From 688e78ad60d8bfb4915eb88e5375c3f0b173969f Mon Sep 17 00:00:00 2001 From: Fernando Frizzatti Date: Fri, 8 May 2026 22:29:25 -0300 Subject: [PATCH] chore: drop lockfile-check.yml workflow and scaffold template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PR-time `lockfile-check.yml` guardrail was redundant with the actual enforcement we already have: - The `packageManager` field in `package.json` is honoured by Corepack-aware npm/yarn/pnpm — they refuse to install when the declared manager doesn't match. That's the real blast-door against someone running `npm i` and regenerating `package-lock.json`. - `.gitignore` lockfile bans prevent any non-bun lockfile from being accidentally committed. - Cloudflare Workers Builds runs `bun install --frozen-lockfile` at deploy time anyway — drift cannot land in production silently. Adding a separate PR-time workflow on top of those three layers buys nothing measurable and adds one more piece of YAML per site to keep in lockstep with `CANONICAL_BUN_VERSION`. Removing it. - Delete `.github/workflows/lockfile-check.yml` from the framework repo. - Delete `scripts/migrate/templates/lockfile-check-yml.ts` + tests. - Drop the `writeFile(... lockfile-check.yml ...)` call from `phase-scaffold.ts` and the import. - Drop `.github/workflows/lockfile-check.yml` from the `phase-verify.ts` `REQUIRED_FILES` list. - Update the `CANONICAL_BUN_VERSION` doc comment to reflect the remaining enforcement story (Corepack via `packageManager`). Co-authored-by: Cursor --- .github/workflows/lockfile-check.yml | 35 ---------- scripts/migrate/phase-scaffold.ts | 13 +--- scripts/migrate/phase-verify.ts | 1 - .../templates/lockfile-check-yml.test.ts | 26 -------- .../migrate/templates/lockfile-check-yml.ts | 66 ------------------- scripts/migrate/templates/package-json.ts | 12 ++-- 6 files changed, 6 insertions(+), 147 deletions(-) delete mode 100644 .github/workflows/lockfile-check.yml delete mode 100644 scripts/migrate/templates/lockfile-check-yml.test.ts delete mode 100644 scripts/migrate/templates/lockfile-check-yml.ts diff --git a/.github/workflows/lockfile-check.yml b/.github/workflows/lockfile-check.yml deleted file mode 100644 index ef369c6e..00000000 --- a/.github/workflows/lockfile-check.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: lockfile-check - -# PR-time guardrail: re-runs the same install our release workflow -# runs on main (`bun install --frozen-lockfile`). Fails the PR if -# bun.lock would have rejected the install — closes the loop so drift -# can never reach main. -# -# Pairs with: -# - "packageManager": "bun@1.3.5" in package.json -# - .gitignore bans on package-lock.json / yarn.lock / pnpm-lock.yaml -# - the deco-post-cleanup audit's lockfile-* rules -# -# Adjust `bun-version` here in lockstep with the package.json -# `packageManager` field. - -on: - pull_request: - paths: - - "package.json" - - "bun.lock" - - ".github/workflows/lockfile-check.yml" - -permissions: - contents: read - -jobs: - frozen-install: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 - with: - bun-version: 1.3.5 - - name: bun install --frozen-lockfile - run: bun install --frozen-lockfile diff --git a/scripts/migrate/phase-scaffold.ts b/scripts/migrate/phase-scaffold.ts index ad18ecf1..5daf669a 100644 --- a/scripts/migrate/phase-scaffold.ts +++ b/scripts/migrate/phase-scaffold.ts @@ -2,8 +2,7 @@ import * as fs from "node:fs"; import * as path from "node:path"; import type { MigrationContext } from "./types"; import { log, logPhase } from "./types"; -import { CANONICAL_BUN_VERSION, generatePackageJson } from "./templates/package-json"; -import { generateLockfileCheckYml } from "./templates/lockfile-check-yml"; +import { generatePackageJson } from "./templates/package-json"; import { generateTsconfig } from "./templates/tsconfig"; import { generateViteConfig } from "./templates/vite-config"; import { generateKnipConfig } from "./templates/knip-config"; @@ -73,16 +72,6 @@ export function scaffold(ctx: MigrationContext): void { tabWidth: 2, }, null, 2) + "\n"); - // PR-time lockfile guardrail. Lives in the site repo (per-site, not - // a centralised reusable workflow) because per D6.3 we are not - // scaffolding caller stubs into storefronts. Bun version is pinned - // in lockstep with `package.json` via CANONICAL_BUN_VERSION. - writeFile( - ctx, - ".github/workflows/lockfile-check.yml", - generateLockfileCheckYml(CANONICAL_BUN_VERSION), - ); - // Server entry files (server.ts, worker-entry.ts, router.tsx, runtime.ts, context.ts) writeMultiFile(ctx, generateServerEntry(ctx)); diff --git a/scripts/migrate/phase-verify.ts b/scripts/migrate/phase-verify.ts index b11a655c..2a23341c 100644 --- a/scripts/migrate/phase-verify.ts +++ b/scripts/migrate/phase-verify.ts @@ -17,7 +17,6 @@ const REQUIRED_FILES = [ // Workers Builds (D6.3) -- configured in the CF dashboard, not via // GitHub workflow files in the site repo. ".github/workflows/regen-blocks.yml", - ".github/workflows/lockfile-check.yml", "knip.config.ts", ".prettierrc", "src/server.ts", diff --git a/scripts/migrate/templates/lockfile-check-yml.test.ts b/scripts/migrate/templates/lockfile-check-yml.test.ts deleted file mode 100644 index 0f4bcd61..00000000 --- a/scripts/migrate/templates/lockfile-check-yml.test.ts +++ /dev/null @@ -1,26 +0,0 @@ -import { describe, expect, it } from "vitest"; -import { generateLockfileCheckYml } from "./lockfile-check-yml"; - -describe("generateLockfileCheckYml", () => { - it("emits a valid GitHub Actions workflow with the bun version pinned", () => { - const yaml = generateLockfileCheckYml("1.3.5"); - expect(yaml).toContain("name: lockfile-check"); - expect(yaml).toContain("on:"); - expect(yaml).toContain("pull_request:"); - expect(yaml).toContain("bun-version: 1.3.5"); - expect(yaml).toContain("bun install --frozen-lockfile"); - }); - - it("strips an accidental `bun@` prefix from the version input", () => { - const yaml = generateLockfileCheckYml("bun@1.3.5"); - expect(yaml).toContain("bun-version: 1.3.5"); - expect(yaml).not.toMatch(/bun-version:\s*bun@/); - }); - - it("scopes the trigger to package.json + bun.lock + the workflow itself", () => { - const yaml = generateLockfileCheckYml("1.3.5"); - expect(yaml).toContain('"package.json"'); - expect(yaml).toContain('"bun.lock"'); - expect(yaml).toContain('".github/workflows/lockfile-check.yml"'); - }); -}); diff --git a/scripts/migrate/templates/lockfile-check-yml.ts b/scripts/migrate/templates/lockfile-check-yml.ts deleted file mode 100644 index 787b7f81..00000000 --- a/scripts/migrate/templates/lockfile-check-yml.ts +++ /dev/null @@ -1,66 +0,0 @@ -/** - * Generates `.github/workflows/lockfile-check.yml`, the PR-time - * guardrail that fails any pull request which would have failed - * Cloudflare Workers Builds with `lockfile had changes, but lockfile - * is frozen`. This catches drift before it reaches main, instead of - * only after deploy attempts. - * - * Lives in the site repo (per-site, not centralised) because per - * D6.3 we are NOT scaffolding caller stubs that pull in - * `decocms/deco-start@vN` reusable workflows. The check is small - * enough that copy-paste-per-site is the right tradeoff. - * - * Bun version pinning matches the `packageManager` field in the - * scaffolded `package.json` (see `templates/package-json.ts`'s - * `CANONICAL_BUN_VERSION`). Kept in lockstep manually for now; - * future iterations may consolidate both into a shared constant. - */ -export function generateLockfileCheckYml(bunVersion: string): string { - const v = stripBunPrefix(bunVersion); - return `name: lockfile-check - -# PR-time guardrail: re-runs the same install Cloudflare Workers Builds -# runs on deploy (\`bun install --frozen-lockfile\`). Fails the PR if -# bun.lock would have rejected the install — closes the loop so drift -# can never reach main, only to be caught by Workers Builds at deploy -# time. -# -# Pairs with: -# - "packageManager": "bun@${v}" in package.json -# - .gitignore bans on package-lock.json / yarn.lock / pnpm-lock.yaml -# - the deco-post-cleanup audit's lockfile-* rules -# -# Adjust \`bun-version\` here in lockstep with the package.json -# \`packageManager\` field. - -on: - pull_request: - paths: - - "package.json" - - "bun.lock" - - ".github/workflows/lockfile-check.yml" - -permissions: - contents: read - -jobs: - frozen-install: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: oven-sh/setup-bun@v2 - with: - bun-version: ${v} - - name: bun install --frozen-lockfile - run: bun install --frozen-lockfile -`; -} - -/** - * Strip an accidental `bun@` prefix from the version string so the - * YAML's `bun-version` input (which expects a bare semver) doesn't - * receive `bun@1.3.5`. - */ -function stripBunPrefix(input: string): string { - return input.replace(/^bun@/, ""); -} diff --git a/scripts/migrate/templates/package-json.ts b/scripts/migrate/templates/package-json.ts index aae47591..cc48ff6a 100644 --- a/scripts/migrate/templates/package-json.ts +++ b/scripts/migrate/templates/package-json.ts @@ -2,13 +2,11 @@ import { execSync } from "node:child_process"; import type { MigrationContext } from "../types"; /** - * Fleet-wide canonical bun version. Bumped here propagates to all newly - * migrated sites via the `packageManager` field AND the - * `lockfile-check.yml` workflow's `bun-version` input. See - * MIGRATION_TOOLING_PLAN.md for the bun-canonical decision. - * - * Exported because the lockfile-check workflow template reads it - * directly to keep both files in lockstep. + * Fleet-wide canonical bun version. Propagates to all newly migrated + * sites via the `packageManager` field — Corepack-aware tooling (npm + * 10+, yarn 4+, pnpm 9+) reads this and refuses to install with the + * wrong package manager, which is the actual enforcement we rely on. + * See MIGRATION_TOOLING_PLAN.md for the bun-canonical decision. */ export const CANONICAL_BUN_VERSION = "1.3.5";