56 changes: 56 additions & 0 deletions .github/workflows/fresh-install-tests.yml
@@ -0,0 +1,56 @@
name: Fresh Install Tests

# Periodically tests BlockNote with the latest versions of its dependencies
# (within declared ranges), without a lockfile. This catches breakage when a
# new release of a dep like @tiptap/* or prosemirror-* ships and conflicts
# with BlockNote's declared ranges — the kind of failure a user would hit when
# running `npm install @blocknote/react` in a fresh project.
#
# DevDependencies (vitest, vite, typescript, etc.) are still bounded by their
# declared ranges in package.json; only prod/peer deps get freshly resolved.

on:
schedule:
- cron: "0 2 * * *" # Daily at 02:00 UTC
workflow_dispatch: # Allow manual runs

jobs:
fresh-install-unit-tests:
name: Unit Tests (Fresh Dep Resolution)
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
Comment on lines +17 to +23
⚠️ Potential issue | 🟠 Major

Set explicit least-privilege permissions for this workflow.

Right now token scope is inherited from repo/org defaults. Since this job only checks out code and runs tests, you can reduce risk by explicitly granting read-only access.

Suggested hardening
 name: Fresh Install Tests
+permissions:
+  contents: read
 
 on:
   schedule:
     - cron: "0 2 * * *" # Daily at 02:00 UTC
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/fresh-install-tests.yml around lines 17 - 23, The workflow
currently inherits token scope; add an explicit least-privilege permissions
block for the fresh-install-unit-tests job (job name: fresh-install-unit-tests)
that grants only what is needed (e.g., permissions: contents: read) by inserting
a permissions mapping under that job (or at workflow root) so the checkout/tests
run with a read-only token instead of repo/org defaults.

- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v4

- uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
# Intentionally no pnpm cache — we want a genuinely fresh install

# Required for the `canvas` native dependency
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev pkg-config

- name: Remove lockfile to force fresh dep resolution
# Removing pnpm-lock.yaml causes pnpm to resolve all dependencies to
# the latest versions that satisfy the ranges declared in package.json
# (including pnpm-workspace.yaml overrides). This is equivalent to what
# a new user experiences when installing BlockNote in a blank project.
run: rm pnpm-lock.yaml

- name: Install dependencies
run: pnpm install --no-frozen-lockfile

- name: Build packages
run: pnpm run build
env:
NX_SKIP_NX_CACHE: "true"

- name: Run unit tests
run: pnpm run test
env:
NX_SKIP_NX_CACHE: "true"
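Review bot: the "Install dependencies" step runs `pnpm install --no-frozen-lockfile` right after `rm pnpm-lock.yaml`, so each scheduled run executes whatever the newest in-range release of every direct and transitive dependency happens to be, including its install scripts and the native `canvas` build, and then runs `pnpm run build` and `pnpm run test` on top of that code with whatever token this workflow inherits. That is exactly the situation where the explicit `permissions: contents: read` block proposed in the review comment above stops being optional; please add it at the workflow root. For the same reason, `actions/checkout@v4`, `pnpm/action-setup@v4` and `actions/setup-node@v4` should be pinned to full commit SHAs (with the tag kept in a trailing comment) rather than mutable major-version tags, so that the only code this job pulls unpinned is the package set it is deliberately testing. A one-line comment next to the `rm pnpm-lock.yaml` step stating that the job intentionally runs unpinned third-party code and therefore must never be given secrets or write scopes would also help the next person who edits this file.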