aevgarik/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Merge pull request #707 from paperclipai/nm/premerge-lockfile-refresh"

Browse Source 
This reverts commit 56df8d3cf0, reversing
changes made to ac82cae39a.
This commit is contained in:
Dotta
2026-03-12 12:13:39 -05:00
parent 56df8d3cf0
commit b888f92718
5 changed files with 94 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.github/workflows/pr-policy.yml vendored
View File

@@ -13,8 +13,6 @@ jobs:
policy:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
pull-requests: read
steps:
- name: Checkout repository
@@ -33,38 +31,19 @@ jobs:
with:
node-version: 20
- name: Enforce lockfile policy when manifests change
env:
GH_TOKEN: ${{ github.token }}
- name: Block manual lockfile edits
if: github.head_ref != 'chore/refresh-lockfile'
run: |
changed="$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" --paginate --jq '.[].filename')"
manifest_pattern='(^|/)package\.json$|^pnpm-workspace\.yaml$|^\.npmrc$|^pnpmfile\.(cjs|js|mjs)$'
manifest_changed=false
lockfile_changed=false
if printf '%s\n' "$changed" | grep -Eq "$manifest_pattern"; then
manifest_changed=true
fi
changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
if printf '%s\n' "$changed" | grep -qx 'pnpm-lock.yaml'; then
lockfile_changed=true
fi
if [ "$lockfile_changed" = true ] && [ "$manifest_changed" != true ]; then
echo "pnpm-lock.yaml changed without a dependency manifest change." >&2
echo "Do not commit pnpm-lock.yaml in pull requests. CI owns lockfile updates."
exit 1
fi
if [ "$manifest_changed" = true ]; then
- name: Validate dependency resolution when manifests change
run: |
changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
manifest_pattern='(^|/)package\.json$|^pnpm-workspace\.yaml$|^\.npmrc$|^pnpmfile\.(cjs|js|mjs)$'
if printf '%s\n' "$changed" | grep -Eq "$manifest_pattern"; then
pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
if ! git diff --quiet -- pnpm-lock.yaml; then
if [ "${{ github.event.pull_request.head.repo.full_name }}" = "${{ github.repository }}" ]; then
echo "pnpm-lock.yaml is stale for this PR. Wait for the Refresh Lockfile workflow to push the bot commit, then rerun checks." >&2
else
echo "pnpm-lock.yaml is stale for this fork PR. Run pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile and commit pnpm-lock.yaml." >&2
fi
exit 1
fi
fi

2
.github/workflows/pr-verify.yml vendored
View File

@@ -30,7 +30,7 @@ jobs:
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
run: pnpm install --no-frozen-lockfile
- name: Typecheck
run: pnpm -r typecheck

111
.github/workflows/refresh-lockfile-pr.yml vendored
View File

@@ -1,111 +0,0 @@
name: Refresh Lockfile
on:
pull_request:
branches:
- master
types:
- opened
- synchronize
- reopened
- ready_for_review
concurrency:
group: refresh-lockfile-pr-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
refresh:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
pull-requests: read
steps:
- name: Detect dependency manifest changes
id: changes
env:
GH_TOKEN: ${{ github.token }}
run: |
changed="$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files" --paginate --jq '.[].filename')"
manifest_pattern='(^|/)package\.json$|^pnpm-workspace\.yaml$|^\.npmrc$|^pnpmfile\.(cjs|js|mjs)$'
if printf '%s\n' "$changed" | grep -Eq "$manifest_pattern"; then
echo "manifest_changed=true" >> "$GITHUB_OUTPUT"
else
echo "manifest_changed=false" >> "$GITHUB_OUTPUT"
fi
if [ "${{ github.event.pull_request.head.repo.full_name }}" = "${{ github.repository }}" ]; then
echo "same_repo=true" >> "$GITHUB_OUTPUT"
else
echo "same_repo=false" >> "$GITHUB_OUTPUT"
fi
- name: Checkout pull request head
if: steps.changes.outputs.manifest_changed == 'true'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
fetch-depth: 0
- name: Setup pnpm
if: steps.changes.outputs.manifest_changed == 'true'
uses: pnpm/action-setup@v4
with:
version: 9.15.4
run_install: false
- name: Setup Node.js
if: steps.changes.outputs.manifest_changed == 'true'
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- name: Refresh pnpm lockfile
if: steps.changes.outputs.manifest_changed == 'true'
run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
- name: Fail on unexpected file changes
if: steps.changes.outputs.manifest_changed == 'true'
run: |
changed="$(git status --porcelain)"
if [ -z "$changed" ]; then
echo "Lockfile is already up to date."
exit 0
fi
if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
echo "Unexpected files changed during lockfile refresh:"
echo "$changed"
exit 1
fi
- name: Commit refreshed lockfile to same-repo PR branch
if: steps.changes.outputs.manifest_changed == 'true' && steps.changes.outputs.same_repo == 'true'
run: |
if git diff --quiet -- pnpm-lock.yaml; then
echo "Lockfile unchanged, nothing to do."
exit 0
fi
git config user.name "lockfile-bot"
git config user.email "lockfile-bot@users.noreply.github.com"
git add pnpm-lock.yaml
git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
git push origin "HEAD:${{ github.event.pull_request.head.ref }}"
- name: Fail fork PRs that need a lockfile refresh
if: steps.changes.outputs.manifest_changed == 'true' && steps.changes.outputs.same_repo != 'true'
run: |
if git diff --quiet -- pnpm-lock.yaml; then
echo "Lockfile unchanged, nothing to do."
exit 0
fi
echo "This fork PR changes dependency manifests and requires a refreshed pnpm-lock.yaml." >&2
echo "Run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile" >&2
echo "Then commit pnpm-lock.yaml to the PR branch." >&2
exit 1

81
.github/workflows/refresh-lockfile.yml vendored Normal file
View File

@@ -0,0 +1,81 @@
name: Refresh Lockfile
on:
push:
branches:
- master
workflow_dispatch:
concurrency:
group: refresh-lockfile-master
cancel-in-progress: false
jobs:
refresh:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 9.15.4
run_install: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- name: Refresh pnpm lockfile
run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
- name: Fail on unexpected file changes
run: |
changed="$(git status --porcelain)"
if [ -z "$changed" ]; then
echo "Lockfile is already up to date."
exit 0
fi
if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
echo "Unexpected files changed during lockfile refresh:"
echo "$changed"
exit 1
fi
- name: Create or update pull request
env:
GH_TOKEN: ${{ github.token }}
run: |
if git diff --quiet -- pnpm-lock.yaml; then
echo "Lockfile unchanged, nothing to do."
exit 0
fi
BRANCH="chore/refresh-lockfile"
git config user.name "lockfile-bot"
git config user.email "lockfile-bot@users.noreply.github.com"
git checkout -B "$BRANCH"
git add pnpm-lock.yaml
git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
git push --force origin "$BRANCH"
# Create PR if one doesn't already exist
existing=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number')
if [ -z "$existing" ]; then
gh pr create \
--head "$BRANCH" \
--title "chore(lockfile): refresh pnpm-lock.yaml" \
--body "Auto-generated lockfile refresh after dependencies changed on master. This PR only updates pnpm-lock.yaml."
echo "Created new PR."
else
echo "PR #$existing already exists, branch updated via force push."
fi

6
doc/DEVELOPING.md
View File

@@ -19,9 +19,9 @@ Current implementation status:
GitHub Actions owns `pnpm-lock.yaml`.
- Same-repo pull requests that change dependency manifests are auto-refreshed by GitHub Actions before merge.
- Fork pull requests that change dependency manifests must include the refreshed `pnpm-lock.yaml`.
- Pull request CI validates lockfile freshness when manifests change and verifies with `--frozen-lockfile`.
- Do not commit `pnpm-lock.yaml` in pull requests.
- Pull request CI validates dependency resolution when manifests change.
- Pushes to `master` regenerate `pnpm-lock.yaml` with `pnpm install --lockfile-only --no-frozen-lockfile`, commit it back if needed, and then run verification with `--frozen-lockfile`.
## Start Dev