diff --git a/.github/workflows/lockfile-check.yml b/.github/workflows/lockfile-check.yml deleted file mode 100644 index ef369c6e..00000000 --- a/.github/workflows/lockfile-check.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: lockfile-check - -# PR-time guardrail: re-runs the same install our release workflow -# runs on main (`bun install --frozen-lockfile`). Fails the PR if -# bun.lock would have rejected the install — closes the loop so drift -# can never reach main. -# -# Pairs with: -# - "packageManager": "bun@1.3.5" in package.json -# - .gitignore bans on package-lock.json / yarn.lock / pnpm-lock.yaml -# - the deco-post-cleanup audit's lockfile-* rules -# -# Adjust `bun-version` here in lockstep with the package.json -# `packageManager` field. - -on: - pull_request: - paths: - - "package.json" - - "bun.lock" - - ".github/workflows/lockfile-check.yml" - -permissions: - contents: read - -jobs: - frozen-install: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 - with: - bun-version: 1.3.5 - - name: bun install --frozen-lockfile - run: bun install --frozen-lockfile diff --git a/scripts/migrate/phase-scaffold.ts b/scripts/migrate/phase-scaffold.ts index ad18ecf1..5daf669a 100644 --- a/scripts/migrate/phase-scaffold.ts +++ b/scripts/migrate/phase-scaffold.ts @@ -2,8 +2,7 @@ import * as fs from "node:fs"; import * as path from "node:path"; import type { MigrationContext } from "./types"; import { log, logPhase } from "./types"; -import { CANONICAL_BUN_VERSION, generatePackageJson } from "./templates/package-json"; -import { generateLockfileCheckYml } from "./templates/lockfile-check-yml"; +import { generatePackageJson } from "./templates/package-json"; import { generateTsconfig } from "./templates/tsconfig"; import { generateViteConfig } from "./templates/vite-config"; import { generateKnipConfig } from "./templates/knip-config"; @@ -73,16 +72,6 @@ export function scaffold(ctx: MigrationContext): void { tabWidth: 2, }, null, 2) + "\n"); - // PR-time lockfile guardrail. Lives in the site repo (per-site, not - // a centralised reusable workflow) because per D6.3 we are not - // scaffolding caller stubs into storefronts. Bun version is pinned - // in lockstep with `package.json` via CANONICAL_BUN_VERSION. - writeFile( - ctx, - ".github/workflows/lockfile-check.yml", - generateLockfileCheckYml(CANONICAL_BUN_VERSION), - ); - // Server entry files (server.ts, worker-entry.ts, router.tsx, runtime.ts, context.ts) writeMultiFile(ctx, generateServerEntry(ctx)); diff --git a/scripts/migrate/phase-verify.ts b/scripts/migrate/phase-verify.ts index b11a655c..2a23341c 100644 --- a/scripts/migrate/phase-verify.ts +++ b/scripts/migrate/phase-verify.ts @@ -17,7 +17,6 @@ const REQUIRED_FILES = [ // Workers Builds (D6.3) -- configured in the CF dashboard, not via // GitHub workflow files in the site repo. ".github/workflows/regen-blocks.yml", - ".github/workflows/lockfile-check.yml", "knip.config.ts", ".prettierrc", "src/server.ts", diff --git a/scripts/migrate/templates/lockfile-check-yml.test.ts b/scripts/migrate/templates/lockfile-check-yml.test.ts deleted file mode 100644 index 0f4bcd61..00000000 --- a/scripts/migrate/templates/lockfile-check-yml.test.ts +++ /dev/null @@ -1,26 +0,0 @@ -import { describe, expect, it } from "vitest"; -import { generateLockfileCheckYml } from "./lockfile-check-yml"; - -describe("generateLockfileCheckYml", () => { - it("emits a valid GitHub Actions workflow with the bun version pinned", () => { - const yaml = generateLockfileCheckYml("1.3.5"); - expect(yaml).toContain("name: lockfile-check"); - expect(yaml).toContain("on:"); - expect(yaml).toContain("pull_request:"); - expect(yaml).toContain("bun-version: 1.3.5"); - expect(yaml).toContain("bun install --frozen-lockfile"); - }); - - it("strips an accidental `bun@` prefix from the version input", () => { - const yaml = generateLockfileCheckYml("bun@1.3.5"); - expect(yaml).toContain("bun-version: 1.3.5"); - expect(yaml).not.toMatch(/bun-version:\s*bun@/); - }); - - it("scopes the trigger to package.json + bun.lock + the workflow itself", () => { - const yaml = generateLockfileCheckYml("1.3.5"); - expect(yaml).toContain('"package.json"'); - expect(yaml).toContain('"bun.lock"'); - expect(yaml).toContain('".github/workflows/lockfile-check.yml"'); - }); -}); diff --git a/scripts/migrate/templates/lockfile-check-yml.ts b/scripts/migrate/templates/lockfile-check-yml.ts deleted file mode 100644 index 787b7f81..00000000 --- a/scripts/migrate/templates/lockfile-check-yml.ts +++ /dev/null @@ -1,66 +0,0 @@ -/** - * Generates `.github/workflows/lockfile-check.yml`, the PR-time - * guardrail that fails any pull request which would have failed - * Cloudflare Workers Builds with `lockfile had changes, but lockfile - * is frozen`. This catches drift before it reaches main, instead of - * only after deploy attempts. - * - * Lives in the site repo (per-site, not centralised) because per - * D6.3 we are NOT scaffolding caller stubs that pull in - * `decocms/deco-start@vN` reusable workflows. The check is small - * enough that copy-paste-per-site is the right tradeoff. - * - * Bun version pinning matches the `packageManager` field in the - * scaffolded `package.json` (see `templates/package-json.ts`'s - * `CANONICAL_BUN_VERSION`). Kept in lockstep manually for now; - * future iterations may consolidate both into a shared constant. - */ -export function generateLockfileCheckYml(bunVersion: string): string { - const v = stripBunPrefix(bunVersion); - return `name: lockfile-check - -# PR-time guardrail: re-runs the same install Cloudflare Workers Builds -# runs on deploy (\`bun install --frozen-lockfile\`). Fails the PR if -# bun.lock would have rejected the install — closes the loop so drift -# can never reach main, only to be caught by Workers Builds at deploy -# time. -# -# Pairs with: -# - "packageManager": "bun@${v}" in package.json -# - .gitignore bans on package-lock.json / yarn.lock / pnpm-lock.yaml -# - the deco-post-cleanup audit's lockfile-* rules -# -# Adjust \`bun-version\` here in lockstep with the package.json -# \`packageManager\` field. - -on: - pull_request: - paths: - - "package.json" - - "bun.lock" - - ".github/workflows/lockfile-check.yml" - -permissions: - contents: read - -jobs: - frozen-install: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 - with: - bun-version: ${v} - - name: bun install --frozen-lockfile - run: bun install --frozen-lockfile -`; -} - -/** - * Strip an accidental `bun@` prefix from the version string so the - * YAML's `bun-version` input (which expects a bare semver) doesn't - * receive `bun@1.3.5`. - */ -function stripBunPrefix(input: string): string { - return input.replace(/^bun@/, ""); -} diff --git a/scripts/migrate/templates/package-json.ts b/scripts/migrate/templates/package-json.ts index aae47591..cc48ff6a 100644 --- a/scripts/migrate/templates/package-json.ts +++ b/scripts/migrate/templates/package-json.ts @@ -2,13 +2,11 @@ import { execSync } from "node:child_process"; import type { MigrationContext } from "../types"; /** - * Fleet-wide canonical bun version. Bumped here propagates to all newly - * migrated sites via the `packageManager` field AND the - * `lockfile-check.yml` workflow's `bun-version` input. See - * MIGRATION_TOOLING_PLAN.md for the bun-canonical decision. - * - * Exported because the lockfile-check workflow template reads it - * directly to keep both files in lockstep. + * Fleet-wide canonical bun version. Propagates to all newly migrated + * sites via the `packageManager` field — Corepack-aware tooling (npm + * 10+, yarn 4+, pnpm 9+) reads this and refuses to install with the + * wrong package manager, which is the actual enforcement we rely on. + * See MIGRATION_TOOLING_PLAN.md for the bun-canonical decision. */ export const CANONICAL_BUN_VERSION = "1.3.5";