ci: auto-rebuild web dist on dependabot web-deps PRs#713
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Every dependabot web-deps PR (e.g. #712, and #673/#658 before it) arrives with a red
dist-driftcheck, by construction: the bot bumpsweb/package.json+web/pnpm-lock.yamlbut cannot runmake web, so the committed bundle atinternal/graphview/dist(go:embed-ed into the binary) is always stale. Until now the fix was a human checking out the bot branch and hand-pushing a rebuild (a7e5177, and again on #673 and #712). Worse, becausedist-driftis not a required check, merging red ships a binary whose embedded bundle does not contain the bumped deps at all.Fix
.github/workflows/dependabot-web-dist.yml— on dependabot PRs touching the web manifests, rebuild the bundle and push it back to the PR branch:pnpm installruns lifecycle scripts of freshly-bumped packages (untrusted code that can poisonGITHUB_PATH/GITHUB_ENV). The build job holds no secrets and hands the bundle over as an artifact; the push job runs on a fresh runner, never executes package code, and refuses any archive entry that is a link or outsidedist/.synchronizeruns so the full CI suite re-runs unattended. Deploy-key pushes still go through the ruleset, so the key can't land anything on main outside a PR.[dependabot skip]commit body so dependabot keeps rebasing/recreating the branch over the bot commit (without it, the first push permanently stops dependabot from resolving future conflicts — GitHub-documented behavior).overwrite: trueartifact for re-runs, pinned GitHub host keys, hooks disabled while the key is on disk, key scrubbed after push.Companion fixes:
dist-drift+ lefthookweb-dist-drift: drift detection switched fromgit diff --quiettogit status --porcelain— the old check was blind to a rebuild that adds a file. Pointer comment ondist-driftfor discoverability.branch-name: exemptdependabot/*— the convention is for human branches, and it blocked committing a rebuild onto a checked-out bot branch.Setup required (one-time, not yet done)
The workflow needs a write deploy key stored as the Dependabot secret
DIST_DEPLOY_KEY(dependabot-triggered runs can only read that store). Until it exists, the workflow fails with a clear error on dependabot PRs — no worse than today. Revoke anytime under Settings → Deploy keys.Verification
@dependabot rebase), and a genuinely breaking dep bump fails the build job red — the correct human signal.Follow-up worth considering once this proves itself: add
dist-driftto the ruleset's required checks — required-but-auto-fixed is strictly safer than optional-and-red.