fix: install the downloaded decaf binary to a directory, not CWD #121

Merged: levibostian merged 8 commits into main from vk/3f53-update-the-insta on Jan 7, 2026

@levibostian levibostian commented Jan 6, 2026

Summary

Updated the install script to follow XDG Base Directory standards by installing the binary to ~/.local/bin instead of the current working directory.

Why? In some of my projects where I push code to jsr, the jsr publish command will fail unless I add --allow-dirty to the command. I don't like doing this, the binary should be put somewhere else honestly.

Changes Made

  1. Install script (install):

    • Changed installation directory from ./ to ~/.local/bin
    • Added automatic creation of ~/.local/bin if it doesn't exist
    • Updated success message to show where the binary was installed
  2. CI workflow (.github/workflows/tests.yml):

    • Added new test-install-script job to verify the install script works
    • Tests that the binary is created in the correct location
    • Tests that the binary is executable
    • Verifies the binary can run via PATH (decaf --help)

Why These Changes

The install script is designed for CI environments where:

  • Running as root/sudo is not desired or available
  • Binaries need to be in a standard location that's typically in PATH
  • Following common best practices used by tools like rustup, cargo-binstall, and pipx

Installing to ~/.local/bin provides:

  • No sudo required
  • Standard XDG Base Directory location
  • Already in PATH on most modern Linux distributions
  • Easy cleanup (just delete the binary)
  • Isolated from system binaries

This PR was written using Vibe Kanban
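The install flow listed under "Changes Made" above (create the per-user bin directory, place the binary there, then confirm it resolves through PATH as the CI job does), as an added shell example that is not the decaf project's `install` script. The function names, `INSTALL_DIR` and the stand-in binary are assumptions; the temp-file rename and the name check go beyond what the PR describes.

```shell
#!/bin/sh
# Added example, not the decaf project's install script. Function names,
# INSTALL_DIR and the stand-in binary below are assumptions for illustration.

INSTALL_DIR="${INSTALL_DIR:-$HOME/.local/bin}"

# dir_on_path DIR [LIST]: succeed if DIR is an entry of the colon-separated
# LIST (defaults to $PATH). A trailing slash on either side is ignored.
dir_on_path() {
  local dir="${1%/}" list="${2-$PATH}"
  case ":$list:" in
    *":$dir:"* | *":$dir/:"*) return 0 ;;
  esac
  return 1
}

# install_binary SRC NAME [DIR]: copy SRC to DIR/NAME with mode 0755.
# The copy is written to a temporary file inside DIR and renamed into place,
# so an interrupted copy never leaves a partial file at DIR/NAME.
install_binary() {
  local src="$1" name="$2" dir="${3:-$INSTALL_DIR}" tmp
  if [ ! -f "$src" ] || [ ! -s "$src" ]; then
    echo "error: '$src' is missing or empty" >&2
    return 1
  fi
  # NAME must be a plain file name so the result cannot land outside DIR.
  case "$name" in
    "" | */* | . | ..) echo "error: invalid binary name '$name'" >&2; return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  if [ -d "$dir/$name" ]; then
    echo "error: '$dir/$name' is a directory" >&2
    return 1
  fi
  tmp="$(mktemp "$dir/.$name.XXXXXX")" || return 1
  if cp "$src" "$tmp" && chmod 0755 "$tmp" && mv -f "$tmp" "$dir/$name"; then
    echo "Installed $name to $dir/$name"
  else
    rm -f "$tmp"
    return 1
  fi
}

# smoke_test NAME [DIR]: the checks the CI job describes: the file exists,
# is executable, and NAME resolves to it once DIR is at the front of PATH.
smoke_test() {
  local name="$1" dir="${2:-$INSTALL_DIR}" resolved
  [ -f "$dir/$name" ] || { echo "missing: $dir/$name" >&2; return 1; }
  [ -x "$dir/$name" ] || { echo "not executable: $dir/$name" >&2; return 1; }
  # The command substitution is a subshell, so PATH is only changed there.
  resolved="$(PATH="$dir:$PATH"; command -v "$name")" || return 1
  [ "$resolved" = "$dir/$name" ]
}

# Demo on a constructed stand-in binary inside a throwaway directory,
# so nothing is written to the real $HOME.
demo() {
  local work rc=0
  work="$(mktemp -d)" || return 1
  printf '#!/bin/sh\necho "stand-in binary"\n' > "$work/downloaded"
  install_binary "$work/downloaded" demo-tool "$work/.local/bin" &&
    smoke_test demo-tool "$work/.local/bin" || rc=1
  dir_on_path "$work/.local/bin" || echo "note: $work/.local/bin is not on PATH"
  rm -rf "$work"
  return "$rc"
}
demo
```
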

…actice of installing to `~/.local/bin`. Here's what changed:

## Changes Made

1. **Installation directory**: Changed from `./` (current directory) to `~/.local/bin`
   - This is the standard XDG Base Directory location for user binaries
   - Commonly used by Rust tools, Go tools, and many other projects
   - Already in PATH on most modern Linux distributions and can be easily added on others

2. **Directory creation**: Added `mkdir -p "$INSTALL_DIR"` to ensure the directory exists

3. **PATH checking**: Added helpful feedback that checks if `~/.local/bin` is in the PATH:
   - If it's already in PATH, users can run `decaf` directly
   - If not, provides clear instructions on how to add it or run the binary directly

4. **Better output**: Updated the success message to show the full installation path

## Why `~/.local/bin`?

This is the standard choice for CI servers and user installations because:
- ✅ No sudo required
- ✅ Follows XDG Base Directory specification
- ✅ Already in PATH on most modern systems (Ubuntu 18.04+, Fedora, etc.)
- ✅ Used by major projects like `pipx`, `cargo-binstall`, and many others
- ✅ Isolated from system binaries, making it safe for CI environments
- ✅ Easy to clean up (just delete `~/.local/bin/decaf`)

The script will work perfectly in CI environments since CI runners typically have `~/.local/bin` in their PATH by default.

…ovided instructions. The script is now more minimal - it just installs the binary to `~/.local/bin` and reports where it was installed (install:41).

…kflow. Here's what it does:

1. **Checks out the repository** - Gets the code including the install script
2. **Runs the install script** - Executes `bash install v0.0.1` to test installing a specific version
3. **Verifies the binary** - Checks that:
   - The file exists at `~/.local/bin/decaf`
   - The file is executable

This is a quick, simple test that validates the core functionality of the install script - that it downloads the binary and places it in the correct location (`~/.local/bin`) with the right permissions. The test runs on `ubuntu-latest` which is sufficient for a basic smoke test.

1. Run `./install` without any arguments (which will install the latest release)
2. Added `"$HOME/.local/bin/decaf" --help` to verify the binary runs successfully

The test now checks that:
- The file exists at `~/.local/bin/decaf`
- The file is executable
- The binary can be executed and responds to `--help`

1. Export `$HOME/.local/bin` to the PATH (in case it's not already there)
2. Run just `decaf --help` (not the full path)

This ensures we're testing that the binary can be executed via PATH, which is what users would do in practice (.github/workflows/tests.yml:60).

github-actions bot commented Jan 6, 2026

decaf

Running deployments in test mode. Results will appear below.
If this pull request and all of its parent pull requests are merged using the...

...🟩 squash 🟩 merge method... 🚢 The next version of the project will be: 0.9.1

Learn more
Latest release: 0.9.0
Commit of latest release: ec7c774

Commits since last release:
- fix: install the downloaded decaf binary to a directory, not CWD

- ci: fix code scanning warnings for github action workflow files (#122)

I enabled code scanning recently. I got some warnings. This change
should silence them.
- refactor: update deno from 2.5 to 2.6 (#116)

I used to have this project setup so it would always use the latest
version of deno on the CI. but a couple times I would find bugs in deno
release so the CI would fail and block the PR.

This PR does...

  • uses asdf for setting a hard-coded version of deno to use. share same
    stable version on CI and locally. renovatebot updates this file for us.
  • Wait to merge this PR until a stable version of 2.6 is out. 2.6.4 just
    came out and has a bug fix for us.
- chore(deps): update granodigital/report-annotate action to v3.1.1 (#120)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| granodigital/report-annotate | action | minor | v3.0.0 -> v3.1.1 |


Release Notes

granodigital/report-annotate (granodigital/report-annotate)

v3.1.1

Full Changelog:
granodigital/report-annotate@v3.1.0...v3.1.1

v3.1.0

Full Changelog:
granodigital/report-annotate@v3.0.1...v3.1.0

v3.0.1

What's Changed

Fixed
  • Improved PR comment formatting with clickable file links when
    annotations are skipped
  • Added validation for invalid report format configuration
  • Added error handling for malformed YAML config files
  • Added error handling for invalid custom-matchers JSON input
  • Skip annotations with empty messages to avoid creating blank
    annotations
  • Improved error messages and handling in XML report parsing
  • Ensure all annotations have a start line for proper GitHub display
  • Added test coverage for invalid YAML config parsing error handling
  • Excluded untestable xpath fallback code from coverage reporting

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone
America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update
again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- chore(deps): update dependency deno to v2.6.3 (#119)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| deno (source) | v2.5.6 -> 2.6.3 | age | confidence |


Release Notes

denoland/deno (deno)

v2.6.3

  • fix(check): improve node types handling
  • Revert "fix(ext/node): stub out Module.register and
    Module.registerHooks"

(#​31684)

v2.6.2

  • feat(unstable): add sandbox subcommand
    (#​31568)
  • fix(audit): fix deserde for transitive npm audit actions
    (#​31671)
  • fix(check): handle workspace members having different jsx import
    sources and
    importing each other
    (#​31654)
  • fix(check): regression with tsgo and node globals
    (#​31621)
  • fix(cli): deno tunnel when token storage isn't working or without
    deno.json

(#​31584)

  • fix(compile): ensure temp dir exists during x64 codesign
    (#​31672)
  • fix(ext/node): sqlite:backup compatibility
    (#​31610)
  • fix(ext/node): add error handling functions and tests for UV bindings
    (#​31639)
  • fix(ext/node): avoid env permission for TERM in console and readline
    (#​31638)
  • fix(ext/node): fix hot loop in setImmediate with a pending timer
    (#​31643)
  • fix(ext/node): stub out Module.register and Module.registerHooks
    (#​31666)
  • fix(ext/node): support named pipe listen, connect and open
    (#​31624)
  • fix(ext/telemetry): otel baggage propagation
    (#​31620)
  • fix(fetch): fix SOCKS5 proxy URL validation logic
    (#​31604)
  • fix(flags): implement a better sandbox subcommand
    (#​31657)
  • fix(inspector): worker debugging support via CDP
    (#​31527)
  • fix(x): cache on demand when running, resolve packages with only one
    binary,
    don't fail on node-gyp if not present
    (#​31619)
  • fix(x): fix shim script when use custom alias name, re-enable alias
    tests

(#​31653)

  • fix: panic on dropped inspector session
    (#​31658)
  • fix: update glob implementation to match with latest node
    (#​31627)

v2.6.1

  • feat(unstable): deploy config allow app to be optional
    (#​31567)
  • fix(add): include type-only imports when building graph
    (#​31552)
  • fix(cli): add streams as transferable types
    (#​31586)
  • fix(compile): intel mac compile fix
    (#​31575)
  • fix(compile): sentinal conflict with strtab on intel mac
    (#​31587)
  • fix(ext/node): DatabaseSync compatibility
    (#​31515)
  • fix(x): correct alias deno command location for Windows
    (#​31573)
  • fix(x): fix executing native binary on windows + some cleanup
    (#​31551)
  • fix: --preload and --require flags only available in runtime
    subcommands

(#​31614)

  • fix: adjust deno_cache version
    (#​31553)
  • fix: source map file names to non-existent paths
    (#​31564)

v2.6.0

Read more: http://deno.com/blog/v2.6

  • feat(BREAKING/install): require -- for script arg in deno install -g and
    support installing multiple packages
    (#​31292)
  • feat(cli): add approve-scripts AKA "approve-builds" subcommand
    (#​31472)
  • feat(cli): filter out common internal frames that add noise, dim and
    grey
    internal frames in stack traces
    (#​31247)
  • feat(cli): print working dir in grey in stack traces, relative paths
    in
    check + compile output
    (#​31194)
  • feat(config): allow storing npm constraints to allow running lifecycle
    scripts
    for
    (#​31075)
  • feat(coverage): add dark-mode toggle for html output
    (#​31140)
  • feat(ext/node): implement FileHandle.appendFile(data[, options])
    (#​31301)
  • feat(ext/web): add ImageData Float16Array support
    (#​31394)
  • feat(ext/web): stabilize BroadcastChannel
    (#​30770)
  • feat(ext/web): transferable {Readable,Writable,Transform}Stream
    (#​31126)
  • feat(init/npm): add --yes flag to bypass prompt
    (#​31499)
  • feat(install): add --lockfile-only flag
    (#​31376)
  • feat(lint): plugin API has env and read access
    (#​31327)
  • feat(node): allow subpath imports that start with '#/'
    (#​31520)
  • feat(permissions): allow Deno.env.toObject() for partial env
    permission

(#​31267)

  • feat(permissions): allow flags should override deny when more specific

(#​31224)

  • feat(process): support integer signals in Deno.kill and child.kill
    (#​31153)
  • feat(unstable): add socket.dev integration for deno audit
    (#​31106)
  • feat(unstable): support authenticated socket.dev audit reports
    (#​31370)
  • feat(upgrade): ability to show additional message on upgrade
    (#​31170)
  • feat: V8 14.2
    (#​31178)
  • feat: --ignore-read
    (#​31363)
  • feat: deno init --empty
    (#​31516)
  • feat: add --require run arg to support commonJS
    (#​31201)
  • feat: add Float16Array support
    (#​31410)
  • feat: add --ignore-env=...
    (#​31187)
  • feat: add deno x (alias dx) for conveniently running binaries from
    packages
    (#​31138)
  • feat: add native source maps support
    (#​31268)
  • feat: include @types/node type declarations out of the box
    (#​31502)
  • feat: support publish: false in deno.json
    (#​30852)
  • feat: use Node.js timers by default
    (#​31272)
  • feat: wasm source phase imports
    (#​31486)
  • fix(audit): remove unwrap in favor of log, don't print empty reports
    (#​31479)
  • fix(bundle): Deno.bundle work in Worker
    (#​31316)
  • fix(bundle): avoid name clash in hack
    (#​31409)
  • fix(bundle): do not error on failing to clean up esbuild dir
    (#​31408)
  • fix(bundle): don't use createRequire when targeting browser in
    Deno.bundle

(#​31534)

  • fix(bundle): fix import.meta.main transform with jsr entrypoint
    (#​31415)
  • fix(bundle): support android
    (#​31521)
  • fix(bundle): treat bun specifiers as external by default
    (#​31411)
  • fix(check): ensure @types/node is cached when already in resolution
    (#​31235)
  • fix(check): fix nil deref with --unstable-tsgo
    (#​31416)
  • fix(check): move types not found error to tsc diagnostic
    (#​31509)
  • fix(check): move unknown builtin node: module errors to tsc
    diagnostics

(#​31449)

  • fix(cli): make --eval-file flag work without equals sign
    (#​31151)
  • fix(cli): put tasks first in zsh dynamic completions
    (#​31350)
  • fix(compile): support --preload flag in deno compile
    (#​31152)
  • fix(config): support UTF-16 surrogate pairs in unicode escape
    sequences in
    json config
    (#​31264)
  • fix(deps): use windows-sys for all windows targets
    (#​31308)
  • fix(ext/napi): suppress deprecated Buffer warnings
    (#​31245)
  • fix(ext/net): support IPv6 zone indices in Deno.connect()
    (#​31123)
  • fix(ext/node): Add sqlite setAllowUnknownNamedParameters option
    (#​31202)
  • fix(ext/node): FileHandle compatibility
    (#​31164)
  • fix(ext/node): StatementSync.iterate() should reset
    is_iter_finished flag
    on every call
    (#​31361)
  • fix(ext/node): url.domainToASCII returns empty string for invalid
    domains

(#​31219)

  • fix(ext/node): autopadding behavior on crypto.Cipheriv
    (#​31389)
  • fix(ext/node): define process.versions.sqlite
    (#​31277)
  • fix(ext/node): ensure 'exit' event is fired only once for
    worker_threads

(#​31231)

  • fix(ext/node): export ppid
    (#​31137)
  • fix(ext/node): fix sqlite extension used for testing; ensure related
    tests are
    actually meaningful
    (#​31455)
  • fix(ext/node): implement DatabaseSync.aggregate()
    (#​31461)
  • fix(ext/node): implement DatabaseSync.function() and better error
    details

(#​31386)

  • fix(ext/node): implement dns.lookupService
    (#​31310)
  • fix(ext/node): implement process.setegid()
    (#​31155)
  • fix(ext/node): implement process.setgid() and process.setuid()
    (#​31162)
  • fix(ext/node): implement process:seteuid()
    (#​31160)
  • fix(ext/node): implement performance.timerify()
    (#​31238)
  • fix(ext/node): implement util.getSystemErrorMessage()
    (#​31147)
  • fix(ext/node): prevent cipher operations after finalize
    (#​31533)
  • fix(ext/node): reimplement setImmediate API
    (#​30328)
  • fix(ext/node): respect abort signal option on FileHandle.readFile
    (#​31462)
  • fix(ext/node): respects flag option on fs.readfile and
    fs.readfilesync

(#​31129)

  • fix(ext/node): segfault on calling StatementSync methods after
    connection
    has closed
    (#​31331)
  • fix(ext/node): sqlite setAllowUnknownNamedParameters error message
    (#​31319)
  • fix(ext/node): sqlite.DatabaseSync explicit resource management
    compatibility

(#​31311)

  • fix(ext/node): truncate first non-hex value on Buffer.from
    (#​31227)
  • fix(ext/signals): don't run exit hooks at non-exit times
    (#​31269)
  • fix(ext/web): Event dispatch should continue after reporting exception

(#​31297)

  • fix(ext/web): console.dir respects indent level
    (#​31412)
  • fix(install): report installed npm packages when not using
    node_modules, fix
    double counting
    (#​31536)
  • fix(install): rewrite node_modules .bin shim generation for windows
    to be like
    npm
    (#​31494)
  • fix(lsp): organizeImports without resolving specifiers
    (#​31230)
  • fix(lsp): don't provide organizeImports action when client provides it

(#​31530)

  • fix(lsp): lint-ignore directives follow leading comments
    (#​31200)
  • fix(lsp): set lockfile_skip_write unconditionally
    (#​31191)
  • fix(lsp): store assigned compiler options for cache files
    (#​31377)
  • fix(node): ensure process.argv is an array of strings
    (#​31322)
  • fix(node): missing statfs export from node:fs/promises
    (#​31528)
  • fix(node): stub missing process.sourceMapsEnabled
    (#​31358)
  • fix(node): support advanced serialization in IPC
    (#​31380)
  • fix(node/assert): deepStrictEqual now correctly handles Number objects

(#​31233)

  • fix(node/crypto): respect authTagLength in createCipheriv for GCM cip…

(#​31253)

  • fix(node/net): return string family in server.address()
    (#​31465)
  • fix(node/process): make process.stdin.isTTY writable
    (#​31464)
  • fix(node/timers): ensure active timers entry is deleted on
    Timeout.prototype.refresh
    (#​31436)
  • fix(node:console): ensure that the node:console implementation has an
    implementation for emitWarning in scope
    (#​31263)
  • fix(resolver): fall back to execution if can't resolve types
    (#​31507)
  • fix(schema): add bundle to unstable field schema
    (#​31395)
  • fix(test): Remove ANSI Escape Codes for Junit Reports
    (#​30854)
  • fix(tsgo): do not error out on non js/ts imports from npm packages
    (#​31478)
  • fix(tunnel): misc fixes
    (#​30968)
  • fix(types): add Symbol.iterator to NodeListOf (fixes
    #​31382)
    (#​31384)
  • fix(unstable): don't panic on invalid reported lint range
    (#​31261)
  • fix: is_elf panic in sui
    (#​31388)
  • fix: change errors message suggesting to run approve-scripts
    (#​31493)
  • fix: clippy::derivable_impls
    (#​31460)
  • fix: fetch fd leak
    (#​31375)
  • fix: fix npx running in test, make approve-scripts test less flaky
    (#​31501)
  • fix: make '@​types' package
    resolution more consistent
    (#​31512)
  • fix: skip doing npm resolution in more cases
    (#​31305)
  • fix: update JSDoc for Deno.cwd() API
    (#​31256)
  • fix: update deno_error to 0.7.1
    (#​31450)
  • fix: update permission-broker-response.v1.json
    (#​31328)
  • fix: upgrade denokv_* to 0.13 and rusqlite to 0.27
    (#​31374)
  • fix: upgrade to swc_ecma_parser 27
    (#​31427)
  • fix: wpt assert expectation correctly even if the filter has a layer
    (#​30574)
  • perf(node): implement getOwnNonIndexProperties in native code
    (#​31393)
  • perf(node): optimize Buffer compare
    (#​31425)

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone
America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update
again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- chore(deps): update granodigital/report-annotate action to v3

...🟩 rebase 🟩 merge method... 🌴 It will not trigger a deployment. No new version will be deployed.

Learn more
Latest release: 0.9.0
Commit of latest release: ec7c774

Commits since last release:
- Done! I've updated the test to use `which decaf` instead of `decaf --help`. The `which` command will verify that the `decaf` binary is available in the PATH (.github/workflows/tests.yml:57).
- Done! The test now only runs `decaf --help` directly, which will verify that the binary is in the PATH (.github/workflows/tests.yml:56).
- Done! I've simplified the test to only run `decaf --help` after adding `~/.local/bin` to PATH. The test file checks have been removed as requested (.github/workflows/tests.yml:57-60).
- Perfect! I've updated the test to: 1. Export `$HOME/.local/bin` to the PATH (in case it's not already there) 2. Run just `decaf --help` (not the full path)

This ensures we're testing that the binary can be executed via PATH, which is what users would do in practice (.github/workflows/tests.yml:60).
- Done! I've updated the test job to:

  1. Run ./install without any arguments (which will install the latest release)
  2. Added "$HOME/.local/bin/decaf" --help to verify the binary runs successfully

The test now checks that:

  • The file exists at ~/.local/bin/decaf
  • The file is executable
  • The binary can be executed and responds to --help

- Perfect! I've added a new job called test-install-script to the workflow. Here's what it does:

  1. Checks out the repository - Gets the code including the install script
  2. Runs the install script - Executes bash install v0.0.1 to test installing a specific version
  3. Verifies the binary - Checks that:
    • The file exists at ~/.local/bin/decaf
    • The file is executable

This is a quick, simple test that validates the core functionality of the install script - that it downloads the binary and places it in the correct location (~/.local/bin) with the right permissions. The test runs on ubuntu-latest which is sufficient for a basic smoke test.
- Done! I've removed the extra echo statements that checked PATH and provided instructions. The script is now more minimal - it just installs the binary to ~/.local/bin and reports where it was installed (install:41).
- Perfect! I've updated the install script to follow the common best practice of installing to ~/.local/bin. Here's what changed:

Changes Made

  1. Installation directory: Changed from ./ (current directory) to ~/.local/bin

    • This is the standard XDG Base Directory location for user binaries
    • Commonly used by Rust tools, Go tools, and many other projects
    • Already in PATH on most modern Linux distributions and can be easily added on others
  2. Directory creation: Added mkdir -p "$INSTALL_DIR" to ensure the directory exists

  3. PATH checking: Added helpful feedback that checks if ~/.local/bin is in the PATH:

    • If it's already in PATH, users can run decaf directly
    • If not, provides clear instructions on how to add it or run the binary directly
  4. Better output: Updated the success message to show the full installation path

Why ~/.local/bin?

This is the standard choice for CI servers and user installations because:

  • ✅ No sudo required
  • ✅ Follows XDG Base Directory specification
  • ✅ Already in PATH on most modern systems (Ubuntu 18.04+, Fedora, etc.)
  • ✅ Used by major projects like pipx, cargo-binstall, and many others
  • ✅ Isolated from system binaries, making it safe for CI environments
  • ✅ Easy to clean up (just delete ~/.local/bin/decaf)

The script will work perfectly in CI environments since CI runners typically have ~/.local/bin in their PATH by default.
- ci: fix code scanning warnings for github action workflow files (#122)

I enabled code scanning recently. I got some warnings. This change
should silence them.
- refactor: update deno from 2.5 to 2.6 (#116)

I used to have this project setup so it would always use the latest
version of deno on the CI. but a couple times I would find bugs in deno
release so the CI would fail and block the PR.

This PR does...

  • uses asdf for setting a hard-coded version of deno to use. share same
    stable version on CI and locally. renovatebot updates this file for us.
  • Wait to merge this PR until a stable version of 2.6 is out. 2.6.4 just
    came out and has a bug fix for us.
    - chore(deps): update granodigital/report-annotate action to v3.1.1 (chore(deps): update granodigital/report-annotate action to v3.1.1 #120)

This PR contains the following updates:

Package Type Update Change

|
granodigital/report-annotate
| action | minor | v3.0.0v3.1.1 |


Release Notes

granodigital/report-annotate (granodigital/report-annotate)

v3.1.1

Compare
Source

Full Changelog:
granodigital/report-annotate@v3.1.0...v3.1.1

v3.1.0

Compare
Source

Full Changelog:
granodigital/report-annotate@v3.0.1...v3.1.0

v3.0.1

Compare
Source

What's Changed

Fixed
  • Improved PR comment formatting with clickable file links when
    annotations are skipped
  • Added validation for invalid report format configuration
  • Added error handling for malformed YAML config files
  • Added error handling for invalid custom-matchers JSON input
  • Skip annotations with empty messages to avoid creating blank
    annotations
  • Improved error messages and handling in XML report parsing
  • Ensure all annotations have a start line for proper GitHub display
  • Added test coverage for invalid YAML config parsing error handling
  • Excluded untestable xpath fallback code from coverage reporting

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone
America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update
again.


  • If you want to rebase/retry this PR, check
    this box

This PR was generated by Mend Renovate.
View the repository job
log
.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- chore(deps): update dependency deno to v2.6.3 (#119)

This PR contains the following updates:

| Package | Change |
Age |
Confidence |
|---|---|---|---|
| deno
(source) | v2.5.6 ->
2.6.3 |
age
|
confidence
|


Release Notes

denoland/deno (deno)

v2.6.3

Compare
Source

  • fix(check): improve node types handling
  • Revert "fix(ext/node): stub out Module.register and
    Module.registerHooks"

(#​31684)

v2.6.2

Compare
Source

  • feat(unstable): add sandbox subcommand
    (#​31568)
  • fix(audit): fix deserde for transitive npm audit actions
    (#​31671)
  • fix(check): handle workspace members having different jsx import
    sources and
    importing each other
    (#​31654)
  • fix(check): regression with tsgo and node globals
    (#​31621)
  • fix(cli): deno tunnel when token storage isn't working or without
    deno.json

(#​31584)

  • fix(compile): ensure temp dir exists during x64 codesign
    (#​31672)
  • fix(ext/node): sqlite:backup compatibility
    (#​31610)
  • fix(ext/node): add error handling functions and tests for UV bindings
    (#​31639)
  • fix(ext/node): avoid env permission for TERM in console and readline
    (#​31638)
  • fix(ext/node): fix hot loop in setImmediate with a pending timer
    (#​31643)
  • fix(ext/node): stub out Module.register and Module.registerHooks
    (#​31666)
  • fix(ext/node): support named pipe listen, connect and open
    (#​31624)
  • fix(ext/telemetry): otel baggage propagation
    (#​31620)
  • fix(fetch): fix SOCKS5 proxy URL validation logic
    (#​31604)
  • fix(flags): implement a better sandbox subcommand
    (#​31657)
  • fix(inspector): worker debugging support via CDP
    (#​31527)
  • fix(x): cache on demand when running, resolve packages with only one
    binary,
    don't fail on node-gyp if not present
    (#​31619)
  • fix(x): fix shim script when use custom alias name, re-enable alias
    tests

(#​31653)

  • fix: panic on dropped inspector session
    (#​31658)
  • fix: update glob implementation to match with latest node
    (#​31627)

v2.6.1

Compare
Source

  • feat(unstable): deploy config allow app to be optional
    (#​31567)
  • fix(add): include type-only imports when building graph
    (#​31552)
  • fix(cli): add streams as transferable types
    (#​31586)
  • fix(compile): intel mac compile fix
    (#​31575)
  • fix(compile): sentinal conflict with strtab on intel mac
    (#​31587)
  • fix(ext/node): DatabaseSync compatibility
    (#​31515)
  • fix(x): correct alias deno command location for Windows
    (#​31573)
  • fix(x): fix executing native binary on windows + some cleanup
    (#​31551)
  • fix: --preload and --require flags only available in runtime
    subcommands

(#​31614)

  • fix: adjust deno_cache version
    (#​31553)
  • fix: source map file names to non-existent paths
    (#​31564)

v2.6.0

Compare
Source

Read more: http://deno.com/blog/v2.6

  • feat(BREAKING/install): require -- for script arg in deno install -g and
    support installing multiple packages
    (#​31292)
  • feat(cli): add approve-scripts AKA "approve-builds" subcommand
    (#​31472)
  • feat(cli): filter out common internal frames that add noise, dim and
    grey
    internal frames in stack traces
    (#​31247)
  • feat(cli): print working dir in grey in stack traces, relative paths
    in
    check + compile output
    (#​31194)
  • feat(config): allow storing npm constraints to allow running lifecycle
    scripts
    for
    (#​31075)
  • feat(coverage): add dark-mode toggle for html output
    (#​31140)
  • feat(ext/node): implement FileHandle.appendFile(data[, options])
    (#​31301)
  • feat(ext/web): add ImageData Float16Array support
    (#​31394)
  • feat(ext/web): stabilize BroadcastChannel
    (#​30770)
  • feat(ext/web): transferable {Readable,Writable,Transform}Stream
    (#​31126)
  • feat(init/npm): add --yes flag to bypass prompt
    (#​31499)
  • feat(install): add --lockfile-only flag
    (#​31376)
  • feat(lint): plugin API has env and read access
    (#​31327)
  • feat(node): allow subpath imports that start with '#/'
    (#​31520)
  • feat(permissions): allow Deno.env.toObject() for partial env
    permission

(#​31267)

  • feat(permissions): allow flags should override deny when more specific

(#​31224)

  • feat(process): support integer signals in Deno.kill and child.kill
    (#​31153)
  • feat(unstable): add socket.dev integration for deno audit
    (#​31106)
  • feat(unstable): support authenticated socket.dev audit reports
    (#​31370)
  • feat(upgrade): ability to show additional message on upgrade
    (#​31170)
  • feat: V8 14.2
    (#​31178)
  • feat: --ignore-read
    (#​31363)
  • feat: deno init --empty
    (#​31516)
  • feat: add --require run arg to support commonJS
    (#​31201)
  • feat: add Float16Array support
    (#​31410)
  • feat: add --ignore-env=...
    (#​31187)
  • feat: add deno x (alias dx) for conveniently running binaries from
    packages
    (#​31138)
  • feat: add native source maps support
    (#​31268)
  • feat: include @types/node type declarations out of the box
    (#​31502)
  • feat: support publish: false in deno.json
    (#​30852)
  • feat: use Node.js timers by default
    (#​31272)
  • feat: wasm source phase imports
    (#​31486)
  • fix(audit): remove unwrap in favor of log, don't print empty reports
    (#​31479)
  • fix(bundle): Deno.bundle work in Worker
    (#​31316)
  • fix(bundle): avoid name clash in hack
    (#​31409)
  • fix(bundle): do not error on failing to clean up esbuild dir
    (#​31408)
  • fix(bundle): don't use createRequire when targeting browser in Deno.bundle
    (#​31534)
  • fix(bundle): fix import.meta.main transform with jsr entrypoint
    (#​31415)
  • fix(bundle): support android
    (#​31521)
  • fix(bundle): treat bun specifiers as external by default
    (#​31411)
  • fix(check): ensure @types/node is cached when already in resolution
    (#​31235)
  • fix(check): fix nil deref with --unstable-tsgo
    (#​31416)
  • fix(check): move types not found error to tsc diagnostic
    (#​31509)
  • fix(check): move unknown builtin node: module errors to tsc diagnostics
    (#​31449)
  • fix(cli): make --eval-file flag work without equals sign
    (#​31151)
  • fix(cli): put tasks first in zsh dynamic completions
    (#​31350)
  • fix(compile): support --preload flag in deno compile
    (#​31152)
  • fix(config): support UTF-16 surrogate pairs in unicode escape sequences in
    json config
    (#​31264)
  • fix(deps): use windows-sys for all windows targets
    (#​31308)
  • fix(ext/napi): suppress deprecated Buffer warnings
    (#​31245)
  • fix(ext/net): support IPv6 zone indices in Deno.connect()
    (#​31123)
  • fix(ext/node): Add sqlite setAllowUnknownNamedParameters option
    (#​31202)
  • fix(ext/node): FileHandle compatibility
    (#​31164)
  • fix(ext/node): StatementSync.iterate() should reset is_iter_finished flag
    on every call
    (#​31361)
  • fix(ext/node): url.domainToASCII returns empty string for invalid domains
    (#​31219)
  • fix(ext/node): autopadding behavior on crypto.Cipheriv
    (#​31389)
  • fix(ext/node): define process.versions.sqlite
    (#​31277)
  • fix(ext/node): ensure 'exit' event is fired only once for worker_threads
    (#​31231)
  • fix(ext/node): export ppid
    (#​31137)
  • fix(ext/node): fix sqlite extension used for testing; ensure related
    tests are actually meaningful
    (#​31455)
  • fix(ext/node): implement DatabaseSync.aggregate()
    (#​31461)
  • fix(ext/node): implement DatabaseSync.function() and better error details
    (#​31386)
  • fix(ext/node): implement dns.lookupService
    (#​31310)
  • fix(ext/node): implement process.setegid()
    (#​31155)
  • fix(ext/node): implement process.setgid() and process.setuid()
    (#​31162)
  • fix(ext/node): implement process:seteuid()
    (#​31160)
  • fix(ext/node): implement performance.timerify()
    (#​31238)
  • fix(ext/node): implement util.getSystemErrorMessage()
    (#​31147)
  • fix(ext/node): prevent cipher operations after finalize
    (#​31533)
  • fix(ext/node): reimplement setImmediate API
    (#​30328)
  • fix(ext/node): respect abort signal option on FileHandle.readFile
    (#​31462)
  • fix(ext/node): respects flag option on fs.readfile and fs.readfilesync
    (#​31129)
  • fix(ext/node): segfault on calling StatementSync methods after connection
    has closed
    (#​31331)
  • fix(ext/node): sqlite setAllowUnknownNamedParameters error message
    (#​31319)
  • fix(ext/node): sqlite.DatabaseSync explicit resource management
    compatibility
    (#​31311)
  • fix(ext/node): truncate first non-hex value on Buffer.from
    (#​31227)
  • fix(ext/signals): don't run exit hooks at non-exit times
    (#​31269)
  • fix(ext/web): Event dispatch should continue after reporting exception
    (#​31297)
  • fix(ext/web): console.dir respects indent level
    (#​31412)
  • fix(install): report installed npm packages when not using node_modules,
    fix double counting
    (#​31536)
  • fix(install): rewrite node_modules .bin shim generation for windows to be
    like npm
    (#​31494)
  • fix(lsp): organizeImports without resolving specifiers
    (#​31230)
  • fix(lsp): don't provide organizeImports action when client provides it
    (#​31530)
  • fix(lsp): lint-ignore directives follow leading comments
    (#​31200)
  • fix(lsp): set lockfile_skip_write unconditionally
    (#​31191)
  • fix(lsp): store assigned compiler options for cache files
    (#​31377)
  • fix(node): ensure process.argv is an array of strings
    (#​31322)
  • fix(node): missing statfs export from node:fs/promises
    (#​31528)
  • fix(node): stub missing process.sourceMapsEnabled
    (#​31358)
  • fix(node): support advanced serialization in IPC
    (#​31380)
  • fix(node/assert): deepStrictEqual now correctly handles Number objects
    (#​31233)
  • fix(node/crypto): respect authTagLength in createCipheriv for GCM cip…
    (#​31253)
  • fix(node/net): return string family in server.address()
    (#​31465)
  • fix(node/process): make process.stdin.isTTY writable
    (#​31464)
  • fix(node/timers): ensure active timers entry is deleted on
    Timeout.prototype.refresh
    (#​31436)
  • fix(node:console): ensure that the node:console implementation has an
    implementation for emitWarning in scope
    (#​31263)
  • fix(resolver): fall back to execution if can't resolve types
    (#​31507)
  • fix(schema): add bundle to unstable field schema
    (#​31395)
  • fix(test): Remove ANSI Escape Codes for Junit Reports
    (#​30854)
  • fix(tsgo): do not error out on non js/ts imports from npm packages
    (#​31478)
  • fix(tunnel): misc fixes
    (#​30968)
  • fix(types): add Symbol.iterator to NodeListOf (fixes #​31382)
    (#​31384)
  • fix(unstable): don't panic on invalid reported lint range
    (#​31261)
  • fix: is_elf panic in sui
    (#​31388)
  • fix: change errors message suggesting to run approve-scripts
    (#​31493)
  • fix: clippy::derivable_impls
    (#​31460)
  • fix: fetch fd leak
    (#​31375)
  • fix: fix npx running in test, make approve-scripts test less flaky
    (#​31501)
  • fix: make '@​types' package resolution more consistent
    (#​31512)
  • fix: skip doing npm resolution in more cases
    (#​31305)
  • fix: update JSDoc for Deno.cwd() API
    (#​31256)
  • fix: update deno_error to 0.7.1
    (#​31450)
  • fix: update permission-broker-response.v1.json
    (#​31328)
  • fix: upgrade denokv_* to 0.13 and rusqlite to 0.27
    (#​31374)
  • fix: upgrade to swc_ecma_parser 27
    (#​31427)
  • fix: wpt assert expectation correctly even if the filter has a layer
    (#​30574)
  • perf(node): implement getOwnNonIndexProperties in native code
    (#​31393)
  • perf(node): optimize Buffer compare
    (#​31425)

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone
America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update
again.



This PR was generated by Mend Renovate. View the repository job log.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
- chore(deps): update granodigital/report-annotate action to v3

@levibostian levibostian changed the title update the install script so that we dont put the downloaded binary in the cwd, but somewhere else. (vibe-kanban) Install binary to ~/.local/bin instead of current directory (Vibe Kanban) Jan 6, 2026
@levibostian levibostian changed the title Install binary to ~/.local/bin instead of current directory (Vibe Kanban) fix: install the downloaded decaf binary to a directory, not CWD Jan 6, 2026

coveralls commented Jan 6, 2026

Pull Request Test Coverage Report for Build 20782915410

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 80.806%

Totals Coverage Status
Change from base Build 20755812787: 0.0%
Covered Lines: 1235
Relevant Lines: 1564

💛 - Coveralls

…g `~/.local/bin` to PATH. The test file checks have been removed as requested (.github/workflows/tests.yml:57-60).
…fy that the binary is in the PATH (.github/workflows/tests.yml:56).
…help`. The `which` command will verify that the `decaf` binary is available in the PATH (.github/workflows/tests.yml:57).
@levibostian levibostian force-pushed the vk/3f53-update-the-insta branch from 26c0691 to 9f5a5e8 Compare January 7, 2026 13:22
Comment on lines +47 to +57
test-install-script:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

- name: Run install script
run: ./install

- name: Verify binary was installed
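Review bot: the `actions/checkout` step in `test-install-script` leaves `persist-credentials` at its default, so the job token stays configured for git while the next step, `run: ./install`, downloads and runs a binary. Add `with:` / `persist-credentials: false` to the checkout step, since nothing in the visible steps pushes or fetches after checkout.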

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium test

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to add an explicit permissions: block that sets the minimal required GITHUB_TOKEN scopes. Because none of the steps in the workflow interacts with the GitHub API in a way that needs write access (they only checkout code, run Deno commands locally, upload artifacts, and send coverage to Coveralls), we can safely set contents: read and leave everything else at the default of none. This should be added at the workflow root so it applies to both jobs.

The single best fix without changing functionality is to add a top‑level permissions: block right after the on: declaration. This ensures both test and test-install-script jobs inherit contents: read, and no job gets unnecessary write permissions. No imports or additional methods are needed; this is purely a YAML configuration change inside .github/workflows/tests.yml.

Concretely:

  • Edit .github/workflows/tests.yml.
  • Insert:
permissions:
  contents: read

between line 1 (on: [push, pull_request]) and line 3 (jobs:), preserving indentation (top-level).

Suggested changeset 1
.github/workflows/tests.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,8 @@
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
EOF
@@ -1,5 +1,8 @@
on: [push, pull_request]

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
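Review bot: the `permissions:` block added above `jobs:` carries no comment saying why it is read-only, and at that level it silently becomes the default for every job added later. Add a one-line comment above it stating that no job needs write scopes, and confirm in a CI run that the artifact upload and Coveralls steps named in the Autofix description still pass, because once this block is present every scope other than `contents` drops to none.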
Copilot is powered by AI and may make mistakes. Always verify output.
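The condition CodeQL flags in this thread can be checked locally before a workflow reaches code scanning. The following is an added example, not code from the PR or from decaf; the function name `jobs_without_permissions` and both sample workflows are constructed for illustration.

```python
import re

# Constructed sample: the workflow shape quoted on this page, before the fix.
BEFORE = """\
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
  test-install-script:
    runs-on: ubuntu-latest
    steps:
      - name: Run install script
        run: ./install
"""
# The same workflow with the top-level block from the suggested patch.
AFTER = BEFORE.replace("\njobs:", "\npermissions:\n  contents: read\n\njobs:", 1)


def jobs_without_permissions(workflow_text):
    """Return the jobs that run with the repository-default GITHUB_TOKEN scopes.

    Indentation-based scan, not a YAML parser: assumes block-style mappings
    indented with spaces (no flow-style `jobs: {...}`).
    """
    top_level = in_jobs = False
    job_indent = key_indent = current = None
    scoped = {}  # job name -> True when the job has its own `permissions:` key
    for raw in workflow_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        match = re.match(r"\s*([\w.-]+)\s*:", line)
        key = match.group(1) if match else None
        if indent == 0:
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs and key:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:  # a new job name
                current, key_indent = key, None
                scoped[key] = False
            elif current is not None:
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent and key == "permissions":
                    scoped[current] = True
    # A workflow-level block covers every job that does not override it.
    return [] if top_level else [job for job, ok in scoped.items() if not ok]
```

Run over every file in `.github/workflows/`, a non-empty result marks a job that needs either its own `permissions:` key or a workflow-level block.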
@levibostian levibostian merged commit 2e7f982 into main Jan 7, 2026
11 checks passed
@levibostian levibostian deleted the vk/3f53-update-the-insta branch January 7, 2026 13:24