
Harden Bun dependency installs #521

Merged: AnthonyRonning merged 2 commits into master from harden/bun-dependency-freeze on May 20, 2026

Conversation

AnthonyRonning (Contributor) commented May 20, 2026

Summary:

  • Freeze Bun installs by default with frozenLockfile and a 7-day minimumReleaseAge in bunfig.toml
  • Require CI Bun installs to use --frozen-lockfile --ignore-scripts
  • Disable the floating bunx shadcn-ui@latest helper and declare no trusted dependency lifecycle scripts
  • Point Bun cache keys at the committed text lockfile

Verification:

  • jq empty frontend/package.json
  • git diff --check
  • pre-commit hook ran bun build and bun test successfully

No dependency install, update, or lockfile rewrite was performed manually for this PR.



Summary by CodeRabbit

  • Chores

    • Upgraded the JS runtime across CI/CD to a newer version for consistency.
    • Enforced deterministic installs in CI by requiring the lockfile and skipping install-time scripts.
    • Improved dependency cache keys to align with the lockfile and reduce cache mismatches.
    • Adjusted frontend package config to mark trusted dependencies (empty) and disable a scaffold script.
  • Documentation

    • Updated package manager version reference in docs.

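The settings the description lists, turned into a repository preflight check. This is an added example, not code from the Maple repository or this PR; it assumes the PR's layout (frontend/bunfig.toml, frontend/package.json, a frontend/bun.lock text lockfile, workflows under .github/workflows), and the two sample trees it writes are constructed here only to exercise the check. Bun expresses minimumReleaseAge in seconds, so the PR's 7 days is 604800.

```shell
#!/bin/sh
# Added example, not code from the Maple repository or this PR.
# Preflight check that a checkout carries the Bun install hardening the PR
# describes. Assumes the PR's layout: frontend/bunfig.toml, frontend/package.json
# and workflows under .github/workflows. Uses only grep so it runs where jq is
# absent; the trustedDependencies check therefore expects the empty array on one line.

# check_bun_hardening DIR  -> prints each finding, returns 0 only if every check passes
check_bun_hardening() {
  dir="$1"
  rc=0
  bunfig="$dir/frontend/bunfig.toml"
  pkg="$dir/frontend/package.json"

  # 1. bunfig.toml [install]: lockfile frozen and a minimumReleaseAge (seconds) set
  grep -Eq '^[[:space:]]*frozenLockfile[[:space:]]*=[[:space:]]*true' "$bunfig" 2>/dev/null \
    || { echo "FAIL: $bunfig does not set frozenLockfile = true"; rc=1; }
  grep -Eq '^[[:space:]]*minimumReleaseAge[[:space:]]*=[[:space:]]*[0-9]+' "$bunfig" 2>/dev/null \
    || { echo "FAIL: $bunfig does not set minimumReleaseAge"; rc=1; }

  # 2. package.json: no dependency may run lifecycle scripts (empty allow-list)
  grep -Eq '"trustedDependencies"[[:space:]]*:[[:space:]]*\[[[:space:]]*\]' "$pkg" 2>/dev/null \
    || { echo "FAIL: $pkg does not declare \"trustedDependencies\": []"; rc=1; }

  # 3. workflows: every bun install is frozen and script-free, and cache keys hash
  #    the text lockfile (bun.lock) rather than the binary bun.lockb
  for wf in "$dir"/.github/workflows/*.yml "$dir"/.github/workflows/*.yaml; do
    [ -f "$wf" ] || continue
    if grep 'bun install' "$wf" | grep -v -- '--frozen-lockfile' | grep -q .; then
      echo "FAIL: $wf runs bun install without --frozen-lockfile"; rc=1
    fi
    if grep 'bun install' "$wf" | grep -v -- '--ignore-scripts' | grep -q .; then
      echo "FAIL: $wf runs bun install without --ignore-scripts"; rc=1
    fi
    if grep -q 'bun\.lockb' "$wf"; then
      echo "FAIL: $wf still keys its cache on bun.lockb"; rc=1
    fi
  done
  return "$rc"
}

# make_sample_tree DIR hardened|weak  -> constructed sample checkouts for a dry run
make_sample_tree() {
  mkdir -p "$1/frontend" "$1/.github/workflows"
  if [ "$2" = hardened ]; then
    # 604800 s = 7 days, the minimumReleaseAge the PR description chooses
    printf '[install]\nfrozenLockfile = true\nminimumReleaseAge = 604800\n' > "$1/frontend/bunfig.toml"
    printf '{ "name": "app", "trustedDependencies": [] }\n' > "$1/frontend/package.json"
    printf 'key: bun-${{ hashFiles(%s) }}\nrun: bun install --frozen-lockfile --ignore-scripts\n' \
      "'frontend/bun.lock'" > "$1/.github/workflows/ci.yml"
  else
    # pre-hardening layout: no [install] section, scripts allowed, binary lockfile cached
    printf '[test]\n' > "$1/frontend/bunfig.toml"
    printf '{ "name": "app" }\n' > "$1/frontend/package.json"
    printf 'key: bun-${{ hashFiles(%s) }}\nrun: bun install\n' \
      "'frontend/bun.lockb'" > "$1/.github/workflows/ci.yml"
  fi
}

# Dry run on both constructed trees (a real run passes the repository root instead)
tmp=$(mktemp -d)
make_sample_tree "$tmp/hardened" hardened
make_sample_tree "$tmp/weak" weak
check_bun_hardening "$tmp/hardened" && echo "hardened tree: all checks pass"
check_bun_hardening "$tmp/weak" || echo "weak tree: see findings above"
rm -rf "$tmp"
```

Run it from the repository root as `check_bun_hardening .` and it slots in next to the `git diff --check` step the description lists under Verification. The combination of `--ignore-scripts` in CI and an empty trustedDependencies list means a dependency that genuinely needs a build step will fail the install; that failure is the intended signal to read the script and add the package to trustedDependencies deliberately, not a reason to drop the flag.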

coderabbitai Bot commented May 20, 2026

Walkthrough

CI and frontend config changes: Bun version bumped to 1.3.5 where pinned, bunfig.toml adds an install section, cache keys now reference frontend/bun.lock, frontend installs use bun install --frozen-lockfile --ignore-scripts, package.json disables the add script, and Claude Code model is updated.

Changes

Bun frozen-lockfile configuration and CI standardization

Layer / File(s) / Summary

  • Bun frozen-lockfile configuration
    frontend/bunfig.toml
    New [install] section configures Bun to use a frozen lockfile and sets minimumReleaseAge; test configuration unchanged.
  • Package.json configuration adjustments
    frontend/package.json
    Adds trustedDependencies as an empty array and replaces the scripts.add command with a disabled-message exit.
  • CI workflow Bun version, cache, and install standardization
    .github/workflows/android-build.yml, .github/workflows/claude.yml, .github/workflows/desktop-build.yml, .github/workflows/frontend-tests.yml, .github/workflows/mobile-build.yml, .github/workflows/release.yml, .github/workflows/testflight-on-comment.yml
    Workflows pin or bump Bun to 1.3.5 where applicable, change Bun cache keys to hash frontend/bun.lock (replacing frontend/bun.lockb), and standardize frontend installs to bun install --frozen-lockfile --ignore-scripts.
  • Claude Code model version update
    .github/workflows/claude.yml
    Updates claude_args model to claude-sonnet-4-5-20250929.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • OpenSecretCloud/Maple#400: Updates .github/workflows/frontend-tests.yml to change Bun cache key and frontend bun install behavior, overlapping workflow changes.
  • OpenSecretCloud/Maple#86: Modifies .github/workflows/claude.yml around Bun setup and install behavior, overlapping the Claude workflow edits.

Poem

🐰 I hopped through lockfiles neat,
Frozen installs keep builds fleet,
Cache keys set in tidy rows,
Bun bumped up where CI goes,
Claude gets wiser — off I leap!

🚥 Pre-merge checks: 4 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Harden Bun dependency installs' accurately summarizes the main objectives of the pull request, which center on freezing Bun installs, requiring deterministic dependency installation in CI, and disabling floating version helpers.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

cloudflare-workers-and-pages Bot commented May 20, 2026

Deploying maple with Cloudflare Pages

Latest commit: b44cb63
Status: ✅  Deploy successful!
Preview URL: https://63960954.maple-ca8.pages.dev
Branch Preview URL: https://harden-bun-dependency-freeze.maple-ca8.pages.dev


devin-ai-integration Bot (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 6: Update the package manager declaration in package.json: change the
"packageManager" field value from "bun@1.3.5" to "bun@1.3.14" so the project
uses the latest stable Bun release; ensure the string is exactly "bun@1.3.14" in
the packageManager key and commit the update.

Review info

Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2ac27899-7f56-4b03-94a9-29dcd680b3dd

📥 Commits

Reviewing files that changed from the base of the PR and between 232ef3c and b44cb63.

📒 Files selected for processing (9)
  • .github/workflows/android-build.yml
  • .github/workflows/claude.yml
  • .github/workflows/desktop-build.yml
  • .github/workflows/frontend-tests.yml
  • .github/workflows/mobile-build.yml
  • .github/workflows/release.yml
  • .github/workflows/testflight-on-comment.yml
  • CLAUDE.md
  • frontend/package.json
✅ Files skipped from review due to trivial changes (1)
  • CLAUDE.md

AnthonyRonning merged commit ba0d6ac into master May 20, 2026
15 checks passed
AnthonyRonning deleted the harden/bun-dependency-freeze branch May 20, 2026 16:45