Skip to content

ci: clean up publish and docs deploy workflows #158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jaysin586 merged 9 commits into from
Jun 2, 2026
Merged

ci: clean up publish and docs deploy workflows #158

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
99c4e4e
Remove dependabot version updates
jaysin586 Mar 23, 2026
5805b4b
chore: add typescript to .ncuskip to prevent major version bumps
jaysin586 Mar 29, 2026
8f4c0f3
Merge branch 'main' of https://github.com/humanspeak/memory-cache int…
jaysin586 Jun 2, 2026
d76e585
build: allow pnpm dependency builds
jaysin586 Jun 2, 2026
b316904
ci: migrate docs deploy to Workers
jaysin586 Jun 2, 2026
13f665f
chore: apply ci cleanup updates
jaysin586 Jun 2, 2026
a52cd7e
ci: update pnpm setup action
jaysin586 Jun 2, 2026
8603fbd
build: pin pnpm package manager
jaysin586 Jun 2, 2026
699ea2d
docs: add llms documentation outputs
jaysin586 Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 0 additions & 17 deletions .github/dependabot.yml
View file
Open in desktop

This file was deleted.

18 changes: 13 additions & 5 deletions .github/workflows/cloudflare-pages.yml → .github/workflows/cloudflare-deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Cloudflare Pages - Deploy
name: Cloudflare Workers - Deploy

permissions:
contents: read
Expand All @@ -8,7 +8,13 @@ on:
types: [closed]
paths:
- docs/**
- .github/workflows/cloudflare-pages.yml
- src/**
- static/**
- package.json
- pnpm-lock.yaml
- svelte.config.js
- vite.config.ts
- .github/workflows/cloudflare-deploy.yml
branches:
- main
workflow_dispatch:
Expand All @@ -17,22 +23,23 @@ on:

jobs:
deploy:
if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
environment: docs
name: Deploy
steps:
- name: Checkout
uses: actions/checkout@v6 # zizmor: ignore[unpinned-uses]
with:
persist-credentials: false

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]
Comment thread
coderabbitai[bot] marked this conversation as resolved.

- name: Use Node.js - 24
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
with:
node-version: 24
cache: pnpm

- name: Install Root Dependencies
run: pnpm install --frozen-lockfile
Expand All @@ -47,6 +54,7 @@ jobs:
- name: Deploy Docs
working-directory: docs
env:
NODE_OPTIONS: --max-old-space-size=4096
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
Expand Down
4 changes: 1 addition & 3 deletions .github/workflows/coveralls.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,7 @@ jobs:
persist-credentials: false
token: ${{ secrets.ACTIONS_KEY }}

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]
Comment thread
coderabbitai[bot] marked this conversation as resolved.

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
Expand Down
33 changes: 22 additions & 11 deletions .github/workflows/npm-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,18 +44,22 @@ jobs:
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
outputs:
should_run: ${{ steps.check.outputs.should_run }}
has_skip_label: ${{ steps.check.outputs.has_skip_label }}
steps:
- id: check
env:
EVENT_NAME: ${{ github.event_name }}
PR_MERGED: ${{ github.event.pull_request.merged }}
HAS_SKIP_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'skip-publish') }}
run: |
if [[ "$EVENT_NAME" == "pull_request" && "$PR_MERGED" != "true" ]]; then
echo "should_run=false" >> $GITHUB_OUTPUT
else
echo "should_run=true" >> $GITHUB_OUTPUT
fi

echo "has_skip_label=$HAS_SKIP_LABEL" >> $GITHUB_OUTPUT

debug-check:
needs: check-if-merged
if: needs.check-if-merged.outputs.should_run == 'true'
Expand Down Expand Up @@ -213,9 +217,7 @@ jobs:
persist-credentials: false
token: ${{ secrets.ACTIONS_KEY }}

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
Expand Down Expand Up @@ -245,26 +247,35 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
flag-name: node-${{ matrix.node-version }}
parallel: true
fail-on-error: false
if: matrix.node-version == '22'

# Removed dependency caching to reduce cache-poisoning risk

# 4. Coverage reporting (depends on tests)
coverage-report:
needs: [check-if-merged, build]
if: needs.check-if-merged.outputs.should_run == 'true'
if: |
always() &&
needs.check-if-merged.outputs.should_run == 'true' &&
needs.build.result == 'success'
runs-on: blacksmith-2vcpu-ubuntu-2404 # trunk-ignore(actionlint/runner-label)
steps:
- name: Coveralls Finished
uses: coverallsapp/github-action@v2 # zizmor: ignore[unpinned-uses]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
fail-on-error: false

# 5. Publishing job (main deployment logic)
publish-github-packages:
needs: [check-if-merged, build, coverage-report]
if: needs.check-if-merged.outputs.should_run == 'true'
if: |
always() &&
needs.check-if-merged.outputs.should_run == 'true' &&
needs.build.result == 'success' &&
(needs.coverage-report.result == 'success' || needs.coverage-report.result == 'skipped')
runs-on: ubuntu-latest
environment: production
permissions:
Expand All @@ -282,9 +293,7 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js - 24
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses,cache-poisoning]
Expand Down Expand Up @@ -420,9 +429,11 @@ jobs:
;;
esac

# Get the new version number
NEW_VERSION=$(pnpm version "$BUMP_TYPE" --no-git-tag-version)
echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
# Mutate package.json only — do NOT parse pnpm stdout (pnpm 11 prints multi-line text)
pnpm version "$BUMP_TYPE" --no-git-tag-version
PACKAGE_VERSION=$(node -p "require('./package.json').version")
NEW_VERSION="v${PACKAGE_VERSION}"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"

# Escape special characters in PR title and URL
ESCAPED_TITLE=$(echo "$PR_TITLE" | sed 's/[`$"\]/\\&/g')
Expand Down
4 changes: 1 addition & 3 deletions .github/workflows/run-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,7 @@ jobs:
persist-credentials: false
fetch-depth: 1

- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
Expand Down
3 changes: 3 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,8 @@ junit-vitest.xml
/docs/static/social-cards
docs/static/og-default.png
docs/static/twitter-default.png
docs/static/docs/
docs/static/llms-full.txt
docs/static/llms.txt
mprocs.log
docs/src/lib/github-stats.json
4 changes: 1 addition & 3 deletions .trunk/setup-ci/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,7 @@ description: Set up dependencies for Trunk Code Quality
runs:
using: composite
steps:
- uses: pnpm/action-setup@v4 # zizmor: ignore[unpinned-uses]
with:
version: 10
- uses: pnpm/action-setup@v6 # zizmor: ignore[unpinned-uses]

- name: Setup Node.js
uses: actions/setup-node@v6 # zizmor: ignore[unpinned-uses]
Expand Down
17 changes: 9 additions & 8 deletions .trunk/trunk.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,14 @@ cli:
plugins:
sources:
- id: trunk
ref: v1.7.6
ref: v1.10.0
uri: https://github.com/trunk-io/plugins
# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
runtimes:
enabled:
- go@1.21.0
- node@22.16.0
- python@3.10.8
- python@3.14.4

@coderabbitai coderabbitai Bot Jun 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What Python versions does Checkov currently support, and does Trunk use the Python version pinned under runtimes.enabled for Python-based linters such as Checkov?

💡 Result:

As of June 2, 2026, Checkov officially supports Python versions 3.9 through 3.13, inclusive [1][2]. The project maintains this support by following the official Python release cycle and conducting automated tests across these supported versions [1][2]. Regarding Trunk, it does not rely on a user-provided or local Python installation for its managed linters [3]. Instead, Trunk manages the runtimes required for its tools—including Checkov—automatically [3]. When you configure runtimes in your repository's.trunk/trunk.yaml file, such as under runtimes.enabled, you are specifying the versions Trunk should use to run those tools [3][4]. Trunk caches these linters, formatters, and their respective runtime environments (e.g., specific Python versions) in ~/.cache/trunk, ensuring that the tool execution is isolated and consistent across different environments regardless of what is installed on the host machine [3].

Citations:

Pin Trunk’s Python runtime to a Checkov-supported version (≤3.13)

In .trunk/trunk.yaml, runtimes.enabled pins python@3.14.4 (line 17) while Checkov supports Python only up through 3.13. Trunk uses the configured runtimes.enabled Python version to run Python-based linters like Checkov (enabled on line 34), so this can break local/CI runs. Pin Python to python@3.13.x until Checkov adds 3.14 support.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.trunk/trunk.yaml at line 17, The runtimes.enabled entry currently pins
python@3.14.4 which is unsupported by Checkov; update the runtimes.enabled value
to pin a Checkov-supported interpreter (e.g., change python@3.14.4 to
python@3.13.x) so Python-based linters like Checkov run correctly; verify the
YAML value for runtimes.enabled and ensure any dependent config referencing that
runtime (e.g., Checkov enablement) continues to reference the updated
python@3.13.x string.

# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
lint:
ignore:
Expand All @@ -27,17 +27,18 @@ lint:
paths:
- '**/pnpm-lock.yaml'
enabled:
- grype@0.112.0
- shellcheck@0.11.0
- shfmt@3.6.0
- actionlint@1.7.11
- checkov@3.2.510
- eslint@10.1.0
- actionlint@1.7.12
- checkov@3.2.532
- eslint@10.4.1
- git-diff-check
- markdownlint@0.48.0
- osv-scanner@2.3.3
- prettier@3.8.1
- osv-scanner@2.3.8
- prettier@3.8.3
- svgo@4.0.1
- trufflehog@3.94.0
- trufflehog@3.95.5
- yamllint@1.38.0
actions:
disabled:
Expand Down
61 changes: 31 additions & 30 deletions docs/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"cf-typegen": "wrangler types && mv worker-configuration.d.ts src/",
"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
"deploy": "npm run build && wrangler pages deploy",
"deploy": "npm run build && wrangler deploy",
"dev": "vite dev",
"generate-social": "tsx ./scripts/generate-social-cards.ts",
"sitemap:manifest": "node ./scripts/generate-sitemap-manifest.mjs",
Expand All @@ -20,50 +20,51 @@
"preview": "vite preview"
},
"dependencies": {
"@humanspeak/docs-kit": "github:humanspeak/docs-kit#2026.3.18",
"@humanspeak/docs-kit": "github:humanspeak/docs-kit#2026.6.4",
"@humanspeak/memory-cache": "workspace:*",
"@humanspeak/svelte-markdown": "^1.5.4",
"github-slugger": "^2.0.0",
"runed": "^0.37.1"
},
"devDependencies": {
"@cloudflare/workers-types": "^4.20260317.1",
"@eslint/compat": "^2.0.3",
"@cloudflare/workers-types": "^4.20260531.1",
"@eslint/compat": "^2.1.0",
"@eslint/js": "^10.0.1",
"@humanspeak/svelte-motion": "^0.1.32",
"@humanspeak/svelte-motion": "^0.6.2",
"@lucide/svelte": "^1.17.0",
"@sveltejs/adapter-cloudflare": "^7.2.8",
"@sveltejs/kit": "^2.55.0",
"@sveltejs/vite-plugin-svelte": "^7.0.0",
"@tailwindcss/postcss": "^4.2.2",
"@sveltejs/kit": "^2.61.1",
"@sveltejs/vite-plugin-svelte": "^7.1.2",
"@tailwindcss/postcss": "^4.3.0",
"@tailwindcss/typography": "^0.5.19",
"@tailwindcss/vite": "^4.2.2",
"@typescript-eslint/eslint-plugin": "^8.57.1",
"@typescript-eslint/parser": "^8.57.1",
"autoprefixer": "^10.4.27",
"@tailwindcss/vite": "^4.3.0",
"@typescript-eslint/eslint-plugin": "^8.60.0",
"@typescript-eslint/parser": "^8.60.0",
"autoprefixer": "^10.5.0",
"chokidar-cli": "^3.0.0",
"eslint": "^10.1.0",
"eslint": "^10.4.1",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-svelte": "3.16.0",
"globals": "^17.4.0",
"@lucide/svelte": "^0.577.0",
"eslint-plugin-svelte": "3.19.0",
"globals": "^17.6.0",
"mdsvex": "^0.12.7",
"mode-watcher": "^1.1.0",
"prettier": "^3.8.1",
"prettier": "^3.8.3",
"prettier-plugin-organize-imports": "^4.3.0",
"prettier-plugin-sort-json": "^4.2.0",
"prettier-plugin-svelte": "^3.5.1",
"prettier-plugin-tailwindcss": "^0.7.2",
"shiki": "^4.0.2",
"svelte": "^5.54.1",
"svelte-check": "^4.4.5",
"tailwind-merge": "^3.5.0",
"tailwindcss": "^4.2.2",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
"typescript-eslint": "^8.57.1",
"vite": "^8.0.1",
"wrangler": "^4.76.0"
"prettier-plugin-svelte": "^4.0.1",
"prettier-plugin-tailwindcss": "^0.8.0",
"shiki": "^4.1.0",
"svelte": "^5.56.0",
"svelte-check": "^4.4.8",
"tailwind-merge": "^3.6.0",
"tailwindcss": "^4.3.0",
"tsx": "^4.22.4",
"typescript": "^6.0.3",
"typescript-eslint": "^8.60.0",
"vite": "^8.0.14",
"wrangler": "^4.95.0"
},
"volta": {
"node": "24.13.0"
"node": "24.15.0"
}
}
9 changes: 8 additions & 1 deletion docs/scripts/generate-sitemap-manifest.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,14 @@ async function updateExamplesPageTs(examples) {
// Find the examples object in the file and replace it
// More robust regex that matches the entire examples object declaration
const examplesObjectRegex = /const examples\s*=\s*\{[\s\S]*?\n\s*\}(?=\s*\n\s*return)/
const newExamplesObject = `const examples = ${JSON.stringify(examples, null, 4).replace(/^/gm, ' ').trim()}`
// Format as JS object literal with single quotes and unquoted keys (matching prettier config)
const jsObject = JSON.stringify(examples, null, 4)
.replace(/"([^"]+)":/g, (_, key) =>
/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(key) ? `${key}:` : `'${key}':`
)
.replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)

@coderabbitai coderabbitai Bot Jun 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Escape single quotes when converting values to single-quoted strings.

Converting : "value": 'value' doesn't escape apostrophes inside the value. JSON does not escape ', so a title/sourceUrl containing an apostrophe (e.g. metadata title User's Guide) emits 'User's Guide', producing invalid JS that breaks the generated +page.ts.

🐛 Proposed fix to escape inner single quotes 
-        .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
+        .replace(/: "([^"]*)"/g, (_, value) => `: '${value.replace(/'/g, "\\'")}'`)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
.replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`)
.replace(/: "([^"]*)"/g, (_, value) => `: '${value.replace(/'/g, "\\'")}'`)
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/scripts/generate-sitemap-manifest.mjs` at line 115, The current
replacement .replace(/: "([^"]*)"/g, (_, value) => `: '${value}'`) (in
generate-sitemap-manifest.mjs) turns double-quoted values into single-quoted
ones but does not escape inner single quotes, producing invalid JS for strings
like "User's Guide"; update the arrow function to escape single quotes inside
value before wrapping (e.g., transform value with a replace that converts ' to
\\' or otherwise escape single quotes) so the resulting `: '...'` string is
valid JavaScript.

.replace(/: null/g, ': null')
const newExamplesObject = `const examples = ${jsObject.replace(/^/gm, ' ').trim()}`

if (examplesObjectRegex.test(content)) {
content = content.replace(examplesObjectRegex, newExamplesObject)
Expand Down
Loading
Loading