17 changes: 0 additions & 17 deletions .github/dependabot.yml

This file was deleted.
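Review bot: deleting .github/dependabot.yml switches off Dependabot version-update PRs for whatever ecosystems it covered; Dependabot alerts and security updates are repository settings and keep working, but the scheduled bumps this PR performs by hand (pnpm/action-setup, every linter in .trunk/trunk.yaml, the docs devDependencies) now have to be repeated manually unless another updater replaces it. Name the replacement, or the reason for dropping it, in the PR description.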

@@ -1,4 +1,4 @@
name: Cloudflare Pages - Deploy
name: Cloudflare Workers - Deploy

permissions:
contents: read
@@ -8,7 +8,13 @@ on:
types: [closed]
paths:
- docs/**
- .github/workflows/cloudflare-pages.yml
- src/**
- static/**
- package.json
- pnpm-lock.yaml
- svelte.config.js
- vite.config.ts
- .github/workflows/cloudflare-deploy.yml
branches:
- main
workflow_dispatch:
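Review bot: the widened filter lists root-level src/**, static/**, svelte.config.js and vite.config.ts next to docs/**; if any of those live under docs/ they are already covered and the root entries never match, so confirm they are the intended workspace-root paths (the memory-cache package the docs consume via workspace:*). The self-reference changes from cloudflare-pages.yml to cloudflare-deploy.yml, so make sure the workflow file is actually renamed in this PR, otherwise edits to the workflow itself stop triggering a deploy.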
@@ -17,22 +23,23 @@ on:

jobs:
deploy:
if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
environment: docs
name: Deploy
steps:
- name: Checkout
uses: actions/checkout@v6 # zizmor: ignore[unpinned-uses]
with:
persist-credentials: false

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js - 24
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
with:
node-version: 24
cache: pnpm

- name: Install Root Dependencies
run: pnpm install --frozen-lockfile
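Review bot: dropping `version: 10` from `pnpm/action-setup@v6` means the action now resolves pnpm from the `packageManager` field of package.json and fails if that field is absent, so make sure the root package.json carries it (the pnpm 11 remark in the version-bump step suggests it does). The `# zizmor: ignore[unpinned-uses]` suppressions mean every action in this job is still referenced by a mutable major tag; for a job that holds CLOUDFLARE_API_TOKEN and SENTRY_AUTH_TOKEN, pinning each action to a full commit SHA with a version comment is the usual hardening.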
@@ -47,6 +54,7 @@ jobs:
- name: Deploy Docs
working-directory: docs
env:
NODE_OPTIONS: --max-old-space-size=4096
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
4 changes: 1 addition & 3 deletions .github/workflows/coveralls.yml
@@ -23,9 +23,7 @@ jobs:
persist-credentials: false
token: ${{ secrets.ACTIONS_KEY }}

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
33 changes: 22 additions & 11 deletions .github/workflows/npm-publish.yml
@@ -44,18 +44,22 @@ jobs:
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
outputs:
should_run: ${{ steps.check.outputs.should_run }}
has_skip_label: ${{ steps.check.outputs.has_skip_label }}
steps:
- id: check
env:
EVENT_NAME: ${{ github.event_name }}
PR_MERGED: ${{ github.event.pull_request.merged }}
HAS_SKIP_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'skip-publish') }}
run: |
if [[ "$EVENT_NAME" == "pull_request" && "$PR_MERGED" != "true" ]]; then
echo "should_run=false" >> $GITHUB_OUTPUT
else
echo "should_run=true" >> $GITHUB_OUTPUT
fi

echo "has_skip_label=$HAS_SKIP_LABEL" >> $GITHUB_OUTPUT

debug-check:
needs: check-if-merged
if: needs.check-if-merged.outputs.should_run == 'true'
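Review bot: `has_skip_label` is emitted as a job output, but nothing in this diff reads `needs.check-if-merged.outputs.has_skip_label`; the gates below still test only `should_run`, so a PR labelled skip-publish publishes anyway until a downstream `if:` consumes it. Also quote the redirect target (`>> "$GITHUB_OUTPUT"`) here as the version-bump step does.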
@@ -213,9 +217,7 @@ jobs:
persist-credentials: false
token: ${{ secrets.ACTIONS_KEY }}

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
@@ -245,26 +247,35 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
flag-name: node-${{ matrix.node-version }}
parallel: true
fail-on-error: false
if: matrix.node-version == '22'

# Removed dependency caching to reduce cache-poisoning risk

# 4. Coverage reporting (depends on tests)
coverage-report:
needs: [check-if-merged, build]
if: needs.check-if-merged.outputs.should_run == 'true'
if: |
always() &&
needs.check-if-merged.outputs.should_run == 'true' &&
needs.build.result == 'success'
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
steps:
- name: Coveralls Finished
uses: coverallsapp/github-action@v2 # zizmor: ignore[unpinned-uses]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
fail-on-error: false

# 5. Publishing job (main deployment logic)
publish-github-packages:
needs: [check-if-merged, build, coverage-report]
if: needs.check-if-merged.outputs.should_run == 'true'
if: |
always() &&
needs.check-if-merged.outputs.should_run == 'true' &&
needs.build.result == 'success' &&
(needs.coverage-report.result == 'success' || needs.coverage-report.result == 'skipped')
runs-on: ubuntu-latest
environment: production
permissions:
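Review bot: `always()` makes coverage-report and publish-github-packages evaluate even on a cancelled run; `!cancelled()` expresses the intent (run although an upstream job may have been skipped) without that. With `fail-on-error: false` on both Coveralls steps a broken upload is a green run, and since the publish gate accepts coverage-report as `success` or `skipped`, coverage is no longer a gate on publishing at all; if that is intended, say so in the `# 4.` comment rather than leaving it implied by the `if:`.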
@@ -282,9 +293,7 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js - 24
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses,cache-poisoning]
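Review bot: the build job says dependency caching was removed to reduce cache-poisoning risk, yet the zizmor `cache-poisoning` suppression on setup-node shows caching is still enabled in the publish job, which runs under the `production` environment with publishing credentials and is the job where a poisoned cache does the most damage. Either drop the cache here as well or record why it is acceptable next to the suppression.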
@@ -420,9 +429,11 @@ jobs:
;;
esac

# Get the new version number
NEW_VERSION=$(pnpm version "$BUMP_TYPE" --no-git-tag-version)
echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
# Mutate package.json only — do NOT parse pnpm stdout (pnpm 11 prints multi-line text)
pnpm version "$BUMP_TYPE" --no-git-tag-version
PACKAGE_VERSION=$(node -p "require('./package.json').version")
NEW_VERSION="v${PACKAGE_VERSION}"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"

# Escape special characters in PR title and URL
ESCAPED_TITLE=$(echo "$PR_TITLE" | sed 's/[`$"\]/\\&/g')
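Review bot: `NEW_VERSION="v${PACKAGE_VERSION}"` hard-codes a `v` prefix; `pnpm version` used to print `vX.Y.Z` itself, so the format is preserved, but only if every consumer of `steps.<id>.outputs.new_version` (tagging, release notes) expects the prefix, which this diff does not show. Reading the version back from package.json instead of parsing stdout is the right fix; add a guard that `PACKAGE_VERSION` is non-empty and matches a semver pattern before it is written to `$GITHUB_OUTPUT`, since a failed `pnpm version` would otherwise yield a bogus `v` tag.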
4 changes: 1 addition & 3 deletions .github/workflows/run-tests.yml
@@ -36,9 +36,7 @@ jobs:
persist-credentials: false
fetch-depth: 1

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
3 changes: 3 additions & 0 deletions .gitignore
@@ -25,5 +25,8 @@ junit-vitest.xml
/docs/static/social-cards
docs/static/og-default.png
docs/static/twitter-default.png
docs/static/docs/
docs/static/llms-full.txt
docs/static/llms.txt
mprocs.log
docs/src/lib/github-stats.json
4 changes: 1 addition & 3 deletions .trunk/setup-ci/action.yaml
@@ -4,9 +4,7 @@ description: Set up dependencies for Trunk Code Quality
runs:
using: composite
steps:
- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Setup Node.js
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
17 changes: 9 additions & 8 deletions .trunk/trunk.yaml
@@ -7,14 +7,14 @@ cli:
plugins:
sources:
- id: trunk
ref: v1.7.6
ref: v1.10.0
uri: https://github.com/trunk-io/plugins
# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
runtimes:
enabled:
- go@1.21.0
- node@22.16.0
- python@3.10.8
- python@3.14.4

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What Python versions does Checkov currently support, and does Trunk use the Python version pinned under runtimes.enabled for Python-based linters such as Checkov?

💡 Result:

As of June 2, 2026, Checkov officially supports Python versions 3.9 through 3.13, inclusive [1][2]. The project maintains this support by following the official Python release cycle and conducting automated tests across these supported versions [1][2]. Regarding Trunk, it does not rely on a user-provided or local Python installation for its managed linters [3]. Instead, Trunk manages the runtimes required for its tools—including Checkov—automatically [3]. When you configure runtimes in your repository's .trunk/trunk.yaml file, such as under runtimes.enabled, you are specifying the versions Trunk should use to run those tools [3][4]. Trunk caches these linters, formatters, and their respective runtime environments (e.g., specific Python versions) in ~/.cache/trunk, ensuring that the tool execution is isolated and consistent across different environments regardless of what is installed on the host machine [3].

Citations:


Pin Trunk’s Python runtime to a Checkov-supported version (≤3.13)

In .trunk/trunk.yaml, runtimes.enabled pins python@3.14.4 (line 17) while Checkov supports Python only up through 3.13. Trunk uses the configured runtimes.enabled Python version to run Python-based linters like Checkov (enabled on line 34), so this can break local/CI runs. Pin Python to python@3.13.x until Checkov adds 3.14 support.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.trunk/trunk.yaml at line 17, The runtimes.enabled entry currently pins
python@3.14.4 which is unsupported by Checkov; update the runtimes.enabled value
to pin a Checkov-supported interpreter (e.g., change python@3.14.4 to
python@3.13.x) so Python-based linters like Checkov run correctly; verify the
YAML value for runtimes.enabled and ensure any dependent config referencing that
runtime (e.g., Checkov enablement) continues to reference the updated
python@3.13.x string.

# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
lint:
ignore:
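Review bot: node@22.16.0 stays pinned under runtimes.enabled while the workflows in this PR run Node 24 and the docs volta pin moves to 24.15.0, so Trunk-run linters exercise a different runtime than CI and local builds; bump it in the same change. go@1.21.0 is likewise untouched and well out of upstream support. The python jump is already covered by the Checkov comment above.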
@@ -27,17 +27,18 @@ lint:
paths:
- '**/pnpm-lock.yaml'
enabled:
- grype@0.112.0
- shellcheck@0.11.0
- shfmt@3.6.0
- actionlint@1.7.11
- checkov@3.2.510
- eslint@10.1.0
- actionlint@1.7.12
- checkov@3.2.532
- eslint@10.4.1
- git-diff-check
- markdownlint@0.48.0
- osv-scanner@2.3.3
- prettier@3.8.1
- osv-scanner@2.3.8
- prettier@3.8.3
- svgo@4.0.1
- trufflehog@3.94.0
- trufflehog@3.95.5
- yamllint@1.38.0
actions:
disabled:
61 changes: 31 additions & 30 deletions docs/package.json
@@ -8,7 +8,7 @@
"cf-typegen": "wrangler types && mv worker-configuration.d.ts src/",
"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
"deploy": "npm run build && wrangler pages deploy",
"deploy": "npm run build && wrangler deploy",
"dev": "vite dev",
"generate-social": "tsx ./scripts/generate-social-cards.ts",
"sitemap:manifest": "node ./scripts/generate-sitemap-manifest.mjs",
@@ -20,50 +20,51 @@
"preview": "vite preview"
},
"dependencies": {
"@humanspeak/docs-kit": "github:humanspeak/docs-kit#2026.3.18",
"@humanspeak/docs-kit": "github:humanspeak/docs-kit#2026.6.4",
"@humanspeak/memory-cache": "workspace:*",
"@humanspeak/svelte-markdown": "^1.5.4",
"github-slugger": "^2.0.0",
"runed": "^0.37.1"
},
"devDependencies": {
"@cloudflare/workers-types": "^4.20260317.1",
"@eslint/compat": "^2.0.3",
"@cloudflare/workers-types": "^4.20260531.1",
"@eslint/compat": "^2.1.0",
"@eslint/js": "^10.0.1",
"@humanspeak/svelte-motion": "^0.1.32",
"@humanspeak/svelte-motion": "^0.6.2",
"@lucide/svelte": "^1.17.0",
"@sveltejs/adapter-cloudflare": "^7.2.8",
"@sveltejs/kit": "^2.55.0",
"@sveltejs/vite-plugin-svelte": "^7.0.0",
"@tailwindcss/postcss": "^4.2.2",
"@sveltejs/kit": "^2.61.1",
"@sveltejs/vite-plugin-svelte": "^7.1.2",
"@tailwindcss/postcss": "^4.3.0",
"@tailwindcss/typography": "^0.5.19",
"@tailwindcss/vite": "^4.2.2",
"@typescript-eslint/eslint-plugin": "^8.57.1",
"@typescript-eslint/parser": "^8.57.1",
"autoprefixer": "^10.4.27",
"@tailwindcss/vite": "^4.3.0",
"@typescript-eslint/eslint-plugin": "^8.60.0",
"@typescript-eslint/parser": "^8.60.0",
"autoprefixer": "^10.5.0",
"chokidar-cli": "^3.0.0",
"eslint": "^10.1.0",
"eslint": "^10.4.1",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-svelte": "3.16.0",
"globals": "^17.4.0",
"@lucide/svelte": "^0.577.0",
"eslint-plugin-svelte": "3.19.0",
"globals": "^17.6.0",
"mdsvex": "^0.12.7",
"mode-watcher": "^1.1.0",
"prettier": "^3.8.1",
"prettier": "^3.8.3",
"prettier-plugin-organize-imports": "^4.3.0",
"prettier-plugin-sort-json": "^4.2.0",
"prettier-plugin-svelte": "^3.5.1",
"prettier-plugin-tailwindcss": "^0.7.2",
"shiki": "^4.0.2",
"svelte": "^5.54.1",
"svelte-check": "^4.4.5",
"tailwind-merge": "^3.5.0",
"tailwindcss": "^4.2.2",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
"typescript-eslint": "^8.57.1",
"vite": "^8.0.1",
"wrangler": "^4.76.0"
"prettier-plugin-svelte": "^4.0.1",
"prettier-plugin-tailwindcss": "^0.8.0",
"shiki": "^4.1.0",
"svelte": "^5.56.0",
"svelte-check": "^4.4.8",
"tailwind-merge": "^3.6.0",
"tailwindcss": "^4.3.0",
"tsx": "^4.22.4",
"typescript": "^6.0.3",
"typescript-eslint": "^8.60.0",
"vite": "^8.0.14",
"wrangler": "^4.95.0"
},
"volta": {
"node": "24.13.0"
"node": "24.15.0"
}
}
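Review bot: the removed `"@lucide/svelte": "^0.577.0"` was a second copy of a key that also appears as `"@lucide/svelte": "^1.17.0"` earlier in devDependencies; in JSON the last duplicate wins, so the effective version silently jumps from 0.577 to 1.17 in this PR and any icon import that changed between those majors needs a check. `typescript` moves from ^5.9.3 to ^6.0.3 and `prettier-plugin-svelte` from ^3.5.1 to ^4.0.1, both majors, so the refreshed pnpm-lock.yaml must be part of the PR or `pnpm install --frozen-lockfile` in the workflows fails. `@humanspeak/docs-kit` is still pinned to a git tag (`#2026.6.4`), which is mutable; the lockfile records the resolved commit, but pinning the SHA in package.json removes the dependence on that. In the scripts hunk above, `wrangler deploy` targets a Worker rather than the Pages project that `wrangler pages deploy` did, so confirm the wrangler configuration was switched to a Worker with static assets (not visible in this diff) and that the Deploy Docs step still invokes this script; `pnpm run build` would also match the rest of the workspace better than `npm run build`.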
9 changes: 8 additions & 1 deletion docs/scripts/generate-sitemap-manifest.mjs
@@ -107,7 +107,14 @@ async function updateExamplesPageTs(examples) {
// Find the examples object in the file and replace it
// More robust regex that matches the entire examples object declaration
const examplesObjectRegex = /const examples\s*=\s*\{[\s\S]*?\n\s*\}(?=\s*\n\s*return)/
const newExamplesObject = `const examples = ${JSON.stringify(examples, null, 4).replace(/^/gm, ' ').trim()}`
// Format as JS object literal with single quotes and unquoted keys (matching prettier config)
const jsObject = JSON.stringify(examples, null, 4)
.replace(/"([^"]+)":/g, (_, key) =>
/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(key) ? `${key}:` : `'${key}':`
)
.replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Escape single quotes when converting values to single-quoted strings.

Converting `: "value"` to `: 'value'` doesn't escape apostrophes inside the value. JSON does not escape `'`, so a title/sourceUrl containing an apostrophe (e.g. metadata title `User's Guide`) emits `'User's Guide'`, producing invalid JS that breaks the generated `+page.ts`.

🐛 Proposed fix to escape inner single quotes
-        .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
+        .replace(/: "([^"]*)"/g, (_, value) => `: '${value.replace(/'/g, "\\'")}'`)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/scripts/generate-sitemap-manifest.mjs` at line 115, The current
replacement .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`) (in
generate-sitemap-manifest.mjs) turns double-quoted values into single-quoted
ones but does not escape inner single quotes, producing invalid JS for strings
like "User's Guide"; update the arrow function to escape single quotes inside
value before wrapping (e.g., transform value with a replace that converts ' to
\\' or otherwise escape single quotes) so the resulting `: '...'` string is
valid JavaScript.

.replace(/: null/g, ': null')
const newExamplesObject = `const examples = ${jsObject.replace(/^/gm, ' ').trim()}`

if (examplesObjectRegex.test(content)) {
content = content.replace(examplesObjectRegex, newExamplesObject)
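Review bot: beyond the apostrophe case already raised, the regex post-processing of JSON.stringify output is fragile in two more ways. `: "([^"]*)"` stops at the first `"`, so a value containing a double quote (which JSON.stringify emits as `\"`) is cut short and leaves an unbalanced quote behind; and `"([^"]+)":` matches any quoted text followed by a colon, including text inside a value such as a URL with `"foo":` in it, not only keys. `.replace(/: null/g, ': null')` replaces a string with itself and can be deleted. Since prettier is already a devDependency and configured for single quotes, the simpler and safe route is to write the plain JSON.stringify output into the `const examples = ...` slot and run prettier over the generated file, rather than reformatting with regexes.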