Skip to content

chore: drop lockfile-check.yml workflow and scaffold template#162

Open
vibe-dex wants to merge 1 commit into
mainfrom
chore/drop-lockfile-check-workflow
Open

chore: drop lockfile-check.yml workflow and scaffold template#162
vibe-dex wants to merge 1 commit into
mainfrom
chore/drop-lockfile-check-workflow

Conversation

@vibe-dex

@vibe-dex vibe-dex commented May 9, 2026

Copy link
Copy Markdown
Contributor

Summary

The PR-time lockfile-check.yml guardrail was redundant. Removing it and the scaffold logic that adds it to new migrations.

Why

The actual enforcement against lockfile drift already lives in three other layers:

  1. packageManager: \"bun@1.3.5\" in package.json — Corepack-aware npm/yarn/pnpm refuse to install when the declared manager doesn't match. This is the real blast-door against npm i regenerating package-lock.json.
  2. .gitignore lockfile banspackage-lock.json / yarn.lock / pnpm-lock.yaml can't be accidentally committed.
  3. Cloudflare Workers Builds runs bun install --frozen-lockfile at deploy time — drift cannot reach production silently.

A fourth, PR-time-only workflow adds nothing measurable and creates a fifth file per site that has to stay in lockstep with `CANONICAL_BUN_VERSION`. Net negative.

Changes

  • Delete .github/workflows/lockfile-check.yml from the framework repo (dogfooded copy).
  • Delete scripts/migrate/templates/lockfile-check-yml.{ts,test.ts}.
  • Remove the writeFile(... lockfile-check.yml ...) call + import in phase-scaffold.ts.
  • Remove .github/workflows/lockfile-check.yml from phase-verify.ts REQUIRED_FILES.
  • Update the CANONICAL_BUN_VERSION doc comment to reflect the remaining enforcement story (Corepack via packageManager).

Test plan

  • `bun run typecheck` passes
  • All 276 `scripts/migrate` tests pass
  • Confirm no surviving references to `lockfile-check` in the codebase (`rg lockfile-check`)

Made with Cursor


Summary by cubic

Removed the redundant PR-time lockfile-check.yml workflow and its scaffold. Lockfile enforcement stays covered by packageManager: "bun@1.3.5" in package.json, .gitignore lockfile bans, and Cloudflare Workers Builds running bun install --frozen-lockfile.

  • Refactors
    • Deleted .github/workflows/lockfile-check.yml and the scripts/migrate/templates/lockfile-check-yml.* files.
    • Removed workflow scaffolding and verification from phase-scaffold.ts and phase-verify.ts.
    • Updated the CANONICAL_BUN_VERSION comment to reflect the remaining enforcement path.

Written for commit 688e78a. Summary will update on new commits.

The PR-time `lockfile-check.yml` guardrail was redundant with the
actual enforcement we already have:

- The `packageManager` field in `package.json` is honoured by
  Corepack-aware npm/yarn/pnpm — they refuse to install when the
  declared manager doesn't match. That's the real blast-door against
  someone running `npm i` and regenerating `package-lock.json`.
- `.gitignore` lockfile bans prevent any non-bun lockfile from being
  accidentally committed.
- Cloudflare Workers Builds runs `bun install --frozen-lockfile` at
  deploy time anyway — drift cannot land in production silently.

Adding a separate PR-time workflow on top of those three layers buys
nothing measurable and adds one more piece of YAML per site to keep
in lockstep with `CANONICAL_BUN_VERSION`. Removing it.

- Delete `.github/workflows/lockfile-check.yml` from the framework repo.
- Delete `scripts/migrate/templates/lockfile-check-yml.ts` + tests.
- Drop the `writeFile(... lockfile-check.yml ...)` call from
  `phase-scaffold.ts` and the import.
- Drop `.github/workflows/lockfile-check.yml` from the
  `phase-verify.ts` `REQUIRED_FILES` list.
- Update the `CANONICAL_BUN_VERSION` doc comment to reflect the
  remaining enforcement story (Corepack via `packageManager`).

Co-authored-by: Cursor <cursoragent@cursor.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 6 files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant