Point webapp Vercel deploys to new v6 project

[hardyjosh]

Update vercel-prod.yaml and vercel-preview.yaml to use VERCEL_PROJECT_ID_V6 so main deploys go to the new v6 Vercel app, while the old VERCEL_PROJECT_ID secret remains for v4/v5 branches.

Motivation

v5 is currently deployed to production on the existing Vercel app. Our plan only allows one custom environment per app, so v6 needs its own Vercel project. The old VERCEL_PROJECT_ID secret must remain for v4/v5 branches that still deploy to the original app.

Solution

• Updated vercel-prod.yaml and vercel-preview.yaml to reference VERCEL_PROJECT_ID_V6 instead of VERCEL_PROJECT_ID
• The PR-target preview workflow (vercel-preview-pr-target.yaml) is unchanged — it uses its own isolated VERCEL_PROJECT_ID_PREVIEWS
• Docs workflows are unchanged

Checks

By submitting this for review, I'm confirming I've done the following:

• made this PR as small as possible
• unit-tested any new functionality
• linked any relevant issues or PRs
• included screenshots (if this involves a front-end change)

Summary by CodeRabbit

• Chores
  • Updated deployment configuration for production and preview environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Two GitHub Actions workflow files were updated to reference a new Vercel project ID secret. The environment variable VERCEL_PROJECT_ID now references secrets.VERCEL_PROJECT_ID_V6 instead of secrets.VERCEL_PROJECT_ID in both the preview and production deployment workflows.

Changes

Cohort / File(s)	Summary
Vercel Workflow Secret References .github/workflows/vercel-preview.yaml, .github/workflows/vercel-prod.yaml	Updated VERCEL_PROJECT_ID secret reference from secrets.VERCEL_PROJECT_ID to secrets.VERCEL_PROJECT_ID_V6 across GitHub Actions workflows for Vercel deployments.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• thedavidmeister
• 0xgleb

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Point webapp Vercel deploys to new v6 project' directly and concisely describes the main change: updating Vercel deployment workflows to target a new v6 project instead of the existing one.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 2026-02-01-vercel-v6

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/vercel-prod.yaml (2)

18-18: 🧹 Nitpick | 🔵 Trivial

Outdated checkout action version.

This uses actions/checkout@v2 while the preview workflow uses @v4. Consider updating for consistency and to benefit from security/performance improvements.

Suggested fix

-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4

---

63-64: ⚠️ Potential issue | 🟡 Minor

Production workflow uses unpinned vercel@canary.

Using @canary in production deployments introduces unpredictability—canary releases can include breaking changes or bugs. The preview workflow correctly pins to vercel@33.4.1. Consider pinning to the same stable version here for reproducible, secure deployments.

Suggested fix (mirrors preview workflow pattern)

-      - name: Install Vercel CLI
-        run: npm install --global vercel@canary
-      - name: Pull Vercel Environment Information
-        run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
-      - name: Deploy Project Artifacts to Vercel
-        run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }} packages/webapp
+      - name: Install Vercel CLI (local, pinned)
+        shell: bash --noprofile --norc -euo pipefail {0}
+        run: |
+          VERCEL_DIR="$(mktemp -d)"
+          npm install --no-audit --no-fund --no-save --prefix "$VERCEL_DIR" vercel@33.4.1
+          echo "VERCEL_BIN=$VERCEL_DIR/node_modules/.bin/vercel" >> "$GITHUB_ENV"
+      - name: Pull Vercel Environment Information
+        shell: bash --noprofile --norc -euo pipefail {0}
+        env:
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_V6 }}
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+        run: |
+          "$VERCEL_BIN" pull --yes --environment=production --token="$VERCEL_TOKEN"
+      - name: Deploy Project Artifacts to Vercel
+        shell: bash --noprofile --norc -euo pipefail {0}
+        env:
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_V6 }}
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+        run: |
+          "$VERCEL_BIN" deploy --prebuilt --prod --token="$VERCEL_TOKEN" packages/webapp

🤖 Fix all issues with AI agents

In @.github/workflows/vercel-prod.yaml:
- Around line 1-4: Update the production workflow to match the preview
workflow's security hardening: upgrade the checkout action to the same version
used in preview (replace uses: actions/checkout@v2 with the preview pin, e.g.,
`@v4`), pin the Vercel CLI to the same fixed version (replace global `@canary` with
the pinned release used in preview) and install it locally so you can reference
its absolute path via the same $VERCEL_BIN variable when invoking the CLI, add
shell hardening flags (--noprofile --norc -euo pipefail) to relevant run steps,
and move VERCEL_* secrets from workflow-level env to the specific deployment
step-level env to match the preview workflow's secret scoping.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Secret reference updated correctly; consider aligning security hardening with the preview workflow.

The change to VERCEL_PROJECT_ID_V6 is correct. However, this production workflow lacks the security hardening present in vercel-preview.yaml:

Aspect	Preview	Production
Checkout action	@v4	@v2
Vercel CLI	Pinned 33.4.1, local install	Unpinned @canary, global install
Shell hardening	--noprofile --norc -euo pipefail	None
CLI invocation	$VERCEL_BIN (absolute path)	vercel via PATH
Secret scope	Step-level env	Workflow-level env

These are pre-existing issues, but since you're touching this file, it may be worth aligning both workflows for consistency and improved security posture—especially given the explicit security model documented in the preview workflow.

🤖 Prompt for AI Agents

In @.github/workflows/vercel-prod.yaml around lines 1 - 4, Update the production
workflow to match the preview workflow's security hardening: upgrade the
checkout action to the same version used in preview (replace uses:
actions/checkout@v2 with the preview pin, e.g., `@v4`), pin the Vercel CLI to the
same fixed version (replace global `@canary` with the pinned release used in
preview) and install it locally so you can reference its absolute path via the
same $VERCEL_BIN variable when invoking the CLI, add shell hardening flags
(--noprofile --norc -euo pipefail) to relevant run steps, and move VERCEL_*
secrets from workflow-level env to the specific deployment step-level env to
match the preview workflow's secret scoping.

[github-actions]

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

• Simple bug fixes, typos, or minor refactoring
• Single-purpose changes affecting 1-2 files
• Documentation updates
• Configuration tweaks
• Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

• Fix typo in variable name
• Update README with new instructions
• Adjust configuration values
• Simple one-line bug fixes
• Import statement cleanup

Medium (M)

Characteristics:

• Feature additions or enhancements
• Refactoring that touches multiple files but maintains existing behavior
• Breaking changes with backward compatibility
• Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

• Add new feature or component
• Refactor common utility functions
• Update dependencies with minor breaking changes
• Add new component with tests
• Performance optimizations
• More complex bug fixes

Large (L)

Characteristics:

• Major feature implementations
• Breaking changes or API redesigns
• Complex refactoring across multiple modules
• New architectural patterns or significant design changes
• Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

• Complete new feature with frontend/backend changes
• Protocol upgrades or breaking changes
• Major architectural refactoring
• Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

• Test coverage impact: More comprehensive test changes lean toward larger classification
• Risk level: Changes to critical systems bump up a size category
• Team familiarity: Novel patterns or technologies increase complexity

Notes:

• the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
• the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
• do not include any additional text, only the size classification
• your assessment comment must not include tips or additional sections
• do NOT tag me or anyone else on your comment

[coderabbitai]

The author of this PR is on the CodeRabbit Free Plan. In order to use the Chat feature, please upgrade the PR author to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.