
Fix dependabot CI; bump actions and safe deps #96

Merged: hasparus merged 8 commits into main from chore/ci-fix-and-deps on Jun 12, 2026

Conversation

hasparus (Owner) commented Jun 11, 2026

Dependabot PRs all fail CI because dependabot-triggered runs can't read repo secrets, so the build dies on "OG_IMAGE_SECRET is missing" (and the case(...) expression in the Build env isn't a valid Actions function).

Deliberately NOT taken (majors needing migration): shiki/twoslash 4 (#87 #94), @astrojs/solid-js 6 (#93), @types/react 19 (#88; React is 18 here). #90 (@playwright/test 1.59) is obsolete — main is already on 1.60.

Verified locally: pnpm typecheck and pnpm build green with the bumps.

Summary by CodeRabbit

  • Chores
    • Updated font packages for more consistent text rendering across the app.
    • Upgraded development tooling (type definitions and formatters) for improved stability.
    • Modernized CI workflows and pinned action revisions to make builds and artifact uploads more reliable and resilient.
  • Tests
    • Improved visual-regression setup to produce more stable, consistent screenshots and catch visual issues more reliably.

- OG_IMAGE_SECRET falls back to a placeholder for fork PRs and dependabot
  runs, which cannot read repo secrets (replaces invalid case() expression)
- actions: checkout v6, setup-node v6, pnpm/action-setup v6,
  upload-artifact v7, EndBug/add-and-commit v10
- deps: @types/node 25.6.0, prettier ^3.8.3,
  prettier-plugin-tailwindcss ^0.8.0, fontsource fonts ^5.2.8

Covers dependabot PRs #80-#86, #89, #91, #92. Verified locally:
typecheck + build green.
coderabbitai (Bot) commented Jun 11, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Pins several GitHub Actions to fixed revisions, changes OG_IMAGE_SECRET to use a conditional placeholder for fork PRs and Dependabot runs, updates Playwright screenshot stabilization helper, and bumps font and dev-tool dependency versions in package.json.

Changes

Maintenance: CI workflow and dependency updates

Layer (File(s)): Summary

  • CI action revisions pinned (.github/workflows/ci.yml): Pinned actions/checkout, pnpm/action-setup, and actions/setup-node to explicit revisions in the build-and-deploy job; updated Playwright test command to run visual-regression --update-snapshots, added artifact upload for regenerated snapshots, and pinned Playwright/Upload and deployment actions to immutable revisions.
  • OG_IMAGE_SECRET conditional handling (.github/workflows/ci.yml): Changed OG_IMAGE_SECRET usage so the workflow supplies 'placeholder' when the run is from a fork PR or dependabot[bot], otherwise it uses secrets.OG_IMAGE_SECRET; applied the same conditional to the EndBug/add-and-commit step and build environment.
  • Package dependency bumps (package.json): Updated @fontsource-variable/brygada-1918 and @fontsource-variable/inter to ^5.2.8; updated devDependencies including @types/node, prettier, and prettier-plugin-tailwindcss.
  • Playwright visual-regression stabilization (e2e/visual-regression.spec.ts): Replaced ensureFontsLoaded with ensurePageStable(page), which scrolls the page, waits for networkidle, awaits document.fonts.ready and explicitly loads fonts, ensures images are decoded/complete, performs extra animation-frame waits, and uses a short final delay to stabilize screenshots.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through CI to pin each tiny action,
Fonts stretched their paws and settled in position,
Secrets wear placeholders when forks come to play,
Snapshots refreshed, then kept their calm all day,
A bunny's nod to builds that pass our way.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • Accessible E2e Tests: ❌ Error. Explanation: e2e/site.spec.ts selects by CSS classes via page.locator('pre.astro-code') and page.locator("pre.astro-code span[style*='color']"). Resolution: Update e2e/site.spec.ts to avoid class-based CSS locators; use accessible selectors like getByRole/getByText (or other semantic attributes) instead of pre.astro-code-based queries.

✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: fixing dependabot CI issues and bumping GitHub Actions and safe dependencies, which aligns with the substantial changes across CI configuration, package versions, and visual regression tests.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai (Bot) left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
package.json (1)

61-61: Align @types/node with engines.node (or document why).

package.json sets engines.node to >=22 but devDependencies.@types/node is 25.6.0 (line 61 vs line 8). Neither tsconfig.json nor api/tsconfig.json overrides compilerOptions.types, so this newer type surface is used by tsc. Current usage imports Node built-ins (node:fs/promises, node:crypto, node:child_process, etc.) and uses Buffer, with no obvious Node-25-only APIs in the codebase; the main risk is future type/runtime drift. Pin @types/node to the 22.x major (or add a short rationale + guardrail if intentionally targeting a newer type surface).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 61, package.json currently lists "engines.node": ">=22"
but devDependencies["`@types/node`"] is set to "25.6.0", causing TypeScript to
compile against Node 25 types; update devDependencies["`@types/node`"] to a 22.x
major (e.g., "^22.0.0") to match engines.node, or if you intentionally want
newer type surface, add a short rationale in package.json or README and add an
explicit override in tsconfig.json (compilerOptions.types or typeRoots) to guard
the repository; make the change by editing the package.json entry for
"`@types/node`" and, if keeping 25.x, add the rationale and a tsconfig override
referencing the desired types.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 60-61: Remove the unconditional fallback for OG_IMAGE_SECRET and
require the real secret for protected runs; set OG_IMAGE_SECRET to the secret by
default (OG_IMAGE_SECRET: ${{ secrets.OG_IMAGE_SECRET }}) and only inject the
'placeholder' fallback when the run is a fork/Dependabot PR (detect via
github.event.pull_request.head.repo.fork == true or github.actor ==
'dependabot[bot]') so push/workflow_dispatch and trusted PRs fail fast if the
secret is missing.
- Around line 22-30: Replace mutable major-version refs with immutable
full-length commit SHAs for all GitHub Actions usages to satisfy security
hardening: locate each `uses:` entry for actions/checkout, pnpm/action-setup,
actions/setup-node, EndBug/add-and-commit, actions/upload-artifact,
chrnorm/deployment-action, and treosh/lighthouse-ci-action in the workflow and
change the tag (e.g., `@v6`, `@v10`, `@v7`, `@v2`, `@v12`) to the corresponding full
commit SHA for the exact release you want to pin; ensure every occurrence
(including the other actions/checkout instances) is updated and commit the
updated ci.yml so the workflow references immutable action SHAs.
- Around line 22-26: The workflow currently uses actions/checkout@v6 without
persist-credentials:false which leaves GITHUB_TOKEN/git creds available to later
steps; update the two actions/checkout@v6 steps (the one at the top of the
workflow and the one near line ~135) to set persist-credentials: false for the
install/build/test steps in the build-and-deploy job, and ensure
EndBug/add-and-commit@v10 still has credentials by either creating a separate
job that grants write permissions or performing a second checkout just before
the lockfile commit with persist-credentials: true; target the
actions/checkout@v6 steps and the build-and-deploy job and
EndBug/add-and-commit@v10 step when making these changes.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b4148089-ce5d-4cd6-8e02-bbf8d3451942

📥 Commits

Reviewing files that changed from the base of the PR and between 31f92de and d94c6ea.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • package.json


coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 43-50: The YAML step using EndBug/add-and-commit@... has an
invalid inline flow mapping in the with: block; replace the curly-braced flow
mapping with standard YAML block mapping by removing the surrounding { } and
placing each key (add, fetch, github_token, message) as its own indented key:
value pair under with: so the action's with: uses proper block notation.
- Around line 22-27: The CI checkout currently sets persist-credentials: false
which removes git push credentials and breaks the subsequent
EndBug/add-and-commit step; update the actions/checkout step (the use of
actions/checkout@...) to only disable persist-credentials for non-dependabot
runs by making persist-credentials conditional (e.g., tied to an IS_DEPENDABOT
env flag) or alternatively set up git auth immediately before the
EndBug/add-and-commit step so that the EndBug/add-and-commit action has push
credentials available when creating the pnpm-lock.yaml commit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ba5d9389-e8a8-4763-bf8c-fe721c882dd8

📥 Commits

Reviewing files that changed from the base of the PR and between d94c6ea and 6f1460a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • package.json

Comment thread on .github/workflows/ci.yml, lines 22 to 27:

uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
with:
  fetch-depth: 0
  persist-credentials: false
  # Empty on push/workflow_dispatch — falls back to default ref
  ref: "${{ github.event.pull_request.merge_commit_sha }}"

coderabbitai (Bot) commented Jun 11, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check EndBug/add-and-commit documentation on credential requirements

rg -n "EndBug/add-and-commit|persist-credentials" .github/workflows/ci.yml

Repository: hasparus/zaduma

Length of output: 220

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant workflow sections around checkout + EndBug/add-and-commit
sed -n '1,120p' .github/workflows/ci.yml | cat -n

# Show the second checkout region around persist-credentials: false at ~141
sed -n '120,200p' .github/workflows/ci.yml | cat -n

Repository: hasparus/zaduma

Length of output: 7465

🌐 Web query:

EndBug/add-and-commit github_token authentication push persist-credentials

💡 Result:

The EndBug/add-and-commit GitHub Action does not use the github_token input to authenticate push operations [1][2]. Instead, it relies on the credentials already configured in the local git repository [1][3]. By default, this configuration is handled by the actions/checkout step [1][4]. If you disable credential persistence using persist-credentials: false in actions/checkout, the add-and-commit action will fail with a "fatal: could not read Username" error because the repository lacks the necessary authentication for git operations [5][6][7]. To resolve this when you must use persist-credentials: false, you must manually configure the git credentials before running add-and-commit [5][7]. Common approaches include: 1. Providing a token to actions/checkout instead of disabling persistence: You can use a Personal Access Token (PAT) in the token input of actions/checkout. This ensures the repository is correctly authenticated for both checkout and subsequent push operations while allowing you to control permissions [1][8][2]. 2. Manually configuring git credentials: If you must set persist-credentials: false, you can manually run git configuration commands in a preceding step to set up authentication (e.g., configuring the credential helper or using a PAT in the remote URL) [5][7]. Note that the github_token input for add-and-commit is exclusively used for accessing the GitHub API (e.g., to fetch user information for commit attribution) and does not affect the git authentication used for pushing [1][2][3]. If your goal is to trigger CI workflows with the commits made by this action, ensure you are using a PAT in your actions/checkout step, as the default GITHUB_TOKEN is intentionally restricted to prevent recursive workflow loops [1][8][4].


Fix dependabot lockfile push: persist-credentials: false breaks EndBug/add-and-commit.

actions/checkout sets persist-credentials: false (line 25), so the repo has no git credentials for subsequent pushes. The Commit lockfile step (EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321) only provides github_token for GitHub API/attribution, not git push auth, so it can fail when trying to push the updated pnpm-lock.yaml.

Set checkout credentials only for dependabot (or configure git auth right before the EndBug/add-and-commit step), e.g.:

- name: Checkout
  uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  with:
    fetch-depth: 0
    persist-credentials: ${{ env.IS_DEPENDABOT == 1 }}
    ref: "${{ github.event.pull_request.merge_commit_sha }}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 22 - 27, The CI checkout currently
sets persist-credentials: false which removes git push credentials and breaks
the subsequent EndBug/add-and-commit step; update the actions/checkout step (the
use of actions/checkout@...) to only disable persist-credentials for
non-dependabot runs by making persist-credentials conditional (e.g., tied to an
IS_DEPENDABOT env flag) or alternatively set up git auth immediately before the
EndBug/add-and-commit step so that the EndBug/add-and-commit action has push
credentials available when creating the pnpm-lock.yaml commit.

hasparus (Owner, Author) commented

add-and-commit v10 does accept a github_token input (verified in its action.yml) and uses it to push, so the lockfile push works with persist-credentials: false. Keeping both.

coderabbitai (Bot) commented

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify EndBug/add-and-commit v10 action.yml to check github_token push behavior
curl -s "https://raw.githubusercontent.com/EndBug/add-and-commit/v10/action.yml" | grep -A5 -i "github_token\|push\|credential\|token"

Length of output: 1288

@hasparus, the action.yml for v10 actually contradicts that — it explicitly says github_token is not used for commits/pushes:

github_token:
  description: The token used to make requests to the GitHub API. It's NOT used to make commits and should not be changed.
  required: false
  default: ${{ github.token }}

So push auth still relies on the credentials persisted by actions/checkout, and setting persist-credentials: false will break the lockfile commit step. The original concern stands — the dependabot lockfile push will fail with a "could not read Username" error.

The conditional approach from the suggestion would fix this:

persist-credentials: ${{ github.actor == 'dependabot[bot]' }}

Or alternatively, drop the persist-credentials: false line (accepting slightly reduced security for pushes from GITHUB_TOKEN, which is already scoped to the repo).
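The two fixes this thread converges on, written out as one added illustrative workflow fragment (not the repository's ci.yml and not code from the PR): the conditional OG_IMAGE_SECRET expression that replaces the invalid case(...) call, and persist-credentials enabled only for the dependabot run that pushes the lockfile. The job name, step layout, permissions block, trigger list and commit message are assumptions; the two action SHAs are the ones quoted in the thread.

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    permissions:
      # Assumed: the dependabot lockfile push below needs write access;
      # dependabot-triggered runs get a read-only GITHUB_TOKEN unless raised here.
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          fetch-depth: 0
          # Keep the token out of .git/config except on dependabot runs, the only
          # runs that push (EndBug/add-and-commit relies on persisted credentials).
          persist-credentials: ${{ github.actor == 'dependabot[bot]' }}
          # Empty on push/workflow_dispatch, so checkout falls back to the default ref
          ref: "${{ github.event.pull_request.merge_commit_sha }}"

      - name: Build
        env:
          # Valid expression form of the fallback (the Actions expression language has
          # no case() function). Fork PRs and dependabot runs cannot read repo secrets,
          # so they get 'placeholder'; every other run gets the real secret, and the
          # build's own "OG_IMAGE_SECRET is missing" check still fails fast if it is unset.
          OG_IMAGE_SECRET: ${{ (github.event.pull_request.head.repo.fork == true || github.actor == 'dependabot[bot]') && 'placeholder' || secrets.OG_IMAGE_SECRET }}
        run: pnpm build

      - name: Commit lockfile
        # Only dependabot runs regenerate pnpm-lock.yaml, and only they have credentials
        if: github.actor == 'dependabot[bot]'
        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321
        with:
          add: pnpm-lock.yaml
          message: "chore: update pnpm-lock.yaml"
```

On a push event github.event.pull_request is null, which the expression language resolves to null rather than an error, so the fork check is safe to evaluate on every trigger.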
