ci: harden the build and API-pages workflows#843
Conversation
… the lockfile build_n_push: add a per-ref concurrency group so two quick merges to main can't race the :main tag (last push wins regardless of commit order, and the server auto-pulls :main); add permissions: contents: read; validate .dockerignore and package.json changes in the PR path filter. generate_api_pages: pin Node 20 and switch npm install -> npm ci so the run can never rewrite the now-tracked package-lock.json with a divergent macOS-resolved tree; stage only src/pages/ipa/resources instead of git add -A; drop --force from the push — a force-push from this workflow would silently rewrite main and destroy any PR merged since its checkout.
…ookup buildGitDateMap now logs a warning when it emits no dates (git missing or shallow clone) instead of silently blanking every page's Updated line and the sitemap lastmod entries; document the squash-merge assumption behind the --name-only walk. Remove the unused getGitLastModified. Note in CLAUDE.md that npm run start warns under output: 'standalone'. Gen output verified byte-identical.
Rebase the single generated-files commit onto the moved branch before pushing, so a PR merged during the multi-minute run no longer rejects the push (the failure --force was presumably papering over). A genuine conflict — a concurrent edit of the generated files themselves — still fails the run loudly with main untouched. Also serialise dispatches with a concurrency group: run history shows several same-day dispatches, and overlapping runs regenerate the same files. Sandbox-tested against a bare repo: plain push rejected on race; rebase+push lands with both commits intact; true conflict exits 1 leaving the branch tip untouched.
A run queued behind another checks out the commit pinned at its dispatch time; regenerating against that stale base means the pre-push rebase replays a snapshot diff, and a file the newer spec removed can silently survive from the prior run. Fetch + reset to the branch tip before generating so the diff is computed against reality. Also note the latest-dispatched-vs-newest-tag caveat on the concurrency comment. Sandbox-proven: with the old order a removed-in-newer-spec file survives the rebase replay; with sync-first it is gone.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
📝 WalkthroughWalkthroughThis PR updates two GitHub Actions workflows to add permissions, concurrency controls, a branch-sync step, deterministic npm ci installs, and a rebase-based commit flow scoped to generated output. It also refactors scripts/git-dates.mjs caching/logging and updates CLAUDE.md documentation. ChangesCI Workflow Updates
Git Dates Script and Docs Update
Estimated code review effort: 2 (Simple) | ~12 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
scripts/git-dates.mjsOops! Something went wrong! :( ESLint: 9.39.2 TypeError: Converting circular structure to JSON Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Why
Two gaps in the pipeline around the recently-tracked lockfile and the
:mainimage tag:build_n_pushhad no concurrency group: two quick merges tomainrace the image push, and whichever finishes last wins the:maintag regardless of commit order — the server pulls:main, so an older build can silently ship.generate_api_pagesrannpm installon an unpinned Node and committed withgit add -A+git push --force. Sincepackage-lock.jsonis now tracked, a divergent macOS-resolved lockfile could be swept into the auto-commit; and a force-push from this workflow would rewritemain, destroying any PR merged during its multi-minute run.What
build_n_push.yml
permissions: contents: read..dockerignoreandpackage.json.generate_api_pages.yml
npm install→npm ci(this workflow never changes dependencies, so it installs the lockfile exactly and can never rewrite it).src/pages/ipa/resources(change-check scoped to match).--force: ifmainmoved during the run, the single generated-files commit replays cleanly on top; a genuine conflict fails the run loudly withmainuntouched. If anyone remembers a deliberate reason the push was--force, please flag it.scripts/git-dates.mjs
<lastmod>.git log --name-onlywalk; drop the unused per-file lookup.CLAUDE.md
npm run startwarns underoutput: 'standalone'(safe to ignore locally; prod runsnode server.js).Summary by CodeRabbit
Bug Fixes
Documentation