From 5c64bfa5e18de1234006cb27cced5f506fe02c93 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 14:40:07 -0700
Subject: [PATCH 1/2] fix(fix-dependabot-alerts): clean-rebuild for final verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The `Final build verification` step ran `pnpm run build` which uses fluid-build incrementally. fluid-build's per-package fingerprint (and tsc's .tsbuildinfo) is keyed off the package's own sources plus the declared dep specs in package.json — it does not invalidate when a transitive dep is bumped within its existing semver range. As a result, a breaking .d.ts change in an upgraded dep can pass the script's verification while still failing CI's clean `build_ts` job, producing PRs that break main on merge. Example: PR #2421 bumped exifreader 4.30.1 → 4.40.3 (in-range under `^4.30.1`). The new `exifreader` `TypedTag` generic gained a second nullable-tuple type parameter, which broke `typechat-utils/src/image.ts`. The script's incremental build skipped re-checking typechat-utils and reported ✅; CI's fresh checkout caught it. Switch the final verification to `pnpm run rebuild` (= `fluid-build . -t build --rebuild`) so it matches CI's clean build. The per-package mid-loop incremental build is left as-is — the final rebuild is the backstop, and any package that does fail the rebuild gets recorded in the rollback-cooldown state for the next run.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/fix-dependabot-alerts.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/fix-dependabot-alerts.yml b/.github/workflows/fix-dependabot-alerts.yml
index d0622a541..3a7317028 100644
--- a/.github/workflows/fix-dependabot-alerts.yml
+++ b/.github/workflows/fix-dependabot-alerts.yml
@@ -417,7 +417,15 @@ jobs:
 working-directory: ts
 run: |
 node tools/scripts/repo-policy-check.mjs --fix || true
- pnpm run build
+ # Use `rebuild` (fluid-build --rebuild), not `build`, so the
+ # verification matches the clean-checkout CI build_ts job.
+ # fluid-build's incremental cache and tsc's .tsbuildinfo are
+ # keyed off the package's own sources + declared dep specs in
+ # package.json; an in-range transitive dep upgrade (e.g.
+ # exifreader 4.30.1 → 4.40.3 under "^4.30.1") doesn't bust the
+ # cache, so a breaking .d.ts change in a dep can pass the
+ # incremental build here while still failing CI's fresh build.
+ pnpm run rebuild
 echo "build_ok=true" >> "$GITHUB_OUTPUT"
 env:
 DEBUG_DEMB: true
From 1a045f01ce6cf786104658f9ef13369e40270e59 Mon Sep 17 00:00:00 2001
From: Tal Zaccai
Date: Mon, 1 Jun 2026 14:45:12 -0700
Subject: [PATCH 2/2] =?UTF-8?q?Generalize=20comment=20=E2=80=94=20drop=20s?= =?UTF-8?q?pecific=20package=20example?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/fix-dependabot-alerts.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/fix-dependabot-alerts.yml b/.github/workflows/fix-dependabot-alerts.yml
index 3a7317028..e2e0dec04 100644
--- a/.github/workflows/fix-dependabot-alerts.yml
+++ b/.github/workflows/fix-dependabot-alerts.yml
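Review bot: The clean rebuild still runs against whatever `node_modules` tree the earlier upgrade steps left behind, so it matches CI's build_ts job only if the installed packages equal what the committed lockfile resolves to. CI presumably installs from the lockfile on a fresh checkout; if so, running `pnpm install --frozen-lockfile` immediately before `pnpm run rebuild` would make this step verify the same dependency set that the generated PR will ship. An install step may already exist earlier in the job (the step and its `run:` block start above this hunk, and the `env:` mapping continues below it), so confirm before adding one. It would also help to add `# Keep in sync with the command used by the build_ts CI job.` so the two builds cannot drift apart silently.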
@@ -421,10 +421,10 @@ jobs:
 # verification matches the clean-checkout CI build_ts job.
 # fluid-build's incremental cache and tsc's .tsbuildinfo are
 # keyed off the package's own sources + declared dep specs in
- # package.json; an in-range transitive dep upgrade (e.g.
- # exifreader 4.30.1 → 4.40.3 under "^4.30.1") doesn't bust the
- # cache, so a breaking .d.ts change in a dep can pass the
- # incremental build here while still failing CI's fresh build.
+ # package.json; an in-range transitive dep upgrade doesn't
+ # bust the cache, so a breaking .d.ts change in a dep can
+ # pass the incremental build here while still failing CI's
+ # fresh build.
 pnpm run rebuild
 echo "build_ok=true" >> "$GITHUB_OUTPUT"
 env: