fix(ci): resolve Windows npm install timeout caused by SSH-locked git deps

[carlos-alm]

Root cause

`tree-sitter-gleam` and `tree-sitter-clojure` were locked in `package-lock.json` as `git+ssh://git@github.com/...` URLs. The lockfile was generated on a machine with SSH configured for GitHub, so npm captured SSH as the resolved protocol.

Windows GitHub Actions runners have no SSH key for GitHub. When npm install hits these deps and the npm cache is cold, it tries to clone via SSH — which hangs indefinitely (no fast-fail, no fallback) and times out at the 20-minute CI limit. This is what killed every Windows job on PRs #1580 and #1581.

Main branch CI passes because its Windows runs have been completing sequentially (not cancelled mid-install), keeping the npm cache warm. PR branch runs are cancelled and restarted, so the cache never gets written and every run hits the cold-path hang.

Fix

`package-lock.json` — rewrite both `resolved` URLs from `git+ssh://` to `git+https://`. The commit hash and integrity fields are unchanged; the content is identical, just fetched over HTTPS.

`.github/workflows/ci.yml` — add `git config url.insteadOf` before every `npm install` block as defense-in-depth. This ensures any future lockfile regeneration that captures SSH URLs does not silently re-introduce the problem.

After merging

Rebase PRs #1580 and #1581 on main — their Windows CI jobs will pass immediately.

[greptile-apps]

Greptile Summary

Fixes Windows CI timeouts caused by SSH-protocol git dependencies in the lockfile. Two resolved entries for tree-sitter-clojure and tree-sitter-gleam are rewritten from the SSH protocol to HTTPS; commit hashes and integrity fields are unchanged so installed content is identical.

• package-lock.json: the two affected entries now resolve over HTTPS instead of SSH, eliminating the hang on cold-cache Windows runners where no SSH key is configured.
• .github/workflows/ci.yml: two url.insteadOf git config rewrites (covering both SSH URL forms) are added before all five npm install blocks; the --add flag is used correctly on the second call so both rewrites are active simultaneously as defense-in-depth.

Confidence Score: 5/5

Safe to merge — the lockfile change is a protocol-only swap with identical commit hashes, and the workflow additions are correct and complete across all install steps.

Both the lockfile fix and the CI defense-in-depth are correct. No remaining SSH-protocol resolved entries exist in the lockfile, all five npm install blocks are covered, and the --add flag is applied properly so neither url.insteadOf rewrite shadows the other.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds git config --global url.insteadOf rewrites (both SSH URL forms) before all five npm install blocks; --add flag used correctly on the second call so both rewrites are active simultaneously.
package-lock.json	Two resolved URLs changed from git+ssh:// to git+https:// for tree-sitter-clojure and tree-sitter-gleam; commit hashes and integrity fields unchanged; grep confirms no remaining git+ssh:// entries.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GHA as GitHub Actions (Windows)
    participant npm as npm install
    participant cache as npm cache
    participant git as git clone

    Note over GHA: Before fix (cold cache)
    GHA->>npm: npm install
    npm->>cache: cache miss
    npm->>git: clone via ssh protocol
    git-->>npm: hangs (no SSH key) → 20-min timeout

    Note over GHA: After fix
    GHA->>GHA: git config url.insteadOf (ssh to https)
    GHA->>npm: npm install
    npm->>cache: cache miss
    npm->>git: clone via https (lockfile rewritten)
    git-->>npm: clones successfully
    npm-->>GHA: install complete

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant GHA as GitHub Actions (Windows)
    participant npm as npm install
    participant cache as npm cache
    participant git as git clone

    Note over GHA: Before fix (cold cache)
    GHA->>npm: npm install
    npm->>cache: cache miss
    npm->>git: clone via ssh protocol
    git-->>npm: hangs (no SSH key) → 20-min timeout

    Note over GHA: After fix
    GHA->>GHA: git config url.insteadOf (ssh to https)
    GHA->>npm: npm install
    npm->>cache: cache miss
    npm->>git: clone via https (lockfile rewritten)
    git-->>npm: clones successfully
    npm-->>GHA: install complete

Loading

_{Reviews (4): Last reviewed commit: "Merge branch 'main' into fix/ci-windows-..." | Re-trigger Greptile}

[greptile-apps]

Second git config silently overwrites the first

git config key value without --add replaces an existing key, so the second url.insteadOf call discards the first value. After both lines execute, only the git@github.com: → HTTPS rewrite is active; the ssh://git@github.com/ rewrite — the exact pattern that caused the original timeout — is silently a no-op. Add --add to the second call: git config --global --add url."https://github.com/".insteadOf "git@github.com:". The same two-line pattern appears at four other npm install blocks and needs the same fix.

[carlos-alm]

Fixed — added --add flag to the second git config url.insteadOf line at all 5 npm install blocks so both rewrites are active. Without --add, the ssh://git@github.com/ rewrite was silently discarded (replaced by the git@github.com: rewrite), leaving the exact URL pattern that caused the original Windows timeout unaddressed.

[carlos-alm]

Addressed Greptile finding: added --add to the second git config url.insteadOf call at all 5 npm install blocks in ci.yml — without it the ssh:// rewrite was silently overwritten by the git@github.com: rewrite, leaving the exact URL pattern that caused the original Windows timeout unaddressed.

[carlos-alm]

@greptileai