fix: pin Node version, fix action tags, harden CI (#328) #388

Merged
ng merged 2 commits into dev from fix/328-ci-cd-hardening
Apr 10, 2026

@ng ng commented Apr 6, 2026

Summary

  • Create .node-version (22) referenced by all 5 workflows for consistent Node version
  • Fix actions/checkout@v6 → @v4 and actions/setup-node@v6 → @v4 (v6 doesn't exist)
  • Fix actions/upload-artifact@v7 → @v4
  • Use xargs -d '\n' in lint task to handle filenames with spaces
  • Add BIOMETRICS_DATABASE_URL to .env.dev and .env.prod templates

Test plan

  • CI workflows run successfully with pinned Node 22
  • Lint task handles filenames with spaces correctly
  • YAML syntax validated

Closes #328

Summary by CodeRabbit

  • New Features

    • Introduced biometrics database configuration for development and production environments.
  • Chores

    • Updated GitHub Actions workflow versions across CI/CD pipelines.
    • Standardized Node.js version management via centralized configuration file.

… env var

- Create .node-version (22) and reference it in all 5 workflows
- Fix actions/checkout and actions/setup-node from @v6 to @v4 (v6 doesn't exist)
- Fix actions/upload-artifact from @v7 to @v4
- Use xargs -d '\n' in lint task to handle filenames with spaces
- Add BIOMETRICS_DATABASE_URL to .env.dev and .env.prod templates

Closes #328

coderabbitai bot commented Apr 6, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e80c0b26-d4c3-40ce-922e-3246460a0a06

📥 Commits

Reviewing files that changed from the base of the PR and between 7e76b20 and 0762b47.

📒 Files selected for processing (1)
  • .github/workflows/test.yml

Walkthrough

Added new biometrics database environment variables to dev and prod configurations, introduced a .node-version file specifying Node.js version 22, downgraded GitHub Actions step versions from v6/v7 to v4 across multiple workflows, and updated workflows to read Node.js version from .node-version file instead of hardcoded values.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Environment Configuration: .env.dev, .env.prod, .node-version | Added BIOMETRICS_DATABASE_URL environment variable in dev and prod configs pointing to environment-specific SQLite databases. Created .node-version file with value 22 for tooling-based Node.js version management. |
| GitHub Actions Workflows: .github/workflows/build.yml, .github/workflows/dev-release.yml, .github/workflows/openapi.yml, .github/workflows/release.yml, .github/workflows/test.yml | Downgraded actions/checkout (v6 → v4), actions/setup-node (v6 → v4), and actions/upload-artifact (v7 → v4) across workflows. Standardized Node.js version selection to use node-version-file: '.node-version' instead of hardcoded or lts values. Minor adjustment to test.yml Lint task to use xargs -d '\n' for file passing. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hops of joy with database care,
Biometrics configured everywhere!
Versions downgraded, workflows flow,
With .node-version seeds we sow. 🌱

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: pinning Node version, correcting GitHub Action tags, and hardening CI—all central objectives of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
.node-version (1)

1-1: Pin a full Node 22 patch version for deterministic CI.

Line 1 uses 22, which can silently move across newer 22.x releases. For stricter reproducibility/hardening, pin an exact patch and update intentionally.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.node-version at line 1, The .node-version currently contains the loose
major "22"; update that single-line value to a full Node 22 patch version (e.g.,
22.20.2 or your chosen exact 22.x.y) so CI uses a deterministic runtime; replace
the "22" token with the exact patch version and commit the change.
.env.prod (1)

1-2: Optional: normalize env formatting to clear dotenv-linter warnings.

Lines 1-2 currently trigger quote/order/newline warnings in static analysis. Consider normalizing this template to keep lint output clean.

♻️ Suggested cleanup
-DATABASE_URL="file:./db/sleepypod.core.prod.db"
-BIOMETRICS_DATABASE_URL="file:./biometrics.prod.db"
+BIOMETRICS_DATABASE_URL=file:./biometrics.prod.db
+DATABASE_URL=file:./db/sleepypod.core.prod.db
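Review bot: On the `+BIOMETRICS_DATABASE_URL` line, the biometrics database resolves to `./biometrics.prod.db` while `DATABASE_URL` stays under `./db/`. Confirm that split is intended; if both files are meant to share one data directory (and its permissions and backup handling), use `file:./db/biometrics.prod.db`, or note in the template why the biometrics file lives elsewhere.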

Also ensure a trailing newline at EOF.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.prod around lines 1 - 2, Normalize the .env.prod template by removing
unnecessary surrounding quotes from the values for DATABASE_URL and
BIOMETRICS_DATABASE_URL, ensure keys are consistently ordered (e.g.,
alphabetical: BIOMETRICS_DATABASE_URL then DATABASE_URL) and add a single
trailing newline at EOF to satisfy dotenv-linter; update the lines containing
the DATABASE_URL and BIOMETRICS_DATABASE_URL entries accordingly.
.env.dev (1)

1-2: Optional: align this env template with dotenv-linter warnings.

Static analysis indicates quote-character/order/newline warnings on Lines 1-2. If dotenv-linter is part of CI quality gates, this will stay noisy until normalized.

♻️ Suggested cleanup
-DATABASE_URL="file:./db/sleepypod.core.dev.db"
-BIOMETRICS_DATABASE_URL="file:./biometrics.dev.db"
+BIOMETRICS_DATABASE_URL=file:./biometrics.dev.db
+DATABASE_URL=file:./db/sleepypod.core.dev.db
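Review bot: Dropping the quotes on both `+` lines is only safe while the values contain no whitespace or `#`. These files are templates, so a path filled in later with either character would be split by a shell that sources the file and may be cut at the `#` by a dotenv parser. Either keep the quoted form from the `-` lines and disable that linter rule, or add a comment in the template saying such values must be quoted.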

Also ensure a trailing newline at EOF.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.dev around lines 1 - 2, The .env.dev template triggers dotenv-linter
warnings for quote usage, ordering, and missing EOF newline; update the two
entries by removing the unnecessary surrounding double quotes from DATABASE_URL
and BIOMETRICS_DATABASE_URL values, reorder the keys alphabetically if you
follow the repo convention (place BIOMETRICS_DATABASE_URL before DATABASE_URL),
and add a trailing newline at EOF so the file ends with a newline.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test.yml:
- Line 19: The lint step invokes "pnpm eslint" with filenames piped from CHANGED
via xargs but omits the "--" separator, so any filename starting with "-" is
parsed as an option; update the Lint command (the string assigned to the step
named "Lint" that builds CHANGED and calls xargs) to pass "--" before file
arguments (e.g., use "pnpm eslint --") so ESLint treats all xargs inputs as file
paths rather than CLI flags.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f9df3050-7f87-4995-b266-578d958dfd1a

📥 Commits

Reviewing files that changed from the base of the PR and between 9f6cb24 and 7e76b20.

📒 Files selected for processing (8)
  • .env.dev
  • .env.prod
  • .github/workflows/build.yml
  • .github/workflows/dev-release.yml
  • .github/workflows/openapi.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .node-version

Comment thread .github/workflows/test.yml Outdated
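
The argument-handling issue raised for the Lint step (`xargs -d '\n'` and the missing `--`), as an added example that is not part of the PR or the project's workflow. It assumes GNU xargs; the file names and the `CLASSIFY` stand-in for the linter are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's workflow. Requires GNU xargs for -d
# (present on GitHub's ubuntu runners). All file names are constructed.

# Stand-in for the linter CLI (hypothetical): reports how each argument
# would be parsed. Anything starting with "-" before a "--" is an option.
CLASSIFY='end=0
for a in "$@"; do
  if [ "$end" = 0 ] && [ "$a" = "--" ]; then end=1
  elif [ "$end" = 0 ] && [ "${a#-}" != "$a" ]; then echo "opt:$a"
  else echo "file:$a"
  fi
done'

# Constructed "changed files" list, one path per line.
changed_files() {
  printf '%s\n' 'src/app.ts' 'src/my component.tsx' '-leading-dash.ts'
}

# 1. Default xargs: splits on any whitespace, so the path with a space breaks.
lint_default() { changed_files | xargs sh -c "$CLASSIFY" _; }

# 2. xargs -d '\n' (the PR's change): one argument per line, but the
#    leading-dash name still reaches the tool as an option.
lint_newline() { changed_files | xargs -d '\n' sh -c "$CLASSIFY" _; }

# 3. -d '\n' plus "--" (the review's suggestion): every input is a path.
lint_hardened() { changed_files | xargs -d '\n' sh -c "$CLASSIFY" _ --; }

for mode in lint_default lint_newline lint_hardened; do
  echo "== $mode"
  "$mode"
done
```

Only the third form hands the tool exactly three `file:` arguments; in a CI job that lints paths taken from a pull request, the first two let a file name change how the tool is invoked.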
@ng ng merged commit 2a4534f into dev Apr 10, 2026
6 checks passed
@ng ng deleted the fix/328-ci-cd-hardening branch April 10, 2026 22:19
@ng ng mentioned this pull request Apr 13, 2026
4 tasks
ng added a commit that referenced this pull request Apr 13, 2026
## Summary

Promotes everything on `dev` since the last main release (82 commits,
143 files, +9239/-2699).

### Headlining features
- **Schedule redesign (#303)** — read-only schedule view with explicit
curve management, full-screen `CurveEditor` (day picker + bedtime/wake
+ temp range + presets), `Left | Right | Both` side selector,
active-curve highlight, atomic `batchUpdate` writes, day-conflict
resolution, sparkline cards.
- **Mini feature flag (#420)** — `ENABLE_MINI` env var; PubNub moved
to `optionalDependencies`; conditional Mini router import.
- **Auto-off on no presence (#301)** — schedule respects bed presence.
- **Auto-unblock internet during update check (#308)**.
- **Schedule batchUpdate cap raised to 1000 (#424)** — fixes AI-curve
apply-to-all-days rejection.

### Operational fixes
- Pod 3 install path (#383, #384, #386, #392)
- Yocto image Python venv (#336)
- DAC socket / Avahi on device startup (#331)
- Free-sleep/sleepypod switch persistence (#337)
- Cross-machine standalone deploys (#308)
- Temperature unit conversion (#333)

### Dependency updates
~20 renovate PRs across React 19.2.5, Next 16.2.3, vitest 4.1.4,
tanstack/react-query 5.97.0, tRPC 11.16, lucide-react 1.x, etc.

### Misc
- ADR 0017 (uv) compiled into deployment wiki
- Snoo pentest methodology + recon plan
- Git hooks + ESLint cleanup (#313)
- CI hardening (#388)

## Test plan
- [x] All unit tests pass on dev (606+ tests)
- [x] Typecheck clean
- [x] Build succeeds (standalone output)
- [x] Deployed to Pod 4 at `192.168.1.88` and smoke-tested:
  - schedule on/off
  - create curve from preset
  - edit curve, change days, save
  - day-conflict reassign dialog
  - delete curve
  - side selector left/right/both
  - active-curve highlighting + next set point
@github-actions

🎉 This PR is included in version 1.6.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

CI/CD: Node version consistency & workflow fixes
