chore: align CI files with develop (dependabot, pr-validation, publish)#30
Pull request overview
Aligns repository CI and automation configuration with the develop branch conventions by updating workflow Node versions, simplifying PR validation, and adjusting Dependabot behavior and publish prechecks.
Changes:
- Update publish workflow to derive expected tag from package.json version and bump publish Node runtime to 22.
- Simplify PR validation workflow to a single Ubuntu / Node 22 job (removing OS + Node matrix).
- Update Dependabot to run monthly, group npm updates, and change assignee; remove GitHub Actions updates.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Changes release preflight logic for version/tag validation and bumps Node to 22 for publishing. |
| .github/workflows/pr-validation.yml | Simplifies CI to a single Ubuntu + Node 22 PR validation run. |
| .github/dependabot.yml | Adjusts npm update cadence/grouping and removes GitHub Actions update configuration. |
| # Since develop→master may be a squash merge, look for the latest version tag anywhere in the repo | ||
| # This handles both regular merges and squash merges | ||
| TAG=$(git tag --list --sort=-version:refname 'v*.*.*' | head -1 || echo "") | ||
| PKG_VERSION=$(grep '"version"' package.json | head -1 | sed 's/.*"version": "\([^"]*\)".*/\1/') |
Reading the package version via grep/sed is brittle (depends on JSON formatting and the first "version" occurrence). Consider parsing package.json with a JSON-aware approach (e.g., node -p "require('./package.json').version" after setup-node, or jq -r .version) to avoid false reads/breakage when formatting changes.
| PKG_VERSION=$(grep '"version"' package.json | head -1 | sed 's/.*"version": "\([^"]*\)".*/\1/') | |
| PKG_VERSION=$(jq -r '.version' package.json) |
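Review bot: `jq -r '.version' package.json` prints the literal string `null` (exit 0) when the key is absent, so a malformed or stripped package.json would pass this step with `PKG_VERSION=null`; add `[ -n "$PKG_VERSION" ] && [ "$PKG_VERSION" != null ]` before the tag comparison, or use `node -p "require('./package.json').version"` after setup-node, which also fails loudly on invalid JSON and does not depend on `jq` being present on self-hosted runners.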
| echo "✅ package.json version: $PKG_VERSION" | ||
| echo "✅ Tag $TAG exists in repo" |
git rev-parse "$TAG" only verifies that the tag exists somewhere in the repo; it doesn’t ensure the workflow is building the commit that the tag points to. As written, a push to master could publish from an untagged commit as long as an old vX.Y.Z tag exists. Consider requiring the current HEAD to be exactly tagged (e.g., git describe --tags --exact-match) or verifying git rev-parse "$TAG" equals git rev-parse HEAD before publishing.
| echo "✅ package.json version: $PKG_VERSION" | |
| echo "✅ Tag $TAG exists in repo" | |
| TAG_COMMIT=$(git rev-parse "$TAG") | |
| HEAD_COMMIT=$(git rev-parse HEAD) | |
| if [[ "$TAG_COMMIT" != "$HEAD_COMMIT" ]]; then | |
| echo "❌ ERROR: Current HEAD does not match tag $TAG" | |
| echo "" | |
| echo "Details:" | |
| echo " HEAD commit: $HEAD_COMMIT" | |
| echo " $TAG commit: $TAG_COMMIT" | |
| echo "" | |
| echo "The master branch must point to the exact commit tagged with $TAG" | |
| echo "before publishing. Make sure you are building from the tagged commit." | |
| exit 1 | |
| fi | |
| echo "✅ package.json version: $PKG_VERSION" | |
| echo "✅ Tag $TAG exists in repo and matches HEAD" |
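Review bot: the `TAG_COMMIT=$(git rev-parse "$TAG")` line in this suggestion will reject every annotated tag, because `git rev-parse` on an annotated tag returns the tag object's id, not the commit it points to, so `TAG_COMMIT` never equals `HEAD_COMMIT` even when HEAD is the tagged commit. Peel the tag with `TAG_COMMIT=$(git rev-parse "$TAG^{commit}")`, or replace the whole block with `git describe --tags --exact-match --match 'v*.*.*' HEAD`, which fails unless HEAD is exactly tagged and returns the tag name in one step.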
| echo "✅ Version matches package.json: $PKG_VERSION" | ||
| echo "✅ package.json version: $PKG_VERSION" | ||
| echo "✅ Tag $TAG exists in repo" | ||
| echo "TAG_VERSION=$TAG" >> $GITHUB_ENV |
TAG_VERSION is being set to the full tag string (e.g., v1.2.3) and doesn’t appear to be used elsewhere in this workflow. Either remove this environment export, or rename it to reflect it’s a tag (or export both TAG and a tag-less version) to avoid confusion for future edits.
| echo "TAG_VERSION=$TAG" >> $GITHUB_ENV |
| @@ -24,7 +19,7 @@ jobs: | |||
| - name: Setup Node | |||
| uses: actions/setup-node@v4 | |||
| with: | |||
| node-version: ${{ matrix.node-version }} | |||
| node-version: 22 | |||
| cache: npm | |||
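Review bot: `uses: actions/setup-node@v4` on the second line of this hunk references a mutable major tag, and this same PR removes the `github-actions` Dependabot entry, so nothing will bump or audit that reference going forward. Pin the action to a full commit SHA with the version in a trailing comment (`actions/setup-node@<sha> # v4.x.y`) if the actions updater is not restored; otherwise keep the updater so the tag is at least reviewed when it moves.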
CI now runs only on Ubuntu + Node 22, but package.json declares engines.node as ">=20". If Node 20 is still supported, consider restoring a Node 20 job (and any intended OS matrix) to prevent regressions; otherwise, update the engines field to reflect the actual supported Node version(s).
| commit-message: | ||
| prefix: "chore(deps)" | ||
| include: "scope" | ||
| rebase-strategy: auto |
This change removes Dependabot updates for github-actions. Without a separate updater, action versions in workflows will no longer be kept current, which can miss security fixes and bugfixes. Consider re-adding a github-actions update entry (potentially grouped/limited similarly) if you still want automated workflow dependency maintenance.
| rebase-strategy: auto | |
| rebase-strategy: auto | |
| - package-ecosystem: github-actions | |
| directory: "/" | |
| schedule: | |
| interval: monthly | |
| open-pull-requests-limit: 1 | |
| assignees: | |
| - CISCODE-MA/devops | |
| labels: | |
| - "dependencies" | |
| - "github-actions" | |
| commit-message: | |
| prefix: "chore(deps)" | |
| include: "scope" | |
| rebase-strategy: auto |
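Review bot: the suggested `package-ecosystem: github-actions` entry sets `open-pull-requests-limit: 1` with `interval: monthly` but has no `groups:` block, so if more than one action needs an update in a given month only the first gets a PR and the rest wait until it is merged or the next run. The npm entry in this PR already groups its updates; add a matching `groups:` section here (for example one group with `patterns: ["*"]`) so a single monthly PR carries all action bumps.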
Summary
Why
Checklist
- npm run lint passes
- npm run typecheck passes
- npm test passes
- npm run build passes
- npx changeset) if this affects consumers
Notes