Fix CI: Biome v2 schema + pin @actions/core to v1 #7
Merged
Two regressions came in via Dependabot bumps on trunk:
- @biomejs/biome 1.x → 2.x renamed config keys (`files.ignore` → `files.includes` with negation patterns, `overrides[*].include` → `overrides[*].includes`, top-level `organizeImports` moved into `assist.actions.source.organizeImports`). Update biome.json to the v2 schema and reorder a stale import that the v2 organizer flagged.
- @actions/core 1.x → 3.x is ESM-only and broke the CJS TypeScript build (TS1479). Pin it back to ^1.11.1 and ignore future major bumps in Dependabot until we migrate the project to ESM.
Pull request overview
Fixes CI failures introduced by Dependabot upgrades by migrating the repo’s Biome configuration to the v2 schema and downgrading @actions/core to a CJS-compatible major version for the GitHub Action build/bundle pipeline.
Changes:
- Migrate `biome.json` to Biome v2 schema (config key renames + organize imports setting relocation).
- Pin `@actions/core` back to `^1.11.1` and update lockfile accordingly.
- Add a Dependabot ignore rule to prevent future major bumps of `@actions/core`.
Reviewed changes
Copilot reviewed 4 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/deploy.ts` | Applies Biome’s import organization output. |
| `package.json` | Pins @actions/core to v1 to restore CJS compatibility. |
| `package-lock.json` | Updates resolved dependency tree for the @actions/core downgrade. |
| `biome.json` | Updates Biome config to v2 schema and moves organize-imports to assist. |
| `.github/dependabot.yml` | Ignores major updates for @actions/core to avoid re-breaking CI. |
| }, | ||
| "dependencies": { | ||
| "@actions/core": "^3.0.1", | ||
| "@actions/core": "^1.11.1", |
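Review bot: On the `"@actions/core": "^1.11.1"` line, the caret range is not a pin: it accepts any 1.x release at or above 1.11.1, so the version that ends up in the bundle is fixed only by package-lock.json. If the intent is to hold the exact version the action was developed against, write `"1.11.1"`; otherwise keep the range and make sure the build installs with `npm ci` so the lockfile decides what gets bundled.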
| interval: weekly | ||
| open-pull-requests-limit: 10 | ||
| ignore: | ||
| # Pin to v1.x — v2+ is ESM-only and breaks the current CJS bundle. Track |
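Review bot: The comment under `ignore:` says "v2+ is ESM-only", while the PR description and commit message name 3.x as the ESM-only release that broke the CJS build (TS1479). Name the first ESM-only major consistently in this comment, so whoever lifts the ignore after the ESM migration knows which release the restriction was written for.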
lukekim added a commit that referenced this pull request May 2, 2026
Bundles the work from #7 and #8 into a single commit so trunk lands release-ready in one merge.
CI / build
- Migrate biome.json to the Biome 2.x schema (`files.includes` with negation patterns, `overrides[*].includes`, `assist.actions.source.organizeImports`).
- Reorder a stale import in src/deploy.ts that the v2 organizer flagged.
- Pin @actions/core to ^1.11.1 — 3.x is ESM-only and breaks the current CJS bundle. Add a Dependabot ignore for major bumps until the project is migrated to ESM.
Action UX
- `tags` input now accepts a YAML block mapping (the canonical workflow form) or a JSON object string, instead of the prior multi-line KEY=VALUE format. Tag keys still merge into the app's existing tags on every run.
- Update action.yml description, README, and example workflows to the new tag form.
Docs
- Correct the GitHub slug from `spiceai/spice-cloud-deploy-action` to `spicehq/spice-cloud-deploy-action` everywhere it appeared (README badges + examples, package.json metadata, examples/), so a copy/pasted `uses:` line resolves to the published action at v1.
- Replace the duplicated tail-of-document "Required scopes" table with a single "Scope cheat sheet" right under the OAuth client setup steps, including an "All-in (recommended for a single CI client)" row that spells out exactly which scopes to grant.
Tests
- New `parseTags` cases cover the YAML form, JSON form, quoted values, duplicates, and validation errors.
- Total: 70 unit tests, all green.
lukekim added a commit that referenced this pull request May 2, 2026
* Prepare repo for v1.0.0 release
  Bundles the work from #7 and #8 into a single commit so trunk lands release-ready in one merge.
  CI / build
  - Migrate biome.json to the Biome 2.x schema (`files.includes` with negation patterns, `overrides[*].includes`, `assist.actions.source.organizeImports`).
  - Reorder a stale import in src/deploy.ts that the v2 organizer flagged.
  - Pin @actions/core to ^1.11.1 — 3.x is ESM-only and breaks the current CJS bundle. Add a Dependabot ignore for major bumps until the project is migrated to ESM.
  Action UX
  - `tags` input now accepts a YAML block mapping (the canonical workflow form) or a JSON object string, instead of the prior multi-line KEY=VALUE format. Tag keys still merge into the app's existing tags on every run.
  - Update action.yml description, README, and example workflows to the new tag form.
  Docs
  - Correct the GitHub slug from `spiceai/spice-cloud-deploy-action` to `spicehq/spice-cloud-deploy-action` everywhere it appeared (README badges + examples, package.json metadata, examples/), so a copy/pasted `uses:` line resolves to the published action at v1.
  - Replace the duplicated tail-of-document "Required scopes" table with a single "Scope cheat sheet" right under the OAuth client setup steps, including an "All-in (recommended for a single CI client)" row that spells out exactly which scopes to grant.
  Tests
  - New `parseTags` cases cover the YAML form, JSON form, quoted values, duplicates, and validation errors.
  - Total: 70 unit tests, all green.
* fix: address PR review comments
  - parseBlockMap duplicate check now uses Object.hasOwn() so prototype-chain property names like `toString` and `constructor` aren't falsely rejected as duplicates.
  - Drop ':' from TAG_KEY_PATTERN. The block-map parser splits on the first ':', so a tag key containing ':' (e.g. `foo:bar`) couldn't be expressed in YAML form anyway. Aligning the JSON form keeps validation consistent across both input styles. Also rewords the validation error message to match the trimmed character set.
  - Rename the misleading "rejects JSON arrays" test to make clear it rejects non-string JSON values; add a separate case for a root-level JSON array (which falls through to the YAML parser); add a regression test for the prototype-chain dupe-check fix.
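The duplicate-check fix described in the second commit message above, as an added example that is not the action's own code: a block-map parser run once with a prototype-chain-aware check (`in`) and once with `Object.hasOwn()`. The names `parseBlockMap` and `TAG_KEY_PATTERN` come from the commit message; the pattern's character set, the helper names and the sample input are assumptions made for the illustration.

```javascript
// Added illustration; not the action's source. TAG_KEY_PATTERN below is an
// assumed character set (the page only says ':' was removed from it).
const TAG_KEY_PATTERN = /^[A-Za-z0-9_.-]+$/;

// Two duplicate checks: `in` walks the prototype chain, Object.hasOwn does not.
const inheritedCheck = (obj, key) => key in obj;
const ownCheck = (obj, key) => Object.hasOwn(obj, key);

// Parse "key: value" lines, splitting on the first ':' as the commit describes.
function parseBlockMap(text, isDuplicate = ownCheck) {
  const tags = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    if (idx === -1) throw new Error(`not a key: value line: ${line}`);
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    if (!TAG_KEY_PATTERN.test(key)) throw new Error(`invalid tag key: ${key}`);
    if (isDuplicate(tags, key)) throw new Error(`duplicate tag key: ${key}`);
    // defineProperty creates an own data property even for "__proto__",
    // where plain assignment would hit the inherited setter and drop the tag.
    Object.defineProperty(tags, key, {
      value, enumerable: true, writable: true, configurable: true,
    });
  }
  return tags;
}

// Returns the error message, or null when the input parses.
function tryParse(text, isDuplicate) {
  try {
    parseBlockMap(text, isDuplicate);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed sample input: each key appears exactly once.
const SAMPLE = 'env: prod\ntoString: "yes"\nconstructor: ci';

console.log("in operator  :", tryParse(SAMPLE, inheritedCheck));
console.log("Object.hasOwn:", tryParse(SAMPLE, ownCheck));
console.log("real dupe    :", tryParse("env: a\nenv: b", ownCheck));
```

With the `in` check the sample fails on `toString` even though no key repeats; with `Object.hasOwn()` only the genuine repeat of `env` is rejected.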
Summary
CI on trunk went red after two Dependabot bumps landed:
- `@biomejs/biome` 1.x → 2.x renamed config keys, so `npm run lint` failed with `Found an unknown key 'ignore'/'include'/'organizeImports'`. Migrate `biome.json` to the v2 schema:
  - `files.ignore` → `files.includes` with negation patterns (`["**", "!dist", ...]`)
  - `overrides[*].include` → `overrides[*].includes`
  - `organizeImports` → `assist.actions.source.organizeImports`
- `@actions/core` 1.x → 3.x is ESM-only, which the current CJS TypeScript build can't `require` (TS1479). Pin back to `^1.11.1` (the version we developed against) and ignore future major bumps in Dependabot until we migrate the action to ESM. Tracking the ESM move as a separate effort.
While reorganizing imports, Biome v2's organizer also surfaced a stale unsorted import in `src/deploy.ts` — applied the auto-fix.
Rebuilt `dist/index.js` so the `dist/` freshness check stays green.
Test plan
- `npm run all` passes locally (lint, typecheck, 61 tests, build).
- `npm audit` reports 0 vulnerabilities.
Follow-ups
- `@actions/core` major-version pin.