mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-15 06:10:32 +00:00
14 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
43db152e9b
|
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` → `v1.9.1` | `v1.14.1` (+10) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1): : Cold install overhaul, HTTP prefetch, and workspace fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1) A performance- and correctness-focused patch release. Cold installs get a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS fast path, and the resolver's cold path overlaps DNS, TLS, and packument prefetch with the manifest/workspace/lockfile work that used to serialize them. On the fix side, `aube run` once again finds `node-gyp` for package scripts, and `aube update` / `aube outdated` stop trying to fetch unpublished `workspace:` deps from the registry. #### Added - **Pre-resolver packument prefetch + shared HTTP utilities** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a new `aube-util::http` module consolidates client-side primitives (`prewarm`, `priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one warm-pool surface with consistent killswitch semantics. On install entry, aube now reads `package.json` and fires fire-and-forget packument GETs for every registry-shaped direct dep before workspace yaml load, settings resolve, lockfile parse, and resolver construction — by the time the resolver pops its first task, the packument cache and reqwest pool are warm. `RegistryClient::prewarm_connection` now covers the default registry **plus** every scoped (`@org:registry=...`) and per-uri auth registry, with parallel DNS preresolve so DNS RTT hides behind the TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC 9218 Critical) so H2 schedulers prioritize resolver-blocking metadata over pending tarball frames. New killswitches: `AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`, `AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a no-op when offline or when any lockfile is present. - **Cold install pipeline overhaul** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — several overlapping wins on the cold-cache path: - **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`, killswitch `AUBE_DISABLE_TARBALL_STREAM`) — HTTP body chunks pipe through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by the registry's `tarball_max_bytes` cap. - **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP` fallback to the tempfile path, `posix_fallocate` to avoid ext4 fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`. - **Materialize-stream into the lockfile fast path** — both lockfile and no-lockfile branches now share the GVS prewarm materializer, hiding 30-200ms of GVS reflinks behind the in-flight download tail. - **Resolver tuning** — foldhash on `graph_hash` hot maps, pre-sized resolver caches, thread-local `node_semver::Version` parse cache, `PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) / `max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` / `AUBE_TOKIO_BLOCKING`). - **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store root; cross-volume detection (drive letters on Windows, `dev` id on Unix) is gated per-platform. Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster than Bun across svelte/vite/next/babylon. - **Per-project materialize pipelined into fetch** ([#​527](https://redirect.github.com/endevco/aube/pull/527) by [@​imjustprism](https://redirect.github.com/imjustprism)) — when GVS is off, each fetched `(canonical_key, PackageIndex)` triggers `materialize_into` against `.aube/<dep_path>/` immediately, so by the time fetch finishes the dedicated link phase only has to create top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet` instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks abort instead of detaching and racing install cleanup. \~10% improvement on warm fresh installs in the local benchmark matrix. #### Fixed - **`aube run` / `aube test` find `node-gyp`** ([#​518](https://redirect.github.com/endevco/aube/pull/518) by [@​jdx](https://redirect.github.com/jdx)) — package scripts only had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail with `node-gyp: not found` on hosts that didn't already ship it. Script execution now reuses aube's existing node-gyp bootstrap (via a lazy shim bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into the offline node-gyp bootstrap bats suite. - **`workspace:` deps in `aube update` / `aube outdated`** ([#​523](https://redirect.github.com/endevco/aube/pull/523) by [@​jdx](https://redirect.github.com/jdx), fixes [#​520](https://redirect.github.com/endevco/aube/discussions/520)) — `aube update` now discovers workspace package `name`/`version` pairs and passes them into resolver workspace resolution so `workspace:` deps from `package.json#workspaces` resolve locally instead of triggering registry packument fetches. `aube outdated` filters out direct deps with `workspace:` specifiers and reports "no matching dependencies" rather than attempting a packument fetch. Adds a new `WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace packages without a `name` field. - **Resolver peer-context divergence is fatal** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and ship a broken graph; it now returns a fatal `Error::PeerContextDivergence(usize)`. `state::remove_state` errors at `--force` and GVS-transition sites also propagate instead of being silently swallowed, so permission-denied or Windows-locked sidecars no longer defeat the freshness check. - **Tarball hardening** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — entries declared as 0 bytes with non-zero stream payload are now rejected (synthetic-entry injection guard), and GNU `LongName` / `LongLink` metadata records are correctly accepted. - **Patches loaded once per cwd** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `load_patches_for_linker` walked `patches/` from disk 2-3 times per install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites). Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.9.0...v1.9.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0): : Comment-preserving workspace edits, deploy bundling, and node --inspect [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0) A focused release: `aube deploy` learns to bundle workspace siblings and local-path deps into the deploy artifact, workspace-yaml writers stop eating user comments, aube-owned settings move out of `.npmrc`, and `aube run` forwards Node debugger flags. #### Added - **Aube settings move out of `.npmrc`** ([#​517](https://redirect.github.com/endevco/aube/pull/517) by [@​jdx](https://redirect.github.com/jdx)) — known aube-owned settings now live in `~/.config/aube/config.toml` (XDG-aware), while registry, auth, and unknown keys keep using `.npmrc`. `aube config get/set/list/delete` reads and writes the right file automatically, and migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc` writes are also atomic against the **symlink target** now, so dotfile setups that symlink `~/.npmrc` into a managed config repo stop having the symlink replaced by a regular file. - **`aube run --inspect` / `--inspect-brk`** ([#​515](https://redirect.github.com/endevco/aube/pull/515) by [@​jdx](https://redirect.github.com/jdx)) — both flags accept an optional `[host:]port` (e.g. `--inspect=9229`, `--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv when aube can identify a Node-backed target — direct `node ...` scripts in `package.json` and local `node_modules/.bin` fallbacks resolved through shims/symlinks. The flags are passed as argv rather than via `NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes spawned by the script. - **`aube deploy --no-prod`** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — opt out of the default `--prod` filter for deploys that need devDependencies at runtime (test-harness staging, build-step artifacts). Mutually exclusive with `--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but drop optionals. - **Comment-preserving workspace yaml writes** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — every workspace-yaml writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily `cleanupUnusedCatalogs` install pass, and `aube config set --location workspace`) now routes through `yamlpatch` instead of round-tripping the file through a serializer. Keys, comments, and whitespace the edit didn't touch land back on disk byte-identical, so user annotations on adjacent entries survive. Empty/missing files still go through the regular serializer since there are no comments to preserve. #### Fixed - **`aube deploy` bundles local dependencies** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — fixes two real bugs reported in [#​345](https://redirect.github.com/endevco/aube/discussions/345): - **`workspace:*` siblings tried to fetch from the registry.** Deploy used to rewrite `workspace:*` to a concrete version and ask install to resolve it — fine for published siblings, broken for the (very common) unpublished case. Reachable workspace siblings are now copied into `<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a relative `file:` pointer. Recursion handles sibling chains where a sibling's own deps are workspace siblings. - **`file:` deps resolved relative to the deploy output dir.** A `file:../local-vendor` spec used to ride along unchanged in the deployed manifest, pointing at `<target>/../local-vendor` instead of the source workspace's `local-vendor`. Local-path deps now go through the same staging pipeline. When bundling occurs the lockfile-subset path is skipped, since the rewritten `file:` pointers don't appear in the source lockfile and would otherwise trip a frozen install. - **`aube remove` preserves dependency order** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — dropping one dep used to alphabetize the remaining entries in the affected `package.json` section as a side effect. Surviving entries now stay in their original on-disk order, matching pnpm/npm. (`aube add` is unaffected — sorted inserts there are intentional.) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.8.0...v1.9.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0): : Stable error codes, smarter run/dlx, and a new install progress UI [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0) A polish-and-plumbing release: install progress gets a from-scratch redesign, errors and warnings now carry stable identifiers (with bespoke exit codes and dep-chain context), `aube run` / `aube dlx` prefer locally-installed binaries, and a handful of workspace-from-subpackage and `aube add` ergonomics get fixed. #### Added - **Redesigned install progress UI** ([#​501](https://redirect.github.com/endevco/aube/pull/501) by [@​jdx](https://redirect.github.com/jdx)) — fixed 15-char bar on the left, stats on the right, phase-aware label (`resolving` / `fetching` / `linking`), ETA, transfer rate, and an estimated install size derived from the resolve stream: ``` aube 1.8.0 by en.dev █████░░░░░░░░░░ 23/142 pkgs · 4.2 MB / ~13.8 MB · 1.4 MB/s · ETA 5s ███████████████ 1230/1230 pkgs · linking ✓ resolved 1230 · reused 98 · downloaded 1132 (54.6 MB) in 6.8s ``` Installs that finish before the first 2s heartbeat now print a single self-identifying summary line (`✓ installed 5 packages in 423ms`) instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1 packages` overflow on platform-mismatched non-optional deps, and the "stuck at 90%" undercount caused by `filter_graph` dropping packages after the denominator was inflated). - **Local bins for `aube run` and `aube dlx`** ([#​502](https://redirect.github.com/endevco/aube/pull/502) by [@​jdx](https://redirect.github.com/jdx)) — `aube run <name>` falls back to `node_modules/.bin/<name>` when no `package.json` script matches, and `aube dlx` / `aubx` will execute an already-installed local binary instead of doing a throwaway install. Pass `-p` / `--package` (or a versioned spec) to force the install path. - **Stable error and warning codes** ([#​492](https://redirect.github.com/endevco/aube/pull/492) by [@​jdx](https://redirect.github.com/jdx)) — every error and warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*` identifier in a structured field, so CI scripts and ndjson consumers can branch on the code instead of substring-matching English messages. A curated subset maps to bespoke Unix exit codes (10–99 in 10-wide ranges by category) so shells can react to specific failures without parsing stderr — e.g. `aube install --frozen-lockfile` in an empty dir exits with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a specific package now also include the dependency chain back to the importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch failure tells you *why* your install pulled that transitive dep. The full code list lives at `docs/error-codes.md`. #### Fixed - **`aube why` / `list` / `query` from a workspace subpackage** ([#​504](https://redirect.github.com/endevco/aube/pull/504) by [@​jdx](https://redirect.github.com/jdx)) — these commands resolved cwd via the nearest `package.json`, so running them inside `packages/foo/` errored with `No lockfile found. Run aube install first.` even though the workspace lockfile sat one level up. They now walk up to the workspace root when one is present. - **Workspace lifecycle scripts and pnpm-lock npm aliases** ([#​500](https://redirect.github.com/endevco/aube/pull/500) by [@​jdx](https://redirect.github.com/jdx)) — recursive workspace installs now run `preinstall`/`install`/`postinstall`/`prepare` for each linked workspace importer in dependency order (not just the root), and the build-script policy merges `pnpm.allowBuilds` / `onlyBuiltDependencies` / `neverBuiltDependencies` across all participating manifests so a member can approve its own dep's builds. `pnpm-lock.yaml` now writes npm aliases in pnpm's native `<real>@​<version>` encoding instead of leaking aube's internal `aliasOf` field. - **`aube add` auto-detects local paths** ([#​499](https://redirect.github.com/endevco/aube/pull/499) by [@​jdx](https://redirect.github.com/jdx)) — `aube add /path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no longer fall through to the registry path with a confusing `HTTP 405 Method Not Allowed`. Bare paths default to `link:` for directories and `file:` for tarballs (pnpm parity); explicit prefixes are preserved. Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint instead of a 405. #### Changed - **Per-command `--help` is bucketed** ([#​505](https://redirect.github.com/endevco/aube/pull/505) by [@​jdx](https://redirect.github.com/jdx)) — `--frozen-lockfile` / `--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and `--disable/--enable-global-virtual-store` moved off the global flag set into per-command groups under `Lockfile` / `Network` / `Virtual store` headings, and now appear only on commands that consume them. Seven pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`, `--include-workspace-root`, `--aggregate-output`, `--stream`, `--use-stderr`, `--yes`) are still parsed but hidden from `--help`. Pre-subcommand placement still works (`aube --frozen-lockfile install`, `aube --registry=URL install`) via an argv pre-pass. One caveat: implicit-script invocations like `aube --frozen-lockfile dev` (where `dev` is a `package.json` script) no longer apply the flag — write `aube run --frozen-lockfile dev` instead. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.7.0...v1.8.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0): : Local & git specs in aube add, faster cold installs [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0) A feature-heavy release: `aube add` learns git and local-path specs, workspace commands gain support for yaml-only "coordinator" monorepos, `aube update` and `aube rebuild` get pnpm-parity polish, and a deep performance pass speeds up cold installs by up to \~1.9×. #### Highlights - **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and `link:` / `file:` local-path dependencies — not just registry packages. - **Performance pass on the install hot path** ([#​469](https://redirect.github.com/endevco/aube/pull/469)) lands streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering, and a long tail of cold-path cleanups, with measured cold-install speedups up to \~1.9× vs v1.6.2. - **Workspace and pnpm parity polish** across `update`, `rebuild`, yaml-only roots, unversioned members, and nested `link:` / `file:` resolution. #### Added - **`aube add file:./pkg` / `link:../sibling`** ([#​487](https://redirect.github.com/endevco/aube/pull/487) by [@​jdx](https://redirect.github.com/jdx)) — local-path specs are routed through a non-registry branch, with the manifest key derived from the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit alias. `aube add my-bundle@file:./bundle.tgz` works too. - **`aube add` supports git specs** ([#​483](https://redirect.github.com/endevco/aube/pull/483) by [@​jdx](https://redirect.github.com/jdx)) — bare GitHub shorthand, `github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` / `git+https` URLs, and aliases. The verbatim spec is written to `package.json` and the resolver handles the rest: ```bash aube add kevva/is-negative aube add github:kevva/is-positive aube add my-alias@git+https://github.com/kevva/is-negative.git ``` - **Yaml-only workspace roots** ([#​486](https://redirect.github.com/endevco/aube/pull/486) by [@​jdx](https://redirect.github.com/jdx)) — `install`, `list`, `run -r`, `query`, and `why` now work in pure-coordinator monorepos that have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no root `package.json` (Turborepo-style layouts). Single-project commands like `add` / `remove` still hard-error without a manifest. - **`aube update <pkg>` rewrites manifest ranges by default** ([#​479](https://redirect.github.com/endevco/aube/pull/479) by [@​jdx](https://redirect.github.com/jdx)) — caret/tilde ranges (`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max, matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git, `workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep the previous behavior. - **`aube rebuild <pkg>...`** ([#​477](https://redirect.github.com/endevco/aube/pull/477) by [@​jdx](https://redirect.github.com/jdx)) — runs lifecycle scripts only for the named deps, bypasses the `allowBuilds` / `onlyBuiltDependencies` policy, and skips root hooks. Composes with `--filter`. Bare `aube rebuild` continues to do a full policy-respecting rebuild. - **Persistent unreviewed-builds warning** ([#​476](https://redirect.github.com/endevco/aube/pull/476) by [@​jdx](https://redirect.github.com/jdx)) — repeat warm-path installs no longer swallow the "ignored build scripts for N package(s)" nudge; the spec keys are persisted in `.aube-state` and re-emitted on every install. - **`aube update --depth` no longer silently ignored** ([#​473](https://redirect.github.com/endevco/aube/pull/473) by [@​jdx](https://redirect.github.com/jdx)) — emits a one-line warning pointing at `rm aube-lock.yaml && aube install` for the only useful semantic case. #### Fixed - **Faster cold installs** ([#​469](https://redirect.github.com/endevco/aube/pull/469) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a wide hot-path pass with measurable wins on real registries: | Project | v1.6.2 | v1.7.0 | Speedup | | ----------------- | --------: | ------: | ------: | | svelte (56 pkg) | 1393 ms | 1386 ms | 1.01× | | vue (117 pkg) | 1590 ms | 1360 ms | 1.17× | | next.js (336 pkg) | 14071 ms | 9160 ms | 1.54× | | babylon (21 pkg) | \~6000 ms | 3186 ms | \~1.9× | Highlights: streaming SHA-512 over the wire (no second buffered hash pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm behind manifest parse, native-build packages floated to the front of the fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network concurrency default raised 64 → 128, and zero-copy packument parsing. Every change ships with an `AUBE_DISABLE_*` killswitch (`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`, `AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`, `AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an `AUBE_CONCURRENCY=N` clamp. - **Nested `link:` / `file:` resolution** ([#​470](https://redirect.github.com/endevco/aube/pull/470) by [@​jdx](https://redirect.github.com/jdx)) — fixes the `transitive local specifier link:./libs/foo cannot be resolved without the parent package source root` install error in two cases: a `file:` / `link:` parent declaring a transitive `link:`, and a root `pnpm.overrides` rewriting a registry dep to a local path. Override paths now anchor at the project root like pnpm does. - **Workspace members without `version`** ([#​480](https://redirect.github.com/endevco/aube/pull/480) by [@​jdx](https://redirect.github.com/jdx)) — fall back to `0.0.0` instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link locally; specific ranges like `workspace:^2.0.0` still correctly fail to satisfy. Unblocks repos like [tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584). - **Bare `user/repo` parsed as GitHub shorthand** ([#​472](https://redirect.github.com/endevco/aube/pull/472) by [@​jdx](https://redirect.github.com/jdx)) in lockfile/spec parsing, with `update --latest` now skipping git-spec deps so they can't be silently rewritten into registry pins. - **CLI short help wraps cleanly** ([#​478](https://redirect.github.com/endevco/aube/pull/478) by [@​jdx](https://redirect.github.com/jdx)) — many flags across `add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc comments that clap merged into 120+ char paragraphs for `-h`. Now each flag has a one-line summary followed by the longer prose, restoring readable short help on standard terminals. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.2...v1.7.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` → `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) — aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` → `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** — the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** — a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** — tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write — matching pnpm's approach — with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** — previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk → write there. 2. Otherwise, if `package.json#pnpm` is already declared → write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise → write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** — `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@…` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** — the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** — when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** — yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** — set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged — aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install — it's the
script-runner shorthand (`aubr <script>` ≡ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && …"`). The literal
`npm` works for both callers — aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` — parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** — single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** — generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean — succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) — succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` — clean
- [x] `aubr lint` — clean
- [x] `aubr package` — produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesn’t change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`’s generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
0b4dcb0c10
|
ci: add communique to enhance release notes (#411)
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
jdx
|
bd8ba20c56
|
chore: added release-plz | ||
|
jdx
|
ec352a8916
|
chore: node-24 | ||
|
jdx
|
5f7b5f779d
|
chore: loosen node version | ||
|
jdx
|
3601336acb
|
chore: updated deps | ||
|
jdx
|
793f8df484
|
chore: added pre-commit task | ||
|
renovate[bot]
|
c34172bab2
|
chore(deps): update dependency node to v22 (#143)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c1be5dfbbf
|
chore(deps): update dependency node to v20.18.0 (#126)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
9d00159afd
|
chore(deps): update dependency node to v20.17.0 (#112)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
5d3e058edf
|
feat: support windows (#122) |
Renamed from .mise.toml (Browse further)