ci: clean up publish and docs deploy workflows

[jaysin586]

Summary

This PR cleans up CI and docs deployment so the docs site deploys through Cloudflare Workers instead of Pages, while keeping publish workflows safer around skipped releases and dependency/tooling changes.

Changes

• 🔄 CI/CD: Migrate the docs deploy workflow from Cloudflare Pages to Workers and regenerate Worker environment types for the new asset binding.
• 🔄 CI/CD: Add skip-publish label detection and make publish/coverage jobs tolerate skipped or failed Coveralls steps without blocking cleanup behavior.
• 🔄 CI/CD: Update pnpm setup actions and Trunk CI/tooling configuration.
• 📦 Dependency changes: Refresh package, docs, Wrangler, Svelte, TypeScript, lint, and lockfile versions.
• 🔧 Tooling: Add pnpm build allowlists for dependencies that need install-time build scripts.
• 🧹 Cleanup: Remove Dependabot version update configuration and remove TypeScript from .ncuskip files.

Commits

• a52cd7e ci: update pnpm setup action
• 13f665f chore: apply ci cleanup updates
• b316904 ci: migrate docs deploy to Workers
• d76e585 build: allow pnpm dependency builds
• 8f4c0f3 Merge branch 'main' of https://github.com/humanspeak/memory-cache into fix/ci-seo-lint-cleanup
• 5805b4b chore: add typescript to .ncuskip to prevent major version bumps
• 99c4e4e Remove dependabot version updates

[coderabbitai]

Warning

Review limit reached

@jaysin586, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 7 minutes and 57 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7fb2c5a1-f32c-42e0-9e74-252a8ea3ddf4

📥 Commits

Reviewing files that changed from the base of the PR and between a52cd7e and 699ea2d.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml

📒 Files selected for processing (6)

• .gitignore
• docs/package.json
• docs/static/llms-append.md
• docs/static/llms-prepend.md
• docs/vite.config.ts
• package.json

📝 Walkthrough

Walkthrough

This PR updates CI/CD workflows, tooling versions, and deployment infrastructure. Primary changes include migrating docs deployment from Cloudflare Pages to Workers, standardizing pnpm action versions to v6 across all workflows, refining publish job dependencies and version bumping logic, and upgrading Trunk plugin and tool versions alongside project dependencies.

Changes

Tooling and Infrastructure Updates

Layer / File(s)	Summary
Cloudflare Workers Deployment Migration .github/workflows/cloudflare-deploy.yml	Workflow repurposed from Pages to Workers with expanded path filters (src/\, static/\, config files). Job now conditionally runs on manual dispatch or merged PRs. NODE_OPTIONS environment variable added to increase Node memory during deployment.
pnpm Action v4→v6 Standardization Across CI .github/workflows/coveralls.yml, .github/workflows/npm-publish.yml, .github/workflows/run-tests.yml, .trunk/setup-ci/action.yaml	All GitHub workflows and Trunk composite action upgraded from pnpm/action-setup@v4 to v6. Explicit pnpm version configurations removed in favor of v6 defaults.
Publish Workflow Job Gating and Version Logic .github/workflows/npm-publish.yml	Added skip-publish label detection in check-if-merged outputs. Tightened job dependencies: coverage-report now requires build success; publish-github-packages requires both build success and coverage-report success/skipped. Version bumping refactored to read package.json directly instead of parsing command output.
Trunk Plugin and Tool Versions .trunk/trunk.yaml	Trunk plugin source upgraded to v1.10.0. Python runtime bumped to 3.14.4. Multiple lint/security tools updated: grype, shfmt, actionlint, checkov, eslint, osv-scanner, prettier, trufflehog.
Documentation Deployment for Workers docs/package.json, docs/wrangler.jsonc, docs/scripts/generate-sitemap-manifest.mjs	Deploy script changed to use wrangler deploy instead of wrangler pages deploy. Compatibility date advanced to 2026-04-21. Docs-kit dependency and devDependencies updated. Sitemap generator refactored to output formatted JavaScript object literals with single quotes and unquoted keys.
Root Dependencies and Workspace Build Configuration package.json, pnpm-workspace.yaml	Root devDependencies updated across linting, formatting, and testing tools. pnpm-workspace.yaml now explicitly lists allowed/built dependencies: @humanspeak/docs-kit, esbuild, sharp, workerd. Node version bumped to 24.15.0 in volta configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• humanspeak/memory-cache#35: Both PRs modify .github/workflows/npm-publish.yml job gating logic for coverage-report and publish-github-packages dependencies.
• humanspeak/memory-cache#3: Both PRs touch docs/scripts/generate-sitemap-manifest.mjs; main PR refines formatting while retrieved PR introduces the sitemap infrastructure.
• humanspeak/memory-cache#33: Both PRs update Trunk configuration (plugin source, Python runtime) and related CI setup introduced in PR #33.

Poem

🔧 From Pages to Workers we deploy with grace,
pnpm v6 runs the CI race,
Tool versions climb, jobs align with care,
Workspace builds thrive in the CI air,
One byte closer to the perfect build! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main changes: CI/CD cleanup with focus on publish and docs deploy workflows migrating to Cloudflare Workers.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, covering workflow migrations, dependency updates, and tooling changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ci-seo-lint-cleanup

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

docs/scripts/generate-sitemap-manifest.mjs (1)

116-116: 💤 Low value

Remove no-op replace.

.replace(/: null/g, ': null') substitutes a string with itself — it has no effect and can be dropped.

♻️ Proposed cleanup

         .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
-        .replace(/: null/g, ': null')

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/scripts/generate-sitemap-manifest.mjs` at line 116, Remove the no-op
string replacement call .replace(/: null/g, ': null') from the string processing
chain in generate-sitemap-manifest.mjs; locate the expression that chains
.replace calls (the occurrence of ".replace(/: null/g, ': null')") and delete
that specific replace invocation so the surrounding replacements remain
unchanged, then run the script or build to verify no behavioral change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cloudflare-deploy.yml:
- Line 36: The pnpm/action-setup@v6 step lacks a pnpm version to install causing
failure; either add a `with: version: "<pnpm-version>"` input to the
pnpm/action-setup@v6 step in the Cloudflare deploy workflow or add a root
package.json "packageManager": "pnpm@<pnpm-version>" field so the action can
resolve the version; update the step referencing pnpm/action-setup@v6 or the
root package.json accordingly and ensure the version string (e.g., "7.23.0") is
pinned.

In @.github/workflows/coveralls.yml:
- Line 26: The workflow step using "uses: pnpm/action-setup@v6" does not pin a
pnpm version and therefore can’t infer a deterministic version because
package.json lacks packageManager; update the coveralls workflow step to include
a pinned pnpm version by adding a with: version entry for the
pnpm/action-setup@v6 step (or alternatively add a packageManager field to the
root package.json) so that subsequent pnpm install --frozen-lockfile runs
deterministically.

In @.trunk/trunk.yaml:
- Line 17: The runtimes.enabled entry currently pins python@3.14.4 which is
unsupported by Checkov; update the runtimes.enabled value to pin a
Checkov-supported interpreter (e.g., change python@3.14.4 to python@3.13.x) so
Python-based linters like Checkov run correctly; verify the YAML value for
runtimes.enabled and ensure any dependent config referencing that runtime (e.g.,
Checkov enablement) continues to reference the updated python@3.13.x string.

In `@docs/scripts/generate-sitemap-manifest.mjs`:
- Line 115: The current replacement .replace(/: "([^"]*)"/g, (_, value) => `:
'${value}'`) (in generate-sitemap-manifest.mjs) turns double-quoted values into
single-quoted ones but does not escape inner single quotes, producing invalid JS
for strings like "User's Guide"; update the arrow function to escape single
quotes inside value before wrapping (e.g., transform value with a replace that
converts ' to \\' or otherwise escape single quotes) so the resulting `: '...'`
string is valid JavaScript.

In `@package.json`:
- Around line 109-110: Add a top-level packageManager field to package.json to
pin the pnpm version used by CI (e.g., "pnpm@X.Y.Z") so pnpm/action-setup@v6 has
a deterministic version to install; update package.json alongside the existing
volta.node and pnpm.overrides entries, ensuring the pinned version matches the
one expected by your workflows and CI.

In `@pnpm-workspace.yaml`:
- Around line 10-14: Remove the legacy onlyBuiltDependencies block and its
entries (the keys named onlyBuiltDependencies and the list items
'`@humanspeak/docs-kit`', esbuild, sharp, workerd) from the workspace config; if
you still need to restrict approved builds, replace it with the modern
allowBuilds setting using the same package names (use allowBuilds: with
appropriate entries) so pnpm v11+ uses the new behavior instead of the
deprecated field.

---

Nitpick comments:
In `@docs/scripts/generate-sitemap-manifest.mjs`:
- Line 116: Remove the no-op string replacement call .replace(/: null/g, ':
null') from the string processing chain in generate-sitemap-manifest.mjs; locate
the expression that chains .replace calls (the occurrence of ".replace(/:
null/g, ': null')") and delete that specific replace invocation so the
surrounding replacements remain unchanged, then run the script or build to
verify no behavioral change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5a797eaa-15dd-4b0c-9ec2-c1ecd1ccd96b

📥 Commits

Reviewing files that changed from the base of the PR and between dfddaea and a52cd7e.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml

📒 Files selected for processing (13)

• .github/dependabot.yml
• .github/workflows/cloudflare-deploy.yml
• .github/workflows/coveralls.yml
• .github/workflows/npm-publish.yml
• .github/workflows/run-tests.yml
• .trunk/setup-ci/action.yaml
• .trunk/trunk.yaml
• docs/package.json
• docs/scripts/generate-sitemap-manifest.mjs
• docs/src/worker-configuration.d.ts
• docs/wrangler.jsonc
• package.json
• pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• .github/dependabot.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What Python versions does Checkov currently support, and does Trunk use the Python version pinned under runtimes.enabled for Python-based linters such as Checkov?

💡 Result:

As of June 2, 2026, Checkov officially supports Python versions 3.9 through 3.13, inclusive [1][2]. The project maintains this support by following the official Python release cycle and conducting automated tests across these supported versions [1][2]. Regarding Trunk, it does not rely on a user-provided or local Python installation for its managed linters [3]. Instead, Trunk manages the runtimes required for its tools—including Checkov—automatically [3]. When you configure runtimes in your repository's.trunk/trunk.yaml file, such as under runtimes.enabled, you are specifying the versions Trunk should use to run those tools [3][4]. Trunk caches these linters, formatters, and their respective runtime environments (e.g., specific Python versions) in ~/.cache/trunk, ensuring that the tool execution is isolated and consistent across different environments regardless of what is installed on the host machine [3].

Citations:

• 1: https://pypi.org/project/checkov/
• 2: https://github.com/bridgecrewio/checkov
• 3: https://marketplace.visualstudio.com/items?itemName=Trunk.io
• 4: https://blog.hungovercoders.com/datagriff/2024/08/15/protecting-code-quality-with-trunk.io.html

---

Pin Trunk’s Python runtime to a Checkov-supported version (≤3.13)

In .trunk/trunk.yaml, runtimes.enabled pins python@3.14.4 (line 17) while Checkov supports Python only up through 3.13. Trunk uses the configured runtimes.enabled Python version to run Python-based linters like Checkov (enabled on line 34), so this can break local/CI runs. Pin Python to python@3.13.x until Checkov adds 3.14 support.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.trunk/trunk.yaml at line 17, The runtimes.enabled entry currently pins
python@3.14.4 which is unsupported by Checkov; update the runtimes.enabled value
to pin a Checkov-supported interpreter (e.g., change python@3.14.4 to
python@3.13.x) so Python-based linters like Checkov run correctly; verify the
YAML value for runtimes.enabled and ensure any dependent config referencing that
runtime (e.g., Checkov enablement) continues to reference the updated
python@3.13.x string.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Escape single quotes when converting values to single-quoted strings.

Converting : "value" → : 'value' doesn't escape apostrophes inside the value. JSON does not escape ', so a title/sourceUrl containing an apostrophe (e.g. metadata title User's Guide) emits 'User's Guide', producing invalid JS that breaks the generated +page.ts.

🐛 Proposed fix to escape inner single quotes

-        .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
+        .replace(/: "([^"]*)"/g, (_, value) => `: '${value.replace(/'/g, "\\'")}'`)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	.replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
	.replace(/: "([^"]*)"/g, (_, value) => `: '${value.replace(/'/g, "\\'")}'`)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/scripts/generate-sitemap-manifest.mjs` at line 115, The current
replacement .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`) (in
generate-sitemap-manifest.mjs) turns double-quoted values into single-quoted
ones but does not escape inner single quotes, producing invalid JS for strings
like "User's Guide"; update the arrow function to escape single quotes inside
value before wrapping (e.g., transform value with a replace that converts ' to
\\' or otherwise escape single quotes) so the resulting `: '...'` string is
valid JavaScript.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show relevant part of pnpm-workspace.yaml (with line numbers)
if [ -f "pnpm-workspace.yaml" ]; then
  nl -ba pnpm-workspace.yaml | sed -n '1,160p'
else
  echo "Missing pnpm-workspace.yaml"
fi

# Search repo for both settings
rg -n "allowBuilds|onlyBuiltDependencies" -S .

Repository: humanspeak/memory-cache

Length of output: 110

---

🌐 Web query:

pnpm settings onlyBuiltDependencies removed in v11 allowBuilds replacement

💡 Result:

In pnpm v11, the settings onlyBuiltDependencies (and related onlyBuiltDependenciesFile, neverBuiltDependencies, ignoredBuiltDependencies, and ignoreDepScripts) were removed and replaced by the single allowBuilds setting (a map of package name patterns to booleans). [1][2][3] Practical replacement: - Before (v10-era): onlyBuiltDependencies: [electron] neverBuiltDependencies: [core-js] ignoredBuiltDependencies: [esbuild] - After (v11+): allowBuilds: electron: true core-js: false esbuild: false [2][3] Related detail: pnpm provides a CLI workflow (pnpm approve-builds) that adds entries into allowBuilds (pnpm-workspace.yaml) with true for approved packages and false for unapproved ones; it also fills allowBuilds placeholders for ignored builds that aren’t yet in the file. [4] Note: The pnpm v11 migration guides explicitly instruct you to migrate onlyBuiltDependencies and friends to allowBuilds. [1][3]

Citations:

• 1: https://pnpm.io/migration
• 2: https://pnpm.io/blog/releases/11.0
• 3: https://pnpm.io/settings
• 4: https://pnpm.io/cli/approve-builds

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show pnpm-workspace.yaml with line numbers (no nl dependency)
if [ -f "pnpm-workspace.yaml" ]; then
  awk '{printf "%5d\t%s\n", NR, $0}' pnpm-workspace.yaml | sed -n '1,200p'
else
  echo "Missing pnpm-workspace.yaml"
  exit 1
fi

# Search specifically within pnpm-workspace.yaml
rg -n "onlyBuiltDependencies|allowBuilds" pnpm-workspace.yaml || true

# Also search across repo for both keys (in case they appear elsewhere)
rg -n "onlyBuiltDependencies|allowBuilds" -S . || true

Repository: humanspeak/memory-cache

Length of output: 587

---

Drop the legacy onlyBuiltDependencies list.

pnpm v11 removed onlyBuiltDependencies in favor of allowBuilds; keeping both makes build approval behavior depend on the pnpm version reading the workspace config. (See https://pnpm.io/settings and https://pnpm.io/migration)

Suggested cleanup

 allowBuilds:
     '`@humanspeak/docs-kit`': true
     esbuild: true
     sharp: true
     workerd: true
 
-onlyBuiltDependencies:
-    - '`@humanspeak/docs-kit`'
-    - esbuild
-    - sharp
-    - workerd
 minimumReleaseAge: 2880
 minimumReleaseAgeExclude:
     - '`@humanspeak/`*'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` around lines 10 - 14, Remove the legacy
onlyBuiltDependencies block and its entries (the keys named
onlyBuiltDependencies and the list items '`@humanspeak/docs-kit`', esbuild, sharp,
workerd) from the workspace config; if you still need to restrict approved
builds, replace it with the modern allowBuilds setting using the same package
names (use allowBuilds: with appropriate entries) so pnpm v11+ uses the new
behavior instead of the deprecated field.

[jaysin586]

⏭️ NPM publishing was skipped due to the skip-publish label.