BjornMelin
diff --git a/‎.env.example‎
Lines changed: 5 additions & 0 deletions b/‎.env.example‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/actions/ci-setup/action.yml‎
Lines changed: 10 additions & 0 deletions b/‎.github/actions/ci-setup/action.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 4 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎.github/workflows/neon-auth-trusted-domains.yml‎
Lines changed: 14 additions & 1 deletion b/‎.github/workflows/neon-auth-trusted-domains.yml‎
Lines changed: 14 additions & 1 deletion
@@ -9,6 +9,10 @@ NEON_AUTH_COOKIE_DOMAIN=
 # App-side HMAC secret used to sign cached session data cookies (32+ chars).
 NEON_AUTH_COOKIE_SECRET=
 
+# Optional: local smoke test credentials (for scripts/neon-auth-local.ts)
+NEON_AUTH_LOCAL_AGENT_USER_EMAIL=
+NEON_AUTH_LOCAL_AGENT_USER_PASS=
+
 # App access policy (cost control)
 # "restricted": only allow authenticated users whose email is in AUTH_ALLOWED_EMAILS
 # "open": allow any authenticated user (use only after BYOK is implemented)
@@ -34,6 +38,7 @@ NEXT_PUBLIC_AUTH_SOCIAL_PROVIDERS=vercel
 APP_BASE_URL=
 
 # Database (Neon Postgres)
+# Prefer connection strings with `sslmode=verify-full`.
 DATABASE_URL=
 # Optional: unpooled connection string (recommended for migrations/DDL).
 DATABASE_URL_UNPOOLED=
 
@@ -31,6 +31,16 @@ runs:
       with:
         bun-version: ${{ inputs.bun-version }}
 
+    - name: Cache Bun install
+      uses: actions/cache@v5.0.3
+      with:
+        path: |
+          ~/.bun/install/cache
+        key: bun-${{ runner.os }}-${{ inputs.bun-version }}-${{ hashFiles('bun.lock') }}
+        restore-keys: |
+          bun-${{ runner.os }}-${{ inputs.bun-version }}-
+          bun-${{ runner.os }}-
+
     - name: Install dependencies
       run: bun install --frozen-lockfile
       shell: bash
@@ -6,6 +6,10 @@ updates:
       interval: "weekly"
       day: "friday"
       time: "04:00"
+    ignore:
+      # Keep typings aligned with Node LTS (we target Node 24.x).
+      - dependency-name: "@types/node"
+        update-types: ["version-update:semver-major"]
     groups:
       dependencies:
         patterns:
 
@@ -13,6 +13,9 @@ concurrency:
   group: ci-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+env:
+  NEXT_TELEMETRY_DISABLED: "1"
+
 jobs:
   lint:
     name: Lint (Biome + ESLint)
@@ -21,7 +24,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
 
       - name: Setup
         uses: ./.github/actions/ci-setup
@@ -36,7 +39,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
 
       - name: Setup
         uses: ./.github/actions/ci-setup
@@ -51,7 +54,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
 
       - name: Setup
         uses: ./.github/actions/ci-setup
@@ -67,10 +70,20 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
 
       - name: Setup
         uses: ./.github/actions/ci-setup
 
+      - name: Cache Next.js build cache
+        uses: actions/cache@v5.0.3
+        with:
+          path: |
+            ${{ github.workspace }}/.next/cache
+          key: nextcache-${{ runner.os }}-${{ hashFiles('bun.lock', 'package.json', 'tsconfig.json', 'postcss.config.mjs', 'next.config.ts', 'src/**/*.ts', 'src/**/*.tsx', 'src/**/*.js', 'src/**/*.jsx') }}
+          restore-keys: |
+            nextcache-${{ runner.os }}-${{ hashFiles('bun.lock', 'package.json', 'tsconfig.json', 'postcss.config.mjs', 'next.config.ts') }}-
+            nextcache-${{ runner.os }}-
+
       - name: Build
         run: bun run build
@@ -24,7 +24,15 @@ jobs:
     name: Ensure Neon Auth trusted domains
     runs-on: ${{ fromJSON(vars.ACTIONS_RUNNER_LABELS || '["ubuntu-latest"]') }}
     # Secrets are not available on forked PRs.
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    if: |
+      github.event_name != 'pull_request' ||
+      (
+        github.event.pull_request.head.repo.fork == false &&
+        github.event.pull_request.user.login != 'dependabot[bot]' &&
+        github.event.pull_request.user.login != 'renovate[bot]' &&
+        !startsWith(github.event.pull_request.head.ref, 'dependabot/') &&
+        !startsWith(github.event.pull_request.head.ref, 'renovate/')
+      )
     steps:
       - name: Checkout
         uses: actions/checkout@v6.0.2
@@ -61,6 +69,11 @@ jobs:
             GIT_BRANCH="${GITHUB_REF_NAME}"
           fi
 
+          if printf '%s' "${GIT_BRANCH}" | grep -Eq '^(dependabot/|renovate/)'; then
+            echo "::warning::Bot branch detected (${GIT_BRANCH}). Skipping trusted-domain allowlisting."
+            exit 0
+          fi
+
           # When using the Neon <-> Vercel integration with Preview Branching,
           # Neon creates branches named "preview/<git-branch>".
           NEON_BRANCH_NAME="preview/${GIT_BRANCH}"