fix(release): exclude ripgrep binaries from npm tarballs

[SandyTao520]

Summary

Unblocks the Release: Promote workflow, which has been failing with npm error code E413 Request Entity Too Large from wombat-dressing-room since 2026-04-15 because the @google/gemini-cli tarball grew past the registry's per-package upload limit.

The growth came from PR #25342, which checked in 5 cross-platform ripgrep binaries (~21 MB raw) under packages/core/vendor/ripgrep/ and unconditionally copied them into bundle/vendor/ripgrep/ on every npm run bundle — including the npm-publish path. Wombat rejected the resulting 28.4 MB compressed cli tarball.

This change keeps the binaries in the SEA build (where offline support was the goal) and stops shipping them through the npm registry, where users can rely on the existing GrepTool JS fallback when ripgrep isn't installed.

Details

Three surgical edits, all in scripts/ and packages/core/package.json:

• scripts/copy_bundle_assets.js — Removed the unconditional 5-binary ripgrep copy. This script is invoked from npm run bundle, which feeds the npm-publish path (via prepare-npm-release.js).
• scripts/build_binary.js — Added a new step (2b) that copies only the host-platform ripgrep binary into bundle/vendor/ripgrep/. Per-platform copy (vs all 5) also shrinks per-platform SEA artifacts. The runtime resolver getRipgrepPath() already looks for rg-${platform}-${arch}, so no code change required there.
• packages/core/package.json — Removed "vendor" from the published files field so the binaries don't leak through @google/gemini-cli-core either.

Verified locally with npm pack --dry-run:

Package	Before #25342	After #25342 (current main, fails E413)	With this PR
@google/gemini-cli compressed	22.3 MB	28.4 MB ❌	12.2 MB ✅
@google/gemini-cli-core compressed	—	19.3 MB	10.5 MB ✅
@google/gemini-cli-core unpacked	52 MB	63 MB	42 MB
SEA artifact	works (no ripgrep)	works (5 binaries)	works (1 binary, host only)

Why this is the right shape today

Three options exist for keeping #25342's offline-SEA goal while unblocking npm publish:

1. Strip from npm tarball, keep in SEA (this PR) — minimal, validated, ships today.
2. Convert to platform-specific optionalDependencies (esbuild/swc/rollup pattern) — better long-term shape but requires 5 new scoped packages, 5 new wombat tokens, and rework of .github/actions/publish-release/action.yml. Days to weeks of OSPO/release-infra work.
3. Compress the binaries in the tarball — half-day, but adds first-run decompression latency and a writable cache requirement.

Option 1 is the right unblock; option 2 can follow as a separate, larger PR if we want offline ripgrep for npm-installed users too.

Behavioral side-effects (intentional and benign)

• npm-installed users: lose the bundled ripgrep. canUseRipgrep() in packages/core/src/config/config.ts already catches this, registers the legacy GrepTool instead, and emits a RipgrepFallbackEvent for telemetry. This is the pre-feat: bundle ripgrep binaries into SEA for offline support #25342 behavior. Anyone with system rg (Homebrew, apt, etc.) gets it via PATH.
• SEA users: still get bundled offline ripgrep — the PR's stated goal. Bonus: per-platform SEA artifacts also shrink (1 binary instead of 5).

Related Issues

Fixes #25507
Related to #18007

How to Validate

# 1. Confirm the npm tarballs no longer ship ripgrep
npm run bundle
node scripts/prepare-npm-release.js
npm pack --dry-run -w @google/gemini-cli       | grep -iE "(ripgrep|vendor|rg-)" || echo "OK: no ripgrep in cli tarball"
npm pack --dry-run -w @google/gemini-cli-core  | grep -iE "(vendor|rg-)" || echo "OK: no ripgrep binaries in core tarball"

# 2. Confirm tarball sizes are well under wombat's limit
npm pack --dry-run -w @google/gemini-cli      2>&1 | grep -E "package size"   # expect ~12 MB
npm pack --dry-run -w @google/gemini-cli-core 2>&1 | grep -E "package size"   # expect ~10 MB

# 3. Smoke-test the bundled cli still launches
node ./bundle/gemini.js --version

# 4. SEA build (per-platform; run on at least one matrix host)
npm run build:binary
ls -la bundle/vendor/ripgrep/    # expect exactly one rg-${platform}-${arch} binary
./dist/$(node -p '`${process.platform}-${process.arch}`')/gemini --version

# 5. Confirm the runtime fallback is intact when ripgrep is missing
#    (covered by existing tests in packages/core/src/tools/ripGrep.test.ts;
#     `canUseRipgrep` returns false → GrepTool registered → RipgrepFallbackEvent
#     emitted, no crash)

Pre-Merge Checklist

• Updated relevant documentation and README (if needed) — n/a, no user-facing surface changed
• Noted breaking changes (if any) — npm-install users without system rg will use the slower GrepTool fallback (pre-feat: bundle ripgrep binaries into SEA for offline support #25342 behavior, telemetry already in place)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue preventing the successful promotion of releases by reducing the size of the @google/gemini-cli npm package. It achieves this by strategically excluding ripgrep binaries from npm tarballs, which had previously caused the package to exceed registry size limits. The changes ensure that Self-Extracting Archive (SEA) builds still receive a platform-specific ripgrep binary, maintaining offline functionality where intended, while optimizing package distribution for npm users.

Highlights

• Resolved NPM Publish Failure: Fixed the 'Release: Promote' workflow which was failing due to the '@google/gemini-cli' tarball exceeding the npm registry's upload limit (E413 Request Entity Too Large).
• Optimized Package Size: Significantly reduced the compressed size of '@google/gemini-cli' from 28.4 MB to 12.2 MB and '@google/gemini-cli-core' from 19.3 MB to 10.5 MB by excluding 'ripgrep' binaries from npm tarballs.
• Selective Ripgrep Bundling: Modified the build process to only include the host-platform specific 'ripgrep' binary for Self-Extracting Archive (SEA) builds, while completely excluding 'ripgrep' binaries from npm packages.
• Restored Pre-Existing Behavior for NPM Users: npm-installed users will now rely on the 'GrepTool' fallback or a system-installed 'ripgrep', reverting to the behavior prior to the introduction of bundled 'ripgrep' binaries in npm packages.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: -4 B (0%)

Total Size: 33.7 MB

Filename	Size	Change
./bundle/chunk-4I7TIEX5.js	0 B	-3.8 kB (removed)	🏆
./bundle/chunk-7ONC23QX.js	0 B	-3.43 kB (removed)	🏆
./bundle/chunk-N4KY6BFY.js	0 B	-2.72 MB (removed)	🏆
./bundle/chunk-QHLZJ6KN.js	0 B	-676 kB (removed)	🏆
./bundle/chunk-SOLUYSCK.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-UQOTB6AW.js	0 B	-14.6 MB (removed)	🏆
./bundle/core-QX64VTZZ.js	0 B	-46.9 kB (removed)	🏆
./bundle/devtoolsService-JBQQEI77.js	0 B	-27.8 kB (removed)	🏆
./bundle/gemini-GVEAEH4D.js	0 B	-576 kB (removed)	🏆
./bundle/interactiveCli-WLSE6PIX.js	0 B	-1.3 MB (removed)	🏆
./bundle/liteRtServerManager-4H7L52KM.js	0 B	-2.08 kB (removed)	🏆
./bundle/oauth2-provider-GCWASG4T.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-EGULAIQH.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/chunk-FYYP54YX.js	14.6 MB	+14.6 MB (new file)	🆕
./bundle/chunk-KQMPNBTT.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-NDZYCO4D.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/chunk-V6P3A5VJ.js	676 kB	+676 kB (new file)	🆕
./bundle/chunk-YDIJPP4H.js	2.72 MB	+2.72 MB (new file)	🆕
./bundle/core-MXB24J5K.js	46.9 kB	+46.9 kB (new file)	🆕
./bundle/devtoolsService-KXPZ5QA5.js	27.8 kB	+27.8 kB (new file)	🆕
./bundle/gemini-BY55SIIZ.js	576 kB	+576 kB (new file)	🆕
./bundle/interactiveCli-U4I253TL.js	1.3 MB	+1.3 MB (new file)	🆕
./bundle/liteRtServerManager-SUITEFED.js	2.08 kB	+2.08 kB (new file)	🆕
./bundle/oauth2-provider-YY2WKOA4.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-2RHFUIH4.js	1.97 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/cleanup-MQEQR77B.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	4.97 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-HWEYBJE7.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-CUMK2JMW.js	0 B	-622 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-YC5RAOSW.js	932 B	+932 B (new file)	🆕
./bundle/start-MYJEPORR.js	622 B	+622 B (new file)	🆕

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request refactors the handling of ripgrep binaries during the build process, moving from copying all vendor binaries to selecting only the host-platform specific binary for the Single Executable Application (SEA) bundle. While the copying logic is implemented in scripts/build_binary.js, a critical issue was identified: the binary is not registered as an asset in the SEA manifest, which will cause it to be missing from the final executable and lead to runtime failures.

[Samee24]

LGTM, please address the GCA comment before merging.