ci: migrate GitHub Actions workflows to Vite+ (vp)

[toddeTV]

Summary by CodeRabbit

• Chores
  • Renamed Cloudflare deployment workflow and improved per-branch concurrency while preserving cancel-in-progress behavior.
  • Migrated build and test orchestration to Vite-aligned tooling and a new installer (uses Node 24).
  • Pinned CI actions and runner setup to fixed revisions for more reproducible workflows.
  • No user-facing functionality changes.

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrate two GitHub Actions workflows from pnpm/setup-node to voidzero VP tooling: Cloudflare deploy now uses setup-vp + VP CLI with a ref-scoped concurrency group; validation-and-tests pins actions and runs checks via vp run after vp install.

Changes

Workflow migration to voidzero VP tooling

Layer / File(s)	Summary
Cloudflare deployment workflow migration .github/workflows/cloudflare-deploy.yml	Workflow name changed to "Cloudflare Build & Deploy"; concurrency.group switched to cloudflare-pages-${{ github.ref }}; deploy job updated to use pinned actions/checkout, voidzero-dev/setup-vp (pinned) with Node 24, vp install, vp run build:ssg, and pinned cloudflare/wrangler-action commit.
Validation and tests workflow migration .github/workflows/validation-and-tests.yml	validate-pr action pinned to a commit SHA; run-checks matrix commands changed from pnpm test:lint|test:redirects|test:types to vp run test:lint|test:redirects|test:types; job setup replaced with pinned actions/checkout and voidzero-dev/setup-vp (pinned) plus vp install --frozen-lockfile --prefer-offline; Run Check still runs matrix.command.

Sequence Diagram(s)

sequenceDiagram
  participant PR as Pull Request
  participant GH as GitHub Actions
  participant Checkout as actions/checkout
  participant SetupVP as voidzero-dev/setup-vp
  participant VP as VP_CLI
  participant Cloudflare as CloudflarePages

  PR->>GH: trigger workflow
  GH->>Checkout: checkout@<pinned-commit>
  GH->>SetupVP: setup-vp@<pinned-commit> (node:24)
  GH->>VP: vp install --frozen-lockfile --prefer-offline
  GH->>VP: vp run build:ssg
  VP->>Cloudflare: deploy artifacts via wrangler-action (pinned)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• toddeTV/todde.tv#5: Related migration of run-checks to use vp run and setup-vp instead of pnpm.
• toddeTV/todde.tv#39: Also modifies validation-and-tests workflow around redirect checks and CI test matrix.
• toddeTV/todde.tv#26: Previous Cloudflare Pages workflow changes and Node-related CI tweaks.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title clearly and concisely describes the main change: migrating GitHub Actions workflows from pnpm to Vite+ (vp), which aligns with the modifications to both workflow files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cloudflare-deploy.yml:
- Around line 29-30: The workflow uses the mutable action reference
"voidzero-dev/setup-vp@v1" in the "Setup Vite+" step; replace that tag with a
pinned full commit SHA for the voidzero-dev/setup-vp action (e.g.,
voidzero-dev/setup-vp@<full-commit-sha>) so the step named "Setup Vite+"
references an immutable commit SHA instead of the `@v1` tag.
- Around line 37-38: The CI step uses the command "vp install" which allows
lockfile drift; change that command to "vp install --frozen-lockfile" to enforce
deterministic installs during the Cloudflare deploy workflow so the exact
versions from the lockfile are used; update the job step that currently runs "vp
install" to include the "--frozen-lockfile" flag and verify the workflow still
runs successfully in CI.

In @.github/workflows/validation-and-tests.yml:
- Around line 47-48: Replace the mutable tag for the GitHub Action used in the
workflow (the line that currently reads "uses: voidzero-dev/setup-vp@v1") with a
pinned full commit SHA; update the "uses" reference to
"voidzero-dev/setup-vp@<full-commit-sha>" (use the repository’s commit SHA you
want to pin) so the action is immutable and supply-chain safe, and commit that
change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4e3a5666-1cec-4dfb-b855-98242552557b

📥 Commits

Reviewing files that changed from the base of the PR and between 4e92d3e and 1a1df9e.

📒 Files selected for processing (2)

• .github/workflows/cloudflare-deploy.yml
• .github/workflows/validation-and-tests.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/validation-and-tests.yml (1)

21-21: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin remaining GitHub Actions to immutable SHAs.

Lines 21 and 44 reference mutable tags (@v6). Pin both to full commit SHAs:

Suggested changes

-      - uses: amannn/action-semantic-pull-request@v6
+      - uses: amannn/action-semantic-pull-request@<FULL_40_CHAR_COMMIT_SHA>

-        uses: actions/checkout@v6
+        uses: actions/checkout@<FULL_40_CHAR_COMMIT_SHA>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/validation-and-tests.yml at line 21, The workflow is using
mutable action tags (amannn/action-semantic-pull-request@v6) which should be
pinned to immutable commit SHAs; update both occurrences that reference `@v6` (the
one shown as "amannn/action-semantic-pull-request@v6" and the other occurrence
at the second `@v6` usage) to the corresponding full commit SHA for that action so
the workflow is pinned to a specific commit instead of a moving tag.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cloudflare-deploy.yml:
- Around line 27-28: The checkout step named "Checkout the Codebase" is using
the mutable action reference actions/checkout@v6 and lacks the
persist-credentials setting; change the uses value to the action's full commit
SHA (pin to an immutable SHA) and add persist-credentials: false under that step
to disable credential persistence and harden the workflow.

---

Outside diff comments:
In @.github/workflows/validation-and-tests.yml:
- Line 21: The workflow is using mutable action tags
(amannn/action-semantic-pull-request@v6) which should be pinned to immutable
commit SHAs; update both occurrences that reference `@v6` (the one shown as
"amannn/action-semantic-pull-request@v6" and the other occurrence at the second
`@v6` usage) to the corresponding full commit SHA for that action so the workflow
is pinned to a specific commit instead of a moving tag.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3943f973-1326-4275-96c9-c204ee3ad3c7

📥 Commits

Reviewing files that changed from the base of the PR and between 1a1df9e and 0f714cd.

📒 Files selected for processing (2)

• .github/workflows/cloudflare-deploy.yml
• .github/workflows/validation-and-tests.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/cloudflare-deploy.yml (1)

56-61: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin cloudflare/wrangler-action to a full commit SHA for consistency.

In .github/workflows/cloudflare-deploy.yml (lines 56-61), actions/checkout and voidzero-dev/setup-vp are pinned to commit SHAs, but cloudflare/wrangler-action@v3 is a mutable tag. The v3 tag resolves to 9acf94ace14e7dc412b076f2c5c20b8ce93c79cd, so pin to that SHA:

      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@9acf94ace14e7dc412b076f2c5c20b8ce93c79cd
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy .output/public --project-name=todde-tv

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cloudflare-deploy.yml around lines 56 - 61, Replace the
mutable tag cloudflare/wrangler-action@v3 in the Deploy to Cloudflare Pages step
with the resolved commit SHA to ensure reproducible builds; update the uses
entry for cloudflare/wrangler-action to use the commit SHA
9acf94ace14e7dc412b076f2c5c20b8ce93c79cd while leaving the with block (apiToken,
accountId, command) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/cloudflare-deploy.yml:
- Around line 56-61: Replace the mutable tag cloudflare/wrangler-action@v3 in
the Deploy to Cloudflare Pages step with the resolved commit SHA to ensure
reproducible builds; update the uses entry for cloudflare/wrangler-action to use
the commit SHA 9acf94ace14e7dc412b076f2c5c20b8ce93c79cd while leaving the with
block (apiToken, accountId, command) unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 0d245363-0ae6-47d2-be7d-207b6edf9355

📥 Commits

Reviewing files that changed from the base of the PR and between 0f714cd and 1a0bdf9.

📒 Files selected for processing (2)

• .github/workflows/cloudflare-deploy.yml
• .github/workflows/validation-and-tests.yml