From 9924921e00db88b45eafa7e4e8c64b7b32bae8db Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 16:46:20 +0800 Subject: [PATCH 1/2] ci: auto-rebuild action bundle on Renovate dependency bumps Renovate bumps to bundled deps (@actions/*, yaml, zod) or the vite-plus bundler change dist/index.mjs, which fails the 'Verify dist is up to date' check until someone manually runs 'vp run build' and commits. Add a label-triggered workflow that rebuilds dist/ and pushes it back to the PR branch, and configure Renovate to attach the needs-bundle-rebuild label to those bumps. A GitHub App token is used for the push so the PR's required checks re-run. --- .github/renovate.json | 12 +++++ .github/workflows/rebuild-bundle.yml | 68 ++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 .github/workflows/rebuild-bundle.yml diff --git a/.github/renovate.json b/.github/renovate.json index 756f9c7..17ed5d8 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -2,6 +2,18 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["github>Boshen/renovate"], "ignoreDeps": ["@void-sdk/void"], + "packageRules": [ + { + "description": "Runtime deps are bundled into dist/index.mjs; label so the rebuild-bundle workflow refreshes dist/.", + "matchDepTypes": ["dependencies"], + "addLabels": ["needs-bundle-rebuild"] + }, + { + "description": "vite-plus is the bundler; its updates can change dist/ output.", + "matchPackageNames": ["vite-plus"], + "addLabels": ["needs-bundle-rebuild"] + } + ], "customManagers": [ { "customType": "regex", diff --git a/.github/workflows/rebuild-bundle.yml b/.github/workflows/rebuild-bundle.yml new file mode 100644 index 0000000..65a1804 --- /dev/null +++ b/.github/workflows/rebuild-bundle.yml @@ -0,0 +1,68 @@ +name: Rebuild action bundle + +# The `needs-bundle-rebuild` label (Renovate adds it for bumps to deps compiled +# into dist/index.mjs, or to the vite-plus bundler) triggers a rebuild of the +# bundle and a push of the refreshed dist/, so the "Verify dist is up to date" +# check passes without a manual `vp run build`. +on: + pull_request: + types: [labeled] + +permissions: {} + +concurrency: + group: rebuild-bundle-${{ github.event.pull_request.number }} + cancel-in-progress: true + +jobs: + rebuild: + name: rebuild bundle + # Only for our label, and only same-repo branches we can push back to + # (Renovate PRs are same-repo; fork PRs can't be pushed to). + if: >- + github.event.label.name == 'needs-bundle-rebuild' && + github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + permissions: + contents: read + steps: + # A GitHub App token so the follow-up push re-triggers the PR's required + # checks; a push with the default GITHUB_TOKEN does not (loop prevention). + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + id: app-token + with: + client-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + # Actions are pinned to a full commit SHA (org policy). + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + ref: ${{ github.event.pull_request.head.ref }} + token: ${{ steps.app-token.outputs.token }} + + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 + with: + version: 11.9.0 + + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: 24 + cache: pnpm + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Rebuild the action bundle + run: pnpm build + + - name: Commit and push the rebuilt bundle if it changed + run: | + if git diff --quiet -- dist/; then + echo "Bundle already up to date; nothing to push." + exit 0 + fi + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add dist/ + git commit -m "chore: rebuild action bundle for dependency update" + git push From 81545af5a825444936d199aa01a232dbbb439d3c Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 17:00:05 +0800 Subject: [PATCH 2/2] ci: source pnpm/node versions from repo config in rebuild workflow Drop the hardcoded pnpm version (read from package.json packageManager) and use .node-version instead of a pinned node-version, matching the existing build job and avoiding version drift. --- .github/workflows/rebuild-bundle.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/rebuild-bundle.yml b/.github/workflows/rebuild-bundle.yml index 65a1804..8c0c88a 100644 --- a/.github/workflows/rebuild-bundle.yml +++ b/.github/workflows/rebuild-bundle.yml @@ -40,13 +40,12 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} token: ${{ steps.app-token.outputs.token }} + # pnpm version is read from package.json's packageManager field. - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 - with: - version: 11.9.0 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: 24 + node-version-file: .node-version cache: pnpm - name: Install dependencies