
chore: consolidate dependabot updates and fix OS build CI#124

Merged
rplunger merged 2 commits into
mainfrom
chore/consolidate-deps-and-os-ci
Jun 3, 2026

Conversation

@rplunger rplunger (Contributor) commented Jun 3, 2026

Summary

Single PR replacing the stack of open Dependabot PRs (#109 to #123) plus the failing nightly OS build (run #81).

Docs (docs/)

  • astro ^6.3.2, @astrojs/starlight ^0.38.3, react/react-dom ^19.2.5
  • @excalidraw/excalidraw ^0.18.1, mermaid ^11.15.0
  • Transitive bumps from those PRs: postcss 8.5.15, devalue 5.8.1, dompurify, uuid, etc. (package-lock.json)

CI workflows

Test plan

After merge

Close these open Dependabot PRs as superseded: #109, #110, #111, #112, #114, #116, #117, #118, #120, #121, #122, #123. Close #115 with a comment that OS build no longer uses setup-qemu-action.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated documentation site dependencies for improved performance and stability.
    • Enhanced CI and build infrastructure with updated GitHub Actions versions.
    • Improved ARM64 image build reliability and path handling.
    • Optimized build scheduling by pausing automatic nightly builds.

Bundle open docs/npm and GitHub Actions bumps into one change. Fix debos
fakemachine mount failure, disable nightly OS schedule until green, and
bump astro, starlight, react, excalidraw, mermaid, and transitive deps.
vercel Bot commented Jun 3, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: pai-os; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Jun 3, 2026 7:57am

coderabbitai Bot commented Jun 3, 2026


Review Change Stack

Warning

Review limit reached

@rplunger, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c71272dc-1174-4998-80d8-76e7a266ffc3

📥 Commits

Reviewing files that changed from the base of the PR and between 8caa680 and 52fb7be.

⛔ Files ignored due to path filters (1)
  • docs/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • docs/package.json
📝 Walkthrough

Walkthrough

This PR updates infrastructure across five files: three GitHub workflow files receive action version bumps and structural changes, the documentation build configuration receives dependency updates, and the ARM64 image build recipe corrects path resolution to avoid fakemachine-related issues.

Changes

Build Infrastructure and Dependency Updates

  • GitHub Actions version updates (.github/workflows/ci.yml, .github/workflows/rustdoc.yml): actions/setup-node@v4 is updated to @v6 in the CI workflow's documentation build step; actions/upload-pages-artifact@v4 is updated to @v5 in the Rust documentation workflow.
  • OS build workflow: disable fakemachine and update artifact action (.github/workflows/os-build.yml): Nightly cron schedule is commented out, leaving tag and manual dispatch triggers. Debos image build step is rewritten to remove QEMU/binfmt setup and use the --disable-fakemachine flag, with inline comments about in-container debootstrap. Artifact upload action is downgraded from @v7 to @v4.
  • Documentation dependencies (docs/package.json): Bump @astrojs/starlight, @excalidraw/excalidraw, astro, mermaid, react, and react-dom to newer patch/minor versions.
  • ARM64 recipe path resolution (os/recipes/app/pai-engine-arm64.yaml): Update .deb path resolution in the install script by computing OSROOT from RECIPEDIR and using ${OSROOT}/packaging/dist/... instead of the relative path ${RECIPEDIR}/../../packaging/dist/....

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • aurintex/pai-os#105: Both PRs modify .github/workflows/os-build.yml artifact upload action versions.
  • aurintex/pai-os#83: Both PRs update CI/documentation workflows and bump docs/package.json dependencies in the same areas.
  • aurintex/pai-os#108: Both PRs modify .github/workflows/os-build.yml around ARM64 debos/QEMU handling, though with opposite approaches to fakemachine configuration.

Poem

A rabbit hops through workflows with glee, 🐰
Action versions bumped, dependencies free,
Fakemachine disabled, paths now corrected,
Build scripts and docs all properly reflected! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Linked Issues check: ⚠️ Warning. Explanation: The PR does not implement the main coding requirement from #115 (upgrading docker/setup-qemu-action to v4); instead it uses --disable-fakemachine to work around the OS build issue. Resolution: Consider whether the PR scope should include the docker/setup-qemu-action@v4 upgrade, or clarify if #115 should remain separate pending the resolution of this OS build approach.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: consolidating Dependabot updates and fixing OS build CI issues.
  • Out of Scope Changes check: ✅ Passed. The PR contains changes aligned with stated objectives (Dependabot updates, CI workflow upgrades, OS build fixes), with no extraneous modifications detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/os-build.yml (1)

45-45: ⚡ Quick win

Pin actions/upload-artifact to a full commit SHA (supply-chain hardening).
.github/workflows/os-build.yml uses actions/upload-artifact@v4 at line 45, which isn’t commit-SHA pinned. The repo’s DoD/Compliance text doesn’t explicitly mandate this, but pinning would further harden the workflow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/os-build.yml at line 45, The workflow step using the
third-party action string "actions/upload-artifact@v4" should be pinned to a
full commit SHA for supply-chain hardening: replace the tag
"actions/upload-artifact@v4" with the action repository at the specific commit
SHA (e.g., "actions/upload-artifact@<full-commit-sha>"), obtain the SHA from the
action repo's releases or commit history, and update the workflow step that
references "actions/upload-artifact" accordingly so the workflow uses the fixed
commit instead of a floating tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2d08ca22-3c49-492d-8e8d-e609999506c3

📥 Commits

Reviewing files that changed from the base of the PR and between b465a03 and 8caa680.

⛔ Files ignored due to path filters (1)
  • docs/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/os-build.yml
  • .github/workflows/rustdoc.yml
  • docs/package.json
  • os/recipes/app/pai-engine-arm64.yaml

Comment thread .github/workflows/ci.yml
# Astro 6 requires Node >=22.12.0 (see docs/package.json engines)
- name: Setup Node.js for documentation build
uses: actions/setup-node@v4
uses: actions/setup-node@v6
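Review bot: the comment above the step says Astro 6 needs Node >=22.12.0, but moving actions/setup-node from @v4 to @v6 only changes the action's own version; which Node the step installs is decided by its `node-version` or `node-version-file` input, which is not in these lines, so confirm that input selects a 22.12+ release (for example `node-version-file: docs/package.json`, which reads the `engines` field the comment points at) instead of relying on the runner's default Node. Separately, zizmor flags this line (72) as unpinned-uses: replace the floating `@v6` tag with the full commit SHA of the v6 release and keep a trailing `# v6.x.y` comment so Dependabot can still propose updates to the pin.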


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unpinned GitHub Actions references in workflows
rg -nP '^\s*uses:\s*[^@]+@v[0-9]+(?:\.[0-9]+)?\s*$' .github/workflows

Repository: aurintex/pai-os

Length of output: 1198


Pin actions/setup-node to a full commit SHA.

.github/workflows/ci.yml line 72 uses uses: actions/setup-node@v6; replace the @v6 tag with an exact commit SHA to prevent CI supply-chain drift. (The same @v* pattern exists for other actions in this repo too.)

🧰 Tools
🪛 zizmor (1.25.2)

[error] 72-72: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 72, The workflow currently references the
floating tag "uses: actions/setup-node@v6"; replace that with the full commit
SHA for the actions/setup-node action (e.g.,
actions/setup-node@<full-commit-sha>) to pin the dependency and prevent
supply-chain drift. Locate the "uses: actions/setup-node@v6" entry in the CI
workflow and update it to the corresponding commit SHA from the
actions/setup-node repository (you can get the SHA from the action's GitHub tags
or commits page), and apply the same pinning approach to any other "uses:
...@v*" occurrences in the workflow.


- name: Upload artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@v5
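Review bot: `uses: actions/upload-pages-artifact@v5` is still a mutable major tag (zizmor unpinned-uses at line 79 of rustdoc.yml); pin it to the full commit SHA of the intended v5 release with a trailing version comment, the same treatment asked for setup-node in the ci.yml thread. This is also a major-version bump of the step that produces the Pages artifact, and the step that consumes it is not in the hunk, so check that the deploy step in this workflow is on a version that accepts what v5 uploads before relying on the green check.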


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unpinned GitHub Actions references in workflows
rg -nP '^\s*uses:\s*[^@]+@v[0-9]+(?:\.[0-9]+)?\s*$' .github/workflows

Repository: aurintex/pai-os

Length of output: 1198


Pin actions/upload-pages-artifact to an exact commit SHA in .github/workflows/rustdoc.yml.

.github/workflows/rustdoc.yml still uses uses: actions/upload-pages-artifact@v5, which is a mutable tag; pinning to a full commit SHA is needed for reproducible, provenance-stable Pages artifact publishing.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 79-79: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rustdoc.yml at line 79, Replace the mutable tag for the
GitHub Action by pinning the actions/upload-pages-artifact usage to an exact
commit SHA: find the line containing "uses: actions/upload-pages-artifact@v5"
and update it to use the full commit SHA for the v5 release (e.g., "uses:
actions/upload-pages-artifact@<full-commit-sha>"), then verify the SHA
corresponds to the intended v5 release commit in the action's repository and
update any workflow documentation if needed.
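The three findings above (setup-node@v6, upload-pages-artifact@v5, upload-artifact@v4) all come down to the same rule: a `uses:` reference is only immutable when it names a full 40-hex commit SHA, and a `# vX.Y.Z` comment beside the SHA is what lets Dependabot keep the pin current. The page's own `rg` one-liner only catches `@vN` tags. As an added example, not code from the pai-os repository or from CodeRabbit, here is a small checker that classifies every `uses:` line in a workflow and reports the ones that are not commented SHA pins, including branch refs and SHA pins that lack the version comment. The sample workflow and its 40-hex SHA are constructed placeholders, not real commits of any action.

```python
import re
import sys
from typing import List, Optional, Tuple

# Hypothetical checker; not part of the pai-os repository.
# One `uses:` step line: captures the action reference and any trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
# A full 40-hex-digit commit SHA is the only immutable ref GitHub offers.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Release-style tags (v6, v6.1, 6.1.2) are mutable: the maintainer can move them.
VERSION_TAG_RE = re.compile(r'^v?\d+(\.\d+){0,2}$')
# The `# vX.Y.Z` hint next to a SHA pin that Dependabot uses to track updates.
VERSION_COMMENT_RE = re.compile(r'#\s*v?\d+(\.\d+){0,2}\b')

Finding = Tuple[int, str, str]


def classify_ref(ref: str, comment: Optional[str]) -> str:
    """Say how a single `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"            # action checked in with the repo: nothing to pin
    if ref.startswith("docker://"):
        return "docker"           # container image: pin by digest, out of scope here
    if "@" not in ref:
        return "no-ref"           # floats on the action's default branch
    _, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        if comment and VERSION_COMMENT_RE.search(comment):
            return "pinned"
        return "pinned-no-version-comment"
    if VERSION_TAG_RE.match(version):
        return "mutable-tag"      # e.g. @v6, the case flagged on this PR
    return "branch-or-other"      # @main, @v1-beta, ...: also mutable


def find_unpinned_uses(workflow_text: str) -> List[Finding]:
    """Return (line_no, ref, status) for every `uses:` that is not a commented SHA pin."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        status = classify_ref(ref, comment)
        if status in ("mutable-tag", "branch-or-other", "no-ref",
                      "pinned-no-version-comment"):
            findings.append((line_no, ref, status))
    return findings


# Constructed sample workflow (not the repository's ci.yml). The SHA below is a
# placeholder, not a real commit of actions/checkout or actions/upload-artifact.
PLACEHOLDER_SHA = "deadbeef" * 5
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4
      - name: Setup Node.js for documentation build
        uses: actions/setup-node@v6
      - uses: actions/upload-pages-artifact@v5
      - uses: actions/upload-artifact@{PLACEHOLDER_SHA}
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""


def main(argv: List[str]) -> int:
    """Scan the workflow files named on the command line, or the sample if none."""
    sources: List[Tuple[str, str]] = []
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources.append(("<sample>", SAMPLE_WORKFLOW))
    total = 0
    for path, text in sources:
        for line_no, ref, status in find_unpinned_uses(text):
            print(f"{path}:{line_no}: {ref} [{status}]")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_uses_pins.py .github/workflows/*.yml` and it exits non-zero when anything is not a commented SHA pin, which makes it usable as a CI gate alongside zizmor. On the sample it reports the two mutable tags, the SHA pin without a version comment, and the `@main` branch reference, and leaves the commented checkout pin and the local action alone.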

Lockfile was produced with npm 11, which made `npm ci` fail on GitHub
Actions (npm 10). Regenerate with npm 10.9.2 and pin packageManager.
@rplunger rplunger merged commit 62d7b06 into main Jun 3, 2026
5 checks passed
@rplunger rplunger deleted the chore/consolidate-deps-and-os-ci branch June 3, 2026 08:30