Skip to content

ci: auto-rebuild web dist on dependabot web-deps PRs#713

Merged
germanamz merged 1 commit into
mainfrom
ci/auto-rebuild-web-dist
Jul 13, 2026
Merged

ci: auto-rebuild web dist on dependabot web-deps PRs#713
germanamz merged 1 commit into
mainfrom
ci/auto-rebuild-web-dist

Conversation

@germanamz

Copy link
Copy Markdown
Owner

Problem

Every dependabot web-deps PR (e.g. #712, and #673/#658 before it) arrives with a red dist-drift check, by construction: the bot bumps web/package.json + web/pnpm-lock.yaml but cannot run make web, so the committed bundle at internal/graphview/dist (go:embed-ed into the binary) is always stale. Until now the fix was a human checking out the bot branch and hand-pushing a rebuild (a7e5177, and again on #673 and #712). Worse, because dist-drift is not a required check, merging red ships a binary whose embedded bundle does not contain the bumped deps at all.

Fix

.github/workflows/dependabot-web-dist.yml — on dependabot PRs touching the web manifests, rebuild the bundle and push it back to the PR branch:

  • Two jobs for supply-chain isolation: pnpm install runs lifecycle scripts of freshly-bumped packages (untrusted code that can poison GITHUB_PATH/GITHUB_ENV). The build job holds no secrets and hands the bundle over as an artifact; the push job runs on a fresh runner, never executes package code, and refuses any archive entry that is a link or outside dist/.
  • Deploy-key push, not GITHUB_TOKEN: pull_request runs for a GITHUB_TOKEN push are created approval-required (a human click per bump); a deploy-key push fires normal synchronize runs so the full CI suite re-runs unattended. Deploy-key pushes still go through the ruleset, so the key can't land anything on main outside a PR.
  • [dependabot skip] commit body so dependabot keeps rebasing/recreating the branch over the bot commit (without it, the first push permanently stops dependabot from resolving future conflicts — GitHub-documented behavior).
  • Loop-safe (actor gate + clean-diff early exit), queue-not-cancel concurrency, overwrite: true artifact for re-runs, pinned GitHub host keys, hooks disabled while the key is on disk, key scrubbed after push.

Companion fixes:

  • ci.yml dist-drift + lefthook web-dist-drift: drift detection switched from git diff --quiet to git status --porcelain — the old check was blind to a rebuild that adds a file. Pointer comment on dist-drift for discoverability.
  • lefthook branch-name: exempt dependabot/* — the convention is for human branches, and it blocked committing a rebuild onto a checked-out bot branch.
  • docs/packages/graphview.md: one line pointing at the new workflow.

Setup required (one-time, not yet done)

The workflow needs a write deploy key stored as the Dependabot secret DIST_DEPLOY_KEY (dependabot-triggered runs can only read that store). Until it exists, the workflow fails with a clear error on dependabot PRs — no worse than today. Revoke anytime under Settings → Deploy keys.

Verification

  • build: bump the web-deps group in /web with 3 updates #712 was fixed by hand-executing exactly what this workflow automates (rebuild with Node 20/pnpm 9.12.0 → commit → SSH push): all 9 checks went green, confirming the commit message passes commitlint and an SSH push re-triggers the full suite.
  • Design adversarially reviewed by a 5-lens panel against GitHub docs (Dependabot secret-store semantics, retrigger semantics, artifact scoping, re-run privileges); tar guards unit-tested against escape/symlink archives; actionlint clean.
  • Residuals documented in the workflow header: human pushes/"Update branch" don't re-trigger (recovery: @dependabot rebase), and a genuinely breaking dep bump fails the build job red — the correct human signal.

Follow-up worth considering once this proves itself: add dist-drift to the ruleset's required checks — required-but-auto-fixed is strictly safer than optional-and-red.

@germanamz germanamz merged commit e073127 into main Jul 13, 2026
9 checks passed
@germanamz germanamz deleted the ci/auto-rebuild-web-dist branch July 13, 2026 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant