chore: drop lockfile-check.yml workflow and scaffold template#162
Open
vibe-dex wants to merge 1 commit into
Open
chore: drop lockfile-check.yml workflow and scaffold template#162vibe-dex wants to merge 1 commit into
vibe-dex wants to merge 1 commit into
Conversation
The PR-time `lockfile-check.yml` guardrail was redundant with the actual enforcement we already have: - The `packageManager` field in `package.json` is honoured by Corepack-aware npm/yarn/pnpm — they refuse to install when the declared manager doesn't match. That's the real blast-door against someone running `npm i` and regenerating `package-lock.json`. - `.gitignore` lockfile bans prevent any non-bun lockfile from being accidentally committed. - Cloudflare Workers Builds runs `bun install --frozen-lockfile` at deploy time anyway — drift cannot land in production silently. Adding a separate PR-time workflow on top of those three layers buys nothing measurable and adds one more piece of YAML per site to keep in lockstep with `CANONICAL_BUN_VERSION`. Removing it. - Delete `.github/workflows/lockfile-check.yml` from the framework repo. - Delete `scripts/migrate/templates/lockfile-check-yml.ts` + tests. - Drop the `writeFile(... lockfile-check.yml ...)` call from `phase-scaffold.ts` and the import. - Drop `.github/workflows/lockfile-check.yml` from the `phase-verify.ts` `REQUIRED_FILES` list. - Update the `CANONICAL_BUN_VERSION` doc comment to reflect the remaining enforcement story (Corepack via `packageManager`). Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The PR-time
lockfile-check.ymlguardrail was redundant. Removing it and the scaffold logic that adds it to new migrations.Why
The actual enforcement against lockfile drift already lives in three other layers:
packageManager: \"bun@1.3.5\"inpackage.json— Corepack-aware npm/yarn/pnpm refuse to install when the declared manager doesn't match. This is the real blast-door againstnpm iregeneratingpackage-lock.json..gitignorelockfile bans —package-lock.json/yarn.lock/pnpm-lock.yamlcan't be accidentally committed.bun install --frozen-lockfileat deploy time — drift cannot reach production silently.A fourth, PR-time-only workflow adds nothing measurable and creates a fifth file per site that has to stay in lockstep with `CANONICAL_BUN_VERSION`. Net negative.
Changes
.github/workflows/lockfile-check.ymlfrom the framework repo (dogfooded copy).scripts/migrate/templates/lockfile-check-yml.{ts,test.ts}.writeFile(... lockfile-check.yml ...)call + import inphase-scaffold.ts..github/workflows/lockfile-check.ymlfromphase-verify.tsREQUIRED_FILES.CANONICAL_BUN_VERSIONdoc comment to reflect the remaining enforcement story (Corepack viapackageManager).Test plan
Made with Cursor
Summary by cubic
Removed the redundant PR-time
lockfile-check.ymlworkflow and its scaffold. Lockfile enforcement stays covered bypackageManager: "bun@1.3.5"inpackage.json,.gitignorelockfile bans, and Cloudflare Workers Builds runningbun install --frozen-lockfile..github/workflows/lockfile-check.ymland thescripts/migrate/templates/lockfile-check-yml.*files.phase-scaffold.tsandphase-verify.ts.CANONICAL_BUN_VERSIONcomment to reflect the remaining enforcement path.Written for commit 688e78a. Summary will update on new commits.