ci: adopt detect-changes gating, runloopai actions, pnpm 10 workspace security pins, drop ink-big-text#243

Open
jason-rl wants to merge 4 commits into
mainfrom
jason/ci-detect-changes

Conversation

jason-rl (Contributor) commented Jun 8, 2026

Description

Adapts the CI consolidation and supply-chain hardening patterns from runloopai/runloop-fe#1919 into rl-cli, and removes the ink-big-text runtime dependency.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test updates

Related Issues

Closes #

Changes Made

ci.yml — adopt runloop-fe#1919 patterns

  • detect-changes job: gates format/lint/build/test via tj-actions/changed-files (SHA-pinned) + inlined ci.yml self-change detection. Self-change detection now enumerates job keys via yq rather than a hardcoded list, so new jobs are automatically detected.
  • runloopai/* action wrappers: runloopai/checkout@main, runloopai/pnpm-action@master, runloopai/setup-node@main, runloopai/github-script@main, runloopai/upload-artifact@main throughout. Third-party tj-actions/changed-files remains SHA-pinned.
  • Push trigger on main with push-aware concurrency (run_id key for push — never cancels main builds; ref key for PRs — cancels superseded runs).
  • Conditional runs-on: when a job will do real work it gets ubuntu-latest; when skipped it stays on ubuntu-slim. Job-level if: with failure() || (success() && (pull_request || output != 'false')) ensures required status checks always report even when skipped.
  • No job-level name: fields: GitHub uses the job ID as the status-check context when name: is absent. Omitting them preserves the lowercase-hyphen job-ID contexts the branch ruleset requires (detect-changes, format, lint, build, test).
  • Removes the old ready-to-merge aggregator and the old inlined dependency-check job.

dependency-age-check.yml — separated supply-chain gate

Moves the dependency age gate out of ci.yml into its own workflow using runloopai/lisan-al-gaib-action@main (already in place). Adds a push trigger with path filters so the gate re-runs on main merges that touch the lockfile or workspace configuration.

release.yml — App token for release-please (unchanged from prior commit)

  • actions/create-github-app-token@v3 mints a short-lived token for release-please so its PRs fire a normal pull_request event, eliminating the need for pull_request_target.

pnpm 10 + pnpm-workspace.yaml — security pins

  • Bumps packageManager to pnpm@10.33.0 and removes the "pnpm" field from package.json (pnpm 10 reads these settings from pnpm-workspace.yaml instead).
  • New pnpm-workspace.yaml: minimumReleaseAge: 10080 (7-day supply-chain gate matching lisan-al-gaib's min-age-days), @runloop/api-client excluded from the age gate, onlyBuiltDependencies: [esbuild].
  • 23 advisory-keyed security overrides: each key is the Dependabot advisory's vulnerable_version_range, value is the exact first_patched_version (no carets). Replaces the old scoped/caret-based overrides in package.json#pnpm.

ink-big-text removal

  • src/components/Banner.tsx: replaces the runtime cfonts/ink-big-text render with a pre-rendered BANNER_ART template literal, removing the cfonts/window-size transitive dependency subtree.
  • Cleans up jest.mock("ink-big-text", …) from all three test setup files and removes ink-big-text from jest.config.js transformIgnorePatterns.

Lockfile hygiene

  • .gitattributes: pnpm-lock.yaml -merge linguist-vendored (prevents garbage merge conflicts; drops lockfile from GitHub language stats).
  • .prettierignore: adds pnpm-lock.yaml.

Testing

  • pnpm run build (tsc) → clean
  • pnpm run lint → 0 errors (pre-existing warnings only)
  • pnpm run format:check → passes
  • pnpm run test:components → 34 suites, 296 tests pass
  • actionlint .github/workflows/ci.yml .github/workflows/dependency-age-check.yml → clean
  • yq -r '.jobs | keys | .[]' and yq -r '.jobs["detect-changes"].outputs | keys | .[]' on ci.yml return expected keys

End-to-end caveat: the detect-changes/yq/self-change logic and the dependency-check/minimumReleaseAge age gates are only fully exercised in GitHub Actions and depend on yq being present on ubuntu-slim. The first CI run on this PR is the real validation.

Manual prerequisites before merging:

  1. Create a GitHub App with contents: write + pull-requests: write, install it on this repo, and add repo secrets DEPLOY_APP_CLIENT_ID and DEPLOY_APP_PRIVATE_KEY. Also ensure Settings → Actions → "Allow GitHub Actions to create and approve pull requests" is enabled.
  2. Update the "main" branch ruleset required-status-check contexts atomically with this merge: remove ready-to-merge and add detect-changes so the full required set is: detect-changes, format, lint, build, test, dependency-check, pr-title-check. If detect-changes is omitted, a runner outage silently skips all downstream jobs and unblocks merge.

Checklist

  • My code follows the code style of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have updated the documentation accordingly
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published
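The gating pattern the description above lays out (one detect-changes output per job, conditional runs-on, a job-level if: that still reports a status when skipped, push-aware concurrency, and self-change detection that enumerates the declared outputs with yq) as an added example workflow. It is not the PR's ci.yml: the path groups, the output names build and test, the node-version input on runloopai/setup-node and the all-zero SHA placeholder for tj-actions/changed-files are assumptions made for illustration; the runloopai/* wrappers and the ubuntu-slim label are the ones the PR names, and yq is assumed to be installed on the runner, as the PR itself notes.

```yaml
# Added example, not the PR's ci.yml. Path groups, output names and the
# changed-files SHA placeholder are assumptions made for illustration.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Push runs are keyed on run_id, so a build of main is never cancelled;
# PR runs are keyed on ref, so a superseded run of the same PR is cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.run_id || github.ref }}
  cancel-in-progress: ${{ github.event_name != 'push' }}

jobs:
  detect-changes:
    runs-on: ubuntu-slim
    outputs:
      # One output per downstream job. Consumers test for != 'false', so an
      # output left unset because the gate step died does not skip the job.
      build: ${{ steps.gate.outputs.build }}
      test: ${{ steps.gate.outputs.test }}
    steps:
      - uses: runloopai/checkout@main
        with:
          fetch-depth: 0

      - id: changes
        # Third-party action: pin to the full commit SHA of an audited release
        # (all-zero placeholder below), never to a tag or branch.
        uses: tj-actions/changed-files@0000000000000000000000000000000000000000
        with:
          files_yaml: |
            ci:
              - .github/workflows/ci.yml
            build:
              - src/**
              - package.json
              - pnpm-lock.yaml
              - pnpm-workspace.yaml
            test:
              - src/**
              - tests/**

      - id: gate
        env:
          CI_CHANGED: ${{ steps.changes.outputs.ci_any_changed }}
          BUILD_CHANGED: ${{ steps.changes.outputs.build_any_changed }}
          TEST_CHANGED: ${{ steps.changes.outputs.test_any_changed }}
        run: |
          if [ "$CI_CHANGED" = "true" ]; then
            # Self-change: this workflow itself changed, so force every job on.
            # Enumerating the declared outputs with yq (assumed installed)
            # means a newly added job is covered without editing this step.
            yq -r '.jobs["detect-changes"].outputs | keys | .[]' .github/workflows/ci.yml \
              | while read -r job; do echo "${job}=true" >> "$GITHUB_OUTPUT"; done
          else
            echo "build=${BUILD_CHANGED}" >> "$GITHUB_OUTPUT"
            echo "test=${TEST_CHANGED}" >> "$GITHUB_OUTPUT"
          fi

  build:
    needs: detect-changes
    # Always produce a status for the required check: run when there is real
    # work, when the gate failed (so the failure is visible), and on every PR.
    if: failure() || (success() && (github.event_name == 'pull_request' || needs.detect-changes.outputs.build != 'false'))
    # Pay for a full runner only when the job will actually do something.
    runs-on: ${{ needs.detect-changes.outputs.build != 'false' && 'ubuntu-latest' || 'ubuntu-slim' }}
    steps:
      - if: needs.detect-changes.outputs.build != 'false'
        uses: runloopai/checkout@main
      - if: needs.detect-changes.outputs.build != 'false'
        uses: runloopai/pnpm-action@master
      - if: needs.detect-changes.outputs.build != 'false'
        uses: runloopai/setup-node@main
        with:
          node-version: "20"
      - if: needs.detect-changes.outputs.build != 'false'
        run: pnpm install --frozen-lockfile && pnpm run build
      - if: needs.detect-changes.outputs.build == 'false'
        run: echo "no build-relevant changes; reporting success without doing work"
```

The test job follows the same shape, reading needs.detect-changes.outputs.test. Note that no job carries a name: field, so the status-check contexts are the bare job IDs detect-changes and build, which is what a branch ruleset that lists lowercase-hyphen IDs expects. The fail-closed property the PR's merge prerequisite describes comes from listing detect-changes itself as a required check: if it never runs, the downstream jobs never report and the ruleset blocks the merge.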

jason-rl force-pushed the jason/ci-detect-changes branch from 5472e66 to 9e756d9 on June 8, 2026 20:37
Comment on lines +10 to +23
name: Check dependency age
runs-on: ubuntu-latest

steps:
- name: Check out Git repository
uses: runloopai/checkout@main

- name: Check dependency age (supply-chain gate)
uses: runloopai/lisan-al-gaib-action@main
with:
ecosystems: npm
min-age-days: '7'
warn-age-days: '14'
bypass-keyword: 'bypass-age-gate'
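Review bot: the `bypass-keyword: 'bypass-age-gate'` input at line +23 is an escape hatch around the 7-day gate this workflow exists to enforce, and the PR description does not say who may use it or how a bypass is recorded. Suggest documenting the expected use next to the workflow (for example, only with a maintainer's explicit approval on the PR) and, if the action honours the keyword regardless of who added it, checking whether the gate can be bypassed by the PR author alone. Separately, `uses: runloopai/lisan-al-gaib-action@main` at line +16 is a mutable ref, which is consistent with the PR's first-party-wrapper policy but means the gate's behaviour can change between runs without a diff in this repo; worth a one-line comment stating that this is deliberate.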
jason-rl force-pushed the jason/ci-detect-changes branch 4 times, most recently from 121f99f to eb1d883 on June 9, 2026 00:23
jason-rl changed the title from "ci: restructure with detect-changes, path filters, drop pull_request_target" to "ci: adopt detect-changes gating, runloopai actions, pnpm 10 workspace security pins, drop ink-big-text" on Jun 9, 2026
jason-rl force-pushed the jason/ci-detect-changes branch from eb1d883 to d29b861 on June 9, 2026 00:28
… overrides, drop ink-big-text

Adapts runloopai/runloop-fe#1919's CI-consolidation and supply-chain patterns
into rl-cli.

CI (ci.yml):
- detect-changes job gates all check jobs (format/lint/build/test) via
  tj-actions/changed-files path groups + yq-enumerated self-change detection
- Conditional runs-on (ubuntu-latest when running, ubuntu-slim when skipping)
  and job-level if: ensures required status checks satisfy the branch ruleset
  even when skipped
- Push trigger on main with push-aware concurrency (run_id key, never cancels)
- runloopai/* action wrappers throughout (checkout, pnpm-action, setup-node,
  github-script, upload-artifact)
- Removes the old aggregator job (ready-to-merge) and the inlined
  dependency-check job (now a separate dependency-age-check.yml)

dependency-age-check.yml: adds push trigger with path filters so the
  supply-chain gate re-runs on main merges that touch lockfiles.

pnpm 10 + security overrides:
- Bumps packageManager to pnpm@10.33.0 and moves pnpm field to
  pnpm-workspace.yaml (pnpm 10 ignores package.json#pnpm)
- Overrides keyed by Dependabot advisory vulnerable_version_range with
  exact first_patched_version values (no carets) for 23 CVE advisories
- minimumReleaseAge: 10080 (7 days) with @runloop/api-client excluded

ink-big-text: replaced runtime cfonts rendering with a pre-rendered BANNER_ART
  template literal; removes the cfonts/window-size/define-property transitive
  dep subtree.

Divergences from runloop-fe#1919 (intentional):
- Job IDs kept lowercase with hyphens (detect-changes, not detect_changes) and
  no job-level name: fields — branch ruleset requires bare job IDs as required
  status checks
- node-version: "20" explicit (no .nvmrc in this repo)
- yq bracket path .jobs["detect-changes"].outputs for hyphenated job ID
- jobToOutputKey = {} (no shard jobs in rl-cli)
- minimumReleaseAge: 10080 minutes (7 days, matching lisan-al-gaib min-age-days)
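The pnpm 10 workspace settings the PR description and the commit message both summarise (minimumReleaseAge, the first-party exclusion, onlyBuiltDependencies, and advisory-keyed exact overrides) as an added example file. This is not the PR's pnpm-workspace.yaml: the package names, version ranges and patched versions under overrides are constructed placeholders rather than real advisories, and minimumReleaseAgeExclude is the key I assume pnpm uses for the exclusion the PR describes.

```yaml
# Added example, not the PR's pnpm-workspace.yaml. The package names, ranges
# and versions under `overrides` are constructed placeholders, not real advisories.
packages:
  - '.'

# Refuse to resolve any version published less than 7 days (10080 minutes) ago,
# matching the lisan-al-gaib min-age-days gate in CI. The first-party client is
# exempt so its releases can be consumed immediately (key name assumed).
minimumReleaseAge: 10080
minimumReleaseAgeExclude:
  - '@runloop/api-client'

# Lifecycle scripts are ignored for every dependency except those listed here,
# so a compromised transitive package cannot run a postinstall hook.
onlyBuiltDependencies:
  - esbuild

# Advisory-keyed overrides. Key = the advisory's vulnerable_version_range, so
# the override touches only resolutions inside that range; value = the exact
# first_patched_version, so the version installed is the one the advisory names.
overrides:
  'example-parser@<2.4.1': '2.4.1'
  'example-tar@>=6.0.0 <6.2.1': '6.2.1'
  'example-tar@<5.0.13': '5.0.13'

# Weak form this replaces (shown commented out): a bare package key with a caret
# range rewrites every resolution of the package, including majors the advisory
# never covered, and resolves to whatever newer minor the registry serves at
# install time, which makes the override's intent hard to audit later.
# overrides:
#   'example-tar': '^6.2.1'
```

With two ranges for the same package, each major line is patched to its own first fixed release, which is the situation the range-keyed form handles and the caret form cannot. A quick sanity check after editing is to run pnpm install with a frozen lockfile and confirm the lockfile diff shows only the overridden packages moving.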
jason-rl force-pushed the jason/ci-detect-changes branch from d29b861 to 7574efb on June 9, 2026 00:31
jason-rl force-pushed the jason/ci-detect-changes branch from 609b8cf to 9034de6 on June 9, 2026 00:43
jason-rl marked this pull request as ready for review on June 9, 2026 00:54
jason-rl requested a review from dines-rl on June 9, 2026 00:56