shpitdev · anand-testcompare · May 21, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,4 @@
+self-hosted-runner:
+  labels:
+    - depot-ubuntu-24.04
+    - depot-ubuntu-24.04-4
diff --git a/.github/workflows/cd-release.yml b/.github/workflows/cd-release.yml
@@ -18,14 +18,14 @@ concurrency:
 
 jobs:
   release:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     # Skip if commit message contains [skip-release] or is a version bump commit
     if: |
       !contains(github.event.head_commit.message, '[skip-release]') &&
       !contains(github.event.head_commit.message, 'chore: bump version')
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
@@ -191,7 +191,7 @@ jobs:
             exit 0
           fi
 
-          if printf '%s' "$MERGE_OUTPUT" | grep -q "in clean status"; then
+          if printf '%s' "$MERGE_OUTPUT" | grep -Eq "in clean status|Auto merge is not allowed"; then
             echo "Auto-merge not applicable, merging immediately."
             gh pr merge "$PR_URL" \
               --repo "$GITHUB_REPOSITORY" \

diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -27,13 +27,19 @@ jobs:
   convex-tests:
     if: |
       (github.event_name != 'pull_request' || (
+        github.event.pull_request.head.repo.full_name == github.repository &&
+        (
+          github.event.pull_request.author_association == 'OWNER' ||
+          github.event.pull_request.author_association == 'MEMBER' ||
+          github.event.pull_request.author_association == 'COLLABORATOR'
+        ) &&
         !startsWith(github.event.pull_request.title, 'chore: bump version') &&
         !startsWith(github.event.pull_request.head.ref, 'chore/bump-version')
       )) &&
       (github.event_name != 'push' || (
         !contains(github.event.head_commit.message, 'chore: bump version')
       ))
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    runs-on: depot-ubuntu-24.04-4
     env:
       AI_GATEWAY_API_KEY: ${{ secrets.AI_GATEWAY_API_KEY }}
       OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
@@ -42,7 +48,7 @@ jobs:
       BROWSERBASE_PROJECT_ID: ${{ secrets.BROWSERBASE_PROJECT_ID }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -86,7 +92,7 @@ jobs:
 
       - name: Upload test artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ env.BACKEND_ARTIFACT_NAME }}
           path: packages/backend/test-results

diff --git a/.github/workflows/e2e-api.yml b/.github/workflows/e2e-api.yml
@@ -18,22 +18,22 @@ jobs:
       (startsWith(github.event.deployment_status.environment_url, 'https://') ||
        startsWith(github.event.deployment_status.environment_url, 'http://')) &&
       (github.event.deployment.environment == 'Preview' || github.event.deployment.environment == 'preview')
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: depot-ubuntu-24.04
     timeout-minutes: 20
     steps:
-      - name: Check for doc-only changes
+      - name: Check preview test policy
         id: doc_check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const { owner, repo } = context.repo;
             const sha =
               context.payload.deployment?.sha ??
               context.payload.deployment_status?.deployment?.sha;
             if (!sha) {
-              core.warning("No deployment SHA found; running tests.");
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                "No deployment SHA found; cannot evaluate E2E API policy."
+              );
             }
             let prs = [];
             try {
@@ -42,20 +42,32 @@ jobs:
                   owner,
                   repo,
                   commit_sha: sha,
-                });
+              });
               prs = response.data ?? [];
             } catch (error) {
-              core.warning(`Failed to resolve PR for ${sha}: ${error.message}`);
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                `Failed to resolve PR for ${sha}: ${error.message}`
+              );
             }
             if (!prs.length) {
-              core.notice(`No PR found for ${sha}; running tests.`);
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                `No PR found for ${sha}; cannot evaluate E2E API policy.`
+              );
             }
             const pr = prs[0];
             const prNumber = pr.number;
+            const sameRepo = pr.head?.repo?.full_name === `${owner}/${repo}`;
+            const trustedAssociation = ["OWNER", "MEMBER", "COLLABORATOR"].includes(
+              pr.author_association
+            );
+            const isDependabot = pr.user?.login === "dependabot[bot]";
+            if (!sameRepo || !trustedAssociation || isDependabot) {
+              core.notice(
+                `PR #${prNumber} is not trusted for preview E2E; skipping API tests.`
+              );
+              core.setOutput("run_tests", "false");
+              return;
+            }
             const isBumpPr =
               pr.title?.startsWith("chore: bump version") ||
               pr.head?.ref?.startsWith("chore/bump-version");
@@ -84,7 +96,7 @@ jobs:
 
       - name: Checkout
         if: steps.doc_check.outputs.run_tests == 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         if: steps.doc_check.outputs.run_tests == 'true'
@@ -209,7 +221,7 @@ jobs:
 
       - name: Upload API test artifacts
         if: always() && steps.doc_check.outputs.run_tests == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: api-test-results-${{ github.run_id }}
           path: tests/api/results

diff --git a/.github/workflows/e2e-web.yml b/.github/workflows/e2e-web.yml
@@ -18,22 +18,22 @@ jobs:
       (startsWith(github.event.deployment_status.environment_url, 'https://') ||
        startsWith(github.event.deployment_status.environment_url, 'http://')) &&
       (github.event.deployment.environment == 'Preview' || github.event.deployment.environment == 'preview')
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: depot-ubuntu-24.04
     timeout-minutes: 35
     steps:
-      - name: Check for doc-only changes
+      - name: Check preview test policy
         id: doc_check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const { owner, repo } = context.repo;
             const sha =
               context.payload.deployment?.sha ??
               context.payload.deployment_status?.deployment?.sha;
             if (!sha) {
-              core.warning("No deployment SHA found; running tests.");
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                "No deployment SHA found; cannot evaluate E2E web policy."
+              );
             }
             let prs = [];
             try {
@@ -42,20 +42,32 @@ jobs:
                   owner,
                   repo,
                   commit_sha: sha,
-                });
+              });
               prs = response.data ?? [];
             } catch (error) {
-              core.warning(`Failed to resolve PR for ${sha}: ${error.message}`);
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                `Failed to resolve PR for ${sha}: ${error.message}`
+              );
             }
             if (!prs.length) {
-              core.notice(`No PR found for ${sha}; running tests.`);
-              core.setOutput("run_tests", "true");
-              return;
+              throw new Error(
+                `No PR found for ${sha}; cannot evaluate E2E web policy.`
+              );
             }
             const pr = prs[0];
             const prNumber = pr.number;
+            const sameRepo = pr.head?.repo?.full_name === `${owner}/${repo}`;
+            const trustedAssociation = ["OWNER", "MEMBER", "COLLABORATOR"].includes(
+              pr.author_association
+            );
+            const isDependabot = pr.user?.login === "dependabot[bot]";
+            if (!sameRepo || !trustedAssociation || isDependabot) {
+              core.notice(
+                `PR #${prNumber} is not trusted for preview E2E; skipping web tests.`
+              );
+              core.setOutput("run_tests", "false");
+              return;
+            }
             const isBumpPr =
               pr.title?.startsWith("chore: bump version") ||
               pr.head?.ref?.startsWith("chore/bump-version");
@@ -84,7 +96,7 @@ jobs:
 
       - name: Checkout
         if: steps.doc_check.outputs.run_tests == 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Bun
         if: steps.doc_check.outputs.run_tests == 'true'
@@ -235,7 +247,7 @@ jobs:
 
       - name: Comment Browserbase replay links on PR
         if: always() && steps.doc_check.outputs.run_tests == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const fs = require("fs");
@@ -361,7 +373,7 @@ jobs:
 
       - name: Upload E2E artifacts
         if: always() && steps.doc_check.outputs.run_tests == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: e2e-artifacts-${{ github.run_id }}
           path: tests/e2e/artifacts

diff --git a/.github/workflows/opencode-excalidraw-build.yml b/.github/workflows/opencode-excalidraw-build.yml
@@ -14,10 +14,10 @@ permissions:
 
 jobs:
   build:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: depot-ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Tooling
         uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd
@@ -34,7 +34,7 @@ jobs:
           mise run -C packages/opencode-excalidraw build
 
       - name: Upload dist artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: opencode-excalidraw-dist
           if-no-files-found: error

diff --git a/.github/workflows/opencode-excalidraw-bundle.yml b/.github/workflows/opencode-excalidraw-bundle.yml
@@ -8,10 +8,10 @@ permissions:
 
 jobs:
   bundle:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: depot-ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Tooling
         uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd
@@ -38,7 +38,7 @@ jobs:
           tar -czf opencode-excalidraw-bundle.tgz -C bundle .
 
       - name: Upload bundle
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: opencode-excalidraw-bundle
           if-no-files-found: error

diff --git a/.github/workflows/opencode-excalidraw-pr.yml b/.github/workflows/opencode-excalidraw-pr.yml
@@ -17,12 +17,21 @@ permissions:
 
 jobs:
   opencode-excalidraw:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    if: |
+      github.event_name != 'pull_request' || (
+        github.event.pull_request.head.repo.full_name == github.repository &&
+        (
+          github.event.pull_request.author_association == 'OWNER' ||
+          github.event.pull_request.author_association == 'MEMBER' ||
+          github.event.pull_request.author_association == 'COLLABORATOR'
+        )
+      )
+    runs-on: depot-ubuntu-24.04
     env:
       PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 

diff --git a/.github/workflows/opencode-excalidraw-publish.yml b/.github/workflows/opencode-excalidraw-publish.yml
@@ -22,7 +22,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/opencode-excalidraw-release.yml b/.github/workflows/opencode-excalidraw-release.yml
@@ -19,11 +19,11 @@ permissions:
 
 jobs:
   process:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     outputs:
       releases_created: ${{ steps.release_please.outputs.releases_created }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -37,7 +37,7 @@ jobs:
 
   dispatch-publish:
     needs: process
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     if: needs.process.result == 'success'
     steps:
       - name: Dispatch publish for releases

diff --git a/.vercelignore b/.vercelignore
@@ -1,4 +1,3 @@
-.git
 .github
 .memory
 .turbo

diff --git a/apps/web/vercel.json b/apps/web/vercel.json
@@ -2,5 +2,5 @@
   "$schema": "https://openapi.vercel.sh/vercel.json",
   "bunVersion": "1.x",
   "ignoreCommand": "bash ../../scripts/vercel-ignore-web-build.sh",
-  "buildCommand": "cd ../../packages/backend && npx convex deploy --cmd 'cd ../../apps/web && bun run --bun turbo run build' --cmd-url-env-var-name NEXT_PUBLIC_CONVEX_URL"
+  "buildCommand": "cd ../.. && bash scripts/prepare-convex-workos-auth.sh && cd packages/backend && npx convex deploy --cmd 'cd ../../apps/web && bun run --bun turbo run build' --cmd-url-env-var-name NEXT_PUBLIC_CONVEX_URL"
 }
-Original file line number
+Diff line change
@@ -1,4 +1,3 @@
-    .git
     .github
     .memory
     .turbo
@@ Expand Down @@