Merge pull request 'Ship: Renovate onboarding + dependency modernization batches 1–3' (#221) from dev into main
Build images / sign-extension (push) Successful in 3s
CI / lint (push) Successful in 4s
Build images / build-agent (push) Successful in 8s
extension / lint (push) Successful in 16s
CI / frontend-build (push) Successful in 29s
CI / backend-lint-and-test (push) Successful in 1m4s
Build images / build-web (push) Successful in 1m24s
Build images / build-ml (push) Successful in 2m36s
CI / integration (push) Successful in 3m46s

This commit was merged in pull request #221.
This commit is contained in:
2026-07-11 23:16:33 -04:00
7 changed files with 46 additions and 24 deletions
+13 -8
View File
@@ -9,10 +9,15 @@ name: CI
on: on:
push: push:
branches: [dev, main] branches: [dev, main]
# pull_request trigger intentionally absent — with branches: [dev, main] # Renovate opens PRs from `renovate/*` branches into `dev`. Those branches
# above, every PR commit already fires CI via the push event on dev. Adding # never push to dev/main, so the push trigger above gives them NO pre-merge
# pull_request would duplicate runs on dev→main PRs. FC has no fork PRs # CI — a bump could only be validated after it was already merged. This
# (single-operator Forgejo repo) so push coverage is complete. # pull_request trigger (base `dev` only) validates Renovate PRs before merge.
# It deliberately does NOT fire on dev→main PRs (base `main`), which still
# rely on the dev push run — so no duplicate runs. FC has no fork PRs
# (single-operator Forgejo repo), so secrets-on-PR is not a concern.
pull_request:
branches: [dev]
jobs: jobs:
# Fast-fail lint lane. ruff is pre-installed in the ci-python image, so # Fast-fail lint lane. ruff is pre-installed in the ci-python image, so
@@ -92,10 +97,10 @@ jobs:
# If we want strict lockfile-based reproducibility later, commit a # If we want strict lockfile-based reproducibility later, commit a
# package-lock.json and flip this back to `npm ci`. # package-lock.json and flip this back to `npm ci`.
- run: npm install --no-audit --no-fund - run: npm install --no-audit --no-fund
# `npm run check` (vue-tsc --noEmit) skipped: the frontend is pure JS # No type-check step: the frontend is pure JS (no .ts files, no JSDoc),
# with no .ts files and no JSDoc annotations, so vue-tsc has nothing # so a type-checker has nothing to do. The vue-tsc devDep + its `check`
# to type-check. Re-enable once we add a tsconfig.json and either # script were dropped 2026-07-11 rather than bumped to v3. If we add
# convert to TS or add JSDoc. # TS/JSDoc later, re-add a tsconfig.json + vue-tsc + a type-check step.
- run: npm run test:unit - run: npm run test:unit
- run: npm run build - run: npm run build
+1 -1
View File
@@ -20,7 +20,7 @@ jobs:
lint: lint:
runs-on: python-ci runs-on: python-ci
container: container:
image: node:22-bookworm-slim image: node:24-bookworm-slim
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Install web-ext - name: Install web-ext
+2 -2
View File
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1.7 # syntax=docker/dockerfile:1.25
FROM node:22-alpine AS frontend-builder FROM node:24-alpine AS frontend-builder
WORKDIR /build WORKDIR /build
COPY frontend/package.json frontend/package-lock.json* ./ COPY frontend/package.json frontend/package-lock.json* ./
# No package-lock.json is tracked yet (we don't run npm locally per # No package-lock.json is tracked yet (we don't run npm locally per
+1 -1
View File
@@ -1,4 +1,4 @@
# syntax=docker/dockerfile:1.7 # syntax=docker/dockerfile:1.25
FROM python:3.14-slim FROM python:3.14-slim
ENV PYTHONUNBUFFERED=1 \ ENV PYTHONUNBUFFERED=1 \
+5 -7
View File
@@ -10,8 +10,7 @@
"dev": "vite", "dev": "vite",
"build": "vite build", "build": "vite build",
"preview": "vite preview", "preview": "vite preview",
"test:unit": "vitest run", "test:unit": "vitest run"
"check": "vue-tsc --noEmit"
}, },
"dependencies": { "dependencies": {
"vue": "^3.4.0", "vue": "^3.4.0",
@@ -21,13 +20,12 @@
"@mdi/font": "^7.4.0" "@mdi/font": "^7.4.0"
}, },
"devDependencies": { "devDependencies": {
"@vitejs/plugin-vue": "^5.0.0", "@vitejs/plugin-vue": "^6.0.0",
"vite": "^5.2.0", "vite": "^8.0.0",
"vue-tsc": "^2.0.0",
"vite-plugin-vuetify": "^2.0.0", "vite-plugin-vuetify": "^2.0.0",
"sass": "^1.71.0", "sass": "^1.71.0",
"vitest": "^2.1.0", "vitest": "^4.0.0",
"@vue/test-utils": "^2.4.0", "@vue/test-utils": "^2.4.0",
"happy-dom": "^15.0.0" "happy-dom": "^20.0.0"
} }
} }
+19
View File
@@ -0,0 +1,19 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
],
"packageRules": [
{
"description": "Bundle the interlocking frontend build/test toolchain into ONE PR. vite, vitest, @vitejs/plugin-vue, happy-dom and @vue/test-utils are version-coupled — a lone major bump red-fails the build/tests until its peers land, so they must move together.",
"matchPackageNames": [
"vite",
"vitest",
"@vitejs/plugin-vue",
"happy-dom",
"@vue/test-utils"
],
"groupName": "frontend build/test toolchain"
}
]
}
+5 -5
View File
@@ -7,14 +7,14 @@ sqlalchemy[asyncio]>=2.0,<2.1
asyncpg>=0.31,<0.32 asyncpg>=0.31,<0.32
psycopg[binary]>=3.3,<3.4 psycopg[binary]>=3.3,<3.4
alembic>=1.18,<1.19 alembic>=1.18,<1.19
pgvector>=0.4,<0.5 pgvector>=0.5,<0.6
# Task queue # Task queue
celery>=5.6,<5.7 celery>=5.6,<5.7
redis>=7.4,<8.0 redis>=7.4,<8.0
# Crypto for credential storage (lands in FC-3, but pinned now for stability) # Crypto for credential storage (lands in FC-3, but pinned now for stability)
cryptography>=48,<49 cryptography>=49,<50
# Image handling (lands in FC-2) # Image handling (lands in FC-2)
pillow>=12,<13 pillow>=12,<13
@@ -30,10 +30,10 @@ yt-dlp>=2025.1
# Utilities # Utilities
python-dotenv>=1.2,<2.0 python-dotenv>=1.2,<2.0
structlog>=25.5,<26.0 structlog>=26.1,<26.2
# HTML sanitization for scraped post descriptions (FC-2d provenance) # HTML sanitization for scraped post descriptions (FC-2d provenance)
nh3>=0.2,<0.3 nh3>=0.3,<0.4
# Archive extraction (FC-2d-iii filesystem-import aid) # Archive extraction (FC-2d-iii filesystem-import aid)
rarfile>=4.2,<5 rarfile>=4.2,<5
@@ -42,4 +42,4 @@ py7zr>=1,<2
# Google Drive fetcher for off-platform file-host links (external downloads, # Google Drive fetcher for off-platform file-host links (external downloads,
# #830). Handles Drive's confirm-token + virus-scan interstitial. mega.nz uses # #830). Handles Drive's confirm-token + virus-scan interstitial. mega.nz uses
# the `megatools` binary instead (Debian apt pkg in the runtime image, not pip). # the `megatools` binary instead (Debian apt pkg in the runtime image, not pip).
gdown>=5,<6 gdown>=6,<7