From 421f7cf5da2da10ce6c6870f71f9beed73ea6b9a Mon Sep 17 00:00:00 2001 From: Nathan Rajlich Date: Thu, 16 Apr 2026 18:17:27 -0700 Subject: [PATCH 1/5] ci: upgrade pnpm/action-setup to v5 and read version from package.json (#1785) * ci: upgrade pnpm/action-setup to v6 and read version from package.json Removes hardcoded pnpm version (10.14.0) from all workflows and instead reads the version from the packageManager field in package.json, so CI stays in sync with the version used locally. * ci: update setup-workflow-dev composite action to use pnpm/action-setup@v6 Also removes the pnpm-version input since the action now reads the version from package.json#packageManager. * ci: downgrade pnpm/action-setup to v5 v6 installs pnpm 11 RC/beta, which has a regression (pnpm/pnpm#11264, pnpm/action-setup#225/#227/#228) that causes 'ERR_PNPM_BROKEN_LOCKFILE: expected a single document in the stream' when the project's packageManager pins a 10.x pnpm version. v5 is the latest stable release before v6 and supports reading the version from package.json#packageManager. --- .github/actions/setup-workflow-dev/action.yml | 8 +------- .github/workflows/debug-windows.yml | 4 +--- .github/workflows/release.yml | 4 +--- .github/workflows/tests.yml | 8 ++------ 4 files changed, 5 insertions(+), 19 deletions(-) diff --git a/.github/actions/setup-workflow-dev/action.yml b/.github/actions/setup-workflow-dev/action.yml index 44da12c1bc..d12b3eff98 100644 --- a/.github/actions/setup-workflow-dev/action.yml +++ b/.github/actions/setup-workflow-dev/action.yml @@ -6,10 +6,6 @@ inputs: description: 'Node.js version to use' required: false default: '22.x' - pnpm-version: - description: 'pnpm version to use' - required: false - default: '10.14.0' setup-rust: description: 'Whether to setup Rust toolchain' required: false 
@@ -37,9 +33,7 @@ runs: toolchain: stable - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: ${{ inputs.pnpm-version }} + uses: pnpm/action-setup@v5 - name: Setup Node.js ${{ inputs.node-version }} uses: actions/setup-node@v4 diff --git a/.github/workflows/debug-windows.yml b/.github/workflows/debug-windows.yml index 919886b3ba..82e4bcf09e 100644 --- a/.github/workflows/debug-windows.yml +++ b/.github/workflows/debug-windows.yml @@ -27,9 +27,7 @@ jobs: target: wasm32-unknown-unknown - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f908da9008..d514d22ec8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -42,9 +42,7 @@ jobs: git config user.email "${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 24.x uses: actions/setup-node@v4 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ae63f758c3..987c391625 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -161,9 +161,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4 @@ -622,9 +620,7 @@ jobs: target: wasm32-unknown-unknown - name: Setup pnpm - uses: pnpm/action-setup@v3 - with: - version: 10.14.0 + uses: pnpm/action-setup@v5 - name: Setup Node.js 22.x uses: actions/setup-node@v4 From b7c7bc8ff594699d3b58355461b15836f06e27aa Mon Sep 17 00:00:00 2001 
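Review bot: `uses: pnpm/action-setup@v5` in the `Setup pnpm` step is a mutable tag reference, and the same line is added in the `debug-windows.yml`, `release.yml` and both `tests.yml` hunks. `release.yml` runs the publish step (`publish: pnpm ci:publish`, visible later in this series), so whatever the tag resolves to at run time executes inside the job that holds the release credentials. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: pnpm/action-setup@<full-commit-sha-of-v5>  # v5`, makes the executed action code immutable and reviewable. With the `version:` input gone, the pnpm release is taken from `package.json#packageManager`, so edits to that field deserve the same review as workflow edits. The enclosing jobs start and end outside these hunks.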
From: Nathan Rajlich Date: Wed, 29 Apr 2026 10:25:36 -0700 Subject: [PATCH 2/5] ci: stop using Release App token in release workflows (#1866) The Release App has been temporarily removed. Switch the Release and Backport workflows to use the default GITHUB_TOKEN, and disable the cross-repo Front dispatch workflow until the App is restored. Also add a workflow_dispatch trigger to release.yml so the Version Packages PR can be created/updated manually (since pushes made by GITHUB_TOKEN do not trigger downstream workflow runs). --- .../dispatch-front-workflow-release-pr.yml | 8 +++++++ .github/workflows/release.yml | 21 ++++++++----------- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/.github/workflows/dispatch-front-workflow-release-pr.yml b/.github/workflows/dispatch-front-workflow-release-pr.yml index b65bbfa66a..a28c2bff47 100644 --- a/.github/workflows/dispatch-front-workflow-release-pr.yml +++ b/.github/workflows/dispatch-front-workflow-release-pr.yml @@ -1,5 +1,11 @@ name: Dispatch Front Workflow Release PR +# DISABLED: This workflow dispatches to vercel/front (cross-repo) which +# requires a GitHub App token. The Release App has been temporarily +# removed, so this workflow is disabled (all jobs gated on `if: false`) +# until the App is restored. See .github/workflows/release.yml and +# .github/workflows/backport.yml, which have also been updated to no +# longer rely on the Release App. on: pull_request: types: [opened, synchronize, reopened, closed] @@ -15,6 +21,7 @@ jobs: dispatch-front-sync: name: Dispatch Front Sync if: > + false && startsWith(github.event.pull_request.head.ref, 'changeset-release/') && github.event.action != 'closed' runs-on: ubuntu-latest @@ -68,6 +75,7 @@ jobs: dispatch-front-close: name: Dispatch Front Close if: > + false && startsWith(github.event.pull_request.head.ref, 'changeset-release/') && github.event.action == 'closed' runs-on: ubuntu-latest 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d514d22ec8..71c93a2825 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,11 @@ on: branches: - main - stable + # Allow manual triggering from the Actions tab. Useful for re-running the + # release flow when a push from the default GITHUB_TOKEN (e.g. a clean + # cherry-pick from the backport workflow, or a merged "Version Packages" + # PR) does not automatically trigger this workflow. + workflow_dispatch: concurrency: ${{ github.workflow }}-${{ github.ref }} @@ -23,23 +28,15 @@ jobs: TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} TURBO_TEAM: ${{ vars.TURBO_TEAM }} steps: - - name: Generate GitHub App Token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - - name: Checkout Repo uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ steps.app-token.outputs.token }} - name: Configure Git identity run: | - git config user.name "${{ steps.app-token.outputs.app-slug }}[bot]" - git config user.email "${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Setup pnpm uses: pnpm/action-setup@v5 @@ -63,12 +60,12 @@ jobs: createGithubReleases: false setupGitUser: false env: - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create GitHub Release if: steps.changesets.outputs.published == 'true' env: - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }} run: | # Generate release notes (PUBLISHED_PACKAGES filters to only include packages from this release) From b7857a001e2858babd37ec083b3a7eac9bed9ac5 Mon Sep 17 00:00:00 2001 
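Review bot: The added `workflow_dispatch:` trigger carries no branch restriction, unlike the `push` trigger above it that is limited to `main` and `stable`, so a manual run can be started against any ref that a collaborator with write access selects. Unless the job already checks the ref outside this hunk, a guard such as `if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/stable'` on the release job keeps versioning and publishing tied to the protected branches. The job definition is not visible in this hunk, so confirm where the condition belongs.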
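Review bot: After the switch to `${{ secrets.GITHUB_TOKEN }}` in the changesets step and the `Create GitHub Release` step (plus the implicit default token in `actions/checkout@v4` once `token:` is removed), the job's write access depends entirely on the workflow's `permissions:` setting, which is not visible in these hunks. If it is not already declared, state it at job level so the token is scoped to what the release needs, for example `permissions:` with `contents: write` and `pull-requests: write`, rather than inheriting the repository default. Checkout also leaves that token in the local git config for the later install and publish steps unless `persist-credentials: false` is set. Whether that can be turned off here depends on whether any later step still pushes through the git CLI, which these hunks do not show.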
From: Nathan Rajlich Date: Wed, 29 Apr 2026 10:34:24 -0700 Subject: [PATCH 3/5] ci: use GitHub API commit mode for changesets action (#1867) The repo enforces "Commits must have verified signatures" via an org/enterprise-level ruleset, which blocks unsigned commits pushed via the Git CLI by GITHUB_TOKEN. Switching the changesets action to commitMode: github-api makes commits GPG-signed by GitHub. --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 71c93a2825..49357598af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,6 +59,8 @@ jobs: publish: pnpm ci:publish createGithubReleases: false setupGitUser: false + # Use GitHub API for GPG-signed commits (required by branch rules). + commitMode: github-api env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6eb9bbec41f89895554b04efa4c3084b1204a360 Mon Sep 17 00:00:00 2001 From: Nathan Rajlich Date: Mon, 4 May 2026 02:03:22 -0700 Subject: [PATCH 4/5] Add changeset for backport --- .changeset/backport-release-app-token-removal.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .changeset/backport-release-app-token-removal.md diff --git a/.changeset/backport-release-app-token-removal.md b/.changeset/backport-release-app-token-removal.md new file mode 100644 index 0000000000..1031c501ca --- /dev/null +++ b/.changeset/backport-release-app-token-removal.md @@ -0,0 +1,4 @@ +--- +--- + +Backport CI changes from `main` to unblock releases on `stable`. Removes the dependency on the temporarily-removed Release App by switching to `secrets.GITHUB_TOKEN` with `commitMode: github-api` for GPG-signed commits, and bumps `pnpm/action-setup` to `v5` so the version is read from `package.json#packageManager`. Backports #1785, #1866, and #1867. From 41047e50072123068640130eaf317daae926c117 Mon Sep 17 00:00:00 2001 
From: Nathan Rajlich Date: Mon, 4 May 2026 02:08:42 -0700 Subject: [PATCH 5/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Rajlich --- .github/workflows/dispatch-front-workflow-release-pr.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dispatch-front-workflow-release-pr.yml b/.github/workflows/dispatch-front-workflow-release-pr.yml index a28c2bff47..1fbc4aad58 100644 --- a/.github/workflows/dispatch-front-workflow-release-pr.yml +++ b/.github/workflows/dispatch-front-workflow-release-pr.yml @@ -3,9 +3,8 @@ name: Dispatch Front Workflow Release PR # DISABLED: This workflow dispatches to vercel/front (cross-repo) which # requires a GitHub App token. The Release App has been temporarily # removed, so this workflow is disabled (all jobs gated on `if: false`) -# until the App is restored. See .github/workflows/release.yml and -# .github/workflows/backport.yml, which have also been updated to no -# longer rely on the Release App. +# until the App is restored. See .github/workflows/release.yml, which +# has also been updated to no longer rely on the Release App. on: pull_request: types: [opened, synchronize, reopened, closed]