
fix(ci): run validate without a package-lock.json #2

Merged: Ed Fricker (beastawakens) merged 1 commit into main from fix/ci-no-lockfile, May 8, 2026

@beastawakens Ed Fricker (beastawakens) commented May 8, 2026

User description

Summary

The validate workflow has been failing on every PR (including the first sync PR #1 from smileidentity/lambda's automated sync workflow):

##[error]Dependencies lock file is not found ... Supported file patterns: package-lock.json, npm-shrinkwrap.json, yarn.lock

Two reasons:

  • actions/setup-node with cache: npm requires a lockfile to compute the cache key.
  • npm ci requires a lockfile to install.

The repo doesn't commit one. Switching the workflow to invoke spectral and redocly directly via npx --yes (pinned to the same versions as package.json's devDependencies) drops both requirements.

This unblocks sync PR #1 and any future automated sync PRs from lambda.

Test plan

🤖 Generated with Claude Code


PR Type

Bug fix


Description

  • Fix CI workflow failing due to missing package-lock.json

  • Remove cache: npm and npm ci steps from validate workflow

  • Use npx --yes with pinned package versions directly

  • Unblocks automated sync PRs from lambda repo


Diagram Walkthrough

flowchart LR
  A["validate.yml"] -- "remove" --> B["cache: npm + npm ci"]
  A -- "add" --> C["npx --yes with pinned versions"]
  C -- "runs" --> D["spectral-cli@^6.14.0"]
  C -- "runs" --> E["@redocly/cli@^1.28.0"]

File Walkthrough

Relevant files
Bug fix
validate.yml
Remove lockfile dependency from CI validate workflow         

.github/workflows/validate.yml

  • Removed cache: npm option from actions/setup-node step
  • Removed npm ci install step entirely
  • Changed npx spectral to npx --yes @stoplight/spectral-cli@^6.14.0
  • Changed npx redocly to npx --yes @redocly/cli@^1.28.0
+3/-6     


  • The repo has no committed package-lock.json. The validate workflow
    used `actions/setup-node` with `cache: npm` (which requires a
    lockfile to compute the cache key) and `npm ci` (which requires a
    lockfile to install). Both fail with:
    
      Dependencies lock file is not found ... Supported file patterns:
      package-lock.json, npm-shrinkwrap.json, yarn.lock
    
    Switch the workflow to invoke spectral and redocly directly via
    `npx --yes`, pinned to the same versions as `package.json`'s
    devDependencies. No install step or cache needed.
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Copilot AI review requested due to automatic review settings May 8, 2026 11:04

    prfectionist Bot commented May 8, 2026

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis 🔶

    1 - Partially compliant

    Compliant requirements:

    (This PR is a CI fix, not the sync PR itself. It unblocks the sync PR #1.)

    Non-compliant requirements:

    (Not applicable - this PR fixes CI to unblock the ticket's sync PR, it does not implement the sync itself.)

    Requires further human verification:

    ⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
    🏅 Score: 85
    🧪 No relevant tests
    🔒 No security concerns identified
    🔀 No multiple PR themes
    ⚡ Recommended focus areas for review

    Performance

    Each npx --yes invocation downloads the package fresh every time since there's no caching. The workflow now downloads @stoplight/spectral-cli twice (lines 25 and 31) and @redocly/cli once per run. This adds network latency and makes builds slower and less reproducible. Consider installing the packages once (e.g., npm install without a lockfile, or a single npm exec step) and reusing them, or at minimum caching the npm store.

      run: npx --yes @stoplight/spectral-cli@^6.14.0 lint specs/v3/*.yaml --fail-severity error
    
    - name: Bundle OpenAPI specs
      run: npx --yes @redocly/cli@^1.28.0 bundle specs/v3/*.yaml -o bundled/openapi-v3.yaml
    
    - name: Verify bundled spec is valid
      run: npx --yes @stoplight/spectral-cli@^6.14.0 lint bundled/openapi-v3.yaml --fail-severity error

    Non-deterministic Builds

    Using caret ranges (^6.14.0, ^1.28.0) means different CI runs may resolve different patch/minor versions, leading to non-reproducible results. Pinning to exact versions (e.g., @stoplight/spectral-cli@6.14.0) would ensure consistent behavior across runs.

      run: npx --yes @stoplight/spectral-cli@^6.14.0 lint specs/v3/*.yaml --fail-severity error
    
    - name: Bundle OpenAPI specs
      run: npx --yes @redocly/cli@^1.28.0 bundle specs/v3/*.yaml -o bundled/openapi-v3.yaml
    
    - name: Verify bundled spec is valid
      run: npx --yes @stoplight/spectral-cli@^6.14.0 lint bundled/openapi-v3.yaml --fail-severity error
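
A check for the caret-range concern raised in the review above, as an added example that is not part of the PR or the bot's output: it scans workflow text for `npx` calls and reports any package selector that is not an exact version. The function names are hypothetical, the two comparison steps in the sample are constructed, and it assumes `npx` is called without value-taking options such as `--package`.

```javascript
// Added example: flag npx calls whose package selector can float.
// Sample input is constructed from the run lines quoted in the review.
const SAMPLE_WORKFLOW = `
    - name: Lint OpenAPI specs with Spectral
      run: npx --yes @stoplight/spectral-cli@^6.14.0 lint specs/v3/*.yaml --fail-severity error
    - name: Bundle OpenAPI specs
      run: npx --yes @redocly/cli@^1.28.0 bundle specs/v3/*.yaml -o bundled/openapi-v3.yaml
    - name: Hypothetical exact pin, for comparison
      run: npx --yes @stoplight/spectral-cli@6.14.0 lint bundled/openapi-v3.yaml
    - name: Hypothetical bare name, for comparison
      run: npx spectral lint specs/v3/*.yaml
`;

// major.minor.patch with optional prerelease/build; ranges and tags fail this.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@selector" while keeping the leading "@" of a scoped package.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, selector: null };
  return { name: spec.slice(0, at), selector: spec.slice(at + 1) };
}

function classify(selector) {
  if (selector === null) return "unversioned";
  return EXACT.test(selector) ? "exact" : "floating";
}

// Return one finding per npx call: line number, package, selector, verdict.
// Assumption: the first token that is not an option is the package spec.
function auditNpx(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((line, i) => {
    const m = line.match(/\bnpx\s+(.*)$/);
    if (!m) return;
    // Skip flags such as --yes to reach the package spec.
    const spec = m[1].split(/\s+/).find((tok) => !tok.startsWith("-"));
    if (!spec) return;
    const { name, selector } = splitSpec(spec);
    findings.push({ line: i + 1, name, selector, verdict: classify(selector) });
  });
  return findings;
}

const floating = auditNpx(SAMPLE_WORKFLOW).filter((f) => f.verdict !== "exact");
for (const f of floating) {
  console.log(`line ${f.line}: ${f.name}@${f.selector ?? "(none)"} is ${f.verdict}`);
}
```

An exact selector fixes only the top-level package; its own dependencies are still resolved from ranges at run time unless a lockfile is committed.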


    prfectionist Bot commented May 8, 2026

    PR Code Suggestions ✨

    No code suggestions found for the PR.

    @beastawakens Ed Fricker (beastawakens) enabled auto-merge (squash) May 8, 2026 11:07

    Copilot AI left a comment


    Pull request overview

    Updates the GitHub Actions validate workflow to run Spectral and Redocly via npx so CI can validate OpenAPI specs without requiring a committed lockfile (and without npm ci).

    Changes:

    • Remove actions/setup-node npm caching and the npm ci install step (no lockfile required).
    • Run Spectral linting and Redocly bundling directly via npx --yes with explicit package/version selectors.


    Comment on lines 24 to +31
    - name: Lint OpenAPI specs with Spectral
    run: npx spectral lint specs/v3/*.yaml --fail-severity error
    run: npx --yes @stoplight/spectral-cli@^6.14.0 lint specs/v3/*.yaml --fail-severity error

    - name: Bundle OpenAPI specs
    run: npx redocly bundle specs/v3/*.yaml -o bundled/openapi-v3.yaml
    run: npx --yes @redocly/cli@^1.28.0 bundle specs/v3/*.yaml -o bundled/openapi-v3.yaml

    - name: Verify bundled spec is valid
    run: npx spectral lint bundled/openapi-v3.yaml --fail-severity error
    run: npx --yes @stoplight/spectral-cli@^6.14.0 lint bundled/openapi-v3.yaml --fail-severity error
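
    Review bot: all three new run lines use caret selectors (@^6.14.0 on the two Spectral steps, @^1.28.0 on the bundle step), and with no lockfile in the repo there is no recorded version or integrity hash, so each run executes whatever matching release the registry serves at that moment. Pin exact versions in these three lines, or commit a package-lock.json so that cache: npm and npm ci work again and the resolved dependency tree is fixed.
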
    Comment on lines 24 to +25
    - name: Lint OpenAPI specs with Spectral
    run: npx spectral lint specs/v3/*.yaml --fail-severity error
    run: npx --yes @stoplight/spectral-cli@^6.14.0 lint specs/v3/*.yaml --fail-severity error
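
    Review bot: the version in the new run line is hand-copied from devDependencies in package.json (per the PR description), and with the install step gone nothing ties the two together, so they can drift without any check failing. Add a comment next to the selector pointing at package.json, or define the selector once at workflow level and reuse it in each step.
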
    @beastawakens Ed Fricker (beastawakens) enabled auto-merge (squash) May 8, 2026 11:08
    @beastawakens Ed Fricker (beastawakens) merged commit 54cb7c0 into main May 8, 2026
    5 checks passed
    @beastawakens Ed Fricker (beastawakens) deleted the fix/ci-no-lockfile branch May 8, 2026 11:08