From 80b35f19285f298f8e6e467e67e86dd949d8b3a6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:04:05 +0000 Subject: [PATCH 1/9] fix(ci): stabilize workflow dependency and automerge gates Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc Co-authored-by: SMSDAO <144380926+SMSDAO@users.noreply.github.com> --- .github/workflows/ci.yml | 6 ++++-- .github/workflows/dependabot-automerge.yml | 9 ++++++++- apps/admin/package.json | 4 ++-- docs/DEPENDENCY-HEALTH.md | 20 +++++++++++++++----- 4 files changed, 29 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bede4e0..d1ddceb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,6 +11,8 @@ permissions: jobs: ci: runs-on: ubuntu-latest + env: + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true steps: - uses: actions/checkout@v4 @@ -34,8 +36,8 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results - if: success() || failure() - uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3 + if: always() && hashFiles('trivy-results.sarif') != '' + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 40e6fe4..45fbf98 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml 
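Review bot: The `Upload Trivy results` step in the second ci.yml hunk trades a full commit SHA for the mutable tag `github/codeql-action/upload-sarif@v4`, so whatever that tag points to at run time executes in this job. `actions/checkout@v4` in the first hunk's context is tag-pinned as well. PATCH 4/9 restores a SHA for upload-sarif only; I would pin checkout the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, with the SHA taken from the upstream release. The job's `permissions:` block lies outside both hunks, so what the token can do here cannot be judged from this diff.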
@@ -22,7 +22,14 @@ jobs: - name: Auto-approve safe updates if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: gh pr review --approve "$PR_URL" + run: gh pr review --approve "$PR_URL" --body "Auto-approved after Dependabot metadata validation." + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Wait for required checks (green-only gate) + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: timeout 25m gh pr checks "$PR_URL" --required --watch env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/apps/admin/package.json b/apps/admin/package.json index 497c190..08559b3 100644 --- a/apps/admin/package.json +++ b/apps/admin/package.json @@ -38,7 +38,7 @@ "zustand": "^4.4.7" }, "devDependencies": { - "@types/node": "20.17.12", + "@types/node": "^20.17.12", "@types/react": "^19.0.0", "@types/react-dom": "^19.0.0", "@types/ws": "^8.5.10", @@ -48,4 +48,4 @@ "tailwindcss": "^3.4.0", "typescript": "5.3.3" } -} \ No newline at end of file +} diff --git a/docs/DEPENDENCY-HEALTH.md b/docs/DEPENDENCY-HEALTH.md index 1b7e105..ba20165 100644 --- a/docs/DEPENDENCY-HEALTH.md +++ b/docs/DEPENDENCY-HEALTH.md 
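Review bot: In the dependabot-automerge.yml hunk the `Auto-approve safe updates` step runs before `Wait for required checks (green-only gate)`, so the approving review is already on the PR when the checks fail or the wait times out. If the approval is meant to signal that the update passed the gate, move the wait step above the approve step; the step that enables merging is outside the hunk, so whether it depends on this ordering cannot be seen here. Both steps repeat the same two-clause `if:`; a comment such as `# patch/minor only: majors fall through to manual review` on the first would document the intent. It is also worth confirming that this workflow's own check is not among the branch's required checks, or `--watch` would wait on itself until the timeout.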
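Review bot: The `@types/node` change in apps/admin/package.json loosens an exact pin to the range `^20.17.12`, yet none of the pnpm-lock.yaml hunks shown in PATCH 2/9 touch an importer specifier. With `pnpm install --frozen-lockfile` (which the docs hunk in this same patch says CI uses) a specifier that differs from the one recorded in the lockfile fails the install, so confirm the lockfile entry for `apps/admin` already reads `^20.17.12`. If it still records `20.17.12`, regenerate and commit the lockfile in the same change as package.json.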
@@ -101,14 +101,23 @@ Automated health checks run on: **Actions Performed:** - Full health check execution -- Smart Brain oracle analysis - Security audit with pnpm audit - Version consistency validation - PR comments with health status - Auto-create issues on critical failures - Generate and upload health reports -### 5. Pre-commit Hooks (`.husky/pre-commit`) +### 5. Dependabot Automation (`.github/dependabot.yml` + `.github/workflows/dependabot-automerge.yml`) + +Automated dependency update management is configured with safety gates: + +- Daily Dependabot checks for npm workspace dependencies +- Grouped patch/minor and major update streams +- Auto-approval and auto-merge only for patch/minor updates +- Required-check green gate before merge activation (`gh pr checks --required --watch`) +- Major updates are labeled for manual review + +### 6. Pre-commit Hooks (`.husky/pre-commit`) Prevents problematic commits before they reach the repository: @@ -136,9 +145,9 @@ The repository maintains consistent versions across all packages: | Dependency | Version | Reason | |------------|---------|--------| | TypeScript | 5.3.3 | Stable, widely supported | -| @types/node | 20.10.6 | Matches Node.js 20.x LTS | -| Next.js | 14.2.18 | Latest stable 14.x with security patches | -| React | 18.2.0 | Stable, production-ready | +| @types/node | ^20.17.12 | Matches Node.js 20.x LTS range used in apps | +| Next.js | 15.2.4 | Current app baseline across admin/web | +| React | ^19.0.0 | Current app baseline across admin/web | | Node.js | 20.19.6 | LTS version (see .nvmrc) | | pnpm | 9.0.0 | Latest with improved workspace support | 
@@ -148,6 +157,7 @@ The repository maintains consistent versions across all packages: 2. **Caret ranges (^)** for tools and utilities to allow patch updates 3. **Workspace protocol (workspace:*)** for internal packages 4. **Aligned versions** across all apps and packages for shared dependencies +5. **Lockfile parity is required**: CI uses `pnpm install --frozen-lockfile`, so `package.json` and `pnpm-lock.yaml` must be committed together ## Upgrade Procedures From 784ad59ebe8453d132276f81618f322f1e4d1f55 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:05:27 +0000 Subject: [PATCH 2/9] fix(lockfile): repair broken pnpm lockfile for frozen installs Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- pnpm-lock.yaml | 88 +++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 65abe20..59674c1 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -2135,8 +2135,8 @@ packages: '@napi-rs/wasm-runtime@0.2.12': resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==} - '@next/env@14.2.18': - resolution: {integrity: sha512-2vWLOUwIPgoqMJKG6dt35fVXVhgM09tw4tK3/Q34GFXDrfiHlG7iS33VA4ggnjWxjiz9KV5xzfsQzJX6vGAekA==} + '@next/env@14.2.35': + resolution: {integrity: sha512-DuhvCtj4t9Gwrx80dmz2F4t/zKQ4ktN8WrMwOuVzkJfBilwAwGr6v16M5eI8yCuZ63H9TTuEU09Iu2HqkzFPVQ==} '@next/env@15.2.4': resolution: {integrity: sha512-+SFtMgoiYP3WoSswuNmxJOCwi06TdWE733D+WPjpXIe4LXGULwEaofiiAy6kbS0+XjM5xF5n3lKuBwN2SnqD9g==} 
@@ -2144,8 +2144,8 @@ packages: '@next/eslint-plugin-next@14.2.35': resolution: {integrity: sha512-Jw9A3ICz2183qSsqwi7fgq4SBPiNfmOLmTPXKvlnzstUwyvBrtySiY+8RXJweNAs9KThb1+bYhZh9XWcNOr2zQ==} - '@next/swc-darwin-arm64@14.2.18': - resolution: {integrity: sha512-tOBlDHCjGdyLf0ube/rDUs6VtwNOajaWV+5FV/ajPgrvHeisllEdymY/oDgv2cx561+gJksfMUtqf8crug7sbA==} + '@next/swc-darwin-arm64@14.2.33': + resolution: {integrity: sha512-HqYnb6pxlsshoSTubdXKu15g3iivcbsMXg4bYpjL2iS/V6aQot+iyF4BUc2qA/J/n55YtvE4PHMKWBKGCF/+wA==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] @@ -2156,8 +2156,8 @@ packages: cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@14.2.18': - resolution: {integrity: sha512-uJCEjutt5VeJ30jjrHV1VIHCsbMYnEqytQgvREx+DjURd/fmKy15NaVK4aR/u98S1LGTnjq35lRTnRyygglxoA==} + '@next/swc-darwin-x64@14.2.33': + resolution: {integrity: sha512-8HGBeAE5rX3jzKvF593XTTFg3gxeU4f+UWnswa6JPhzaR6+zblO5+fjltJWIZc4aUalqTclvN2QtTC37LxvZAA==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] @@ -2168,8 +2168,8 @@ packages: cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@14.2.18': - resolution: {integrity: sha512-IL6rU8vnBB+BAm6YSWZewc+qvdL1EaA+VhLQ6tlUc0xp+kkdxQrVqAnh8Zek1ccKHlTDFRyAft0e60gteYmQ4A==} + '@next/swc-linux-arm64-gnu@14.2.33': + resolution: {integrity: sha512-JXMBka6lNNmqbkvcTtaX8Gu5by9547bukHQvPoLe9VRBx1gHwzf5tdt4AaezW85HAB3pikcvyqBToRTDA4DeLw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] @@ -2180,8 +2180,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@14.2.18': - resolution: {integrity: sha512-RCaENbIZqKKqTlL8KNd+AZV/yAdCsovblOpYFp0OJ7ZxgLNbV5w23CUU1G5On+0fgafrsGcW+GdMKdFjaRwyYA==} + '@next/swc-linux-arm64-musl@14.2.33': + resolution: {integrity: sha512-Bm+QulsAItD/x6Ih8wGIMfRJy4G73tu1HJsrccPW6AfqdZd0Sfm5Imhgkgq2+kly065rYMnCOxTBvmvFY1BKfg==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] 
@@ -2192,8 +2192,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@14.2.18': - resolution: {integrity: sha512-3kmv8DlyhPRCEBM1Vavn8NjyXtMeQ49ID0Olr/Sut7pgzaQTo4h01S7Z8YNE0VtbowyuAL26ibcz0ka6xCTH5g==} + '@next/swc-linux-x64-gnu@14.2.33': + resolution: {integrity: sha512-FnFn+ZBgsVMbGDsTqo8zsnRzydvsGV8vfiWwUo1LD8FTmPTdV+otGSWKc4LJec0oSexFnCYVO4hX8P8qQKaSlg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -2204,8 +2204,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@14.2.18': - resolution: {integrity: sha512-mliTfa8seVSpTbVEcKEXGjC18+TDII8ykW4a36au97spm9XMPqQTpdGPNBJ9RySSFw9/hLuaCMByluQIAnkzlw==} + '@next/swc-linux-x64-musl@14.2.33': + resolution: {integrity: sha512-345tsIWMzoXaQndUTDv1qypDRiebFxGYx9pYkhwY4hBRaOLt8UGfiWKr9FSSHs25dFIf8ZqIFaPdy5MljdoawA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -2216,8 +2216,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@14.2.18': - resolution: {integrity: sha512-J5g0UFPbAjKYmqS3Cy7l2fetFmWMY9Oao32eUsBPYohts26BdrMUyfCJnZFQkX9npYaHNDOWqZ6uV9hSDPw9NA==} + '@next/swc-win32-arm64-msvc@14.2.33': + resolution: {integrity: sha512-nscpt0G6UCTkrT2ppnJnFsYbPDQwmum4GNXYTeoTIdsmMydSKFz9Iny2jpaRupTb+Wl298+Rh82WKzt9LCcqSQ==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] 
@@ -2228,14 +2228,14 @@ packages: cpu: [arm64] os: [win32] - '@next/swc-win32-ia32-msvc@14.2.18': - resolution: {integrity: sha512-Ynxuk4ZgIpdcN7d16ivJdjsDG1+3hTvK24Pp8DiDmIa2+A4CfhJSEHHVndCHok6rnLUzAZD+/UOKESQgTsAZGg==} + '@next/swc-win32-ia32-msvc@14.2.33': + resolution: {integrity: sha512-pc9LpGNKhJ0dXQhZ5QMmYxtARwwmWLpeocFmVG5Z0DzWq5Uf0izcI8tLc+qOpqxO1PWqZ5A7J1blrUIKrIFc7Q==} engines: {node: '>= 10'} cpu: [ia32] os: [win32] - '@next/swc-win32-x64-msvc@14.2.18': - resolution: {integrity: sha512-dtRGMhiU9TN5nyhwzce+7c/4CCeykYS+ipY/4mIrGzJ71+7zNo55ZxCB7cAVuNqdwtYniFNR2c9OFQ6UdFIMcg==} + '@next/swc-win32-x64-msvc@14.2.33': + resolution: {integrity: sha512-nOjfZMy8B94MdisuzZo9/57xuFVLHJaDj5e/xrduJp9CV2/HrfxTRH2fbyLe+K9QT41WBLUd4iXX3R7jBp0EUg==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -7420,10 +7420,9 @@ packages: next-tick@1.1.0: resolution: {integrity: sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==} - next@14.2.18: - resolution: {integrity: sha512-H9qbjDuGivUDEnK6wa+p2XKO+iMzgVgyr9Zp/4Iv29lKa+DYaxJGjOeEA+5VOvJh/M7HLiskehInSa0cWxVXUw==} + next@14.2.35: + resolution: {integrity: sha512-KhYd2Hjt/O1/1aZVX3dCwGXM1QmOV4eNM2UTacK5gipDdPN/oHHK/4oVGy7X8GMfPMsUTUEmGlsy0EY1YGAkig==} engines: {node: '>=18.17.0'} - deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details. hasBin: true peerDependencies: '@opentelemetry/api': ^1.1.0 @@ -9586,6 +9585,7 @@ packages: uuid@9.0.1: resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==} + deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). hasBin: true v8-compile-cache-lib@3.0.1: 
@@ -12655,7 +12655,7 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@next/env@14.2.18': {} + '@next/env@14.2.35': {} '@next/env@15.2.4': {} @@ -12663,52 +12663,52 @@ snapshots: dependencies: glob: 10.3.10 - '@next/swc-darwin-arm64@14.2.18': + '@next/swc-darwin-arm64@14.2.33': optional: true '@next/swc-darwin-arm64@15.2.4': optional: true - '@next/swc-darwin-x64@14.2.18': + '@next/swc-darwin-x64@14.2.33': optional: true '@next/swc-darwin-x64@15.2.4': optional: true - '@next/swc-linux-arm64-gnu@14.2.18': + '@next/swc-linux-arm64-gnu@14.2.33': optional: true '@next/swc-linux-arm64-gnu@15.2.4': optional: true - '@next/swc-linux-arm64-musl@14.2.18': + '@next/swc-linux-arm64-musl@14.2.33': optional: true '@next/swc-linux-arm64-musl@15.2.4': optional: true - '@next/swc-linux-x64-gnu@14.2.18': + '@next/swc-linux-x64-gnu@14.2.33': optional: true '@next/swc-linux-x64-gnu@15.2.4': optional: true - '@next/swc-linux-x64-musl@14.2.18': + '@next/swc-linux-x64-musl@14.2.33': optional: true '@next/swc-linux-x64-musl@15.2.4': optional: true - '@next/swc-win32-arm64-msvc@14.2.18': + '@next/swc-win32-arm64-msvc@14.2.33': optional: true '@next/swc-win32-arm64-msvc@15.2.4': optional: true - '@next/swc-win32-ia32-msvc@14.2.18': + '@next/swc-win32-ia32-msvc@14.2.33': optional: true - '@next/swc-win32-x64-msvc@14.2.18': + '@next/swc-win32-x64-msvc@14.2.33': optional: true '@next/swc-win32-x64-msvc@15.2.4': @@ -19896,9 +19896,9 @@ snapshots: next-tick@1.1.0: {} - next@14.2.18(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): + next@14.2.35(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): dependencies: - '@next/env': 14.2.18 + '@next/env': 14.2.35 '@swc/helpers': 0.5.5 busboy: 1.6.0 caniuse-lite: 1.0.30001766 
@@ -19908,15 +19908,15 @@ snapshots: react-dom: 18.2.0(react@18.2.0) styled-jsx: 5.1.1(@babel/core@7.28.6)(react@18.2.0) optionalDependencies: - '@next/swc-darwin-arm64': 14.2.18 - '@next/swc-darwin-x64': 14.2.18 - '@next/swc-linux-arm64-gnu': 14.2.18 - '@next/swc-linux-arm64-musl': 14.2.18 - '@next/swc-linux-x64-gnu': 14.2.18 - '@next/swc-linux-x64-musl': 14.2.18 - '@next/swc-win32-arm64-msvc': 14.2.18 - '@next/swc-win32-ia32-msvc': 14.2.18 - '@next/swc-win32-x64-msvc': 14.2.18 + '@next/swc-darwin-arm64': 14.2.33 + '@next/swc-darwin-x64': 14.2.33 + '@next/swc-linux-arm64-gnu': 14.2.33 + '@next/swc-linux-arm64-musl': 14.2.33 + '@next/swc-linux-x64-gnu': 14.2.33 + '@next/swc-linux-x64-musl': 14.2.33 + '@next/swc-win32-arm64-msvc': 14.2.33 + '@next/swc-win32-ia32-msvc': 14.2.33 + '@next/swc-win32-x64-msvc': 14.2.33 transitivePeerDependencies: - '@babel/core' - babel-plugin-macros From e91b390491f04e1dfe702fd340b47f839b89a0d6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:06:06 +0000 Subject: [PATCH 3/9] chore(ci): refine sarif gate and dependabot check timeout Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 2 +- .github/workflows/dependabot-automerge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1ddceb..b1f35c2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results - if: always() && hashFiles('trivy-results.sarif') != '' + if: (success() || failure()) && hashFiles('trivy-results.sarif') != '' uses: github/codeql-action/upload-sarif@v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 45fbf98..35e0cc0 100644 
--- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -29,7 +29,7 @@ jobs: - name: Wait for required checks (green-only gate) if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: timeout 25m gh pr checks "$PR_URL" --required --watch + run: timeout 15m gh pr checks "$PR_URL" --required --watch env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From dfc2b5cb632e612e0462f3e756940a2b98528bb5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:06:44 +0000 Subject: [PATCH 4/9] chore(ci): pin codeql action and simplify runner env Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1f35c2..930ef62 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,6 @@ permissions: jobs: ci: runs-on: ubuntu-latest - env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true steps: - uses: actions/checkout@v4 @@ -37,7 +35,7 @@ jobs: - name: Upload Trivy results if: (success() || failure()) && hashFiles('trivy-results.sarif') != '' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' From b28f5c0e938d6a504df30af59e1dc3468d4a4819 Mon Sep 17 00:00:00 2001 
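Review bot: The new pin `upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4` in the second ci.yml hunk of PATCH 4/9 should be checked against the upstream github/codeql-action repository before merge, because the trailing `# v4` is only a comment and nothing verifies that the SHA belongs to that tag. GitHub's hardening guidance asks that a pinned SHA be confirmed to come from the action's own repository rather than a fork. Naming the exact release in the comment (`# v4.x.y`, placeholder) and adding a `package-ecosystem: "github-actions"` entry to `.github/dependabot.yml` would keep the pin reviewable and up to date.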
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:07:18 +0000 Subject: [PATCH 5/9] chore(ci): simplify sarif condition and parameterize merge timeout Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 2 +- .github/workflows/dependabot-automerge.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 930ef62..64d17b2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results - if: (success() || failure()) && hashFiles('trivy-results.sarif') != '' + if: hashFiles('trivy-results.sarif') != '' uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 35e0cc0..418408d 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -13,6 +13,8 @@ jobs: dependabot: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} + env: + MERGE_CHECK_TIMEOUT: 15m steps: - name: Fetch metadata id: metadata @@ -29,7 +31,7 @@ jobs: - name: Wait for required checks (green-only gate) if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: timeout 15m gh pr checks "$PR_URL" --required --watch + run: timeout "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From af309ebe160efe083362aa184dd7fc26b3193269 Mon Sep 17 00:00:00 2001 
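Review bot: Removing `(success() || failure())` from the `Upload Trivy results` condition in the ci.yml hunk of PATCH 5/9 leaves an `if:` with no status function, and GitHub Actions then applies an implicit `success()`. The upload is skipped whenever an earlier step fails, which includes a Trivy step that exits non-zero on findings (its `exit-code` setting is outside the hunk), so the report is lost in the runs where it matters most. PATCH 6/9 keeps the same gap with `if: hashFiles('trivy-results.sarif')`; keep the status function, e.g. `if: (success() || failure()) && hashFiles('trivy-results.sarif') != ''`.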
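Review bot: The job-level gate `if: ${{ github.actor == 'dependabot[bot]' }}`, visible as context in the first dependabot-automerge.yml hunk, tests who triggered the run rather than who opened the pull request, and this job goes on to approve the PR with `GITHUB_TOKEN`. Gating on the PR author is the stricter check: `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}`. The workflow's `on:` trigger and `permissions:` are outside the hunks, so how much this matters depends on lines not shown. The new `MERGE_CHECK_TIMEOUT` env would benefit from a comment such as `# upper bound for the required-checks wait; timeout(1) duration syntax`.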
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:07:48 +0000 Subject: [PATCH 6/9] chore(ci): tighten trivy sarif upload guard expression Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64d17b2..02c2d1c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results - if: hashFiles('trivy-results.sarif') != '' + if: hashFiles('trivy-results.sarif') uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' From 7c654a754504299330ffce5291353ae060e714e2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:08:25 +0000 Subject: [PATCH 7/9] chore(ci): validate trivy artifact and preserve check timeout status Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 11 ++++++++++- .github/workflows/dependabot-automerge.yml | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02c2d1c..bd10189 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -33,8 +33,17 @@ jobs: format: 'sarif' output: 'trivy-results.sarif' + - name: Check Trivy SARIF output + id: trivy_sarif + run: | + if [ -s trivy-results.sarif ]; then + echo "ready=true" >> "$GITHUB_OUTPUT" + else + echo "ready=false" >> "$GITHUB_OUTPUT" + fi + - name: Upload Trivy results - if: hashFiles('trivy-results.sarif') + if: steps.trivy_sarif.outputs.ready == 'true' uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 418408d..9a7812b 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -31,7 +31,7 @@ jobs: - name: Wait for required checks (green-only gate) if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: timeout "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch + run: timeout --preserve-status "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 7cc739df30955daf1460f340141767410c5aae7f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:09:12 +0000 Subject: [PATCH 8/9] chore(ci): ensure failure-safe trivy upload and tighten docs version matrix Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 3 ++- .github/workflows/dependabot-automerge.yml | 2 +- docs/DEPENDENCY-HEALTH.md | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bd10189..b28956b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
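Review bot: The `else` branch of the new `Check Trivy SARIF output` step in the ci.yml hunk records `ready=false` and nothing else, so a run in which the scanner produced no report looks the same in the UI as a clean one. Emit an annotation there, e.g. `echo "::warning::trivy-results.sarif missing or empty; code scanning results were not uploaded"`, so the gap is visible on the run summary. As added in this patch the step has no `if:` and is itself skipped after a failed step; PATCH 8/9 adds `if: always()`. `-s` only proves the file is non-empty, not that it is valid SARIF, which is left to the upload action.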
@@ -35,6 +35,7 @@ jobs: - name: Check Trivy SARIF output id: trivy_sarif + if: always() run: | if [ -s trivy-results.sarif ]; then echo "ready=true" >> "$GITHUB_OUTPUT" @@ -43,7 +44,7 @@ jobs: fi - name: Upload Trivy results - if: steps.trivy_sarif.outputs.ready == 'true' + if: always() && steps.trivy_sarif.outputs.ready == 'true' uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 9a7812b..418408d 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -31,7 +31,7 @@ jobs: - name: Wait for required checks (green-only gate) if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: timeout --preserve-status "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch + run: timeout "$MERGE_CHECK_TIMEOUT" gh pr checks "$PR_URL" --required --watch env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/docs/DEPENDENCY-HEALTH.md b/docs/DEPENDENCY-HEALTH.md index ba20165..7b18aeb 100644 --- a/docs/DEPENDENCY-HEALTH.md +++ b/docs/DEPENDENCY-HEALTH.md @@ -146,8 +146,8 @@ The repository maintains consistent versions across all packages: |------------|---------|--------| | TypeScript | 5.3.3 | Stable, widely supported | | @types/node | ^20.17.12 | Matches Node.js 20.x LTS range used in apps | -| Next.js | 15.2.4 | Current app baseline across admin/web | -| React | ^19.0.0 | Current app baseline across admin/web | +| Next.js | 14.2.35 / 15.2.4 | Dual baseline (`frames` on 14.x, admin/web on 15.x) | +| React | 18.2.0 / ^19.0.0 | Dual baseline aligned with package compatibility | | Node.js | 20.19.6 | LTS version (see .nvmrc) | | pnpm | 9.0.0 | Latest with improved workspace support | 
From 6ecb23b5a5e644d04465b3ab099068094c841ddb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 19:09:50 +0000 Subject: [PATCH 9/9] chore(ci): polish workflow condition and timeout env quoting Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/5651fc40-1dd6-40c7-a549-ed43a4fb38dc --- .github/workflows/ci.yml | 2 +- .github/workflows/dependabot-automerge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b28956b..324c549 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: fi - name: Upload Trivy results - if: always() && steps.trivy_sarif.outputs.ready == 'true' + if: (success() || failure()) && steps.trivy_sarif.outputs.ready == 'true' uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 418408d..cb0a864 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} env: - MERGE_CHECK_TIMEOUT: 15m + MERGE_CHECK_TIMEOUT: '15m' steps: - name: Fetch metadata id: metadata
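Review bot: After this change the upload step in the ci.yml hunk runs on `(success() || failure())` while the `Check Trivy SARIF output` step it depends on still runs on `if: always()` (added in PATCH 8/9, outside this hunk), so the two differ on cancelled runs. Using the same condition on both, `if: success() || failure()`, keeps the pair easy to reason about. A one-line comment above the upload step such as `# run after failed steps too, but not on cancellation` would record why the condition is not plain `always()`.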