feat(node-ci): forward cache-dependency-path to setup-node #19

Merged: WomB0ComB0 merged 1 commit into main from feat/node-ci-cache-dep-path, Apr 22, 2026

@WomB0ComB0 WomB0ComB0 commented Apr 22, 2026

Summary

Polyglot repos with a lockfile outside the repo root couldn't adopt this reusable — actions/setup-node bailed with Dependencies lock file is not found because the reusable didn't accept a cache-dependency-path input.

Surfaced during resq-software/viz PR #58 adoption attempt. Viz's client pipeline (src/ResQ.Viz.Web/package-lock.json) currently uses a hand-rolled inline job because of this gap; once this lands + the viz ref pin bumps, it can switch to the shared reusable.

Changes

node-ci.yml

  • New optional input cache-dependency-path: string (default "").
  • Forwards to the actions/setup-node step's cache-dependency-path key.

required.yml

  • Pass-through input node-cache-dependency-path so consumers routing through the org aggregator (most of them) can set it.

Backwards compatibility

Default is "". When unset, actions/setup-node treats the key as absent and falls back to repo-root lockfile detection — exactly the pre-PR behaviour. No current consumer needs updating; this only enables new adoption patterns.

Verification

  • ruby -ryaml parses both YAMLs after the change
  • node-ci.yml inputs: [... working-directory, cache-dependency-path, install-cmd, ...]
  • required.yml node-* inputs: [..., node-build-cmd, node-cache-dependency-path]

Test plan (follow-up in viz)

Once merged, viz's ci.yml can switch from the hand-rolled client job to:

client:
  uses: resq-software/.github/.github/workflows/node-ci.yml@<new-sha>
  with:
    package-manager: npm
    working-directory: src/ResQ.Viz.Web
    cache-dependency-path: src/ResQ.Viz.Web/package-lock.json
    install-cmd: npm ci --legacy-peer-deps
    typecheck-cmd: npx tsc --noEmit
    build-cmd: npx vite build

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced Node.js dependency caching in CI/CD workflows to support custom lockfile paths, enabling improved build performance for repositories with lockfiles in non-standard locations.

Polyglot repos with a lockfile outside the repo root (e.g. viz's
`src/ResQ.Viz.Web/package-lock.json`) couldn't adopt this reusable —
actions/setup-node bailed with "Dependencies lock file is not found"
because the reusable didn't accept a `cache-dependency-path` input.

Changes:
- node-ci.yml: add optional `cache-dependency-path` input, forward to
  the setup-node step. Default empty preserves current behaviour.
- required.yml: add pass-through `node-cache-dependency-path` input
  so consumers routing through the org aggregator can set it.

Surfaced during resq-software/viz PR #58 adoption attempt. Viz's
client pipeline currently uses a hand-rolled inline job because of
this gap — once this lands + the viz ref pin bumps, it can switch
to the shared reusable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Apr 22, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 109c36b and 0dd3efc.

📒 Files selected for processing (2)
  • .github/workflows/node-ci.yml
  • .github/workflows/required.yml

📝 Walkthrough

GitHub Actions workflow files updated to support flexible Node.js dependency lockfile path configuration. Added cache-dependency-path input to node-ci.yml and node-cache-dependency-path input to required.yml, enabling proper cache key generation for polyglot repositories with lockfiles in non-root directories.

Changes

Cohort: GitHub Actions Workflow Configuration
File(s): .github/workflows/node-ci.yml, .github/workflows/required.yml
Summary: Added cache-dependency-path and node-cache-dependency-path inputs respectively with default empty strings. Updated workflow steps to forward the cache path parameter through the workflow call chain to actions/setup-node for dependency caching.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through workflows deep,
With cache paths now in tidy keep,
No more lockfiles lost in nested places—
Each polyglot repo finds its traces! ✨

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding and forwarding the cache-dependency-path parameter to setup-node in the node-ci workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@WomB0ComB0 WomB0ComB0 merged commit 23ce94e into main Apr 22, 2026
7 checks passed
@WomB0ComB0 WomB0ComB0 deleted the feat/node-ci-cache-dep-path branch April 22, 2026 11:35
WomB0ComB0 added a commit to resq-software/viz that referenced this pull request Apr 23, 2026
* ci: switch client job to node-ci.yml reusable (org PR #19 landed)

Swap the hand-rolled frontend install+typecheck+build steps for the
org-wide node-ci.yml reusable. The prior adoption attempt failed with
"Dependencies lock file is not found" because the reusable hardcoded
`cache-dependency-path: package-lock.json` (repo root) — viz's lockfile
lives at src/ResQ.Viz.Web/package-lock.json.

resq-software/.github#19 parameterised `cache-dependency-path` on the
reusable; this PR consumes the merged SHA.

Call node-ci.yml directly rather than via required.yml because viz
already calls required.yml as `lang: dotnet` for the backend stream; a
second `lang: node` dispatch would duplicate the security-scan job.

client-budget stays as a companion — the reusable exposes neither
bundle outputs nor artifact upload, and the bundle-size ceiling is
viz-specific policy.

Ref pinned to merge commit 23ce94eabddf963835624451e89baca7ac9db541.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* deps: force uuid to ^14 via override (GHSA-w5hq-g745-h8pq)

osv-scanner surfaced GHSA-w5hq-g745-h8pq (medium) against uuid@13.0.0,
pulled transitively through effect@4.0.0-beta.52 → uuid: ^13.0.0.
effect hasn't bumped its caret yet.

Add a top-level npm `overrides` entry to force uuid@^14.0.0. uuid's
public surface (v4()/validate()/parse()) is unchanged across the
13→14 major, so effect's usage is unaffected.

Lockfile regenerated; typecheck + vite build both clean. Bundle size
unchanged (776 KB JS, within 800 KB budget).

This is an unrelated advisory bundled here only because it landed in
osv.dev between main's last build and this branch, and the gate now
blocks the CI-reusable-adoption signal we're verifying. Remove the
override once `effect` upstream bumps its `uuid: ^13.0.0` range.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
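
The `overrides` fix described in the second commit message only helps if the regenerated lockfile no longer resolves any copy of the package below the fixed major. The check below is an added example, not code from the viz repository or the org workflows; the function names and the sample package.json and lockfile objects are constructed, and it assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example. Sample objects are constructed; they stand in for
// JSON.parse() of a package.json and a package-lock.json (lockfileVersion 2/3).

// Every installed copy of `name`, hoisted or nested, from the "packages" map.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function majorOf(version) {
  const m = /^(\d+)\./.exec(version || '');
  return m ? Number(m[1]) : NaN;
}

// Returns a list of problems; an empty list means the override took effect.
function checkOverride(pkg, lock, name, minMajor) {
  const problems = [];
  // Only the simple top-level string form ("uuid": "^14.0.0") is recognised here.
  if (typeof (pkg.overrides || {})[name] !== 'string') {
    problems.push(`package.json has no top-level overrides entry for ${name}`);
  }
  for (const { path, version } of findCopies(lock, name)) {
    // NaN (unparseable version) also fails this comparison and is reported.
    if (!(majorOf(version) >= minMajor)) {
      problems.push(`${path} resolves to ${version}, below ${minMajor}.x`);
    }
  }
  return problems;
}

const pkgWithOverride = { overrides: { uuid: '^14.0.0' } };
const lockRegenerated = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app' },
  'node_modules/effect': { version: '4.0.0-beta.52' },
  'node_modules/uuid': { version: '14.0.0' },
} };
// Failure mode: a nested copy still pinned to the old major.
const lockNestedStale = { lockfileVersion: 3, packages: {
  ...lockRegenerated.packages,
  'node_modules/effect/node_modules/uuid': { version: '13.0.0' },
} };

console.log(checkOverride(pkgWithOverride, lockRegenerated, 'uuid', 14));
console.log(checkOverride(pkgWithOverride, lockNestedStale, 'uuid', 14));
```

Run as a CI step after install, a non-empty result can fail the job before the advisory scanner does, and it names the exact lockfile path that still carries the old major.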