fix/cloudflare deploy and other action fixes #239

Open: matheusfillipe wants to merge 8 commits into main from fix/cloudflare-deploy

@matheusfillipe matheusfillipe commented May 24, 2026

  • Fix Cloudflare Pages deployment workflow

And pin every action to hashes

and reduce dependabot action update frequency

Summary by CodeRabbit

  • Chores
    • Improved CI/CD workflows and pull-request preview handling across Cloudflare Pages, Docker, GitHub Pages, and publish pipelines (third-party actions pinned to fixed revisions; trigger rules clarified).
    • Updated pull-request preview comment behavior and header for Pages previews.
    • Standardized Dependabot configuration and scheduling.
    • Released package version 0.3.1.

coderabbitai Bot commented May 24, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 95bcbbe7-4d03-43f0-85b0-6033f1bdacad

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Pin many GitHub Actions to fixed commit SHAs across workflows, tighten Cloudflare Pages push trigger and replace the PR preview comment action, normalize Dependabot schedules/ignore rules, and bump package version to 0.3.1.

Changes

Release v0.3.1

| Layer / File(s) | Summary |
| --- | --- |
| Patch version increment / package.json | Package version updated from 0.3.0 to 0.3.1. |
| Cloudflare Pages workflow updates / .github/workflows/cloudflare_pages.yaml | Push deploys limited to main; checkout and wrangler actions pinned to commits; PR preview comment action switched to marocchino/sticky-pull-request-comment and comment inputs updated. |
| Dependabot config normalization / .github/dependabot.yml | Reformatted schedules/quoting; standardized wildcard dependency-name: '*' ignore patterns across npm, cargo, github-actions, docker; added/normalized docker block. |
| Docker workflow pinning / .github/workflows/docker.yaml | Normalized tag trigger block and pinned Docker-related actions (checkout, setup-qemu-action, setup-buildx-action, login-action, build-push-action) to specific commit SHAs. |
| GitHub Pages workflow pinning / .github/workflows/github_pages.yaml | Pinned actions/checkout and peaceiris/actions-gh-pages to specific commit SHAs; added persist-credentials: false; build/deploy steps unchanged. |
| Publish workflows pinning & tweaks / .github/workflows/publish.yaml | Pinned many publish-related actions to commit SHAs, normalized trigger/quoting, adjusted Linux ARM dependency install options and package list, and pinned Android/iOS/web publish steps and release uploads. |
| Main CI workflow pinning / .github/workflows/workflow.yaml | Pinned actions/checkout and biomejs/setup-biome to commit SHAs; replaced tag-based checkout in build/i18n jobs with pinned revisions while keeping test/i18n steps. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • ObsidianIRC/ObsidianIRC#119: Modifies .github/workflows/publish.yaml with publish-related workflow changes overlapping Android Google Play publishing steps.

Suggested reviewers

  • ValwareIRC

Poem

🐰 A tiny patch hops through the trees,
Pins and schedules hum with ease,
Pages only push on main tonight,
Dependabot keeps settings tight,
Version bumped — the release feels light.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main changes: it references the Cloudflare deploy fix and broader GitHub Action pinning across multiple workflows, which are the primary objectives of the pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@matheusfillipe matheusfillipe changed the title fix/cloudflare deploy fix/cloudflare deploy and other action fixes May 24, 2026
@github-actions

Pages Preview
Preview URL: https://fix-cloudflare-deploy.obsidianirc.pages.dev

Automated deployment preview for the PR in the Cloudflare Pages.

@matheusfillipe matheusfillipe requested a review from ValwareIRC May 24, 2026 12:49

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

54-65: ⚡ Quick win

Remove redundant semver-major ignores for Tauri crates in Cargo

In .github/dependabot.yml (cargo updates for /src-tauri), ignore: - dependency-name: '*' already blocks version-update:semver-major for all Rust dependencies, so the additional version-update:semver-major entries for tauri, tauri-build, and tauri-plugin-* are redundant. Keeping only semver-minor for those packages clarifies intent.

♻️ Proposed simplification
     ignore:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
       - dependency-name: 'tauri'
         update-types:
           - version-update:semver-minor
-          - version-update:semver-major
       - dependency-name: 'tauri-build'
         update-types:
           - version-update:semver-minor
-          - version-update:semver-major
       - dependency-name: 'tauri-plugin-*'
         update-types:
           - version-update:semver-minor
-          - version-update:semver-major
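Review bot: Major-version blocking for `tauri`, `tauri-build` and `tauri-plugin-*` would rest entirely on the `dependency-name: '*'` entry at the top of this ignore list once the three `- version-update:semver-major` lines are removed, and nothing in the per-crate entries would show that dependency. If the wildcard entry is later narrowed or dropped, the Tauri crates would start receiving major-update PRs without any visible change to their own entries. Either keep the explicit lines, or add a YAML comment on the wildcard entry stating that the Tauri entries rely on it.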
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 54 - 65, The dependabot config lists
redundant ignores for full-major updates on specific Rust crates — remove the
"version-update:semver-major" entries under the dependency blocks for "tauri",
"tauri-build", and "tauri-plugin-*" so those blocks only include
"version-update:semver-minor"; this keeps the existing global "ignore: -
dependency-name: '*'" behavior that already blocks semver-major updates while
making intent clearer.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/github_pages.yaml:
- Line 17: Update the actions/checkout step used in the GitHub Pages deploy
workflow so it disables credential persistence: locate the checkout action line
(uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) and add the
input persist-credentials: false to that step so the workflow does not retain
the GITHUB_TOKEN after checkout.

In @.github/workflows/publish.yaml:
- Line 40: The checkout steps using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should explicitly set
persist-credentials: false to avoid leaving the GITHUB_TOKEN persisted when
those jobs do not perform git push; update each non-pushing actions/checkout
step (the occurrences of actions/checkout@de0fac2e45...) to add the
persist-credentials: false key under that step, and leave the checkout step that
performs the update-linux-nix commit/push unchanged (do not add
persist-credentials: false there).

In @.github/workflows/workflow.yaml:
- Line 12: The actions/checkout steps using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd are leaving credential
persistence enabled; update each checkout step to include a with block setting
persist-credentials: false so credentials are not stored in the runner (i.e.,
add "with: persist-credentials: false" to every checkout step that uses
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd).

---

Nitpick comments:
In @.github/dependabot.yml:
- Around line 54-65: The dependabot config lists redundant ignores for
full-major updates on specific Rust crates — remove the
"version-update:semver-major" entries under the dependency blocks for "tauri",
"tauri-build", and "tauri-plugin-*" so those blocks only include
"version-update:semver-minor"; this keeps the existing global "ignore: -
dependency-name: '*'" behavior that already blocks semver-major updates while
making intent clearer.

📥 Commits

Reviewing files that changed from the base of the PR and between 39031f5 and 775808e.

📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/cloudflare_pages.yaml
  • .github/workflows/docker.yaml
  • .github/workflows/github_pages.yaml
  • .github/workflows/publish.yaml
  • .github/workflows/workflow.yaml


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/workflow.yaml (1)

40-43: 💤 Low value

Consider aligning checkout action version with other jobs.

The i18n job uses actions/checkout@...v4.3.1 while the biome and build jobs use v6.0.2. This version mismatch within the same workflow could lead to subtle behavioral differences.

Suggested alignment
      - name: Checkout
-       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
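Review bot: The replacement `uses:` line moves the i18n job from v4.3.1 to v6.0.2, a jump of two major versions, so it changes behaviour for that job and is not only a consistency fix; run the i18n job on this branch before merging. The trailing `# v6.0.2` comment is not checked by anything, so also confirm that de0fac2e4500dabe0009e67214ff5f5447ce83dd is the commit the v6.0.2 tag points to in actions/checkout.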
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/workflow.yaml around lines 40 - 43, The checkout step in
the i18n job uses actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
(v4.3.1) while the biome and build jobs use v6.0.2 — update the i18n job's
actions/checkout reference to match the other jobs (actions/checkout@v6.0.2 or
the same commit hash used there) so all jobs use the same checkout version to
avoid behavioral inconsistencies.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/workflow.yaml:
- Around line 40-43: The checkout step in the i18n job uses
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) while the
biome and build jobs use v6.0.2 — update the i18n job's actions/checkout
reference to match the other jobs (actions/checkout@v6.0.2 or the same commit
hash used there) so all jobs use the same checkout version to avoid behavioral
inconsistencies.

📥 Commits

Reviewing files that changed from the base of the PR and between 775808e and 3f47990.

📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/cloudflare_pages.yaml
  • .github/workflows/docker.yaml
  • .github/workflows/github_pages.yaml
  • .github/workflows/publish.yaml
  • .github/workflows/workflow.yaml
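
An audit for the two checks raised in this thread (every `uses:` reference pinned to a full commit SHA, and every actions/checkout step setting persist-credentials: false), as an added example that is not part of the PR or the ObsidianIRC repository. The function names and the sample workflow are constructed for illustration; the scanner is line-based and assumes conventionally indented workflow YAML.

```python
import re

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*['\"]?([^\s'\"#]+)")  # with or without list dash
FULL_SHA = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def _indent(line):
    return len(line) - len(line.lstrip())

def _step_lines(lines, i, key_indent):
    """Return the lines of the step (one `- ` list item) that contains line i."""
    start = i
    while start > 0 and not (lines[start].lstrip().startswith("- ")
                             and _indent(lines[start]) < key_indent):
        start -= 1
    dash = _indent(lines[start])
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return lines[start:end]

def audit_workflow(text):
    """Return (line_number, finding) pairs for one workflow file's text."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(3).startswith(("./", "docker://")):
            continue  # not a step, or a local action / container image
        action, _, ref = m.group(3).partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append((i + 1, f"{action}@{ref}: not pinned to a full commit SHA"))
        step = _step_lines(lines, i, len(m.group(1)) + len(m.group(2) or ""))
        if action == "actions/checkout" and not any(PERSIST_OFF.match(s) for s in step):
            findings.append((i + 1, "actions/checkout: persist-credentials is not false"))
    return findings

# Constructed sample workflow; only the 40-character SHA is taken from the thread.
SAMPLE = """\
steps:
  - name: Checkout
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      persist-credentials: false
  - uses: actions/checkout@v4
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
  - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

A checkout step in a job that commits and pushes, such as the update-linux-nix step mentioned in the review, will be reported by the second check and has to be accepted by hand.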
