sciencecorp · namthor9 · May 22, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
@@ -44,7 +44,16 @@ jobs:
         run: npm run test
         shell: bash
 
+  # The test-install jobs install this repo via `npm install git://...#<sha>`
+  # to verify the postinstall pipeline. They cannot run on PRs: pacote's
+  # prepare phase strips .git from its install cache and doesn't expose the
+  # commit SHA via any env var or package.json field, so postinstall.sh has
+  # no way to identify which synapse-api submodule SHA to download. After
+  # release-please tags the version on main, the v$version tag fallback in
+  # postinstall.sh works, which is what these jobs exercise. Run them on
+  # push to main and manual dispatch only.
   test-install:
+    if: github.event_name != 'pull_request'
     runs-on: ${{ inputs.runner }}
     steps:
       - name: Use Node.js
@@ -57,6 +66,7 @@ jobs:
         shell: bash
 
   test-install-with-token:
+    if: github.event_name != 'pull_request'
     runs-on: ${{ inputs.runner }}
     env:
       SCIENCE_CORPORATION_SYNAPSE_TOKEN: ${{ secrets.SCIENCECORP_SYNAPSE_READ_TOKEN }}

diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh
@@ -39,15 +39,49 @@ fi
 # Else, fallback to downloading from github
 echo "Downloading synapse-api..."
 
+# Resolve which synapse-typescript ref to ask the GitHub API about, in order
+# of decreasing fidelity:
+#   1. git HEAD when there's a real working tree (most accurate).
+#   2. The SHA in $npm_package_resolved — npm exports this during install
+#      lifecycle scripts as `git+ssh://...#<sha>`. This is the one that
+#      makes `npm install git://...#<sha>` actually work, since during
+#      pacote's prepare phase the .git dir has been moved away and the
+#      package.json gitHead field has not yet been injected.
+#   3. package.json#gitHead — npm writes this after prepare completes, so
+#      it's available for downstream consumers reading an already-installed
+#      package, just not during the prepare phase itself.
+#   4. v$version tag, as a last resort for vanilla tarball installs after a
+#      release has tagged the version.
+REF_LIB=""
 if [ "$HAS_GIT" = true ]; then
     REF_LIB=$(git rev-parse HEAD)
-else
-    REF_LIB=$(node -p "require('./package.json').version")
-    if [ -z "$REF_LIB" ]; then
+fi
+
+if [ -z "$REF_LIB" ] && [ -n "$npm_package_resolved" ]; then
+    # Strip everything up to and including the last '#' to get the SHA.
+    CANDIDATE="${npm_package_resolved##*#}"
+    # Only accept if it looks like a SHA (40 hex chars). Anything else is
+    # probably a URL with no fragment, which would leave the var untouched.
+    if [ "${#CANDIDATE}" = 40 ] && [ -z "${CANDIDATE//[0-9a-f]/}" ]; then
+        REF_LIB="$CANDIDATE"
+        echo " - Using npm_package_resolved SHA for ref lookup"
+    fi
+fi
+
+if [ -z "$REF_LIB" ]; then
+    REF_LIB=$(node -e "const p=require('./package.json'); if (p.gitHead) process.stdout.write(p.gitHead);" 2>/dev/null)
+    if [ -n "$REF_LIB" ]; then
+        echo " - Using package.json gitHead for ref lookup"
+    fi
+fi
+
+if [ -z "$REF_LIB" ]; then
+    PKG_VERSION=$(node -p "require('./package.json').version")
+    if [ -z "$PKG_VERSION" ]; then
         echo " - Failed to get version from package.json"
         exit 1
     fi
-    REF_LIB=v$REF_LIB
+    REF_LIB=v$PKG_VERSION
 fi
 
 echo "- Looking up synapse-api ref for synapse-typescript ref $REF_LIB"