chore: more CI improvements

[imeyer]

What does this PR do?

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps use understand why this PR exists

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• Chores
  • Simplified and modularized CI workflows by replacing a combined install step with dedicated setup steps for Node.js, Go, and Wrangler environments.
  • Improved caching and dependency management for faster and more reliable builds.
  • Enhanced change detection in workflows, enabling more granular and efficient job execution.
  • Cleaned up redundant or obsolete workflow files and steps for better maintainability.
  • Added health checks to key services in the development environment for improved reliability.
  • Updated workflow schedules and formatting for better readability and maintainability.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 281ab84

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This change removes the monolithic .github/actions/install composite GitHub Action and replaces it with several specialized actions for setting up Go, Node.js, and Wrangler independently. All affected workflow files are updated to use these new modular actions, with workflow steps reorganized for clarity and explicit dependency setup. The workflows for change detection are expanded and refined.

Changes

Cohort / File(s)	Change Summary
Remove Monolithic Install Action .github/actions/install/action.yaml	Deleted the composite action responsible for conditional Go and Node.js environment setup and dependency installation.
Add Modular Setup Actions .github/actions/setup-go/action.yaml, .github/actions/setup-node/action.yaml, .github/actions/setup-wrangler/action.yaml	Added new composite actions: one for Go setup, one for Node.js (with pnpm), and one for installing Wrangler CLI with caching. Each action accepts an optional GitHub token and focuses on a single environment/tool.
Workflow Refactoring: Replace Install Action .github/workflows/build.yaml, .github/workflows/check_quotas.yml, .github/workflows/job_test_api_canary.yaml, .github/workflows/job_test_api_staging.yaml, .github/workflows/job_test_unit.yaml	Replaced the "Install" step using the old action with new steps using the appropriate modular setup actions. Removed ts: true and go: true inputs as they are no longer needed.
Workflow Refactoring: Node + Wrangler Deployments .github/workflows/job_deploy_api_canary.yaml, .github/workflows/job_deploy_api_enterprise.yaml, .github/workflows/job_deploy_api_production.yaml, .github/workflows/job_deploy_api_staging.yaml, .github/workflows/job_deploy_logdrain_production.yaml, .github/workflows/job_deploy_workflows.yaml	Replaced the single install step with two distinct steps: one for Node.js setup and one for Wrangler CLI setup, each using the new modular actions. Removed ts: true input from Wrangler setup.
Workflow Refactoring: Node + Go Setup .github/workflows/release.yaml, .github/workflows/job_test_api_local.yaml	Split installation into explicit Node.js and Go setup steps using the new modular actions. Added Goose installation step where relevant.
Workflow Refactoring: Node Setup Only .github/workflows/job_test_api_canary.yaml, .github/workflows/job_test_api_staging.yaml, .github/workflows/job_test_unit.yaml	Updated to use only the Node.js setup action for relevant steps.
Workflow Refactoring: Go Setup Only .github/workflows/job_test_go_api_local.yaml	Replaced install with Go setup action and added explicit tparse installation step. Reduced job timeout.
Workflow Refactoring: pnpm and Go Setup for Autofix .github/workflows/autofix.ci.yaml	Replaced install step with explicit pnpm and Node.js setup, added Go setup, and improved caching.
Workflow Refactoring: Minimal Node Setup .github/workflows/deploy_trigger.yaml	Simplified by removing redundant checkout and custom install; now uses only official Node.js setup for pnpx.
Workflow Deletion: Change Detection .github/workflows/job_changes.yaml	Deleted the workflow for detecting changes in ClickHouse schema.
Workflow Rename and Expansion: Change Detection .github/workflows/deploy.yaml, .github/workflows/job_detect_changes.yaml	Renamed job from changes to detect_changes, updated workflow file reference, and greatly expanded the change detection logic to cover more paths and outputs.
Workflow Logic Update: PR Gating .github/workflows/pr.yaml	Updated job dependencies and gating logic to use new outputs from the expanded change detection workflow.
No Exported Entity Changes (all files)	No changes to exported/public programmatic entities; all changes are to CI/CD configuration.

Sequence Diagram(s)

sequenceDiagram
    participant Workflow
    participant Setup-Go
    participant Setup-Node
    participant Setup-Wrangler

    Workflow->>Setup-Go: Run Go setup (if needed)
    Workflow->>Setup-Node: Run Node.js setup (if needed)
    Workflow->>Setup-Wrangler: Install Wrangler CLI (if needed)
    Setup-Go->>Workflow: Go environment ready
    Setup-Node->>Workflow: Node.js environment ready
    Setup-Wrangler->>Workflow: Wrangler installed
    Workflow->>Workflow: Continue with build/test/deploy steps

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

Possibly related PRs

• ci: don't install Taskfile #3550: Removes the Taskfile installation step from the same install action that is deleted in this PR.
• fix: Uses GITHUB_TOKEN to authenticate the GH action to stop Ratelimits #3471: Adds github_token support to the same install action that is now removed and replaced by modular actions in this PR.
• feat: controlplane #3426: Introduces initial control plane POC with version creation and build/deploy workflows, related to infrastructure evolution.

Suggested labels

🕹️ oss.gg

Suggested reviewers

• chronark
• Flo4604
• perkinsjr

Note

🔌 MCP (Model Context Protocol) integration is now available in Early Access!

Pro users can now connect to remote MCP servers under the Integrations page to get reviews and chat conversations that understand additional development context.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73af859 and 281ab84.

📒 Files selected for processing (31)

• .github/actions/install/action.yaml (0 hunks)
• .github/actions/setup-go/action.yaml (1 hunks)
• .github/actions/setup-node/action.yaml (1 hunks)
• .github/actions/setup-wrangler/action.yaml (1 hunks)
• .github/workflows/agent_build_publish.yaml (0 hunks)
• .github/workflows/apply-issue-labels-to-pr.yml (0 hunks)
• .github/workflows/autofix.ci.yaml (1 hunks)
• .github/workflows/build.yaml (2 hunks)
• .github/workflows/check_quotas.yml (1 hunks)
• .github/workflows/deploy.yaml (2 hunks)
• .github/workflows/deploy_trigger.yaml (1 hunks)
• .github/workflows/ghcr_retention_policy.yaml (0 hunks)
• .github/workflows/job_build_agent_image.yaml (0 hunks)
• .github/workflows/job_changes.yaml (0 hunks)
• .github/workflows/job_deploy_api_canary.yaml (1 hunks)
• .github/workflows/job_deploy_api_enterprise.yaml (1 hunks)
• .github/workflows/job_deploy_api_production.yaml (1 hunks)
• .github/workflows/job_deploy_api_staging.yaml (1 hunks)
• .github/workflows/job_deploy_logdrain_production.yaml (1 hunks)
• .github/workflows/job_deploy_workflows.yaml (1 hunks)
• .github/workflows/job_detect_changes.yaml (1 hunks)
• .github/workflows/job_test_api_canary.yaml (1 hunks)
• .github/workflows/job_test_api_local.yaml (2 hunks)
• .github/workflows/job_test_api_staging.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (1 hunks)
• .github/workflows/job_test_unit.yaml (1 hunks)
• .github/workflows/pr.yaml (1 hunks)
• .github/workflows/release.yaml (1 hunks)
• .github/workflows/runbook-freshness-check.yaml (7 hunks)
• .github/workflows/semantic-pull-requests.yaml (0 hunks)
• deployment/docker-compose.yaml (3 hunks)

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch push-vmrpmnsturum

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
dashboard	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 8, 2025 4:15pm
engineering	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Aug 8, 2025 4:15pm

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[coderabbitai]

Actionable comments posted: 28

🔭 Outside diff range comments (1)

.github/workflows/job_detect_changes.yaml (1)

8-135: Remove trailing spaces to satisfy yamllint.

A dozen lines (e.g., Lines 9, 72, 81 …) end with stray spaces; CI will flag. No functional change—just trim.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 258772f and d70854e.

📒 Files selected for processing (24)

• .github/actions/install/action.yaml (0 hunks)
• .github/actions/setup-go/action.yaml (1 hunks)
• .github/actions/setup-node/action.yaml (1 hunks)
• .github/actions/setup-wrangler/action.yaml (1 hunks)
• .github/workflows/autofix.ci.yaml (1 hunks)
• .github/workflows/build.yaml (1 hunks)
• .github/workflows/check_quotas.yml (1 hunks)
• .github/workflows/deploy.yaml (1 hunks)
• .github/workflows/deploy_trigger.yaml (1 hunks)
• .github/workflows/job_changes.yaml (0 hunks)
• .github/workflows/job_deploy_api_canary.yaml (1 hunks)
• .github/workflows/job_deploy_api_enterprise.yaml (1 hunks)
• .github/workflows/job_deploy_api_production.yaml (1 hunks)
• .github/workflows/job_deploy_api_staging.yaml (1 hunks)
• .github/workflows/job_deploy_logdrain_production.yaml (1 hunks)
• .github/workflows/job_deploy_workflows.yaml (1 hunks)
• .github/workflows/job_detect_changes.yaml (2 hunks)
• .github/workflows/job_test_api_canary.yaml (1 hunks)
• .github/workflows/job_test_api_local.yaml (1 hunks)
• .github/workflows/job_test_api_staging.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (1 hunks)
• .github/workflows/job_test_unit.yaml (1 hunks)
• .github/workflows/pr.yaml (1 hunks)
• .github/workflows/release.yaml (1 hunks)

💤 Files with no reviewable changes (2)

• .github/workflows/job_changes.yaml
• .github/actions/install/action.yaml

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• .github/workflows/job_test_api_local.yaml
• .github/workflows/check_quotas.yml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/vitest.{unit,integration}.ts : Separate Vitest configs: vitest.unit.ts and vitest.integration.ts

Applied to files:

• .github/workflows/job_test_unit.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.test.{ts,tsx} : Use Vitest for unit and integration tests in TypeScript projects

Applied to files:

• .github/workflows/job_test_unit.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/workflows/job_test_unit.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : Use Biome for formatting and linting in TypeScript/JavaScript projects

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions. No additional configuration is needed for this automatic masking behavior.

Applied to files:

• .github/actions/setup-go/action.yaml
• .github/actions/setup-wrangler/action.yaml
• .github/workflows/deploy.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions.

Applied to files:

• .github/actions/setup-go/action.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/job_detect_changes.yaml

🪛 YAMLlint (1.37.1)

.github/workflows/release.yaml

[error] 26-26: trailing spaces

(trailing-spaces)

.github/workflows/job_test_go_api_local.yaml

[error] 19-19: trailing spaces

(trailing-spaces)

.github/workflows/job_deploy_workflows.yaml

[error] 21-21: trailing spaces

(trailing-spaces)

.github/workflows/job_deploy_api_canary.yaml

[error] 21-21: trailing spaces

(trailing-spaces)

.github/workflows/job_deploy_logdrain_production.yaml

[error] 22-22: trailing spaces

(trailing-spaces)

.github/workflows/autofix.ci.yaml

[error] 26-26: trailing spaces

(trailing-spaces)

---

[error] 32-32: trailing spaces

(trailing-spaces)

.github/actions/setup-go/action.yaml

[error] 11-11: trailing spaces

(trailing-spaces)

---

[error] 24-24: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/job_deploy_api_staging.yaml

[error] 21-21: trailing spaces

(trailing-spaces)

.github/actions/setup-node/action.yaml

[error] 11-11: trailing spaces

(trailing-spaces)

---

[error] 29-29: no new line character at the end of file

(new-line-at-end-of-file)

.github/actions/setup-wrangler/action.yaml

[error] 11-11: trailing spaces

(trailing-spaces)

---

[error] 27-27: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/job_detect_changes.yaml

[error] 9-9: trailing spaces

(trailing-spaces)

---

[error] 72-72: trailing spaces

(trailing-spaces)

---

[error] 81-81: trailing spaces

(trailing-spaces)

---

[error] 85-85: trailing spaces

(trailing-spaces)

---

[error] 91-91: trailing spaces

(trailing-spaces)

---

[error] 96-96: trailing spaces

(trailing-spaces)

---

[error] 100-100: trailing spaces

(trailing-spaces)

---

[error] 104-104: trailing spaces

(trailing-spaces)

---

[error] 108-108: trailing spaces

(trailing-spaces)

---

[error] 117-117: trailing spaces

(trailing-spaces)

---

[error] 122-122: trailing spaces

(trailing-spaces)

.github/workflows/job_deploy_api_production.yaml

[error] 22-22: trailing spaces

(trailing-spaces)

🔇 Additional comments (8)

.github/workflows/job_test_api_local.yaml (1)

18-20: Confirm container reuse is safe.

Dropping --force-recreate speeds things up but, on self-hosted runners, stale volumes or images could leak between runs. Double-check this job never runs on a persistent runner or add --renew-anon-volumes to stay safe.

.github/workflows/build.yaml (1)

18-21: Modularization LGTM

Switching to the local setup-node action improves clarity and reduces coupling. Nice.

.github/workflows/check_quotas.yml (1)

25-29: Setup-go composite action already pins Go version and caches modules

The .github/actions/setup-go/action.yaml composite action uses actions/setup-go@v5 with:

• go-version-file: ./go/go.mod
• cache-dependency-path: ./go/go.sum
• A go mod download step in working-directory: ./go

No additional changes are needed.

.github/workflows/job_test_go_api_local.yaml (1)

11-11: Confirm 15-minute timeout won’t flake under load

Tests previously had 60 minutes. On self-hosted runners, variance can be high; please verify typical/ P95 duration to ensure 15 minutes is safe.

If you have job duration metrics, validate P95 < 12 min with some headroom, else bump timeout.

.github/workflows/job_deploy_api_production.yaml (1)

18-26: No changes needed: setup-node already configures pnpm and installs dependencies; no trailing whitespace

• The custom .github/actions/setup-node action (action.yaml) uses pnpm/action-setup@v4, configures pnpm caching, and runs pnpm install --recursive, so pnpm is available and dependencies are installed.
• A scan of the workflow file shows no trailing spaces on line 22 (or elsewhere).

All checks pass—no edits required.

.github/workflows/release.yaml (1)

27-30: setup-go composite already scopes module downloads to ./go

The Download Go modules step in .github/actions/setup-go/action.yaml sets working-directory: ./go, so no additional adjustments are needed here.

.github/workflows/autofix.ci.yaml (1)

21-25: Verify Node 22 availability

Node 22 is currently in pre-release. Using a non-LTS major risks unexpected CI breakage when the image rotates.

Consider pinning to the latest LTS (--> 20) or referencing a .nvmrc / package.json engines field instead.

.github/workflows/pr.yaml (1)

20-24: Confirm dependencies output exists

The new condition relies on needs.detect_changes.outputs.dependencies. Ensure job_detect_changes.yaml actually sets outputs.dependencies to 'true'|'false'; otherwise this job will be skipped unintentionally.

[coderabbitai]

Actionable comments posted: 10

🔭 Outside diff range comments (1)

.github/workflows/runbook-freshness-check.yaml (1)

21-23: Cron comment contradicts actual schedule

Comment says “Run daily at 9 AM UTC”, but cron: '0 0 1 * *' runs once a month at 00:00 UTC on the 1st.
Align the comment or the cron expression to avoid confusion.

♻️ Duplicate comments (13)

.github/actions/setup-node/action.yaml (2)

4-8: Expose dedicated npm_token input and stop reusing GITHUB_TOKEN for npm auth

NPM auth usually requires a distinct token. Add npm_token input and use it for NPM_TOKEN, falling back to github_token if not provided.

 inputs:
   github_token:
     description: GitHub token for authentication
     required: false
+  npm_token:
+    description: Auth token for npm registry (optional)
+    required: false

@@
     - name: Install dependencies
       shell: bash
-      run: pnpm install --recursive
+      run: |
+        set -euo pipefail
+        pnpm install --recursive --frozen-lockfile
       env:
         GITHUB_TOKEN: ${{ inputs.github_token }}
-        NPM_TOKEN: ${{ inputs.github_token }}
+        NPM_TOKEN: ${{ inputs.npm_token != '' && inputs.npm_token || inputs.github_token }}

Also applies to: 25-30

---

11-11: Fix YAML lint errors: trailing spaces and EOF newline

Remove trailing spaces on Line 11 and ensure file ends with a single newline (yamllint).

   using: "composite"
-  
+
@@
-        NPM_TOKEN: ${{ inputs.github_token }}
+        NPM_TOKEN: ${{ inputs.github_token }}
+

Also applies to: 30-30

.github/workflows/release.yaml (1)

26-26: Remove trailing whitespace (yamllint)

There’s trailing space after the with block. Clean it up.

       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Setup Go

.github/workflows/job_deploy_api_staging.yaml (2)

21-21: Remove trailing whitespace (yamllint).

Blank line has trailing spaces; make it truly empty to keep CI lint green.

       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-      
+ 
       - name: Setup Wrangler

---

22-25: Pin Wrangler for deterministic deploys.

Unpinned CLIs cause surprise breakage. Pin to a known-good version.

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Fallback step if the composite lacks a version input:

- name: Pin Wrangler
  run: npm i -g wrangler@3.79.0

.github/workflows/job_deploy_api_canary.yaml (3)

17-21: Confirm Node pinning and pnpm guarantees in setup-node.

Dynamic Node (e.g., lts/*) can drift; ensure the composite uses a fixed version or node-version-file and that pnpm availability/caching is handled. Also confirm dependencies are installed before Build if the composite does not do it.

#!/bin/bash
set -euo pipefail

rg -n 'actions/setup-node' -A 3 -B 3 .github/actions/setup-node/action.yaml || true
rg -n 'node-version|node-version-file' .github/actions/setup-node/action.yaml || true
rg -n 'pnpm/action-setup|corepack' .github/actions/setup-node/action.yaml || true
rg -n 'pnpm install' .github/actions/setup-node/action.yaml || true

---

21-21: Remove trailing whitespace (yamllint).

Trim the trailing spaces on this blank line.

       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-      
+ 
       - name: Setup Wrangler

---

22-25: Pin Wrangler to avoid CI flakiness.

Lock to a specific version for reproducible deploys.

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Or add a separate pin step:

- name: Pin Wrangler
  run: npm i -g wrangler@3.79.0

.github/workflows/job_deploy_workflows.yaml (2)

21-21: Remove trailing whitespace (yamllint).

Trim the trailing spaces on this blank line.

       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-      
+ 
       - name: Setup Wrangler

---

22-25: Pin Wrangler for deterministic CI.

Lock the CLI to a specific version to avoid regressions.

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Or add a global install step pinned to that version.

.github/workflows/autofix.ci.yaml (1)

30-31: Include go.mod in Go cache key.

Only caching on go.sum misses cache busts triggered by go.mod changes.

-          cache-dependency-path: ./go/go.sum
+          cache-dependency-path: |
+            ./go/go.mod
+            ./go/go.sum

.github/workflows/job_deploy_logdrain_production.yaml (2)

23-26: Pin Wrangler to a known version for reproducible deploys.

Avoid surprises from upstream releases. Either pass a pinned version to the local action (if supported) or add an explicit install step.

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Alternative outside this step:

- name: Pin Wrangler
  run: npm i -g wrangler@3.79.0

---

22-22: Remove trailing whitespace (yamllint).

Blank line appears to contain spaces. Strip them to keep CI linters green.

#!/bin/bash
set -euo pipefail
file=".github/workflows/job_deploy_logdrain_production.yaml"
echo "Lines with trailing whitespace (if any):"
rg -n "[ \t]+$" "$file" || echo "None"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d70854e and 5251af8.

📒 Files selected for processing (13)

• .github/actions/setup-node/action.yaml (1 hunks)
• .github/workflows/autofix.ci.yaml (1 hunks)
• .github/workflows/job_deploy_api_canary.yaml (1 hunks)
• .github/workflows/job_deploy_api_production.yaml (1 hunks)
• .github/workflows/job_deploy_api_staging.yaml (1 hunks)
• .github/workflows/job_deploy_logdrain_production.yaml (1 hunks)
• .github/workflows/job_deploy_workflows.yaml (1 hunks)
• .github/workflows/job_detect_changes.yaml (2 hunks)
• .github/workflows/job_test_go_api_local.yaml (1 hunks)
• .github/workflows/job_test_unit.yaml (1 hunks)
• .github/workflows/pr.yaml (1 hunks)
• .github/workflows/release.yaml (1 hunks)
• .github/workflows/runbook-freshness-check.yaml (7 hunks)

🧰 Additional context used

🧠 Learnings (18)

📓 Common learnings

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions. No additional configuration is needed for this automatic masking behavior.

Applied to files:

• .github/workflows/job_deploy_api_canary.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_deploy_workflows.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/release.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_test_unit.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/vitest.{unit,integration}.ts : Separate Vitest configs: vitest.unit.ts and vitest.integration.ts

Applied to files:

• .github/workflows/job_test_unit.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.test.{ts,tsx} : Use Vitest for unit and integration tests in TypeScript projects

Applied to files:

• .github/workflows/job_test_unit.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/release.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.go : Use AIDEV-* comments for complex/important code in Go services

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.go : Follow comprehensive documentation guidelines for Go code as described in go/GO_DOCUMENTATION_GUIDELINES.md

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/release.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : All text, ASCII, and code files MUST end with a newline.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-07-16T17:51:57.297Z

Learnt from: chronark
PR: unkeyed/unkey#3617
File: go/apps/api/openapi/openapi.yaml:3309-3312
Timestamp: 2025-07-16T17:51:57.297Z
Learning: In the Unkey API OpenAPI schema, the permissions query regex for the verifyKey endpoint intentionally allows all whitespace characters (including tabs and newlines) via `\s`. Do not flag this as an error in future reviews.

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : Use Biome for formatting and linting in TypeScript/JavaScript projects

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions.

Applied to files:

• .github/actions/setup-node/action.yaml

📚 Learning: 2025-05-15T15:57:02.128Z

Learnt from: mcstepp
PR: unkeyed/unkey#3242
File: apps/dashboard/app/(app)/apis/[apiId]/api-id-navbar.tsx:47-50
Timestamp: 2025-05-15T15:57:02.128Z
Learning: When reviewing code for Unkey, prefer using `Boolean()` over the double negation (`!!`) operator for boolean coercion, as their linter rules favor this pattern.

Applied to files:

• .github/workflows/pr.yaml

🪛 YAMLlint (1.37.1)

.github/workflows/runbook-freshness-check.yaml

[error] 158-158: syntax error: expected alphabetic or numeric character, but found '*'

(syntax)

.github/actions/setup-node/action.yaml

[error] 11-11: trailing spaces

(trailing-spaces)

---

[error] 30-30: no new line character at the end of file

(new-line-at-end-of-file)

🪛 actionlint (1.7.7)

.github/workflows/runbook-freshness-check.yaml

158-158: could not parse as YAML: yaml: line 158: did not find expected alphabetic or numeric character

(syntax-check)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test API / API Test Local
• GitHub Check: Test Go API Local / Test
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (8)

.github/workflows/job_detect_changes.yaml (1)

60-72: Double-check API change filter overlap
The api detector currently includes go/** alongside a dedicated go filter, so any Go file change will fire both your API and Go workflows. Confirm whether this broad inclusion is intentional:

• .github/workflows/job_detect_changes.yaml lines 60–72 (and mirror at 86–91):

api:
  - 'apps/api/**'
  - 'go/**'           ← all Go files trigger API
  - 'internal/db/**'
  …  
go:
  – <your go-only patterns>

• In .github/workflows/pr.yaml, API jobs are gated on needs.detect_changes.outputs.api == 'true', and Go jobs on outputs.go == 'true'.

If you only want API workflows to run when API-specific Go code changes, remove or narrow the go/** entry under api: to just the paths owned by your API (e.g. apps/api/**).

.github/workflows/job_test_unit.yaml (1)

12-16: LGTM: modular setup + CI-friendly tests

Setup via local action looks good; adding CI=1 ensures non-interactive test runs.

Also applies to: 18-21

.github/workflows/job_deploy_api_production.yaml (2)

1-1: Rename workflow for clarity

The file deploys API to production, but name: ClickHouse Migration is misleading. Consider Deploy API (production) to match purpose.

---

18-26: Split setup steps look good

Separating Node and Wrangler setup improves modularity and cacheability.

.github/workflows/job_test_go_api_local.yaml (2)

11-11: LGTM on reduced timeout.

15 minutes is a sensible cap for local Go API tests.

---

20-23: LGTM on pinning tparse and normalizing working-directory.

Pinned version and consistent path improve reproducibility and readability.

.github/workflows/job_deploy_workflows.yaml (1)

17-21: No action needed: Setup-node composite already handles Node pinning, pnpm caching, and dependency installation

• In .github/actions/setup-node/action.yaml:
  • Uses actions/setup-node@v4 with node-version: lts/* and cache: 'pnpm'
  • Uses pnpm/action-setup@v4 (with run_install: false)
  • Runs pnpm install --recursive

The composite ensures Node is pinned to the latest LTS, pnpm is set up and cached, and dependencies are installed before build.

.github/workflows/pr.yaml (1)

22-24: Condition grouping here looks correct.

Good use of parentheses to ensure event gating happens before the success/output checks.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5251af8 and fe1ac07.

📒 Files selected for processing (1)

• .github/workflows/runbook-freshness-check.yaml (7 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build / Build
• GitHub Check: Test API / API Test Local
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

.github/workflows/runbook-freshness-check.yaml (1)

22-23: Schedule change looks good

Daily execution at 09:00 UTC is clear and the cron syntax is valid.

[coderabbitai]

Actionable comments posted: 6

♻️ Duplicate comments (4)

.github/actions/setup-node/action.yaml (4)

15-15: Remove trailing spaces (yamllint error)

There’s trailing whitespace on Line 15.

-  
+

---

35-35: Add EOF newline (yamllint error)

File is missing a newline at EOF.

-        NPM_TOKEN: ${{ inputs.github_token }}
+        NPM_TOKEN: ${{ inputs.github_token }}
+

---

4-11: Expose dedicated npm_token input

Avoid coupling npm auth to github_token; many users use separate NPM tokens.

 inputs:
   github_token:
     description: GitHub token for authentication
     required: false
+  npm_token:
+    description: Auth token for npm registry (optional)
+    required: false
   install:
     description: Whether to run pnpm install
     required: false
     default: 'true'

---

22-27: Make Node version configurable (default to LTS)

Let callers pin Node or read from .nvmrc if needed.

-    - name: Setup Node with pnpm cache
+    - name: Setup Node with pnpm cache
       uses: actions/setup-node@v4
       with:
-        node-version: lts/*
+        node-version: ${{ inputs.node_version || 'lts/*' }}
         cache: 'pnpm'
         cache-dependency-path: "**/pnpm-lock.yaml"

Add the input:

 inputs:
   github_token:
     description: GitHub token for authentication
     required: false
+  node_version:
+    description: Node.js version specifier (e.g., 'lts/*', '20', or read from .nvmrc in workflow)
+    required: false

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe1ac07 and b17d143.

📒 Files selected for processing (4)

• .github/actions/setup-node/action.yaml (1 hunks)
• .github/workflows/job_test_api_local.yaml (1 hunks)
• .github/workflows/release.yaml (1 hunks)
• deployment/docker-compose.yaml (3 hunks)

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/release.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• .github/workflows/release.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• .github/workflows/release.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions. No additional configuration is needed for this automatic masking behavior.

Applied to files:

• .github/workflows/release.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/workflows/release.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions.

Applied to files:

• .github/workflows/release.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-07-22T09:02:12.495Z

Learnt from: chronark
PR: unkeyed/unkey#3638
File: deployment/docker-compose.yaml:81-94
Timestamp: 2025-07-22T09:02:12.495Z
Learning: The docker-compose.yaml file in deployment/ is specifically for development environments, not production. Kafka and other service configurations in this file should be optimized for development convenience rather than production security/hardening.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-07T17:18:12.801Z

Learnt from: imeyer
PR: unkeyed/unkey#3750
File: deployment/docker-compose.yaml:15-15
Timestamp: 2025-08-07T17:18:12.801Z
Learning: In deployment/docker-compose.yaml, the MySQL service uses --skip-log-bin flag to disable binary logging for local development environments. This is intentional to reduce disk I/O and storage overhead during development, as there are no replication or CDC components that would require binlog in the local dev setup.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : All text, ASCII, and code files MUST end with a newline.

Applied to files:

• .github/actions/setup-node/action.yaml

🪛 YAMLlint (1.37.1)

.github/actions/setup-node/action.yaml

[error] 15-15: trailing spaces

(trailing-spaces)

---

[error] 35-35: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build

🔇 Additional comments (2)

.github/workflows/release.yaml (1)

22-29: Good: Node setup without installs

Using the composite with install: 'false' keeps this job lean while still enabling the npm auth step later.

.github/workflows/job_test_api_local.yaml (1)

25-34: Setup steps LGTM

Split Node/Go setup aligns with the modular actions. Defaults will install pnpm deps, which are needed for the build/test steps.

[coderabbitai]

Actionable comments posted: 5

♻️ Duplicate comments (23)

.github/actions/setup-node/action.yaml (2)

15-15: Fix trailing whitespace and ensure EOF newline

YAML linters are flagging a trailing-space on Line 15 and missing EOF newline.

   using: "composite"
-  
+
@@
-        NPM_TOKEN: ${{ inputs.github_token }}
+        NPM_TOKEN: ${{ inputs.github_token }}
+  # (ensure file ends with a single newline)

Also applies to: 36-36

---

22-27: Wire registry auth via setup-node; prefer NODE_AUTH_TOKEN over NPM_TOKEN

Leverage setup-node’s built-in registry wiring and standard token env. Keeps pnpm/npm auth consistent without changing your lts/* policy.

     - name: Setup Node with pnpm cache
       uses: actions/setup-node@v4
       with:
         node-version: lts/*
         cache: 'pnpm'
         cache-dependency-path: "**/pnpm-lock.yaml"
+        registry-url: 'https://registry.npmjs.org'
+        always-auth: true
@@
     - name: Install dependencies
       if: inputs.install == 'true'
       shell: bash
       run: pnpm install --recursive
       env:
         CI: 1
         GITHUB_TOKEN: ${{ inputs.github_token }}
-        NPM_TOKEN: ${{ inputs.github_token }}
+        NODE_AUTH_TOKEN: ${{ inputs.github_token }}

Note: This keeps node-version pinned to lts/* as requested in this repo.

.github/workflows/runbook-freshness-check.yaml (1)

151-167: Dedent and trim issueBody to prevent code-block rendering

The template literal on lines 151–167 includes leading spaces, so GitHub renders the entire body as a code block. Unindent the string and append .trim() to strip extra whitespace.

• File: .github/workflows/runbook-freshness-check.yaml
• Lines: 151–167

-              const issueBody = `## Runbook needs review
-
-            **File**: \`${sanitizedFile}\`
-            **Last updated**: ${sanitizedDate} (${sanitizedDays} days ago)
-
-            This runbook has not been updated in over 90 days. Please review and verify:
-
-            - Commands and procedures are accurate
-            - Links and URLs work correctly
-            - Service names and configurations are current
-            - Access requirements and credentials are up to date
-
-            After reviewing, update the runbook with any necessary changes and close this issue.
-
-            **Quick links:**
-            - [View file](https://github.com/${context.repo.owner}/${context.repo.repo}/blob/main/${sanitizedFile})
-            - [Edit file](https://github.com/${context.repo.owner}/${context.repo.repo}/edit/main/${sanitizedFile})`;
+              const issueBody = `
+## Runbook needs review
+
+**File**: \`${sanitizedFile}\`
+**Last updated**: ${sanitizedDate} (${sanitizedDays} days ago)
+
+This runbook has not been updated in over 90 days. Please review and verify:
+
+- Commands and procedures are accurate
+- Links and URLs work correctly
+- Service names and configurations are current
+- Access requirements and credentials are up to date
+
+After reviewing, update the runbook with any necessary changes and close this issue.
+
+**Quick links:**
+- [View file](https://github.com/${context.repo.owner}/${context.repo.repo}/blob/main/${sanitizedFile})
+- [Edit file](https://github.com/${context.repo.owner}/${context.repo.repo}/edit/main/${sanitizedFile})
+`.trim();

Validation: manually dispatch the workflow with a stale runbook and confirm headings & bullets render properly.

.github/workflows/job_detect_changes.yaml (3)

96-103: Docs detection is root-only; use recursive globs

Current patterns miss nested Markdown. Use recursive globs.

             docs:
               - 'apps/docs/**'
               - 'apps/engineering/**'
-              - '*.md'
-              - 'README*'
-              - 'CHANGELOG*'
+              - '**/*.md'
+              - '**/README*'
+              - '**/CHANGELOG*'

---

108-115: Dependency filter: include nested lockfiles

Monorepos often have multiple pnpm lockfiles; include recursive patterns.

             dependencies:
-              - 'pnpm-lock.yaml'
-              - 'go.sum'
-              - 'go.mod'
+              - 'pnpm-lock.yaml'
+              - '**/pnpm-lock.yaml'
+              - 'go.mod'
+              - 'go.sum'
               - '**/package.json'
               - '**/go.mod'
               - '**/go.sum'

---

121-133: Configs detection is root-only; expand to nested configs and Docker files

Capture configs anywhere in the repo.

             configs:
-              - '*.json'
-              - '*.yaml'
-              - '*.yml'
-              - '*.toml'
-              - '*.config.*'
-              - 'Dockerfile*'
-              - 'docker-compose*'
+              - '**/*.json'
+              - '**/*.yaml'
+              - '**/*.yml'
+              - '**/*.toml'
+              - '**/*.config.*'
+              - '**/Dockerfile*'
+              - '**/docker-compose*'
               - 'deployment/**'
               - 'biome.json'
               - 'turbo.json'
               - 'vitest.workspace.json'

.github/workflows/deploy.yaml (1)

89-90: Unused detect_changes job — remove or wire into downstream jobs

This job isn’t referenced by any other job (no needs: detect_changes, no outputs consumed). Either:

• Remove it to save CI time; or
• Gate jobs like docs/workflows with needs: detect_changes and if: based on its outputs.

If deferring, let me open a thorough issue and assign to imeyer per repo preference.

Run to confirm no consumers:

#!/bin/bash
rg -n "needs:\\s*-\\s*detect_changes|needs\\.detect_changes|detect_changes\\.outputs" .github/workflows

.github/workflows/job_test_api_canary.yaml (1)

31-35: Setup Node via composite looks good; ensure robust pnpm caching/install inside the action

Double-check the composite uses:

• cache: pnpm with cache-dependency-path: '**/pnpm-lock.yaml' (monorepo hit rate)
• pnpm install --recursive --frozen-lockfile (reproducibility)

If you want, I can adjust the composite to add these safeguards.

.github/workflows/deploy_trigger.yaml (1)

9-12: pnpx will fail without pnpm — switch to npx or enable Corepack

Current setup-node doesn’t install/activate pnpm, so pnpx isn’t on PATH.

Option A (simplest): use npm’s runner

-      - name: Deploy Trigger.dev
+      - name: Deploy Trigger.dev
         env:
           TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
-        run: pnpx trigger.dev@3.0.0-beta.23 deploy
+        run: npx -y trigger.dev@3.0.0-beta.23 deploy
         working-directory: apps/billing

Option B: enable Corepack and activate pnpm before using pnpx

       - name: Setup Node (minimal for pnpx)
         uses: actions/setup-node@v4
         with:
           node-version: lts/*
+      - name: Enable Corepack and activate pnpm
+        run: |
+          corepack enable
+          corepack prepare pnpm@9 --activate
+      - name: Deploy Trigger.dev
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
+        run: pnpx trigger.dev@3.0.0-beta.23 deploy
+        working-directory: apps/billing

Also applies to: 16-16

.github/workflows/release.yaml (1)

19-25: Good call: Node with install: 'false' + Go setup

Avoids unnecessary pnpm installs while still enabling the npm auth step; Go setup remains separated and clear.

.github/workflows/job_deploy_api_production.yaml (1)

16-23: Same pin-version concerns as in earlier workflows – please pin the Node LTS version and the Wrangler CLI to a fixed release to keep deploys reproducible.

.github/workflows/job_test_api_staging.yaml (1)

35-38: Pin Node version for stability – same feedback as in other workflows.

.github/workflows/job_deploy_api_canary.yaml (1)

15-23: Pin Node & Wrangler versions – repeat of earlier advice to avoid surprise upgrades.

.github/workflows/job_deploy_logdrain_production.yaml (1)

16-23: Pin Node & Wrangler versions – identical concern already raised on sibling workflows.

.github/workflows/job_test_go_api_local.yaml (1)

13-20: Ensure setup-go pins Go and caches on both go.mod & go.sum – same recommendation previously given; please confirm or update the composite.

.github/workflows/job_deploy_api_staging.yaml (1)

19-22: Pin Wrangler for reproducible deploys.

Unpinned CLI can introduce CI flakes. Prefer pinning Wrangler in the setup action.

Apply this diff if .github/actions/setup-wrangler supports a version input:

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Fallback step if the action doesn’t expose a version input:

- name: Pin Wrangler
  run: npm i -g wrangler@3.79.0

.github/workflows/job_deploy_workflows.yaml (1)

19-22: Pin Wrangler for deterministic CI.

Same rationale as other deploy workflows: avoid surprises from upstream releases by pinning Wrangler.

       - name: Setup Wrangler
         uses: ./.github/actions/setup-wrangler
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          wrangler_version: "3.79.0"

Alternative:

- name: Pin Wrangler
  run: npm i -g wrangler@3.79.0

.github/workflows/job_test_api_local.yaml (2)

16-20: Make docker compose --wait effective by adding service healthchecks.

--wait only blocks on services with healthchecks. apiv2, api, agent, and planetscale likely lack them in deployment/docker-compose.yaml, causing premature test start.

Run to verify missing healthchecks:

#!/bin/bash
set -euo pipefail
file="deployment/docker-compose.yaml"
for svc in apiv2 api agent planetscale; do
  echo "== $svc =="
  awk "/^  $svc:/,/^[^ ]/" "$file" | sed -n '1,120p' | rg -n '^\s*healthcheck:' || echo "MISSING: $svc"
  echo
done

If missing, add minimal probes (example for api):

healthcheck:
  test: ["CMD-SHELL", "curl -sf http://localhost:8787/health || exit 1"]
  interval: 5s
  timeout: 2s
  retries: 5
  start_period: 5s

---

29-30: Pin Goose CLI version for reproducibility.

-      - name: Install Goose
-        run: go install github.com/pressly/goose/v3/cmd/goose@latest
+      - name: Install Goose
+        run: go install github.com/pressly/goose/v3/cmd/goose@v3.20.0

(Adjust to your known-good version.)

.github/workflows/autofix.ci.yaml (2)

29-32: Use frozen lockfile for deterministic installs.

-      - name: Install dependencies
-        run: pnpm install --recursive
+      - name: Install dependencies
+        run: pnpm install --recursive --frozen-lockfile

---

27-28: Include go.mod in Go cache key to bust cache on module changes.

-          cache-dependency-path: ./go/go.sum
+          cache-dependency-path: |
+            ./go/go.mod
+            ./go/go.sum

.github/workflows/pr.yaml (2)

25-25: Fix operator precedence: Build currently runs on all non-draft PRs

Without grouping, && binds tighter than ||, so the job runs for any non‑draft PR regardless of detect_changes. Mirror the grouping used in Test Packages.

Apply:

-    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name != 'pull_request' && needs.detect_changes.result == 'success' && (needs.detect_changes.outputs.api == 'true' || needs.detect_changes.outputs.packages == 'true')
+    if: ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name != 'pull_request') && needs.detect_changes.result == 'success' && (needs.detect_changes.outputs.api == 'true' || needs.detect_changes.outputs.packages == 'true')

If you’d like to defer, I can open a GitHub issue with full template (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assign it to imeyer.

---

30-30: Fix operator precedence: Test API currently runs on all non-draft PRs

Same issue as Build. Add grouping so detect_changes gates execution.

Apply:

-    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name != 'pull_request' && needs.detect_changes.result == 'success' && (needs.detect_changes.outputs.api == 'true' || needs.detect_changes.outputs.packages == 'true')
+    if: ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || github.event_name != 'pull_request') && needs.detect_changes.result == 'success' && (needs.detect_changes.outputs.api == 'true' || needs.detect_changes.outputs.packages == 'true')

I can file the follow-up issue (assigned to imeyer) if you want to land this PR first.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b17d143 and 4dfca7f.

📒 Files selected for processing (26)

• .github/actions/setup-node/action.yaml (1 hunks)
• .github/workflows/agent_build_publish.yaml (0 hunks)
• .github/workflows/apply-issue-labels-to-pr.yml (0 hunks)
• .github/workflows/autofix.ci.yaml (1 hunks)
• .github/workflows/build.yaml (2 hunks)
• .github/workflows/check_quotas.yml (1 hunks)
• .github/workflows/deploy.yaml (1 hunks)
• .github/workflows/deploy_trigger.yaml (1 hunks)
• .github/workflows/ghcr_retention_policy.yaml (0 hunks)
• .github/workflows/job_build_agent_image.yaml (0 hunks)
• .github/workflows/job_deploy_api_canary.yaml (1 hunks)
• .github/workflows/job_deploy_api_enterprise.yaml (1 hunks)
• .github/workflows/job_deploy_api_production.yaml (1 hunks)
• .github/workflows/job_deploy_api_staging.yaml (1 hunks)
• .github/workflows/job_deploy_logdrain_production.yaml (1 hunks)
• .github/workflows/job_deploy_workflows.yaml (1 hunks)
• .github/workflows/job_detect_changes.yaml (1 hunks)
• .github/workflows/job_test_api_canary.yaml (1 hunks)
• .github/workflows/job_test_api_local.yaml (2 hunks)
• .github/workflows/job_test_api_staging.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (1 hunks)
• .github/workflows/job_test_unit.yaml (1 hunks)
• .github/workflows/pr.yaml (1 hunks)
• .github/workflows/release.yaml (1 hunks)
• .github/workflows/runbook-freshness-check.yaml (7 hunks)
• .github/workflows/semantic-pull-requests.yaml (0 hunks)

💤 Files with no reviewable changes (5)

• .github/workflows/ghcr_retention_policy.yaml
• .github/workflows/semantic-pull-requests.yaml
• .github/workflows/apply-issue-labels-to-pr.yml
• .github/workflows/agent_build_publish.yaml
• .github/workflows/job_build_agent_image.yaml

🧰 Additional context used

🧠 Learnings (29)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-08-08T14:58:20.118Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Applied to files:

• .github/workflows/job_test_unit.yaml
• .github/workflows/job_test_api_canary.yaml
• .github/workflows/release.yaml
• .github/workflows/build.yaml
• .github/workflows/deploy_trigger.yaml
• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_test_api_staging.yaml
• .github/workflows/job_deploy_api_enterprise.yaml
• .github/workflows/job_deploy_logdrain_production.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_deploy_api_production.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_deploy_workflows.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/vitest.{unit,integration}.ts : Separate Vitest configs: vitest.unit.ts and vitest.integration.ts

Applied to files:

• .github/workflows/job_test_unit.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.test.{ts,tsx} : Use Vitest for unit and integration tests in TypeScript projects

Applied to files:

• .github/workflows/job_test_unit.yaml
• .github/workflows/job_test_api_canary.yaml
• .github/workflows/job_test_api_staging.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/workflows/job_test_unit.yaml
• .github/workflows/release.yaml
• .github/workflows/build.yaml
• .github/workflows/deploy_trigger.yaml
• .github/workflows/job_test_api_staging.yaml
• .github/workflows/job_deploy_api_enterprise.yaml
• .github/workflows/job_deploy_logdrain_production.yaml
• .github/workflows/autofix.ci.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-08T14:59:52.245Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Applied to files:

• .github/workflows/job_test_unit.yaml
• .github/workflows/job_test_api_canary.yaml
• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/pr.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/deploy.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_test_api_local.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_deploy_api_enterprise.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/pr.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_deploy_workflows.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions. No additional configuration is needed for this automatic masking behavior.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_test_api_staging.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/job_test_api_staging.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/pr.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/pr.yaml
• .github/workflows/job_test_api_local.yaml
• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.go : Use AIDEV-* comments for complex/important code in Go services

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/deploy.yaml
• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-05-15T16:09:49.243Z

Learnt from: mcstepp
PR: unkeyed/unkey#3242
File: apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/[keyId]/components/controls/components/logs-search/index.tsx:7-43
Timestamp: 2025-05-15T16:09:49.243Z
Learning: For type safety issues involving `any` type assertions, the team prefers to address these systematically with linter updates rather than fixing them individually in code reviews.

Applied to files:

• .github/workflows/runbook-freshness-check.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• .github/workflows/deploy.yaml

📚 Learning: 2024-10-15T19:57:16.520Z

Learnt from: Devansh-Baghel
PR: unkeyed/unkey#2452
File: oss.gg/7_create_a_template.md:42-42
Timestamp: 2024-10-15T19:57:16.520Z
Learning: In Hono & Cloudflare Workers templates, the 'Setup and Installation' section in the README serves as the quickstart guide.

Applied to files:

• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_deploy_api_enterprise.yaml
• .github/workflows/job_deploy_api_staging.yaml

📚 Learning: 2024-10-15T19:57:16.520Z

Learnt from: Devansh-Baghel
PR: unkeyed/unkey#2452
File: oss.gg/7_create_a_template.md:42-42
Timestamp: 2024-10-15T19:57:16.520Z
Learning: In projects using Cloudflare Workers, the `wrangler.toml` file in the project root is the configuration file.

Applied to files:

• .github/workflows/job_deploy_api_enterprise.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.go : Follow comprehensive documentation guidelines for Go code as described in go/GO_DOCUMENTATION_GUIDELINES.md

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/pr.yaml
• .github/workflows/job_test_api_local.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : All text, ASCII, and code files MUST end with a newline.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/autofix.ci.yaml
• .github/actions/setup-node/action.yaml

📚 Learning: 2025-07-16T17:51:57.297Z

Learnt from: chronark
PR: unkeyed/unkey#3617
File: go/apps/api/openapi/openapi.yaml:3309-3312
Timestamp: 2025-07-16T17:51:57.297Z
Learning: In the Unkey API OpenAPI schema, the permissions query regex for the verifyKey endpoint intentionally allows all whitespace characters (including tabs and newlines) via `\s`. Do not flag this as an error in future reviews.

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : Use Biome for formatting and linting in TypeScript/JavaScript projects

Applied to files:

• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-05-15T15:57:02.128Z

Learnt from: mcstepp
PR: unkeyed/unkey#3242
File: apps/dashboard/app/(app)/apis/[apiId]/api-id-navbar.tsx:47-50
Timestamp: 2025-05-15T15:57:02.128Z
Learning: When reviewing code for Unkey, prefer using `Boolean()` over the double negation (`!!`) operator for boolean coercion, as their linter rules favor this pattern.

Applied to files:

• .github/workflows/pr.yaml

📚 Learning: 2025-01-30T20:51:44.359Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#2825
File: apps/dashboard/app/(app)/logs-v2/hooks/use-bookmarked-filters.ts:0-0
Timestamp: 2025-01-30T20:51:44.359Z
Learning: The user (ogzhanolguncu) prefers to handle refactoring suggestions in separate PRs to maintain focus in the current PR.

Applied to files:

• .github/workflows/pr.yaml

📚 Learning: 2025-08-07T17:18:12.801Z

Learnt from: imeyer
PR: unkeyed/unkey#3750
File: deployment/docker-compose.yaml:15-15
Timestamp: 2025-08-07T17:18:12.801Z
Learning: In deployment/docker-compose.yaml, the MySQL service uses --skip-log-bin flag to disable binary logging for local development environments. This is intentional to reduce disk I/O and storage overhead during development, as there are no replication or CDC components that would require binlog in the local dev setup.

Applied to files:

• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-07-22T09:02:12.495Z

Learnt from: chronark
PR: unkeyed/unkey#3638
File: deployment/docker-compose.yaml:81-94
Timestamp: 2025-07-22T09:02:12.495Z
Learning: The docker-compose.yaml file in deployment/ is specifically for development environments, not production. Kafka and other service configurations in this file should be optimized for development convenience rather than production security/hardening.

Applied to files:

• .github/workflows/job_test_api_local.yaml

🪛 Checkov (3.2.334)

.github/workflows/build.yaml

[MEDIUM] 40-41: Basic Auth Credentials

(CKV_SECRET_4)

.github/workflows/job_test_api_local.yaml

[MEDIUM] 39-40: Basic Auth Credentials

(CKV_SECRET_4)

🪛 YAMLlint (1.37.1)

.github/actions/setup-node/action.yaml

[error] 15-15: trailing spaces

(trailing-spaces)

---

[error] 36-36: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (12)

.github/actions/setup-node/action.yaml (1)

25-26: Node pinned to lts/ — aligned with repo preference*

Keeping node-version at lts/* matches the stated preference. No need to expose a node_version input here.

.github/workflows/runbook-freshness-check.yaml (1)

20-20: Daily at 09:00 UTC — confirm intended cadence

Switch to daily 09:00 UTC looks deliberate. Confirm this is acceptable for issue volume and API rate limits.

.github/workflows/check_quotas.yml (1)

19-22: Modularization LGTM

Switching to ./.github/actions/setup-go aligns with the new modular CI strategy. No concerns here.

.github/workflows/job_test_unit.yaml (1)

12-19: Unit test workflow updates look good

• Using the composite setup-node and setting CI=1 for build/test is appropriate.
• No further changes needed here.

Also applies to: 21-24

.github/workflows/job_test_api_canary.yaml (1)

37-38: CI=1 env for build/test — good standardization

Setting CI=1 improves consistency across runners and tool behavior.

Also applies to: 43-43

.github/workflows/build.yaml (1)

14-17: Setup Node via composite — LGTM

Consistent with repo-wide changes and keeps Node installs centralized.

.github/workflows/job_test_api_staging.yaml (1)

35-42: Verify setup-node installs pnpm deps with corepack + cache

The build step will fail unless pnpm is available and dependencies are installed. Confirm that ./.github/actions/setup-node:

• Enables corepack
• Runs pnpm install --recursive --frozen-lockfile
• Caches the pnpm store

If any part is missing, please update the composite or add an explicit install step.

.github/workflows/job_test_api_local.yaml (3)

31-34: Verify Turbo filter intent (./apps/api...).

Other workflows use --filter='./apps/api' while this uses --filter=./apps/api.... If the ellipsis is meant to include dependents/graph, keep it; otherwise align for consistency.

---

20-20: Step-level timeout-minutes is supported
No changes needed—GitHub Actions enforces per-step timeouts, so your timeout-minutes: 8 on this step will work as intended.

---

39-40: DRIZZLE_DATABASE_URL is scoped to CI/local test workflows

We’ve confirmed that the only places setting
DRIZZLE_DATABASE_URL: "mysql://unkey:password@localhost:3306/unkey"
are in your CI test pipelines—not production deploys:

• .github/workflows/job_test_api_local.yaml (Load Schema into MySQL step)
• .github/workflows/build.yaml (same URL for CI build step)

Both workflows spin up local containers for integration tests. No production workflow injects these credentials, so this remains safely scoped to CI/local only.

.github/workflows/pr.yaml (2)

20-21: LGTM: correct change-gating for Test Packages

Good grouping and explicit dependency on detect_changes. Matches intended logic.

---

18-37: All referenced outputs are declared in job_detect_changes.yaml
The reusable workflow exposes api, packages, dependencies, and go as outputs, matching every needs.detect_changes.outputs.* reference in .github/workflows/pr.yaml. No further changes needed.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (6)

.github/actions/setup-node/action.yaml (2)

46-49: npm auth mapping noted; tracked in follow-ups.

Mapping NPM_TOKEN to github_token is suboptimal for private npm usage. Follow-ups exist (issues #3757, #3760) to introduce a dedicated npm_token and prefer NODE_AUTH_TOKEN/registry wiring. No action here; just confirming intent.

Please confirm we’ll keep this as-is in this PR and address via the linked issues.

---

13-17: Fix lint: trailing whitespace and missing EOF newline.

YAMLlint flags trailing spaces at Line 15 and missing newline at EOF.

 runs:
   using: "composite"
-  
+
   steps:
@@
-        NPM_TOKEN: ${{ inputs.github_token }}
+        NPM_TOKEN: ${{ inputs.github_token }}
+

Also applies to: 49-49

.github/workflows/job_detect_changes.yaml (4)

62-73: Avoid double-triggering: remove go/ from api filter**

Including go/** under api means any Go change flips both api and go. Unless intentional, drop it here and rely on the go filter.

 api:
   - 'apps/api/**'
-  - 'go/**'
   - 'internal/db/**'
   - 'internal/encoding/**'
   - 'internal/encryption/**'
   - 'internal/hash/**'
   - 'internal/id/**'
   - 'internal/keys/**'
   - 'internal/validation/**'
   - 'internal/vault/**'

---

103-111: Docs detection misses nested Markdown; add recursive globs (and optionally MDX)

Root-only patterns miss docs under subdirs. Use recursive globs; consider MDX if used.

 docs:
   - 'apps/docs/**'
   - 'apps/engineering/**'
-  - '*.md'
-  - 'README*'
-  - 'CHANGELOG*'
+  - '**/*.md'
+  - '**/README*'
+  - '**/CHANGELOG*'
+  - '**/*.mdx' # if applicable

---

115-123: Dependencies: include nested lockfiles; cover workspace file

Monorepos often have nested pnpm lockfiles. Include them; optionally include pnpm-workspace.yaml as it affects dependency graph.

 dependencies:
   - 'pnpm-lock.yaml'
+  - '**/pnpm-lock.yaml'
   - 'go.sum'
   - 'go.mod'
   - '**/package.json'
   - '**/go.mod'
   - '**/go.sum'
+  - 'pnpm-workspace.yaml' # optional but recommended

---

129-141: Configs detection is root-only; expand to nested configs and Docker files

Use recursive patterns so config changes anywhere are detected.

 configs:
-  - '*.json'
-  - '*.yaml'
-  - '*.yml'
-  - '*.toml'
-  - '*.config.*'
-  - 'Dockerfile*'
-  - 'docker-compose*'
+  - '**/*.json'
+  - '**/*.yaml'
+  - '**/*.yml'
+  - '**/*.toml'
+  - '**/*.config.*'
+  - '**/Dockerfile*'
+  - '**/docker-compose*'
   - 'deployment/**'
   - 'biome.json'
   - 'turbo.json'
   - 'vitest.workspace.json'

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dfca7f and 73af859.

📒 Files selected for processing (3)

• .github/actions/setup-node/action.yaml (1 hunks)
• .github/workflows/deploy.yaml (2 hunks)
• .github/workflows/job_detect_changes.yaml (1 hunks)

🧰 Additional context used

🧠 Learnings (18)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/deploy.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• .github/workflows/deploy.yaml

📚 Learning: 2025-08-08T14:58:20.118Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Applied to files:

• .github/actions/setup-node/action.yaml

📚 Learning: 2025-08-08T15:37:14.711Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions. No additional configuration is needed for this automatic masking behavior.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-07T19:45:10.532Z

Learnt from: perkinsjr
PR: unkeyed/unkey#3471
File: .github/actions/install/action.yaml:9-12
Timestamp: 2025-07-07T19:45:10.532Z
Learning: GitHub Actions automatically masks tokens in logs when they come from secrets (like `${{ secrets.GITHUB_TOKEN }}`) or match recognized token patterns, regardless of any explicit sensitive marking in composite actions.

Applied to files:

• .github/actions/setup-node/action.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : All text, ASCII, and code files MUST end with a newline.

Applied to files:

• .github/actions/setup-node/action.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-08T14:59:52.245Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• .github/actions/setup-node/action.yaml
• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

Applied to files:

• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_detect_changes.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*.go : Use AIDEV-* comments for complex/important code in Go services

Applied to files:

• .github/workflows/job_detect_changes.yaml

🪛 YAMLlint (1.37.1)

.github/actions/setup-node/action.yaml

[error] 15-15: trailing spaces

(trailing-spaces)

---

[error] 49-49: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

.github/workflows/deploy.yaml (2)

12-16: Good integration: central change detection via workflow_call

Hooking detect_changes and gating build_agent_image on agent diffs is clean.

Optional: now that detect_changes is available, consider also gating docs deployment (see below) and any other component-specific jobs to reduce CI churn.

---

79-81: LGTM: logdrain deployment gated by logdrain changes

Conditional deploy is correct; avoids unnecessary runs.

[imeyer]

@chronark @Flo4604 can I get a 👍🏼 so we can reap the benefits-ish?

[chronark]

I trust you

[graphite-app]

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (08/08/25)

1 gif was posted to this PR based on Andreas Thomas's automation.