hotfix(ci): bring deploy-api install-scope fix to main #287
The Deploy API workflow was running plain `pnpm install` which triggers EVERY workspace's postinstall — including apps/desktop's `electron-builder install-app-deps` step that rebuilds better-sqlite3 against Electron headers via node-gyp. That rebuild fails on the Linux + Node 22 CI runner (V8 API mismatch in better-sqlite3 12.10.0 against current Electron headers): "no matching function for call to 'v8::External::Value()'" and friends.

The API worker has nothing to do with better-sqlite3 or Electron. It runs on Cloudflare Workers and only needs its own transitive deps. So:

    pnpm install -> pnpm install --filter '@readied/api...' --ignore-scripts

- `--filter '@readied/api...'` brings in @readied/api and everything it depends on (transitive within the monorepo), nothing else.
- `--ignore-scripts` is belt-and-suspenders so we don't run install-app-deps even if some transitive dep declares a similar postinstall.

This unblocks the API deploy that was failing since 2026-03-29.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Why

The Release workflow (`semantic-release`) was failing on the v0.15.0 release with the same better-sqlite3 native-build error that #287 fixed for `deploy-api.yml`. Same root cause, slightly different fix shape.

semantic-release **never imports anything from apps/* or packages/*** — it only needs the root `devDeps` (`semantic-release`, `@semantic-release/commit-analyzer`, `@semantic-release/github`, etc.) plus the lockfile. So we don't need the `--filter` flag from #287; just `--ignore-scripts` is enough.

## Change

```diff
- - name: Install dependencies - run: pnpm install --frozen-lockfile + - name: Install dependencies + run: pnpm install --frozen-lockfile --ignore-scripts
```

## What got blocked

Release run: https://github.com/tomymaritano/readide/actions/runs/27184255087 — failed on `pnpm install` step with the V8 API mismatch error (`better-sqlite3 12.10.0` vs current Electron headers, on Linux + Node 22 runner).

## What unblocks once this merges

1. Manual re-trigger of Release workflow → `semantic-release` analyses conventional commits since the last release tag, bumps version (probably to `v0.15.0` because of multiple `feat:` commits in the audit), creates GitHub Release draft + tag
2. Tag push auto-triggers `build.yml` (mac/win/linux parallel)
3. All three builds green → release un-drafts itself

## Related

- #287 (deploy-api fix, same problem in a different workflow) — already merged

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
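Review bot: the changed `run: pnpm install --frozen-lockfile --ignore-scripts` line carries no comment saying why lifecycle scripts are skipped, so a later cleanup could drop the flag and bring the install-time better-sqlite3 rebuild back into the release job. Suggest a one-line YAML comment above the step naming the `electron-builder install-app-deps` postinstall as the reason. The flag also skips the root package's own lifecycle scripts, so anything the release job expects from a root `prepare` or `postinstall` would need an explicit step.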
## Why this PR

PR #245 squash-merged 19 individual PRs (#266-#284) into a single commit on main: `release: audit + Ed25519 signed envelopes + lefthook (v0.15.0) (#245)`. That message **isn't a conventional commit type that semantic-release recognises**, so the analyser saw 11 commits since the last tag and concluded *"no release"*. The actual feat:/fix:/refactor: messages from the 19 underlying PRs were lost in the squash.

Concretely, run [27184456847](https://github.com/tomymaritano/readide/actions/runs/27184456847) finished cleanly but logged:

```
[semantic-release] [@semantic-release/commit-analyzer] › ℹ Analysis of 11 commits complete: no release
[semantic-release] › ℹ There are no relevant changes, so no new version is released.
```

## What this PR does

### 1. Provides the release signal

This commit's title is `feat(release): cut v0.15.0 audit release` — a recognised conventional type. semantic-release will analyse it as a **minor bump** (v0.14.x → v0.15.0).

### 2. Drops the broken `@semantic-release/exec` step

`release.config.js` referenced `node scripts/bump-version.js ${nextRelease.version}` in a prepareCmd, but that script was deleted in the knip cleanup (#279) and the config wasn't updated. Any release triggered now would fail at the prepare step with `ENOENT`.

The remaining `@semantic-release/git` plugin already commits root `package.json` + `apps/desktop/package.json` + `CHANGELOG.md` via its `assets` list — that's everything the desktop release needs bumped. Workspace packages stay at `workspace:*` and their numeric versions aren't user-visible.

## Side effect

`@semantic-release/exec` is still listed in `package.json` devDeps but unused after this PR. Not removing it here to keep this PR surgical; can be dropped in the next knip pass.

## After this merges

1. Manually re-trigger Release workflow on main
2. semantic-release picks up this commit + the existing release notes generator → cuts **v0.15.0**
3. Creates GitHub Release draft + tag
4. Tag push fires Build workflow → mac/win/linux artefacts
5. Builds complete → release un-drafts → electron-updater serves it

## Related

- #287 (deploy-api workflow fix)
- #288 (release workflow install fix)
- #279 (knip cleanup that deleted bump-version.js without updating release.config.js)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Six independent fixes batched into one PR because they all touch the workflow YAML surface and reviewing them together is faster than three ping-pong PRs that all conflict on the same files.

docs.yml: pnpm install scoped to @readied/web with --ignore-scripts (same shape as #287, #288). Added permissions block. Moved Build step into working-directory: apps/web.

build.yml: windows-latest pinned to windows-2025-vs2026 ahead of the 2026-06-15 GitHub image migration. Removed FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env (no-op with @v5 actions). Artifact upload if-no-files-found changed from ignore to error so silent zero-asset releases fail loud.

release.yml: removed HUSKY=0 env leftover from husky->lefthook migration.

deploy-api.yml: added permissions block contents:read.

Action versions across 8 workflows bumped @v4 to @v5 (checkout, setup-node, cache, cache/save, cache/restore, upload-artifact). GitHub announced Node 20-based actions deprecation on 2026-06-16.

Verified: pnpm -r typecheck green, no test changes.

Phase 0 B-bundle. Pairs with PR-A1 electron pin and PR-A2 bump-version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The setup job's `pnpm install --frozen-lockfile` was running every workspace's postinstall — including apps/desktop's electron-builder install-app-deps, which rebuilds better-sqlite3 from source against Electron's bundled Node headers. That rebuild can break when better-sqlite3 lags an Electron major. v0.15.0 hit exactly this on Electron 42 + better-sqlite3 12.10.0 and took the whole CI matrix down. CI doesn't need a runtime-functional better-sqlite3: lint and typecheck don't load native modules, and `pnpm test` excludes storage-sqlite per CLAUDE.md. Skipping the postinstall makes setup resilient to the desktop-side native-deps churn. Same pattern already in release.yml (added in #288) and deploy-api.yml (#287). This brings ci.yml in line.
…postinstall in setup (#296)

## Why

Two distinct CI issues, both blocking every Phase 0 PR (#290, #292, #294). Bundling them is OK because they're orthogonal-but-related: both clear a "lint-or-setup says no, so I can't merge" path on develop.

### Issue 1: Prettier fails on `CHANGELOG.md`

semantic-release writes CHANGELOG entries without prettier formatting. The root `format:check` script uses `--ignore-path .gitignore`, which **overrides** Prettier's default `.prettierignore` lookup. CHANGELOG.md correctly isn't gitignored (it's tracked), so it gets linted, fails, kills lint.

### Issue 2: `setup` job fails when native deps don't match the host Electron

`setup` runs `pnpm install --frozen-lockfile` (no `--ignore-scripts`). That triggers apps/desktop's `electron-builder install-app-deps` postinstall, which **rebuilds better-sqlite3 from source against Electron's bundled Node headers**. When better-sqlite3 lags an Electron major (the v0.15.0 incident: Electron 42 + better-sqlite3 12.10.0, V8 `External::Value` signature mismatch), the rebuild fails and setup dies — taking lint/test/typecheck/build down with it.

The same shape took down deploy-api.yml (#287) and release.yml (#288). This brings ci.yml in line.

## What changes

- **`.prettierignore`** (new) — CHANGELOG.md + local build artefacts (.next/, .source/, .astro/, .wrangler/, dist/, out/, release/, coverage/, pnpm-lock.yaml).
- **`package.json`** — `format` and `format:check` now pass `--ignore-path .gitignore --ignore-path .prettierignore` (Prettier 3.x supports repeated `--ignore-path`).
- **`.github/workflows/ci.yml`** — `setup` job install: `--ignore-scripts` added with explanatory comment.

## Verification

- `pnpm format:check` locally → "All matched files use Prettier code style!"
- CI doesn't need a runtime-functional better-sqlite3: lint and typecheck don't load native modules, and `pnpm test` excludes storage-sqlite per CLAUDE.md.

## Order of operations

After this lands → rebase #290 / #292 / #294 → CI green → merge them in order → cut v0.15.1.
## Summary

Phase 0 B-bundle of the post-audit roadmap. Six independent fixes batched into one PR because they all touch the workflow YAML surface and reviewing them together is faster than three ping-pong PRs that all conflict on the same files.

## docs.yml

| Change | Why |
|---|---|
| `pnpm install` → `pnpm install --filter '@readied/web...' --ignore-scripts` | Marketing-site install was the last workflow still firing apps/desktop's `electron-builder install-app-deps` step that fails on Linux + Node 22. Same shape as #287 (deploy-api) and #288 (release). |
| Added `permissions: contents: read` | Cloudflare Pages deploy doesn't need anything beyond checkout |
| Build step moved into `working-directory: apps/web` | Was inline `cd apps/web && ...` — explicit working-directory reads better |

## build.yml

| Change | Why |
|---|---|
| `windows-latest` → `windows-2025-vs2026` | GitHub announced `windows-latest` migration to that image on **2026-06-15** (6 days from this commit). Pinning ahead avoids a surprise toolchain swap mid-release. |
| Removed `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true` env | This was the migration toggle for the Node 20→24 actions rollout. With all actions now on @v5 (Node 24-native) it's no-op. |
| Artifact upload `if-no-files-found: ignore` → `error` | Silent zero-asset releases are worse than a failed upload. If electron-builder swallowed an error, signing failed, working-directory drifted, etc., we want loud failure here, not a release un-drafted with no installers. |

## release.yml

| Change | Why |
|---|---|
| Removed `HUSKY: '0'` env | Leftover from the husky → lefthook migration in #267. Lefthook only reads .git/hooks if those files exist; on fresh CI clones they don't. |

## deploy-api.yml

| Change | Why |
|---|---|
| Added `permissions: contents: read` | Cloudflare deploy doesn't push commits or create issues; minimum-privilege default. |

## Action versions sweep (all 8 workflows)

| From | To |
|---|---|
| `actions/checkout@v4` | `@v5` |
| `actions/setup-node@v4` | `@v5` |
| `actions/cache@v4` | `@v5` |
| `actions/cache/save@v4` | `@v5` |
| `actions/cache/restore@v4` | `@v5` |
| `actions/upload-artifact@v4` | `@v5` |

GitHub announced Node 20-based actions deprecation on **2026-06-16** (7 days from this commit). The `@v5` family runs on Node 24.

## Verification

- ✅ `pnpm -r typecheck` — green
- ✅ `pnpm test` — 17/17 (untouched)
- ✅ YAML parsed locally; no syntax errors

## Stack context

Phase 0 B-bundle. Pairs with #290 (A1 electron pin) and #291 (A2 bump-version). Independent files, can land in any order.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Why hotfix to main
PR #245 (audit release develop→main) merged before PR #286 (deploy-api install scope fix) reached develop. Net result: main got the audit work without the workflow fix. The auto-deploy of `@readied/api` on the #245 merge failed, and manual `workflow_dispatch` from main still fails because the workflow file in main is the pre-fix version.
This PR cherry-picks the one-commit fix from develop (`53577d3`) directly onto main. Same diff as PR #286, no new logic.
What this changes
```diff
```
Applied in both the `test` and `deploy` jobs of `.github/workflows/deploy-api.yml`.
Scope: prevent `pnpm install` from running every workspace's postinstall on the CI runner. Specifically, blocks `apps/desktop`'s `electron-builder install-app-deps` step that rebuilds better-sqlite3 against Electron headers — a build that fails on Linux + Node 22 due to a V8 API mismatch in better-sqlite3 12.10.0.
Verification (already done)
The same fix on develop was validated by run https://github.com/tomymaritano/readide/actions/runs/27183894368 — `@readied/api` deployed cleanly to `readied-api-staging`, smoke test returned HTTP 200 with `{"name":"Readied API","version":"0.1.0","status":"healthy"}`.
The failing main deploy was https://github.com/tomymaritano/readide/actions/runs/27184061589.
What lands after this merges
Why directly to main (not via develop again)
🤖 Generated with Claude Code
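
A check for the rule this PR and its follow-ups apply one workflow at a time (install with `--ignore-scripts`, declare a `permissions` block), as an added example that is not part of the PR or the project's code. The workflow text is constructed, the line-based scan assumes 2-space YAML indentation and single-line `run:` commands, and `allowScripts` is a hypothetical parameter.

```javascript
// Added example: constructed workflow text, not the project's real file.
// Assumes 2-space YAML indentation and single-line `run:` commands.
const SAMPLE = [
  'name: Deploy API',
  'on: workflow_dispatch',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - run: pnpm install',
  '  deploy:',
  '    runs-on: ubuntu-latest',
  '    permissions:',
  '      contents: read',
  '    steps:',
  "      - run: pnpm install --filter '@readied/api...' --ignore-scripts",
].join('\n');

const INSTALL = /\bpnpm\s+(?:install|i)\b(.*)$/;

// allowScripts (hypothetical parameter): job ids that really need lifecycle
// scripts, e.g. a desktop build that must rebuild native modules.
function auditWorkflow(file, text, allowScripts = []) {
  const findings = [];
  const jobPerms = new Map(); // job id -> declares its own permissions
  let inJobs = false, job = null, topPerms = false;

  text.split(/\r?\n/).forEach((raw, idx) => {
    if (/^\s*(#|$)/.test(raw)) return; // blank or comment-only line
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing comment
    if (/^\S/.test(line)) { // top-level key
      inJobs = /^jobs\s*:/.test(line);
      job = null;
      if (/^permissions\s*:/.test(line)) topPerms = true;
      return;
    }
    const jobMatch = inJobs ? /^ {2}([\w-]+)\s*:\s*$/.exec(line) : null;
    if (jobMatch) { job = jobMatch[1]; jobPerms.set(job, false); return; }
    if (job && /^ {4}permissions\s*:/.test(line)) jobPerms.set(job, true);
    const m = INSTALL.exec(line);
    if (m && !/(^|\s)--ignore-scripts(\s|$)/.test(m[1]) && !allowScripts.includes(job)) {
      findings.push({ file, line: idx + 1, job, rule: 'install-runs-scripts' });
    }
  });
  // Without a workflow-level block, every job must scope its own token.
  if (!topPerms) {
    for (const [id, has] of jobPerms) {
      if (!has) findings.push({ file, line: null, job: id, rule: 'no-permissions-block' });
    }
  }
  return findings;
}

console.log(auditWorkflow('deploy-api.yml', SAMPLE));
```

On the constructed sample the `test` job is reported twice (unflagged install on line 7, no `permissions` block), while the `deploy` job passes both checks.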