ci: daily fresh-install unit tests to catch dep range breakage #2579

Merged
nperez0111 merged 1 commit into main from feat/periodic-fresh-install-ci
Mar 20, 2026

@nperez0111 nperez0111 commented Mar 20, 2026

Summary

Adds a scheduled GitHub Actions workflow that runs the full unit test suite daily against freshly resolved dependencies (no lockfile), to catch breakage when a new release of a dependency lands within BlockNote's declared version ranges.

Rationale

When BlockNote declares @tiptap/core: ^3.0.0, a new tiptap patch or minor release could silently break things for users doing a fresh npm install @blocknote/react. Our normal CI uses a frozen lockfile and wouldn't catch this. This workflow simulates exactly the install experience a new user has.

Changes

  • Added .github/workflows/fresh-install-tests.yml: runs on a daily cron (0 2 * * *) and on workflow_dispatch, deletes pnpm-lock.yaml before installing so pnpm resolves all prod/peer deps to their latest versions within declared ranges, then builds and runs the full unit test suite with NX_SKIP_NX_CACHE=true.

Impact

No impact on existing workflows or functionality. The new workflow is additive and runs independently on a schedule.

Testing

Steps were verified locally: lockfile deleted → pnpm install --no-frozen-lockfile resolved fresh deps (tiptap 3.15.3 etc.) → pnpm run build passed for all 18 projects → pnpm run test passed for all 12 test targets with 0 errors.

Screenshots/Video

N/A

Checklist

  • Code follows the project's coding standards.
  • Unit tests covering the new feature have been added.
  • All existing tests pass.
  • The documentation has been updated to reflect the new feature

Additional Notes

DevDependencies (vitest, vite, typescript, etc.) are still bounded by their declared ranges in package.json even without a lockfile — only prod/peer deps get freshly resolved. NX_SKIP_NX_CACHE is set to prevent stale Nx task cache from masking failures.

Summary by CodeRabbit

  • Chores
    • Added automated daily testing to verify package builds and unit tests work with fresh dependencies, ensuring compatibility with latest package versions.

Adds a scheduled GitHub Actions workflow that runs the unit test suite
after deleting the lockfile and reinstalling deps fresh, to catch
breakage from new releases of dependencies like @tiptap/* or
prosemirror-* within BlockNote's declared version ranges.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vercel bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
blocknote | Ready | Preview | Mar 20, 2026 3:53pm
blocknote-website | Ready | Preview | Mar 20, 2026 3:53pm

coderabbitai bot commented Mar 20, 2026

Walkthrough

Added a new GitHub Actions workflow for daily fresh install testing scheduled at 02:00 UTC and on manual dispatch. The workflow checks out the repository, sets up Node.js and pnpm, installs system dependencies, deletes the lock file to force dependency re-resolution, performs a clean installation, and runs build and unit test commands with caching disabled.

Changes

Cohort / File(s) | Summary
Fresh Install Testing Workflow: .github/workflows/fresh-install-tests.yml | New GitHub Actions workflow for automated fresh dependency installation and testing on a daily schedule and manual trigger, with lock file deletion to ensure clean dependency resolution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Fresh installs spring forth each day at two,
No locked-in paths, just dependencies new,
Build and test in ubuntu's embrace,
A clean slate workflow, at perfect pace! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding a daily CI workflow to test with fresh dependency resolution to catch breakage.
Description check | ✅ Passed | The description comprehensively covers all major sections with relevant details: summary, rationale, changes, impact, and testing—though documentation and feature-specific unit tests are not applicable here.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

pkg-pr-new bot commented Mar 20, 2026

@blocknote/ariakit

npm i https://pkg.pr.new/@blocknote/ariakit@2579

@blocknote/code-block

npm i https://pkg.pr.new/@blocknote/code-block@2579

@blocknote/core

npm i https://pkg.pr.new/@blocknote/core@2579

@blocknote/mantine

npm i https://pkg.pr.new/@blocknote/mantine@2579

@blocknote/react

npm i https://pkg.pr.new/@blocknote/react@2579

@blocknote/server-util

npm i https://pkg.pr.new/@blocknote/server-util@2579

@blocknote/shadcn

npm i https://pkg.pr.new/@blocknote/shadcn@2579

@blocknote/xl-ai

npm i https://pkg.pr.new/@blocknote/xl-ai@2579

@blocknote/xl-docx-exporter

npm i https://pkg.pr.new/@blocknote/xl-docx-exporter@2579

@blocknote/xl-email-exporter

npm i https://pkg.pr.new/@blocknote/xl-email-exporter@2579

@blocknote/xl-multi-column

npm i https://pkg.pr.new/@blocknote/xl-multi-column@2579

@blocknote/xl-odt-exporter

npm i https://pkg.pr.new/@blocknote/xl-odt-exporter@2579

@blocknote/xl-pdf-exporter

npm i https://pkg.pr.new/@blocknote/xl-pdf-exporter@2579

commit: f6edc1e

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/fresh-install-tests.yml (1)

38-43: Make lockfile deletion resilient with rm -f.

Using plain rm can fail the workflow if the file is absent in some branches/runs. rm -f keeps the intent but avoids brittle failures.

Small reliability tweak
-        run: rm pnpm-lock.yaml
+        run: rm -f pnpm-lock.yaml
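Review bot: on the changed `run:` line, `rm -f` also exits successfully when `pnpm-lock.yaml` is missing because it was renamed or moved, so this step can become a silent no-op while the job stays green. The step exists to guarantee that no lockfile is used for the install, so a failure here is a useful signal that the workflow's assumption no longer holds; consider keeping the plain `rm pnpm-lock.yaml`, or note in the step name why a missing file is acceptable.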
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/fresh-install-tests.yml around lines 38 - 43, Update the
workflow step named "Remove lockfile to force fresh dep resolution" to use a
non-failing remove command: replace the current run command `rm pnpm-lock.yaml`
with `rm -f pnpm-lock.yaml` so the step is resilient when the lockfile is absent
and does not cause the job to fail.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/fresh-install-tests.yml:
- Around line 17-23: The workflow currently inherits token scope; add an
explicit least-privilege permissions block for the fresh-install-unit-tests job
(job name: fresh-install-unit-tests) that grants only what is needed (e.g.,
permissions: contents: read) by inserting a permissions mapping under that job
(or at workflow root) so the checkout/tests run with a read-only token instead
of repo/org defaults.

---

Nitpick comments:
In @.github/workflows/fresh-install-tests.yml:
- Around line 38-43: Update the workflow step named "Remove lockfile to force
fresh dep resolution" to use a non-failing remove command: replace the current
run command `rm pnpm-lock.yaml` with `rm -f pnpm-lock.yaml` so the step is
resilient when the lockfile is absent and does not cause the job to fail.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d6f3dbe6-a12a-4800-9ec5-489a7133fbd9

📥 Commits

Reviewing files that changed from the base of the PR and between 3ed8b53 and f6edc1e.

📒 Files selected for processing (1)
  • .github/workflows/fresh-install-tests.yml

Comment on lines +17 to +23
jobs:
fresh-install-unit-tests:
name: Unit Tests (Fresh Dep Resolution)
runs-on: ubuntu-latest
timeout-minutes: 30

steps:

⚠️ Potential issue | 🟠 Major

Set explicit least-privilege permissions for this workflow.

Right now token scope is inherited from repo/org defaults. Since this job only checks out code and runs tests, you can reduce risk by explicitly granting read-only access.

Suggested hardening
 name: Fresh Install Tests
+permissions:
+  contents: read
 
 on:
   schedule:
     - cron: "0 2 * * *" # Daily at 02:00 UTC
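Review bot: the `permissions:` block added at workflow root applies to every job in the file and sets every scope not listed to none, so a job added later that needs write access (for example to report a failed run) should get its own job-level `permissions:` rather than a wider root block. A short comment above `contents: read` stating why the token is read-only here (the job installs and runs freshly resolved dependency versions) would help keep it from being loosened later.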
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/fresh-install-tests.yml around lines 17 - 23, The workflow
currently inherits token scope; add an explicit least-privilege permissions
block for the fresh-install-unit-tests job (job name: fresh-install-unit-tests)
that grants only what is needed (e.g., permissions: contents: read) by inserting
a permissions mapping under that job (or at workflow root) so the checkout/tests
run with a read-only token instead of repo/org defaults.
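
The workflow described in this pull request with the review's read-only token applied, as an added sketch and not the project's merged file. The action versions, the Node version and `persist-credentials: false` are assumptions that do not come from the page.

```yaml
# Added sketch, not BlockNote's actual fresh-install-tests.yml.
name: Fresh Install Tests

# Root-level block: every scope not listed here is set to none.
# Read-only because this job executes freshly resolved dependency versions.
permissions:
  contents: read

on:
  schedule:
    - cron: "0 2 * * *" # Daily at 02:00 UTC
  workflow_dispatch:

jobs:
  fresh-install-unit-tests:
    name: Unit Tests (Fresh Dep Resolution)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    env:
      NX_SKIP_NX_CACHE: "true" # a stale Nx task cache must not mask failures

    steps:
      - uses: actions/checkout@v4 # version assumed
        with:
          # Assumption: later steps need no git credentials, so the token is
          # not left in .git/config where installed packages could read it.
          persist-credentials: false

      - uses: pnpm/action-setup@v4 # assumes "packageManager" is set in package.json

      - uses: actions/setup-node@v4
        with:
          node-version: 22 # assumed; the page does not state the version

      # The page mentions a system-dependency step; its contents are not shown.

      - name: Remove lockfile to force fresh dep resolution
        run: rm pnpm-lock.yaml

      - name: Install with freshly resolved dependencies
        run: pnpm install --no-frozen-lockfile

      - name: Build
        run: pnpm run build

      - name: Unit tests
        run: pnpm run test
```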

@nperez0111 nperez0111 merged commit 3f642c8 into main Mar 20, 2026
23 checks passed
@nperez0111 nperez0111 deleted the feat/periodic-fresh-install-ci branch March 20, 2026 16:14