@tkislan tkislan commented Oct 30, 2025

Example of failed CI run
https://github.com/deepnote/vscode-deepnote/actions/runs/18941121656/job/54079891655

Summary by CodeRabbit

  • Chores
    • Added an automated CI check that detects package-lock drift to ensure lockfile consistency and catch unexpected dependency changes early, reducing merge surprises and improving CI reliability.

Signed-off-by: Tomas Kislan <tomas@kislan.sk>
Signed-off-by: Tomas Kislan <tomas@kislan.sk>
coderabbitai bot commented Oct 30, 2025

Walkthrough

A new GitHub Actions job named "Package Lock Drift Check" is added to the CI workflow, configured to run after the Spell Check job. The job checks out the repository (actions/checkout v5), sets up Node.js (setup-node v6) with an npm registry scoped to @deepnote and npm cache, installs dependencies via npm install (uses GITHUB_TOKEN), and runs git diff --exit-code HEAD to detect changes to lockfiles (failing on drift). The job timeout is 5 minutes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant WF as Workflow
    participant Spell as Spell Check Job
    participant Drift as Package Lock Drift Check
    participant Repo as Repository
    participant Checkout as actions/checkout@v5
    participant Node as actions/setup-node@v6
    participant Npm as npm install
    participant Git as git diff --exit-code HEAD
    Note over Drift: timeout 5 minutes

    WF->>Spell: run
    Spell-->>WF: success
    WF->>Drift: start (after Spell)
    Drift->>Checkout: checkout repo (v5)
    Checkout-->>Drift: code ready
    Drift->>Node: setup-node (v6) + set npm registry for @deepnote + cache
    Node-->>Drift: node/npm ready
    Drift->>Npm: npm install (uses GITHUB_TOKEN)
    Npm-->>Drift: deps installed (may modify lockfile)
    Drift->>Git: git diff --exit-code HEAD
    alt no changes
      Git-->>Drift: exit 0 (pass)
      Drift-->>WF: success
    else changes detected
      Git-->>Drift: exit non-zero (fail)
      Drift-->>WF: failure
    end

Pre-merge checks

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "ci: Add package.lock drift check CI step" clearly and directly describes the main change in the pull request: adding a new GitHub Actions job that validates package-lock.json hasn't drifted after npm install. The title uses conventional commit format with the "ci:" prefix, is specific and concise, and a teammate scanning history would immediately understand the purpose of this change. While "package.lock" could be more precise than "package-lock.json", the meaning is unambiguous. |

Comment @coderabbitai help to get the list of available commands and usage tips.
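
The final step of the job described in the walkthrough above, exercised offline on a throwaway repository. This is an added example, not part of the PR or the project's workflow; it goes one step further than the walkthrough by showing the case `git diff --exit-code HEAD` does not catch (a lockfile that was never committed). `strict_drift_check`, `new_repo`, `fake_install`, `status` and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lockfile drift check on a throwaway git repository.
# File contents and the "install" stand-in are constructed; no npm or network needed.

# The check named in the walkthrough: exit 0 if tracked files match HEAD, 1 on drift.
drift_check() {
    git -C "$1" diff --exit-code HEAD >/dev/null
}

# Stricter variant (assumption, not from the PR): also fails on untracked files,
# which `git diff HEAD` never reports. Real repos need node_modules/ in .gitignore.
strict_drift_check() {
    [ -z "$(git -C "$1" status --porcelain)" ]
}

# new_repo DIR FILE CONTENT: constructed repository with one committed file.
new_repo() {
    mkdir -p "$1" && git -C "$1" init -q &&
    printf '%s\n' "$3" > "$1/$2" &&
    git -C "$1" add "$2" &&
    git -C "$1" -c user.name=ci -c user.email=ci@example.invalid commit -q -m init
}

# Stand-in for `npm install` rewriting the lockfile (constructed content).
fake_install() {
    printf '%s\n' '{"lockfileVersion":3,"packages":{"node_modules/example-dep":{"version":"1.0.1"}}}' \
        > "$1/package-lock.json"
}

# status CMD ARGS...: print the command's exit status as 0 or 1.
status() { "$@" && echo 0 || echo 1; }

demo() {
    tmp=$(mktemp -d) || return 1
    # Case 1: lockfile is committed and the install changes it.
    new_repo "$tmp/tracked" package-lock.json \
        '{"lockfileVersion":3,"packages":{"node_modules/example-dep":{"version":"1.0.0"}}}'
    fake_install "$tmp/tracked"
    echo "tracked lockfile:   git diff=$(status drift_check "$tmp/tracked")" \
         "git status=$(status strict_drift_check "$tmp/tracked")"
    # Case 2: lockfile was never committed, so the install creates it untracked.
    new_repo "$tmp/untracked" package.json '{"name":"example","version":"0.0.0"}'
    fake_install "$tmp/untracked"
    echo "untracked lockfile: git diff=$(status drift_check "$tmp/untracked")" \
         "git status=$(status strict_drift_check "$tmp/untracked")"
    rm -rf "$tmp"
}
demo
```

In the second case the diff-based check passes even though the install produced a lockfile the repository does not pin, so the check only protects repositories where the lockfile is actually committed.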

…ion in CI workflow

Signed-off-by: Tomas Kislan <tomas@kislan.sk>
codecov bot commented Oct 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72%. Comparing base (b8c52a6) to head (b185341).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #140   +/-   ##
=====================================
  Coverage     72%     72%           
=====================================
  Files        545     545           
  Lines      41777   41777           
  Branches    5047    5047           
=====================================
  Hits       30431   30431           
  Misses      9665    9665           
  Partials    1681    1681           

Signed-off-by: Tomas Kislan <tomas@kislan.sk>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 87e8346 and 855fa01.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

Signed-off-by: Tomas Kislan <tomas@kislan.sk>
coderabbitai bot previously approved these changes Oct 30, 2025
@tkislan tkislan marked this pull request as ready for review October 30, 2025 13:37
@tkislan tkislan requested a review from a team as a code owner October 30, 2025 13:37
@tkislan tkislan requested a review from jamesbhobbs October 30, 2025 13:37
jamesbhobbs previously approved these changes Oct 30, 2025
@jamesbhobbs jamesbhobbs left a comment

Minor revision needed. Do this on other repos too please

Co-authored-by: James Hobbs <15235276+jamesbhobbs@users.noreply.github.com>
@tkislan tkislan dismissed stale reviews from jamesbhobbs and coderabbitai[bot] via 5d75213 October 30, 2025 14:38
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between d5bf19c and 5d75213.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & Test
🔇 Additional comments (1)
.github/workflows/ci.yml (1)

193-217: Job structure and consistency look good.

The workflow setup mirrors other jobs (checkout v5, setup-node v6, scoped npm registry, cache). The 5-minute timeout is appropriate. Permissions inherit the workflow-level defaults, which are sufficient (contents: read for git operations).

@tkislan tkislan enabled auto-merge (squash) October 30, 2025 17:44
@tkislan tkislan merged commit c9dffe8 into main Oct 30, 2025
12 of 13 checks passed
@tkislan tkislan deleted the tomaskislan/package-lock-drift-check-ci branch October 30, 2025 17:47