ci: bump actions/setup-node from 6.0.0 to 6.3.0#1
Merged
Conversation
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
szTheory
added a commit
that referenced
this pull request
Apr 11, 2026
…moke Two root causes broke all five CI jobs on the initial push to GitHub: 1. Elixir 1.18.4 pin silently ignored `test_load_filters` (mix.exs) and rejected the `~r"..."E` regex modifier used by the Phoenix 1.8 phx.new dev.exs live-reload watcher. Both features are Elixir 1.19+. Library tests swept into test/example/** and failed to compile; example_*_smoke jobs died at `mix deps.get` with Regex.CompileError. 2. `yes Y | mix phx.new --no-install` in install-smoke.sh: --no-install means mix never reads stdin, so `yes` gets SIGPIPE. With `set -o pipefail` that propagates as exit 1 before phx.new even finishes. The yes-pipe was precautionary and not needed once --no-install is set. Bumping CI to match local dev (Elixir 1.19.5 / OTP 28.0) fixes root cause #1 across all five jobs. Dropping the yes-pipe fixes #2. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
szTheory
added a commit
that referenced
this pull request
Apr 11, 2026
) * fix(ci): bump Elixir to 1.19.5 + OTP 28, drop yes-pipe from install-smoke Two root causes broke all five CI jobs on the initial push to GitHub: 1. Elixir 1.18.4 pin silently ignored `test_load_filters` (mix.exs) and rejected the `~r"..."E` regex modifier used by the Phoenix 1.8 phx.new dev.exs live-reload watcher. Both features are Elixir 1.19+. Library tests swept into test/example/** and failed to compile; example_*_smoke jobs died at `mix deps.get` with Regex.CompileError. 2. `yes Y | mix phx.new --no-install` in install-smoke.sh: --no-install means mix never reads stdin, so `yes` gets SIGPIPE. With `set -o pipefail` that propagates as exit 1 before phx.new even finishes. The yes-pipe was precautionary and not needed once --no-install is set. Bumping CI to match local dev (Elixir 1.19.5 / OTP 28.0) fixes root cause #1 across all five jobs. Dropping the yes-pipe fixes #2. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(ci): pin toolchain via .tool-versions, guard Oban workers, fix :auto delivery Addresses three remaining failures on the first GitHub CI run after the initial Elixir 1.19 bump. Each is a structural/correctness fix rather than a CI workaround. 1. .tool-versions as single source of truth Replace duplicated `otp-version: '28.0'` + `elixir-version: '1.19.5'` pairs across five jobs with `version-file: .tool-versions` + `version-type: strict`. Local dev and CI now read from one file — standard erlef/setup-beam pattern. 2. Guard Oban workers behind Code.ensure_loaded?/1 Oban is declared `optional: true` in mix.exs, but the four worker modules (account_deletion, audit_cleanup, email_delivery, token_cleanup) were defined unconditionally with `use Oban.Worker`. When a consuming app pulls sigra as a dep without adding oban to its own deps, compilation fails with `module Oban.Worker is not loaded`. This was blocking the install_smoke job's `mix compile` inside a fresh phx.new project without Oban. Fix: wrap each module in `if Code.ensure_loaded?(Oban.Worker) do ... end`, the standard Elixir optional-dep pattern used by phoenix_live_view, swoosh, etc. Modules exist when the consumer pulls in Oban and simply aren't defined otherwise — matching the intent of `optional: true`. 3. Sigra.Delivery :auto mode detects supervised Oban, not loadable Oban `delivery_mode: :auto` routed to `:async` whenever Oban was loadable as a module. That's the wrong check — it only tells us the dep is present, not that the supervisor is running. Apps that add `{:oban, "~> 2.17"}` to mix.exs without wiring the supervisor tree (common during onboarding, and the state the test/example app is in) crashed at `oban.insert/1`. The Playwright golden-path smoke's register step reproduced this: the LiveView `save` handler crashed silently inside `deliver_user_ confirmation_instructions`, leaving the form on /users/register and failing the `expect(page).not.toHaveURL(/register/)` assertion. Fix: `oban_running?/0` now also checks `Process.whereis(Oban) != nil`. :auto → :sync whenever the supervisor isn't running. Tests updated to cover both branches (dummy registered-name process for the :async case). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(ci): bust example cache on lib source change, drop --no-gettext Two bugs uncovered on the PR's second CI run: 1. Example cache key was keyed only on `test/example/mix.lock`, but sigra is a path dep — library source changes don't bump that lock file. Cached `test/example/_build` was serving old compiled sigra artifacts across commits, so the previous `Sigra.Delivery.deliver` fix never actually ran in CI. Add `lib/**/*.ex` + `mix.exs` to the cache key for all three example jobs. Library source changes now force a fresh example compile. 2. `install-smoke.sh` passed `--no-gettext` to `mix phx.new`, but nine installer templates (reset_password, confirmation, API token emails, etc.) call `dgettext/2`. The generated controller then failed to compile with `undefined function dgettext/2`. Gettext is a soft requirement for `mix sigra.install` — drop the flag so the fresh app ships with gettext wired. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: silence optional-dep warnings, fix Swoosh mailer config target Two unrelated issues uncovered after the previous fixes cleared: 1. install_smoke: warnings-as-errors on optional-dep references Downstream consumers (fresh phx.new apps) compile sigra as a path dep without pulling in sigra's optional deps. The compiler then emits "module X is not available" warnings for every unguarded reference to Oban, Assent.Strategy.*, Joken, EQRCode, Bcrypt, etc — and `mix compile --warnings-as-errors` in the consuming app fails on them. Fix: add project-wide `elixirc_options: [no_warn_undefined: [...]]` in mix.exs listing every optional-dep module sigra calls plus the four conditionally-compiled worker modules. This is the standard library pattern — applies whether sigra is compiled standalone or as a dep. 2. example_playwright_smoke: registration LiveView crashed at mailer The registration `save` handler consistently crashed with: ** (KeyError) key :adapter not found in: [otp_app: :example] (swoosh) lib/swoosh/mailer.ex:207: Swoosh.Mailer.deliver/2 (example) lib/example/mailer.ex:11 The example app has two mailer modules: `Example.Mailer` (the raw `use Swoosh.Mailer`) and `Example.Accounts.Mailer` (the `Sigra.Mailer` behaviour wrapper that delegates to `Example.Mailer.deliver/1`). Only the raw one actually calls `Swoosh.Mailer.deliver/2`, so only the raw one needs the `:adapter` config. `test/example/config/dev.exs` had the adapter set on the wrong module (the wrapper), so Swoosh never found one on the raw mailer and crashed. Fix the example dev config, and fix `sigra.install`'s inject_swoosh_ config helper to target `<AppModule>.Mailer` instead of `<ContextModule>.Mailer` so fresh installs don't hit the same bug. Reproduced and verified locally via playwright-mcp: register now redirects to `/` on submit (post-registration auto-login), and the dev mailbox receives the confirmation email through the Swoosh.Local adapter. Full library suite (1253 tests) + example suite (46 tests) still green. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(install): drop .Auth. namespace from SettingsLive/ReactivationLive templates Two installer templates defined their LiveView modules under a `<web_module>.Auth.<Name>` namespace: defmodule <%= web_module %>.Auth.SettingsLive do defmodule <%= web_module %>.Auth.ReactivationLive do But the router injection in `sigra.install` writes plain route names: live "/settings", SettingsLive, :edit live "/reactivation", ReactivationLive Phoenix resolves those relative to the router's scope alias (the web module itself, e.g. `TmpAppWeb`), so they look for `TmpAppWeb.SettingsLive` and `TmpAppWeb.ReactivationLive` — not `TmpAppWeb.Auth.*`. With `mix compile --warnings-as-errors` in the consuming app, the undefined-module warnings become compile errors. test/example already uses the flat `ExampleWeb.SettingsLive` / `ExampleWeb.ReactivationLive` shape that matches its router, so this was a drift between the templates and the shipped example. `MFASettingsLive` is already flat in both places. Fix: drop `.Auth.` from both template defmodule lines so fresh installs match the router injection and the example app. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(ci): bust example cache on test/example/config + lib changes Second round of cache-staleness debugging: the example cache key missed two important source trees, letting stale compiled artifacts linger across commits. Missing from the hash: - test/example/config/** — config/dev.exs changes (like the Swoosh mailer adapter fix) never bumped the key, so the cached `_build` retained an `example.app` with the old compile-time config. Phoenix then booted with the stale config, Swoosh couldn't find `:adapter` on `Example.Mailer`, and the registration LiveView crashed. - test/example/lib/**/*.ex — example source changes (templates mirrored into the example app during development) would also have been masked by cache hits. Expand the key to hash test/example/config/**, test/example/lib/**/*.ex, and the existing library sources. Three example jobs (example, example_http_smoke, example_playwright_smoke) all updated. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(playwright): target iframe#html-mail to avoid Phoenix LiveReload iframe Phoenix Live Reload injects a hidden `iframe[src="/phoenix/live_reload/frame"]` in MIX_ENV=dev. The mailbox scraper was using `frameLocator('iframe')` which matched both that and Swoosh's `iframe#html-mail`, failing strict mode. Tighten the selector to `iframe#html-mail` — an ID Swoosh has used since its MailboxPreview plug was introduced. Register → confirm → login flow now reaches the mailbox step cleanly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(ci,playwright): warm LiveView routes + make confirm check flash-free Two follow-up fixes after the previous run: 1. Cold-start race on /users/register The example app runs with `plug_init_mode: :runtime` in dev (Phoenix 1.8's default), so each route pays a compile-on-demand cost on first request. The wait-for-app loop only hit `/`, so when Playwright clicked "Create an account" the LiveView was still compiling and the URL- change assertion timed out at 5s. Retries succeeded because the second request to the same route was cached. Add a warmup loop after the health check that curls every route the golden-path test will touch (/users/register, /users/log_in, /users/confirm, /dev/mailbox, /users/sessions, /users/sudo, /users/settings/mfa). Warmup failures are non-fatal so a broken route still surfaces via the real Playwright assertion, not an opaque curl. 2. Flash-text assertion on confirm page was brittle The test asserted `getByText(/confirmed|confirmation/i)` on the page after following the email link. ConfirmationLive auto-confirms in handle_params and immediately `redirect`s to `/` with a flash — but the flash is a toast component whose visibility lifecycle has shifted across Phoenix / daisyUI versions, and the page snapshot on failure showed zero flash elements even though the redirect succeeded. Switch to a URL-change assertion instead: `expect(page).not.toHaveURL(/\/users\/confirm\//)`. We care that the user got past the confirmation token URL, not about the exact rendering of the flash toast. If the user isn't actually confirmed, the later login/sessions steps will still catch it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(playwright): wait for phx-connected and bump register URL timeout The CI server logs reveal the actual root cause of the flaky register step: LiveView is connecting via :longpoll transport in CI, not WebSocket. The full validate→save→trigger_submit chain becomes N sequential HTTP round-trips and can exceed the default 5s expect timeout, which is why retries sometimes passed and sometimes didn't. Two adjustments: 1. Wait for `body.phx-connected` before filling the register form. If the page loads faster than the LV channel joins, Playwright's fill fires against a DOM that LiveView hasn't attached its bindings to yet — the resulting phx-submit gets queued and may lose state. 2. Bump the post-click `toHaveURL` timeout from the 5s default to 15s. Longpoll + validate + save + trigger_submit + full HTTP POST can take 6-10s on a cold CI worker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(playwright): phx-connected lives on LV root div, not <body> Previous commit waited for `body.phx-connected` but Phoenix LiveView attaches the `.phx-connected` class to the LV root element (the `<div data-phx-session>`), not `<body>`. The selector never matched and the test hit its 15s timeout before ever clicking register. Verified locally via playwright-mcp's page.evaluate: { bodyClass: '', rootClass: 'phx-connected', connectedSelector: 'DIV', phxHooks: [{ tag: 'DIV', cls: 'phx-connected' }] } Switch to `[data-phx-session].phx-connected` with `state: 'attached'` — we only care that the element exists in the DOM, not that it's in the viewport. Also replaces expect() with the more direct waitForSelector. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: sudo session lookup, backup codes updated_at, playwright LV waits Three related fixes surfaced by running the golden-path Playwright smoke locally and tracing every crash in the dev server log. 1. Sudo controller crash: `conn.private[:sigra_session]` was nil SudoController.create/2 reads `conn.private[:sigra_session]` to get the session's hashed_token and stamp sudo_at, but nothing in the plug chain was actually populating that private key. The form submit crashed with `(BadMapError) expected a map, got: nil`. Fix: introduce `Accounts.get_user_and_session_by_token/1` that returns `{user, session}` and have `UserAuth.fetch_current_scope/2` stash the session record into `conn.private[:sigra_session]`. Mirrored into the installer templates so fresh installs land with the same wiring. 2. Sigra.MFA.confirm_enrollment bulk insert passed updated_at The library hardcoded `updated_at: now` in the backup-code entries map, but the shipped schemas use `timestamps(updated_at: false)` so the DB doesn't have that column. insert_all failed with "unknown field `:updated_at`". Drop the field — backup codes are effectively write-once (only `used_at` changes on consumption), so updated_at is meaningless anyway. 3. Playwright config + golden-path rewrite - playwright.config.ts: global `expect.timeout: 15_000`, `actionTimeout`, `navigationTimeout`, and test-level `timeout` so longpoll-transport LV events have room to complete without sprinkling per-call `{ timeout }` options everywhere. - waitForLiveViewReady helper: waits for `[data-phx-session].phx-connected` (verified via browser inspect — the class is on the LV root div, NOT <body>). - Add waits on every LiveView navigation: register, sessions, settings/mfa, mfa challenge. - Confirm step: don't wait for phx-connected (ConfirmationLive redirects to `/` during handle_params, so by load time we're already on a non-LV page). - MFA enroll: submit via Enter keypress on the code input to avoid a DOM-detach race — phx-change re-renders the form on each keystroke which detaches the submit button between fill and click. - MFA "save backup codes" step: click the phx-click checkbox and wait for the Done button to become enabled before clicking. - Mailer config: removed reliance on brittle flash text assertions; URL-change assertions are more stable across Phoenix/daisy versions. Also adds `.actrc` for `act` (local GitHub Actions runner) — enables iterating on the full CI workflow in Docker instead of push-and-wait. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs(ci): add act local CI setup + runbook section act (github.com/nektos/act) lets us run .github/workflows/ci.yml in Docker locally, mirroring the real GitHub Actions runner. This is the fastest way to iterate on CI changes — the previous push → wait loop takes ~3 minutes per cycle, act takes ~90s after the first warm-up. .actrc pins the Ubuntu image to `catthehacker/ubuntu:act-20.04`. This is load-bearing and well-documented inline: erlef/setup-beam's arm64 Erlang/OTP prebuilds on builds.hex.pm are ONLY built against Ubuntu 20.04 (libssl1.1). Any newer image (22/24) breaks the :crypto NIF with `libcrypto.so.1.1: cannot open shared object file`, which in turn breaks `mix local.rebar`. 20.04 has libssl1.1 natively. Also: `--container-options --user=0:0` forces root so setup-beam can write to /opt/hostedtoolcache. Added a full "Running CI locally with `act`" section to the UAT runbook covering: - one-time setup (brew install act, docker pull) - port 5432 collision diagnostics (Homebrew Postgres, stale containers) - common commands (-j, -l, --reuse, --graph, --verbose) - troubleshooting the three failure modes we hit during setup Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: mfa_status reads schemas from opts; Playwright golden-path green The golden-path Playwright smoke is now GREEN end-to-end locally (2.8s on warm DB). Act reproduces the same flow on arm64 Linux and catches the same bugs, so local iteration is now the tight loop. Root causes fixed along the way: 1. `Sigra.MFA.status/2` read credential schemas from `config.mfa`, but `Sigra.Config`'s NimbleOptions schema for `:mfa` doesn't accept `mfa_credential_schema` / `backup_code_schema` (those are per-call opts, same pattern as `confirm_enrollment/3` and `verify/4`). So `mfa_status/1` always returned `enabled: false` even for enrolled users, and `MFASettingsLive.mount/3` always rendered the pre- enrollment "Set up" surface on remount. Fix: accept `opts` in `Sigra.MFA.status/3` with fallback to `config.mfa` for back-compat, and have both the example and the installer template's `Accounts.mfa_status/1` wrapper pass the schemas explicitly. 2. The enrollment form uses `phx-submit="confirm_enrollment"` but `validate_enroll` also auto-calls `do_confirm_enrollment` as soon as the code hits 6 digits. Pressing Enter after `page.fill` fired confirm_enrollment a SECOND time against a socket whose raw_secret had just been nil'd by the successful first call — crashing the LV with `verify_totp(nil, ...)`. Remove the Enter press; the auto- confirm handles it. 3. The logout step used `page.request.fetch` for `DELETE /users/log_out`, which uses a separate cookie jar from the browser context — the browser session survived, and re-login silently succeeded on the existing authentication. Replace with `page.context().clearCookies()` which is simpler and matches the test's actual intent (force a fresh login), without exercising the server-side delete path (which has its own ConnTest coverage). 4. The example app uses MFA as step-up auth (sudo mode), not as a login challenge — `UserAuth.log_in_user/3` does not route through `MFAChallengeLive`. The test previously expected a `/users/mfa` redirect after re-login, which never happened. Rewrite step 8 to verify: (a) re-login works and (b) MFA state persists across the logout/login round-trip by asserting the "Disable" button is still visible on `/users/settings/mfa`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/setup-node-6.3.0
branch
from
c99987b to
ce58d74
Compare
szTheory
added a commit
that referenced
this pull request
Apr 12, 2026
…pitfalls, summary
Four parallel research tracks + synthesis, all focused on v1.1 Foundations
(Organizations + Passkeys):
- STACK: add {:wax_, "~> 0.7"} only; SimpleWebAuthn 13 in generator JS;
reuse cloak_ecto vault; no MT library; no Igniter
- FEATURES: table stakes from Clerk/Auth0/WorkOS/GitHub/Jetstream/FIDO;
anti-features list (no auto personal org, no PG schema-per-tenant)
- ARCHITECTURE: 13 phases, two parallelizable tracks; 12 v1.2 forward-compat
load-bearing decisions identified (reserved impersonating_from scope field,
audit_events real org_id + effective_user_id columns, subdir feature
manifest pattern, etc.)
- PITFALLS: 26 pitfalls with CVE/post-mortem citations; top 5 criticals are
cross-tenant leak, invite hijack, last-owner lockout, WebAuthn challenge
replay, stolen-session passkey enrollment
- SUMMARY: single coherent view with top 10 prioritized pitfalls, phase
ordering with pitfall mitigations as phase requirements, and 12 open
questions for discuss-phase
No cross-researcher contradictions except backfill default (flagged in
open questions #1).
szTheory
added a commit
that referenced
this pull request
Apr 12, 2026
* docs(10.1.1-08): complete CI rename + branch protection plan
- Write SUMMARY.md covering rename, RUNBOOK update, and branch-protection checkpoint
- Document ruleset introspection via gh api and deletion of duplicate ruleset
- Mark plan 08 complete in ROADMAP (phase 10.1.1 now 8/8)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(10.1.1): verify phase 10.1.1 complete — 23/23 must-haves passed
- All 9 UAT bugs (B1-B9) closed in example + installer template
- All 15 CONTEXT decisions (D-01..D-15) satisfied with evidence
- CI harness live: 5 required checks on main via ruleset 14941512
- Example app compiles cleanly with --warnings-as-errors
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(v1.0): re-audit milestone — status passed after phase 10.1.1
- 7 of 19 HUMAN-UAT items resolved by Playwright golden-path + CI smoke jobs
- 4 partially resolved; 8 remain genuinely human-only (email visual, OAuth creds, UX)
- Zero wiring gaps, zero unsatisfied requirements, traceability table updated
- Nyquist 5/12 compliant, 6/12 partial, 1/12 missing — non-blocking
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(v1.0): capture v1.0 tech debt as 2 seeds + 2 backlog items
Seeds (trigger-conditioned, surface during /gsd-new-milestone):
- SEED-001: Run 8 remaining human-only UAT items before v1.0 GA announce
(email visual × 4, OAuth real-credential × 4)
- SEED-002: Convert phase 9 log_safe/3 hybrid to atomic Ecto.Multi
(C-1 caveat followup — trigger on customer report or compliance review)
Backlog (999.x parking lot):
- 999.1: Retroactive Nyquist validation pass for 6 draft + 1 missing
- 999.2: Dependabot major-version bumps (setup-node 4→6, upload-artifact
4→7, checkout 4→6) — requires per-bump CI verification
Nothing blocks v1.0 close; everything is tracked.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: complete v1.0 milestone — Phoenix Auth Library initial release
Archive:
- ROADMAP.md → milestones/v1.0-ROADMAP.md (full phase details preserved)
- REQUIREMENTS.md → milestones/v1.0-REQUIREMENTS.md (85/85 complete)
- v1.0-MILESTONE-AUDIT.md → milestones/v1.0-MILESTONE-AUDIT.md
Updated:
- MILESTONES.md — v1.0 entry with 9 key accomplishments
- ROADMAP.md — collapsed to milestone-grouped format + backlog section
- PROJECT.md — all requirements → Validated v1.0, Key Decisions updated
with outcomes, Current State section added
- STATE.md — v1.0 marked complete
Scope: 12 phases, 60 plans, 117 tasks. 1249 tests + 33 doctests +
3 properties, 0 failures. 85/85 requirements satisfied. 5 required
CI checks green on main.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: scope v1.1 foundations + earmark v1.2 admin dashboard
Rewrite MILESTONE-CONTEXT.md for v1.1 "Foundations" scope (Organizations +
Passkeys). Organizations comes first because it's architecturally
foundational — retrofitting org-scoping into an admin UI later would be
painful. Passkeys pairs with it because it's self-contained.
Create v1.2-DIRECTION.md capturing full direction on admin UI +
impersonation + audit views, including all user-provided context
(Django-admin-loved vibe, mobile-first, light+dark mode, branding,
UX principles, impersonation security model, research assignments).
Dormant until v1.1 completes.
Scope decision logged in .claude/plans/breezy-beaming-beacon.md.
* docs: start milestone v1.1 Foundations — Organizations + Passkeys
Update PROJECT.md with Current Milestone v1.1 section and Active
requirements list. Reset STATE.md for new milestone. Remove consumed
MILESTONE-CONTEXT.md. Clear 12 v1.0 phase directories from
.planning/phases/ (contents remain in git history; milestone-level
v1.0 docs preserved in .planning/milestones/). 999.x backlog phases
left in place.
Next: spawn 4 parallel research agents (STACK, FEATURES, ARCHITECTURE,
PITFALLS) covering multi-tenancy org patterns, passkey UX, invite flow
failure modes, and WebAuthn/MT CVEs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(v1.1): complete research phase — stack, features, architecture, pitfalls, summary
Four parallel research tracks + synthesis, all focused on v1.1 Foundations
(Organizations + Passkeys):
- STACK: add {:wax_, "~> 0.7"} only; SimpleWebAuthn 13 in generator JS;
reuse cloak_ecto vault; no MT library; no Igniter
- FEATURES: table stakes from Clerk/Auth0/WorkOS/GitHub/Jetstream/FIDO;
anti-features list (no auto personal org, no PG schema-per-tenant)
- ARCHITECTURE: 13 phases, two parallelizable tracks; 12 v1.2 forward-compat
load-bearing decisions identified (reserved impersonating_from scope field,
audit_events real org_id + effective_user_id columns, subdir feature
manifest pattern, etc.)
- PITFALLS: 26 pitfalls with CVE/post-mortem citations; top 5 criticals are
cross-tenant leak, invite hijack, last-owner lockout, WebAuthn challenge
replay, stolen-session passkey enrollment
- SUMMARY: single coherent view with top 10 prioritized pitfalls, phase
ordering with pitfall mitigations as phase requirements, and 12 open
questions for discuss-phase
No cross-researcher contradictions except backfill default (flagged in
open questions #1).
* docs(v1.1): define milestone requirements — 69 REQs across 11 categories
REQUIREMENTS.md covers organizations (foundation + scope + UX + upgrade),
invitations, audit integration, passkeys (foundation + UX), generator
feature-manifest system, and DX. Every REQ is user-centric and testable.
Decisions embedded from /gsd-discuss-phase answers:
- No auto personal orgs on signup; opt-in backfill for v1.0 upgraders
- Passkey-as-primary is opt-in config with mandatory magic-link fallback
- Conditional UI autofill ships in v1.1 (progressive enhancement)
- Sign-count regression defaults to :warn (Apple iCloud / Google compat)
- Challenge storage in signed+encrypted Plug session
- Per-session active-org on user_sessions
- Nullable audit_events.organization_id (library events outside org ctx)
- Marker-based JS injection with manual fallback for custom bundlers
- 7d invite TTL configurable, >30d warning
- Credo custom check time-boxed, ship if <=300 lines
- 12 v1.2 forward-compat decisions locked in v1.1
v1.2-DIRECTION.md updated with Q0 on packaging shape (single sigra
package vs separate sigra_admin package / monorepo) for v1.2 kickoff
discussion.
* docs(v1.1): create milestone roadmap — 13 phases (11-23)
Phase breakdown for v1.1 Foundations:
- 11. Generator Feature System (subdir + behaviour pattern, load-bearing v1.2)
- 12. Scope + Session Foundation (reserved impersonating_from field)
- 13. Org schemas + context (last-owner guard, for_org/2, reserved slugs)
- 14. Org plugs + scope hydration (stale-pointer reset, 0/1/2+ login)
- 15. Audit integration (real org_id + effective_user_id columns, Sigra.Workers)
- 16. Org LiveViews + switcher (create/switch/settings/members, no auto personal)
- 17. Invitation flow (email-bound HMAC, mismatch page, rate-limited)
- 18. Backfill + --organizations wiring (upgrade test, org-axis smoke)
- 19. Passkey schema + contexts (wax_, Cloak pubkey, credential-confusion defense)
- 20. Passkey challenge plug + runtime + JS hooks (Plug session, marker injection)
- 21. Passkey LiveViews (sudo-gated, 2FA + opt-in primary, Conditional UI)
- 22. --passkeys generator wiring (combinatorial matrix)
- 23. Docs + CI smoke + upgrade guide (3 guides, Playwright, test helpers)
79/79 requirements mapped. Phases 13/15/17/19/20/21 ship pitfall
mitigations as phase requirements (not follow-ups). Org track and
passkey track parallelizable after foundation phases 11+12. Phases 18
and 22 are serialization points; phase 23 is the release gate.
Phase numbering continues from v1.0 (last phase was 10.1.1). 999.x
backlog phases preserved in place.
* docs(11): capture phase context
* docs(state): record phase 11 context session
* docs(11): research generator feature system phase
* docs(11): add validation strategy
* test(11-01): add InstallFixture helper for golden-diff harness
- scaffolds fresh mix phx.new tmp app
- patches mix.exs to use path: sigra dep
- runs mix sigra.install capturing stdout
- provides normalize_tree/1 + normalize_stdout/2 for golden diffing
* test(11-01): add golden-diff test harness (regression barrier)
- asserts generated tree + stdout match committed fixture
- fails loudly with runbook pointer if fixture missing/empty
- normalizes migration timestamps + ANSI + absolute paths
- tagged :golden + :integration, 300s timeout for mix phx.new
* test(11-01): filter dep noise + normalize config secrets + delta tree
- pre-compile deps before sigra.install run to silence dep compile output
- snapshot baseline tree so only installer-touched files are captured
- normalize Phoenix-generated random salts in config/*.exs files
- strip macOS /private path prefix + dep compile noise lines from stdout
- golden_diff_test passes the baseline paths into normalize_tree/2
* test(11-01): capture pre-refactor golden fixture (42 files)
Captured from pre-refactor monolith lib/mix/tasks/sigra.install.ex via
mix sigra.install Accounts User users --yes against a fresh mix phx.new
(--no-assets --no-mailer --no-install) app with --live default.
Contents:
- 41 delta files under tree/ (lib/, priv/repo/migrations/, config/, test/support/)
- STDOUT.txt (3.5KB, normalized)
Migration filenames normalized to TIMESTAMP_ prefix (D-05). Migration
file contents are byte-identical. Phoenix-generated random salts in
config/*.exs replaced with deterministic placeholders. Dep compile
output and absolute paths stripped from STDOUT.txt.
This fixture is the Phase 11 regression barrier — every subsequent
wave's commits are gated against mix test test/sigra/install/golden_diff_test.exs.
* docs(11-01): complete golden-diff harness plan
SUMMARY captures the Wave 0 regression barrier: InstallFixture helper +
golden_diff_test harness + committed pre-refactor fixture (41 delta files
+ STDOUT.txt). Notes the 45-file threshold spec mismatch (installer
generates 41 files on --live default path) and the two Rule 2 fixes
applied inline during capture (baseline-diff tree + dep compile
noise filtering).
* docs(11): create phase plans + resolve research/validation revisions
Adds 6 PLAN.md files for Phase 11 (generator feature system), applies
planner revisions to RESEARCH.md (Open Questions → RESOLVED) and
VALIDATION.md (per-task map extensions for stdout byte-gate and
Oban/Swoosh post_instructions tests). Updates ROADMAP.md Phase 11
entry with the 6-plan list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(11-02): add Feature behaviour + Injection struct + Injector.apply/2
- New Sigra.Install.Feature behaviour with 5 callbacks (enabled?/1,
files/1, injections/1, migrations/1, post_instructions/2) per D-01
- New %Sigra.Install.Injection{} struct (target/marker/anchor/content)
with enforced keys per D-02
- New Sigra.Install.Injector.apply/2 adapter — thin idempotent wrapper
over the existing marker-based injector; returns {:ok, :injected} or
{:ok, :already_present} — GEN-04 idempotency primitive
- Sigra.Install.Report struct pre-defined so Feature typespec compiles
(public API + tests land in Task 2)
- Unit tests: feature_test (behaviour shape), injection_test (struct
construction + idempotency on two consecutive apply/2 calls)
- Monolith lib/mix/tasks/sigra.install.ex UNTOUCHED (Wave 0 golden-diff
regression barrier intact)
* feat(11-02): add Report tests + MigrationTimestamps slot allocator
- New Sigra.Install.MigrationTimestamps.allocate/2 — deterministic
slot-based timestamp allocator per D-04/GEN-07. Walks features in
canonical order; assigns base_time + N seconds globally across all
slots so Features.Core always precedes Features.Organizations
regardless of wall-clock. Replaces offset_timestamp/1 in the
monolith (wired up in Wave 4).
- Report unit tests: new/0, record_*, render_summary/1 (header row,
sort stability, empty-report guard, long-path padding without
trailing empty row per plan-checker info-level fix)
- MigrationTimestamps unit tests: monotonic-within-feature,
cross-feature order, determinism (same input = same output),
14-digit timestamp format, empty feature list guard
- Monolith untouched; golden-diff regression barrier intact
* docs(11-02): complete generator primitives plan summary
* refactor(11-03): relocate v1.0 templates into core/ subdirectory
Mechanical content-preserving move of all 45 v1.0 templates from
priv/templates/sigra.install/*.{ex,exs} to priv/templates/sigra.install/core/
to prepare for Wave 3 feature-module extraction (GEN-02, D-03).
- git-mv every template file (45 pure renames, 0 content changes)
- find_template/1: both override path and library fallback now include
the core/ prefix (CD-01: breaking change for pre-1.0 override consumers)
- Update every test helper that reads raw template files to point at core/:
api_token/email/mfa/reset/wiring generator tests, session/settings template
tests, installer_drift_test, application_cookie_warning_test,
auth_fixtures_scenario_test, guides_dx02_test
- Add test/sigra/install/templates_layout_test.exs asserting the new
manifest: 45 files under core/, 0 files at the flat top level
Golden-diff test stays green: rendered output paths are unchanged,
only the template source location moved.
* docs(11-03): complete template relocation plan summary
* test(11-04): add failing Features.Core behaviour contract tests
* feat(11-04): implement Features.Core behaviour with files/migrations/enabled?
Task 1 of Plan 11-04 (Wave 3): extract v1.0 installer file catalog into
Sigra.Install.Features.Core as a pure addition. The 785-line monolith at
lib/mix/tasks/sigra.install.ex is UNCHANGED in this wave — Features.Core
is defined, unit-tested, and ready but not yet wired into the install path.
Wave 4 will flip the walker to use it.
Callback coverage in this commit:
- enabled?/1: always true (Phase 11 Success Criterion #4)
- files/1: 25 base + 9 live UI (or 3 controller-mode UI) + 2 api + 1 jwt
— matches the monolith's rendered template set byte-for-byte across
every --live/--api/--jwt combination
- migrations/1: 3 slots (:primary, :api_token, :audit_events)
- injections/1 and post_instructions/2: stub returns populated in Task 2
Binding contract documented in moduledoc; isolation invariant (Pitfall X-1)
mechanically enforced by CoreTest — zero references to Organizations/
Passkeys/Admin in the non-moduledoc source.
* test(11-04): add Features.Core injection + Oban/Swoosh fixture tests
Task 2 of Plan 11-04 (Wave 3): lock in the full injection and
post-instruction contract of Sigra.Install.Features.Core.
Tests added to core_test.exs:
- injections/1 returns non-empty list of %Injection{} records
- (target, marker) pairs are unique — the monolith uses one shared
'# Sigra authentication' marker across router/config/test.exs targets
and that is fine because idempotency is per-file
- every anchor is supported by Injector.apply_anchor/3
- router injection content contains the mandatory plug pipeline + routes
for both --live and --no-live modes
- config injection content interpolates otp_app + context module correctly
- --api adds api-router + api-config injections
- --jwt adds an additional jwt-router injection on top of --api
Tests added to core_post_instructions_test.exs (new file, async: false):
- Oban detected in config/config.exs emits queue instruction
- Oban detected in config/runtime.exs is preferred over config/config.exs
- Oban already-configured (sigra_mailer queue present) emits the yellow
'already configured' line
- Oban absent emits the synchronous-mode warning
- No config files at all also emits Oban-absent warning
- Swoosh already-configured in config/dev.exs emits already-configured
line and does NOT mutate the file
- Swoosh absent mutates config/dev.exs with Swoosh.Adapters.Local block
(side effect preserved for byte-identity with v1.0 monolith)
- Missing config/dev.exs produces no Swoosh output (no-op)
- app_module binding routes to the raw <App>.Mailer module, not the
Sigra.Mailer behaviour wrapper
base instruction tests also moved into the post_instructions file
because they share the required temp-dir cd (Features.Core.post_instructions
reads real files from cwd).
post_instructions tests strip ANSI atoms (:yellow/:green/:reset) via
IO.ANSI.format(false) before IO.iodata_to_binary/1.
Monolith still untouched (git diff lib/mix/tasks/sigra.install.ex == 0).
Golden-diff test still green. All 322 install tests pass.
* docs(11-04): complete wave 3 Features.Core extraction plan summary
* refactor(11-05): extract generic walker into Sigra.Install.Runner
Shrink the 795-line Mix.Tasks.Sigra.Install monolith to 139 LOC of
pure arg parsing + binding build + Runner.run invocation. The new
Sigra.Install.Runner walks a canonical feature list (currently just
[Sigra.Install.Features.Core]) and is completely feature-agnostic —
adding Features.Organizations / Features.Passkeys / Features.Admin
in a later phase requires ZERO edits to the runner.
Key changes:
- lib/sigra/install/runner.ex (new, 187 LOC): walks features, filters
by enabled?/1, allocates migration timestamps via
MigrationTimestamps.allocate/2 up-front, overlays existing on-disk
migrations for re-run idempotency (GEN-04), then for each feature
renders files, applies injections via Injector.apply/2, and prints
post_instructions chunks.
- lib/mix/tasks/sigra.install.ex (139 LOC, was 795): only arg parse,
binding build, and Runner.run invocation. Zero Core-specific
logic; @features [Sigra.Install.Features.Core] is the only
reference to the Core module.
- lib/sigra/install/injector.ex: extend apply_anchor/3 with
:elixir_config, :append_eof, and :conn_case_helpers so
Injection records targeting non-module files (config.exs,
test.exs, conn_case.ex) produce byte-identical output to the v1.0
monolith's specialized inject_config / inject_test_config /
inject_conn_case helpers.
- lib/sigra/install/features/core.ex:
* files/1 inlines primary and audit_events migration entries at
their monolith positions so the walker's create_file loop emits
them byte-identical to the pre-refactor output. api_token
migration is similarly inlined in the --api/--jwt branch. Slot
metadata remains in migrations/1 for MigrationTimestamps.
* post_instructions/2 returns a list of per-info-call chunks
(oban → swoosh → base instructions) in the monolith's ordering
so the walker's Mix.shell().info loop reproduces the exact
trailing-newline topology the golden STDOUT.txt fixture captured.
* router_injection heredocs reindented to match the monolith's
4-space nested-route stripping so router.ex output is byte-
identical.
* config/test_config/conn_case injections updated to use the new
dedicated anchors.
- Tests:
* test/sigra/install/features/core_test.exs: length assertions
updated (34→36 default, 28→30 --no-live) for inlined migrations;
anchor-support list extended for the new anchors.
* test/sigra/install/generator_{mfa,wiring}_test.exs,
test/sigra/install/api_token_generator_test.exs: legacy
white-box asserts that grep the monolith's source re-pointed
at lib/sigra/install/features/core.ex since Features.Core now
owns the content.
Verification:
- mix test test/sigra/install/golden_diff_test.exs → 2/2 green
(both tree byte-identity AND STDOUT.txt byte-identity). The
test/fixtures/install_golden/ directory is UNCHANGED.
- mix test test/sigra/install → 322/322 green.
- mix test test/sigra → 1296/1296 green.
- mix compile --warnings-as-errors → clean.
- wc -l lib/mix/tasks/sigra.install.ex → 139 (target ≤150).
Phase 11 / Plan 05 / Wave 4. GEN-01, GEN-05, GEN-07.
Enables GEN-04 idempotency test in the next commit.
* test(11-05): add GEN-04 re-run idempotency proof
New test/sigra/install/idempotency_test.exs uses the Wave 0
InstallFixture helper to scaffold a fresh Phoenix tmp app, runs
mix sigra.install once (via setup_tmp_app/0), then runs it a second
time and asserts:
* sha256 snapshot of the tracked tree is byte-identical before
and after the second run (no content changes, no new files)
* on-disk mtimes are stable (stronger: proves the runner did not
even re-open existing files)
* second-run stdout contains "already exists" or "already
injected" skip markers emitted by Sigra.Install.Runner
This mechanically locks GEN-04: any future regression that causes
the walker to overwrite existing files on a second invocation
fails this test immediately. Runtime ~22s (dominated by the
shared setup_all phx.new + deps.get + first install run).
Phase 11 / Plan 05 / Wave 4. GEN-04.
* docs(11-05): complete wave 4 walker refactor plan summary
Capture the per-task commit log, the 3-iteration golden-diff
convergence, deviation rules applied (Rule 3 migration inlining,
Rule 1 :before_last_end bug fix + router indent fix, Rule 2
post_instructions chunking, Rule 3 white-box test re-pointing), and
final LOC + test counts.
Phase 11 / Plan 05 / Wave 4.
* test(11-06): add V-PA-01 purely-additive + V-ISOLATION-01 boundary guardrails
- purely_additive_test.exs: FakeFeature implementing Sigra.Install.Feature
is walked by Runner.run/3 against a tmp dir with ZERO source edits to
runner.ex or sigra.install.ex — mechanical proof of the Phase 11
purely-additive invariant (V-PA-01).
- Plus two grep assertions: sigra.install.ex has no per-feature case
branches and declares @features; runner.ex executable code has no
feature-specific references (docstring-stripped scan).
- isolation_test.exs: features/core.ex source and all 45 core/ templates
contain zero references to forbidden future-feature symbols
(Features.{Organizations,Passkeys,Admin}, UserPasskey, AdminUser, …) —
enforcing Pitfall X-1/X-3 at the source level.
- Both tests strip @moduledoc/@doc heredocs before scanning so docs
can name the invariant without failing the grep.
- 6 tests green in 0.05s; full test/sigra/install/ still 330/330 green.
* docs(11-06): finalize 11-VALIDATION.md — flip nyquist_compliant, populate per-task map
- Frontmatter: status draft→approved, nyquist_compliant false→true,
wave_0_complete false→true, updated to 2026-04-11.
- Per-task verification map: replaced skeleton rows (which referenced
nonexistent plans 07/08) with 12 real rows — one per task across
Plans 11-01..11-06. Each Automated Command is copied verbatim from
the task's <verify><automated> block.
- Wave 0 requirements checklist: all boxes now ticked (Wave 0 shipped
via Plans 11-01 and 11-02).
- Validation sign-off: all 6 boxes checked; Approval updated from
pending to approved (2026-04-11, Wave 5 completion).
- Phase 11 is now audit-ready for /gsd-verify-work.
* docs(11-06): complete validation guardrails plan summary
- V-PA-01 + V-ISOLATION-01 guardrails ship (6 tests, 0.05s).
- Full test/sigra/install/ suite: 330/330 green in 62.8s.
- Walker files (runner.ex, sigra.install.ex) unmodified vs Wave 4 base.
- 11-VALIDATION.md finalized: nyquist_compliant true, 12 task rows.
* docs(11): complete phase 11 — verification passed, state updated
All 5 phase success criteria achieved, all 5 GEN requirements satisfied.
Golden-diff regression barrier byte-identical end-to-end. Monolith shrunk
795→139 LOC. V-PA-01 purely-additive + V-ISOLATION-01 boundary guardrails
mechanically enforced. Phase 11 ready to close.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: clear ephemeral auto-chain flag after phase 11 run
* docs(11): ship phase 11 — PR #7
* fix(ci): exclude test/fixtures/ from test_load_filters
Mix 1.19 auto-discovers .ex/.exs files under test/ for compilation when
running `mix test`. The golden-diff snapshot tree at
test/fixtures/install_golden/tree/ references ephemeral project modules
(e.g., SigraInstallGoldenTmpWeb) that don't exist in the library compile
env, causing CompileError on clean CI builds.
Local runs worked because `_build/test` held stale compiled artifacts
from earlier runs. CI starts fresh and hits the undefined-module error
immediately during test file loading.
The fixture tree is a captured output, not source — Mix should never
try to compile it. Extends the existing negative lookahead (which
already skips test/example/) to also skip test/fixtures/.
This resolves the flag noted in Plan 11-03 SUMMARY.md as "Deferred:
Pre-existing Mix 1.19 auto-compilation issue with test/fixtures/
install_golden/tree/**/*.ex".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(11-03): update sigra.install_test template paths to core/ subdir
Plan 11-03 relocated all v1.0 templates from priv/templates/sigra.install/
to priv/templates/sigra.install/core/ and updated 11 test helpers, but
missed test/mix/tasks/sigra.install_test.exs which has 15 hardcoded
Path.join references. Failed locally only with a clean _build/test
(stale bytecode masked it); failed on CI immediately.
Mechanical insert of "core" component into all 15 Path.join lists.
Verified: mix test test/mix/tasks/sigra.install_test.exs → 19/19 green;
full mix test suite → 1323 tests, 0 failures.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci: install phx_new archive in library_tests job
test/sigra/install/golden_diff_test.exs and idempotency_test.exs use
InstallFixture.setup_tmp_app/1 which shells out to `mix phx.new` to
scaffold a fresh Phoenix app for byte-identity regression testing.
Locally the archive is always installed; on CI the library_tests job
was missing it (only install_smoke had it), causing these Phase 11
tests to fail with "The task phx.new could not be found".
Adds Install Hex + Rebar + Install phx_new archive steps to
library_tests, mirroring the existing install_smoke job setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(11-01): filter OTP version warnings from normalized stdout
Mix on OTP 28.0 prints a 3-line warning to stdout about regex
recompilation at runtime (fixed in 28.1+). This is environment-
dependent noise, not part of the installer's own output — it must
not affect byte-identity against the committed golden fixture.
Local machine had a patch version that didn't print the warning when
the fixture was captured. CI ubuntu-latest has 28.0, which does
print it, causing STDOUT.txt divergence.
Fix: extend dep_compile_noise?/1 to drop three specific line
patterns (version-agnostic regexes so future OTP warnings about
other issues don't need new filters).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs(11): fix ExDoc warnings for broken function references
Phase 11 moduledocs referenced:
- Callback refs (Feature.injections/1) that ExDoc can't resolve as
functions — @callback declarations aren't runtime functions
- @impl-hidden refs (Features.Core.enabled?/1, migrations/1) — ExDoc
treats @impl true callbacks as hidden and rejects links to them
- Deleted refs (Mix.Tasks.Sigra.Install.generate/4 and
offset_timestamp/1) — removed by Wave 4 walker refactor, no longer
exist in the compiled module
Fix: split fully-qualified references into Module + separate fun/n
so ExDoc doesn't auto-link them as functions. Replace deleted-function
references with prose descriptions of the new walker architecture.
Local: `mix docs --warnings-as-errors` now clean. CI library_tests
job's "Check docs build cleanly" step should now pass.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/setup-node-6.3.0
branch
2 times, most recently
from
3f0fc72 to
bce2dd5
Compare
dependabot
Bot
changed the title
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.4 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@0a44ba7...53b8394) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/setup-node-6.3.0
branch
from
bce2dd5 to
998b8f5
Compare
dependabot
Bot
deleted the
dependabot/github_actions/actions/setup-node-6.3.0
branch
This was referenced Apr 20, 2026
szTheory
added a commit
that referenced
this pull request
May 2, 2026
- Documents 5/5 tests passing, 3 auto-fix deviations found and applied - Closes 93-VERIFICATION.md Open Gap #1 - D-AUD-07/08/10 and D-93-22 anchors now executable
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-node from 6.0.0 to 6.3.0.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)621ac41README.md: bump to latest released checkout version v6 (#1446)2951748Bump@actions/cacheto v5.0.1 (#1449)