"
+            exit 1
+          fi
 
           # Verify glibc linking (should show libc.so.6)
           echo "Verifying glibc binary..."
@@ -187,7 +202,10 @@ jobs:
 
           # Get version info
           chmod +x artifacts/linux-x64-glibc/bin/ffmpeg
-          ./artifacts/linux-x64-glibc/bin/ffmpeg -version > artifacts/linux-x64-glibc/version.txt 2>&1 || true
+          ./artifacts/linux-x64-glibc/bin/ffmpeg -version > artifacts/linux-x64-glibc/version.txt 2>&1 || {
+            echo "WARNING: ffmpeg binary failed to execute - binary may be broken"
+            echo "Continuing anyway as version.txt is informational"
+          }
 
           # Verify dev files extracted
           echo "=== Library files ==="
@@ -275,7 +293,7 @@ jobs:
 
           # Try primary source with retries, fallback to GitHub mirror
           NASM_FROM_GITHUB=false
-          if curl -fSL --retry 3 --retry-delay 5 "$NASM_URL" -o nasm.tar.bz2 2>/dev/null; then
+          if curl -fSL --retry 3 --retry-delay 5 "$NASM_URL" -o nasm.tar.bz2; then
             echo "Downloaded nasm from primary source"
             tar xjf nasm.tar.bz2
             cd nasm-${NASM_VERSION}
@@ -439,6 +457,11 @@ jobs:
               echo "Clone attempt $i failed, retrying in 10s..."
               sleep 10
             done
+            # Verify clone succeeded
+            if [ ! -d ffmpeg ]; then
+              echo "ERROR: Failed to clone FFmpeg after 3 attempts"
+              exit 1
+            fi
           fi
 
           cd ffmpeg

.github/workflows/ci.yml

@@ -74,7 +74,8 @@ jobs:
         run: |
           # Workaround for known macOS 15 bug where PerfPowerServices consumes 100% CPU
           # See: https://github.com/actions/runner-images/issues/13358
-          sudo defaults -currentHost write /Library/Preferences/com.apple.powerlogd SMCMonitorCadence 0
+          # Both commands are tolerant - may fail on future macOS versions
+          sudo defaults -currentHost write /Library/Preferences/com.apple.powerlogd SMCMonitorCadence 0 || echo "Warning: defaults write failed (may not be needed on this macOS version)"
           sudo killall PerfPowerServices || true
 
       - name: Install build tools (macOS)
@@ -114,6 +115,7 @@ jobs:
 
       - name: Build with prebuildify
         run: |
+          set -e
           npx prebuildify --napi --strip --arch=${{ matrix.arch }}
 
           # prebuildify 6.x with scoped packages creates @scope+name.node
@@ -143,8 +145,14 @@ jobs:
 
       - name: Package as platform npm package
         run: |
+          set -e
           # Read version from package.json
           VERSION=$(node -p "require('./package.json').version")
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9] ]]; then
+            echo "ERROR: Failed to extract valid version from package.json: '$VERSION'"
+            exit 1
+          fi
+          echo "Package version: $VERSION"
 
           # Create platform package directory
           PKG_DIR="packages/@pproenca/node-webcodecs-${{ matrix.platform }}"

.github/workflows/release.yml

@@ -12,6 +12,10 @@ on:
 
 permissions: {}
 
+env:
+  # Define platform list once - used in verification and publish loops
+  PLATFORMS: "darwin-arm64 darwin-x64 linux-x64"
+
 jobs:
   # ============================================================================
   # Download CI artifacts and publish to npm
@@ -35,6 +39,21 @@ jobs:
           node-version: "22"
           registry-url: "https://registry.npmjs.org"
 
+      # Verify CI workflow completed successfully before downloading artifacts
+      - name: Verify CI workflow completed
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Checking if CI workflow completed for commit ${{ github.sha }}..."
+          CONCLUSION=$(gh run list --workflow=ci.yml --commit=${{ github.sha }} --status=completed --limit=1 --json conclusion -q '.[0].conclusion' || echo "not_found")
+          if [ "$CONCLUSION" != "success" ]; then
+            echo "ERROR: CI workflow has not successfully completed for commit ${{ github.sha }}"
+            echo "Found conclusion: $CONCLUSION"
+            echo "Ensure CI passes before triggering release"
+            exit 1
+          fi
+          echo "CI workflow completed successfully"
+
       # Download artifacts from the CI workflow run for this commit
       - name: Download artifacts from CI
         uses: dawidd6/action-download-artifact@0bd50d53a6d7fb5cb921e607957e9cc12b4ce392 # v6
@@ -66,6 +85,8 @@ jobs:
 
             tarball=$(find "$artifact_dir" -name "*.tar" -type f | head -1)
             if [ -n "$tarball" ]; then
+              echo "Validating $tarball integrity..."
+              tar -tf "$tarball" > /dev/null || { echo "ERROR: Tarball $tarball is corrupted"; exit 1; }
               echo "Extracting $tarball"
               tar -xvf "$tarball" -C packages/
             else
@@ -79,7 +100,7 @@ jobs:
           ls -laR packages/
 
           # Verify all platform packages present
-          for platform in darwin-arm64 darwin-x64 linux-x64; do
+          for platform in $PLATFORMS; do
             pkg_dir="packages/@pproenca/node-webcodecs-$platform"
             if [ ! -f "$pkg_dir/bin/node.napi.node" ]; then
               echo "Error: Missing binary for $platform"
@@ -91,10 +112,12 @@ jobs:
       # OIDC Trusted Publishing - no NPM_TOKEN needed
       - name: Publish platform packages
         run: |
-          for platform in darwin-arm64 darwin-x64 linux-x64; do
+          set -e
+          for platform in $PLATFORMS; do
             pkg_dir="packages/@pproenca/node-webcodecs-$platform"
             echo "Publishing $pkg_dir..."
             (cd "$pkg_dir" && npm publish --provenance --access public)
+            echo "Successfully published $platform"
           done
 
           # Wait for npm registry propagation