ci: update github workflows #395

Merged
lachlancollins merged 2 commits into main from update-workflows
Mar 17, 2026
lachlancollins (Member) commented Mar 17, 2026

🎯 Changes

Sync changes from other TanStack projects

Add changeset version preview (see TanStack/router#6937 and TanStack/config#356)

✅ Checklist

  • I have followed the steps in the Contributing guide.
  • I have tested this code locally with pnpm test:pr.

🚀 Release Impact

  • This change affects published code, and I have generated a changeset.
  • This change is docs/CI/dev-only (no release).

Summary by CodeRabbit

  • Chores
    • Updated CI tooling and developer dependencies to newer versions.
    • Simplified PR trigger filters to ensure consistent builds.
    • Improved release automation with a new preview job and PR notifications for published releases.
    • Tweaked config/schema references and repository tooling settings for smoother dev workflows.

changeset-bot bot commented Mar 17, 2026

⚠️ No Changeset found

Latest commit: 030ef7c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions bot (Contributor) commented Mar 17, 2026

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

nx-cloud bot commented Mar 17, 2026

View your CI Pipeline Execution ↗ for commit 030ef7c

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected --targets=test:eslint,test:sherif,t... | ✅ Succeeded | 8s | View ↗ |
| nx run-many --targets=build --exclude=examples/** | ✅ Succeeded | 1s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-03-17 13:41:02 UTC

pkg-pr-new bot commented Mar 17, 2026

More templates

@tanstack/devtools

npm i https://pkg.pr.new/@tanstack/devtools@395

@tanstack/devtools-a11y

npm i https://pkg.pr.new/@tanstack/devtools-a11y@395

@tanstack/devtools-client

npm i https://pkg.pr.new/@tanstack/devtools-client@395

@tanstack/devtools-ui

npm i https://pkg.pr.new/@tanstack/devtools-ui@395

@tanstack/devtools-utils

npm i https://pkg.pr.new/@tanstack/devtools-utils@395

@tanstack/devtools-vite

npm i https://pkg.pr.new/@tanstack/devtools-vite@395

@tanstack/devtools-event-bus

npm i https://pkg.pr.new/@tanstack/devtools-event-bus@395

@tanstack/devtools-event-client

npm i https://pkg.pr.new/@tanstack/devtools-event-client@395

@tanstack/preact-devtools

npm i https://pkg.pr.new/@tanstack/preact-devtools@395

@tanstack/react-devtools

npm i https://pkg.pr.new/@tanstack/react-devtools@395

@tanstack/solid-devtools

npm i https://pkg.pr.new/@tanstack/solid-devtools@395

@tanstack/vue-devtools

npm i https://pkg.pr.new/@tanstack/vue-devtools@395

commit: 030ef7c

coderabbitai bot commented Mar 17, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f84f16e-e397-4195-a6e7-1589c723b938

📥 Commits

Reviewing files that changed from the base of the PR and between 7ace46b and 030ef7c.

📒 Files selected for processing (3)
  • .github/workflows/autofix.yml
  • .github/workflows/pr.yml
  • .github/workflows/release.yml

📝 Walkthrough

Updates to Changesets config and CLI, devDependency bump, Nx config addition, and multiple GitHub Actions workflow adjustments including checkout version bumps, removal of PR path filters, added pull-request write permission, a Version Preview job, and a release PR comment step.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Changesets config & dependency (.changeset/config.json, package.json) | Updated Changesets config schema reference to 3.1.2 and bumped @changesets/cli devDependency to ^2.30.0. |
| GitHub Actions workflows (.github/workflows/autofix.yml, .github/workflows/pr.yml, .github/workflows/release.yml) | Standardized actions/checkout to v6.0.2; replaced tanstack/.../setup usage with TanStack/.../setup; removed PR path filtering; added permissions.pull-requests: write; introduced version-preview job in PR workflow; updated changesets/action to v1.7.0 and added release PR comment step. |
| Nx configuration (nx.json) | Added top-level tui block with "enabled": false. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through configs, tidy and spry,
Changesets polished, workflows on high,
Checkouts updated, previews take stage,
Nx keeps its hush in a quiet cage,
Bravo — a small carrot for CI's bright sky! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main changes: updating GitHub workflows with version bumps and new changeset preview job. |
| Description check | ✅ Passed | The description follows the template structure with completed sections, checked checklist items, and proper release impact classification. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/pr.yml (1)

63-65: Pin cross-repo reusable workflow actions to immutable commit SHAs.

The TanStack/config/.github/setup@main and TanStack/config/.github/changeset-preview@main references on lines 63 and 65 use mutable branch pointers. Replace @main with a full commit SHA for better reproducibility and supply-chain safety.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr.yml around lines 63 - 65, Replace the mutable branch
references for the two reusable workflow actions so the workflow pins to
immutable commit SHAs: find the uses entries referencing
"tanstack/config/.github/setup@main" and
"tanstack/config/.github/changeset-preview@main" and swap the "@main" suffix for
the full commit SHA for each action (use the exact commit SHA from the upstream
TanStack/config repo for the desired revisions) so both the setup and
changeset-preview steps are pinned to specific commits.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3c8e8d56-9f24-4515-915d-5bf2c406b340

📥 Commits

Reviewing files that changed from the base of the PR and between 45bdbb0 and 7ace46b.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • .changeset/config.json
  • .github/workflows/autofix.yml
  • .github/workflows/pr.yml
  • .github/workflows/release.yml
  • nx.json
  • package.json

Comment on lines 13 to +15
permissions:
contents: read
pull-requests: write

⚠️ Potential issue | 🟠 Major

Scope PR write permission to the Version Preview job only.

Line 15 grants pull-requests: write to every job, including jobs executing third-party tooling. Restrict it to version-preview to reduce token blast radius.

🔐 Proposed least-privilege adjustment
 permissions:
   contents: read
-  pull-requests: write

 jobs:
   test:
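Review bot: Once pull-requests: write is removed from the workflow-level block, test and any other job without its own permissions key runs with contents: read only. The hunk shows just the test job, so before applying it check that no job other than version-preview posts or edits PR comments; if one does, give that job its own pull-requests: write rather than restoring the workflow-level grant.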
@@
   version-preview:
     name: Version Preview
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6.0.2
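Review bot: The Checkout step at the end of this hunk uses actions/checkout@v6.0.2, a tag, inside the one job that would now hold pull-requests: write. A tag can be moved to a different commit, so pin the actions in version-preview to full commit SHAs and keep the version as a trailing comment. The restated contents: read should stay, because a job-level permissions block replaces the workflow-level one instead of adding to it.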

Also applies to: 56-65

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr.yml around lines 13 - 15, The top-level GitHub Actions
permissions block currently grants pull-requests: write globally; remove
pull-requests: write from the top-level permissions and instead add a job-level
permissions block for the version-preview job that includes pull-requests: write
(keep contents: read at top-level). Update the job named version-preview to
include permissions: { pull-requests: write, contents: read } (or merge with its
existing permissions) so only that job has write scope; also mirror the same
change for the other occurrence noted around lines 56-65 by removing global
write and scoping write to the specific job(s).
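
Both findings in the review above (workflow-level pull-requests: write, and action references not pinned to a commit SHA) can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit: a line-based scan with no YAML parser, run on a constructed, abridged workflow. `audit_workflow` and its finding labels are names made up here, and it reports any ref that is not a 40-hex SHA, so version tags such as v6.0.2 are flagged alongside the @main refs the review names.

```python
import re

# Constructed, abridged sample modelled on the workflow under review; not the repository's file.
SAMPLE_WORKFLOW = """\
permissions:
  contents: read
  pull-requests: write
jobs:
  test:
    steps:
      - uses: actions/checkout@v6.0.2
  version-preview:
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: TanStack/config/.github/setup@main
      - uses: TanStack/config/.github/changeset-preview@main
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SCOPE = re.compile(r"^\s+([\w-]+):\s*(\S+)")

def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file."""
    findings = []
    in_top_permissions = False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            # Any top-level key opens or closes the workflow-level permissions block.
            in_top_permissions = line.startswith("permissions:")
            if in_top_permissions and line.split(":", 1)[1].strip() == "write-all":
                findings.append((no, "workflow-write", "write-all"))
            continue
        scope = SCOPE.match(line)
        if in_top_permissions and scope and scope.group(2) == "write":
            findings.append((no, "workflow-write", scope.group(1)))
        uses = USES.match(line)
        # Local actions and docker images have no git ref to pin.
        if uses and not uses.group(1).startswith(("./", "docker://")):
            ref = uses.group(1).partition("@")[2]
            if not FULL_SHA.match(ref):
                findings.append((no, "unpinned-ref", uses.group(1)))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Job-level permissions blocks are deliberately not reported, since scoping the write grant to a single job is the fix the review proposes.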

@lachlancollins lachlancollins merged commit 604c96d into main Mar 17, 2026
6 of 7 checks passed
@lachlancollins lachlancollins deleted the update-workflows branch March 17, 2026 13:43