fix: pin NodeJS version explicitly & use consistently in CI

[comatory]

Caution

Our previous semver for NodeJS specified anything 22.11.0 and above, but the
actual version 22.11.00 would fail to compile. That's why I opted for explicit
version

This PR modifies CI action for setting NodeJS + pnpm versions to use package.json
as the source of truth, instead of hard-coding different values in CI scripts. On top of this, I removed working-directory input which was unused and does not completely make sense in monorepo setup I think.

The consequence of this change is for local development, you must have explicit 22.22.2 installed.

This change was tested by manually modifying pnpm-lock.yaml (appending a comment) which triggered all CI pipelines related to TS packages, see here. That commit was removed to not pollute the file as it was only intended for testing.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated. (n/a)
• Documentation has been updated on https://github.com/wundergraph/docs-website. (n/a)
• I have read the Contributors Guide.

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The Node setup action now derives Node and pnpm versions from the repository root package.json (engines.node and packageManager), exposes them as outputs, and uses those outputs for actions/setup-node and pnpm/action-setup. The action’s node-version input default was removed (input still declared); workflows stopped passing a working-directory argument to the local action. pnpm-workspace.yaml bumps TypeScript to 5.7.3.

Changes

Dynamic Version Detection from package.json

Layer / File(s)	Summary
Action Inputs .github/actions/node/action.yaml	node-version input no longer has a default value; working-directory input remains declared with its default.
Version Extraction Logic .github/actions/node/action.yaml	New runtime-versions composite step reads repo root package.json, extracts engines.node and packageManager, strips comparison prefixes (>=, <=, >, <, =) and writes node-version and pnpm-version to GITHUB_OUTPUT.
Core Step Integration .github/actions/node/action.yaml	actions/setup-node now uses steps.runtime-versions.outputs.node-version; pnpm/action-setup uses steps.runtime-versions.outputs.pnpm-version (removing the previous hard-coded pnpm version).
Workflow Wiring .github/workflows/release.yaml, .github/workflows/release-preview.yaml	Calls to the local ./.github/actions/node action no longer pass working-directory. release-preview.yaml updated actions/checkout@v4 to add token: ${{ secrets.GH_TOKEN_WORKFLOW_PUBLISH }} and removed the working-directory entry from that step’s with:.

TypeScript Dependency Update

Layer / File(s)	Summary
Catalog Bump pnpm-workspace.yaml	catalog.typescript version updated from 5.6.2 → 5.7.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: drop NodeJS 20 support #2805: Also changes .github/actions/node/action.yaml node-version handling (that PR set a default to "22.x" while this PR removes the default and adds runtime detection).

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'fix: pin NodeJS version explicitly & use consistently in CI' accurately summarizes the main changes: pinning Node versions and ensuring consistent CI setup through the new runtime-versions step.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/actions/node/action.yaml (1)

85-87: ⚠️ Potential issue | 🟠 Major

Update the pnpm cache key to use the resolved pnpm version.

Lines 85–87 hardcode pnpm-8-store, but the action now installs pnpm dynamically from package.json (currently pnpm@9.12.3). This mismatch means pnpm major upgrades will restore/save under the old cache namespace instead of creating a clean cache boundary when the pnpm version changes.

Suggested fix

-        key: ${{ runner.os }}-pnpm-8-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+        key: ${{ runner.os }}-pnpm-${{ steps.runtime-versions.outputs.pnpm-version }}-store-${{ hashFiles('**/pnpm-lock.yaml') }}
         restore-keys: |
-          ${{ runner.os }}-pnpm-8-store-
+          ${{ runner.os }}-pnpm-${{ steps.runtime-versions.outputs.pnpm-version }}-store-

The steps.runtime-versions.outputs.pnpm-version output is already defined in the action (line 63) and used elsewhere (line 72).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/actions/node/action.yaml around lines 85 - 87, The cache key
currently hardcodes "pnpm-8-store" so cache scope doesn't change when pnpm is
updated; update the cache key to incorporate the resolved pnpm version by using
the existing output steps.runtime-versions.outputs.pnpm-version (the same output
used elsewhere) instead of the literal "pnpm-8" token, and likewise update the
restore-keys prefix to match so caches separate by pnpm version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/actions/node/action.yaml:
- Around line 85-87: The cache key currently hardcodes "pnpm-8-store" so cache
scope doesn't change when pnpm is updated; update the cache key to incorporate
the resolved pnpm version by using the existing output
steps.runtime-versions.outputs.pnpm-version (the same output used elsewhere)
instead of the literal "pnpm-8" token, and likewise update the restore-keys
prefix to match so caches separate by pnpm version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 672f112e-157a-4de2-952b-5418950c55c5

📥 Commits

Reviewing files that changed from the base of the PR and between 0c39bc2 and fdadd60.

📒 Files selected for processing (3)

• .github/actions/node/action.yaml
• .github/workflows/release-preview.yaml
• .github/workflows/release.yaml

💤 Files with no reviewable changes (2)

• .github/workflows/release.yaml
• .github/workflows/release-preview.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 115: Remove the stray root-level "test" property from package.json:
delete the top-level "test": 1 entry so the package.json contains only valid
configuration fields (do not replace or alter existing scripts or other
properties); locate the literal "test" key at the package root and remove that
key/value pair.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c21c55a0-ceac-415d-8058-b9ae7d5a60b9

📥 Commits

Reviewing files that changed from the base of the PR and between fdadd60 and dbe5ec9.

📒 Files selected for processing (1)

• package.json

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-ef3f5c16e516c39d970001798c343bb5436077b4

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/node/action.yaml:
- Around line 19-35: Change the GitHub Actions step to use the correct shell
template "node {0}", import the node modules and remove top-level await by
wrapping the script in an async IIFE: add "const path = require('path'); const
fs = require('fs').promises;" near the top, keep using
process.env.nodeVersionOverride and pkgPath/pk g variables as-is, and wrap the
code that uses await (the file read and any subsequent await calls that
reference nodeVersion/node parsing) in "(async () => { ... })().catch(err => {
console.error(err); process.exit(1); });" so the script runs in CommonJS without
top-level await.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 67905679-b46a-4e1f-bc54-c01014bba1b5

📥 Commits

Reviewing files that changed from the base of the PR and between 011880f and 77e7bf7.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (4)

• .github/actions/node/action.yaml
• .github/workflows/release-preview.yaml
• .github/workflows/release.yaml
• pnpm-workspace.yaml

💤 Files with no reviewable changes (2)

• .github/workflows/release.yaml
• .github/workflows/release-preview.yaml

✅ Files skipped from review due to trivial changes (1)

• pnpm-workspace.yaml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.39%. Comparing base (6f43c77) to head (a6057e2).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2818       +/-   ##
===========================================
- Coverage   65.92%   47.39%   -18.54%     
===========================================
  Files         254     1104      +850     
  Lines       26527   149552   +123025     
  Branches        0    10246    +10246     
===========================================
+ Hits        17489    70875    +53386     
- Misses       7639    76861    +69222     
- Partials     1399     1816      +417     

see 861 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}