diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index ec1dcbf..4a0af72 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -9,10 +9,15 @@ name: CI on: push: branches: [dev, main] - # pull_request trigger intentionally absent — with branches: [dev, main] - # above, every PR commit already fires CI via the push event on dev. Adding - # pull_request would duplicate runs on dev→main PRs. FC has no fork PRs - # (single-operator Forgejo repo) so push coverage is complete. + # Renovate opens PRs from `renovate/*` branches into `dev`. Those branches + # never push to dev/main, so the push trigger above gives them NO pre-merge + # CI — a bump could only be validated after it was already merged. This + # pull_request trigger (base `dev` only) validates Renovate PRs before merge. + # It deliberately does NOT fire on dev→main PRs (base `main`), which still + # rely on the dev push run — so no duplicate runs. FC has no fork PRs + # (single-operator Forgejo repo), so secrets-on-PR is not a concern. + pull_request: + branches: [dev] jobs: # Fast-fail lint lane. ruff is pre-installed in the ci-python image, so @@ -92,10 +97,10 @@ jobs: # If we want strict lockfile-based reproducibility later, commit a # package-lock.json and flip this back to `npm ci`. - run: npm install --no-audit --no-fund - # `npm run check` (vue-tsc --noEmit) skipped: the frontend is pure JS - # with no .ts files and no JSDoc annotations, so vue-tsc has nothing - # to type-check. Re-enable once we add a tsconfig.json and either - # convert to TS or add JSDoc. + # No type-check step: the frontend is pure JS (no .ts files, no JSDoc), + # so a type-checker has nothing to do. The vue-tsc devDep + its `check` + # script were dropped 2026-07-11 rather than bumped to v3. If we add + # TS/JSDoc later, re-add a tsconfig.json + vue-tsc + a type-check step. - run: npm run test:unit - run: npm run build diff --git a/.forgejo/workflows/extension.yml b/.forgejo/workflows/extension.yml index ea12cf2..3a50314 100644 --- a/.forgejo/workflows/extension.yml +++ b/.forgejo/workflows/extension.yml @@ -20,7 +20,7 @@ jobs: lint: runs-on: python-ci container: - image: node:22-bookworm-slim + image: node:24-bookworm-slim steps: - uses: actions/checkout@v4 - name: Install web-ext diff --git a/Dockerfile b/Dockerfile index 17d7944..6c9da51 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -# syntax=docker/dockerfile:1.7 +# syntax=docker/dockerfile:1.25 -FROM node:22-alpine AS frontend-builder +FROM node:24-alpine AS frontend-builder WORKDIR /build COPY frontend/package.json frontend/package-lock.json* ./ # No package-lock.json is tracked yet (we don't run npm locally per diff --git a/Dockerfile.ml b/Dockerfile.ml index ee548fb..13efe30 100644 --- a/Dockerfile.ml +++ b/Dockerfile.ml @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.7 +# syntax=docker/dockerfile:1.25 FROM python:3.14-slim ENV PYTHONUNBUFFERED=1 \ diff --git a/frontend/package.json b/frontend/package.json index 5e230c5..3c394f1 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -10,8 +10,7 @@ "dev": "vite", "build": "vite build", "preview": "vite preview", - "test:unit": "vitest run", - "check": "vue-tsc --noEmit" + "test:unit": "vitest run" }, "dependencies": { "vue": "^3.4.0", @@ -21,13 +20,12 @@ "@mdi/font": "^7.4.0" }, "devDependencies": { - "@vitejs/plugin-vue": "^5.0.0", - "vite": "^5.2.0", - "vue-tsc": "^2.0.0", + "@vitejs/plugin-vue": "^6.0.0", + "vite": "^8.0.0", "vite-plugin-vuetify": "^2.0.0", "sass": "^1.71.0", - "vitest": "^2.1.0", + "vitest": "^4.0.0", "@vue/test-utils": "^2.4.0", - "happy-dom": "^15.0.0" + "happy-dom": "^20.0.0" } } diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..6275124 --- /dev/null +++ b/renovate.json @@ -0,0 +1,19 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ], + "packageRules": [ + { + "description": "Bundle the interlocking frontend build/test toolchain into ONE PR. vite, vitest, @vitejs/plugin-vue, happy-dom and @vue/test-utils are version-coupled — a lone major bump red-fails the build/tests until its peers land, so they must move together.", + "matchPackageNames": [ + "vite", + "vitest", + "@vitejs/plugin-vue", + "happy-dom", + "@vue/test-utils" + ], + "groupName": "frontend build/test toolchain" + } + ] +} diff --git a/requirements.txt b/requirements.txt index 05f7231..1950b50 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,14 +7,14 @@ sqlalchemy[asyncio]>=2.0,<2.1 asyncpg>=0.31,<0.32 psycopg[binary]>=3.3,<3.4 alembic>=1.18,<1.19 -pgvector>=0.4,<0.5 +pgvector>=0.5,<0.6 # Task queue celery>=5.6,<5.7 redis>=7.4,<8.0 # Crypto for credential storage (lands in FC-3, but pinned now for stability) -cryptography>=48,<49 +cryptography>=49,<50 # Image handling (lands in FC-2) pillow>=12,<13 @@ -30,10 +30,10 @@ yt-dlp>=2025.1 # Utilities python-dotenv>=1.2,<2.0 -structlog>=25.5,<26.0 +structlog>=26.1,<26.2 # HTML sanitization for scraped post descriptions (FC-2d provenance) -nh3>=0.2,<0.3 +nh3>=0.3,<0.4 # Archive extraction (FC-2d-iii filesystem-import aid) rarfile>=4.2,<5 @@ -42,4 +42,4 @@ py7zr>=1,<2 # Google Drive fetcher for off-platform file-host links (external downloads, # #830). Handles Drive's confirm-token + virus-scan interstitial. mega.nz uses # the `megatools` binary instead (Debian apt pkg in the runtime image, not pip). -gdown>=5,<6 +gdown>=6,<7