Ship: Renovate onboarding + dependency modernization batches 1–3 #221

Merged
bvandeusen merged 20 commits from dev into main 2026-07-11 23:16:33 -04:00
7 changed files with 46 additions and 24 deletions
+13 -8
View File
@@ -9,10 +9,15 @@ name: CI
on:
push:
branches: [dev, main]
# pull_request trigger intentionally absent — with branches: [dev, main]
# above, every PR commit already fires CI via the push event on dev. Adding
# pull_request would duplicate runs on dev→main PRs. FC has no fork PRs
# (single-operator Forgejo repo) so push coverage is complete.
# Renovate opens PRs from `renovate/*` branches into `dev`. Those branches
# never push to dev/main, so the push trigger above gives them NO pre-merge
# CI — a bump could only be validated after it was already merged. This
# pull_request trigger (base `dev` only) validates Renovate PRs before merge.
# It deliberately does NOT fire on dev→main PRs (base `main`), which still
# rely on the dev push run — so no duplicate runs. FC has no fork PRs
# (single-operator Forgejo repo), so secrets-on-PR is not a concern.
pull_request:
branches: [dev]
jobs:
# Fast-fail lint lane. ruff is pre-installed in the ci-python image, so
@@ -92,10 +97,10 @@ jobs:
# If we want strict lockfile-based reproducibility later, commit a
# package-lock.json and flip this back to `npm ci`.
- run: npm install --no-audit --no-fund
# `npm run check` (vue-tsc --noEmit) skipped: the frontend is pure JS
# with no .ts files and no JSDoc annotations, so vue-tsc has nothing
# to type-check. Re-enable once we add a tsconfig.json and either
# convert to TS or add JSDoc.
# No type-check step: the frontend is pure JS (no .ts files, no JSDoc),
# so a type-checker has nothing to do. The vue-tsc devDep + its `check`
# script were dropped 2026-07-11 rather than bumped to v3. If we add
# TS/JSDoc later, re-add a tsconfig.json + vue-tsc + a type-check step.
- run: npm run test:unit
- run: npm run build
+1 -1
View File
@@ -20,7 +20,7 @@ jobs:
lint:
runs-on: python-ci
container:
image: node:22-bookworm-slim
image: node:24-bookworm-slim
steps:
- uses: actions/checkout@v4
- name: Install web-ext
+2 -2
View File
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1.7
# syntax=docker/dockerfile:1.25
FROM node:22-alpine AS frontend-builder
FROM node:24-alpine AS frontend-builder
WORKDIR /build
COPY frontend/package.json frontend/package-lock.json* ./
# No package-lock.json is tracked yet (we don't run npm locally per
+1 -1
View File
@@ -1,4 +1,4 @@
# syntax=docker/dockerfile:1.7
# syntax=docker/dockerfile:1.25
FROM python:3.14-slim
ENV PYTHONUNBUFFERED=1 \
+5 -7
View File
@@ -10,8 +10,7 @@
"dev": "vite",
"build": "vite build",
"preview": "vite preview",
"test:unit": "vitest run",
"check": "vue-tsc --noEmit"
"test:unit": "vitest run"
},
"dependencies": {
"vue": "^3.4.0",
@@ -21,13 +20,12 @@
"@mdi/font": "^7.4.0"
},
"devDependencies": {
"@vitejs/plugin-vue": "^5.0.0",
"vite": "^5.2.0",
"vue-tsc": "^2.0.0",
"@vitejs/plugin-vue": "^6.0.0",
"vite": "^8.0.0",
"vite-plugin-vuetify": "^2.0.0",
"sass": "^1.71.0",
"vitest": "^2.1.0",
"vitest": "^4.0.0",
"@vue/test-utils": "^2.4.0",
"happy-dom": "^15.0.0"
"happy-dom": "^20.0.0"
}
}
+19
View File
@@ -0,0 +1,19 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
],
"packageRules": [
{
"description": "Bundle the interlocking frontend build/test toolchain into ONE PR. vite, vitest, @vitejs/plugin-vue, happy-dom and @vue/test-utils are version-coupled — a lone major bump red-fails the build/tests until its peers land, so they must move together.",
"matchPackageNames": [
"vite",
"vitest",
"@vitejs/plugin-vue",
"happy-dom",
"@vue/test-utils"
],
"groupName": "frontend build/test toolchain"
}
]
}
+5 -5
View File
@@ -7,14 +7,14 @@ sqlalchemy[asyncio]>=2.0,<2.1
asyncpg>=0.31,<0.32
psycopg[binary]>=3.3,<3.4
alembic>=1.18,<1.19
pgvector>=0.4,<0.5
pgvector>=0.5,<0.6
# Task queue
celery>=5.6,<5.7
redis>=7.4,<8.0
# Crypto for credential storage (lands in FC-3, but pinned now for stability)
cryptography>=48,<49
cryptography>=49,<50
# Image handling (lands in FC-2)
pillow>=12,<13
@@ -30,10 +30,10 @@ yt-dlp>=2025.1
# Utilities
python-dotenv>=1.2,<2.0
structlog>=25.5,<26.0
structlog>=26.1,<26.2
# HTML sanitization for scraped post descriptions (FC-2d provenance)
nh3>=0.2,<0.3
nh3>=0.3,<0.4
# Archive extraction (FC-2d-iii filesystem-import aid)
rarfile>=4.2,<5
@@ -42,4 +42,4 @@ py7zr>=1,<2
# Google Drive fetcher for off-platform file-host links (external downloads,
# #830). Handles Drive's confirm-token + virus-scan interstitial. mega.nz uses
# the `megatools` binary instead (Debian apt pkg in the runtime image, not pip).
gdown>=5,<6
gdown>=6,<7