
chore: docs deps sweep and pin actions#166

Open
odgrim wants to merge 5 commits into
mainfrom
chore/docs-deps-sweep-pin-actions

Conversation

@odgrim
Collaborator

@odgrim odgrim commented May 29, 2026

Summary by CodeRabbit

  • Chores

    • Updated documentation dependencies including Astro, Starlight, analytics, and image processing libraries.
    • Pinned GitHub Actions in release and test workflows to specific commit SHAs.
    • Updated documentation sidebar configuration structure.
  • Bug Fixes

    • Fixed file path resolution in documentation components.
    • Improved route pathname handling for documentation content.


@odgrim odgrim requested a review from josh-padnick as a code owner May 29, 2026 06:08
@vercel

vercel Bot commented May 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
runbooks Ready Ready Preview, Comment May 30, 2026 5:29am


@coderabbitai

coderabbitai Bot commented May 29, 2026

Walkthrough

This PR bundles two independent improvements: hardening CI/CD by pinning GitHub Actions to commit SHAs across release and test workflows for supply-chain security, and modernizing the documentation build system with Astro/Starlight updates, sidebar restructuring, and route-resolution fixes.

Changes

CI/CD Workflow Hardening

Layer / File(s) Summary
Release workflow GitHub Actions pinning
.github/workflows/release.yml
Pins actions/checkout, jdx/mise-action, actions/upload-artifact, and actions/download-artifact to commit SHAs across validate, build (macOS/Linux/Windows), and upload-assets jobs; job logic and step order remain unchanged.
Test workflow GitHub Actions pinning
.github/workflows/test.yml
Pins actions/checkout, jdx/mise-action, actions/cache, actions/upload-artifact, and aws-actions/configure-aws-credentials to commit SHAs across all test jobs; no changes to test logic or commands.

Documentation System Modernization

Layer / File(s) Summary
Astro and Starlight dependency updates
docs/package.json
Bumps Astro to 6.4.2, @astrojs/starlight to 0.39.2, @vercel/analytics to 2.0.1, sharp to 0.34.5; pins dev tools cspell and linkinator.
Astro sidebar configuration restructuring
docs/astro.config.mjs
Sidebar entries for "Intro", "App & CLI", "Blocks", "Security", "Development", and "Runbooks Pro" refactored from autogenerate: { directory: ... } to items: [{ autogenerate: { directory: ... } }] with repositioned collapsed flags.
Starlight route resolution and path utilities
docs/src/lib/llms-content.ts, docs/src/components/SourceFile.astro
llms-content.ts imports slugToPathname from Starlight and rebuilds the route lookup map to use pathname keys; SourceFile.astro switches path resolution to anchor on process.cwd() for proper Astro bundling behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

📌 Actions pinned to safety's solid ground,
Docs get a modern Astro/Starlight sound,
Sidebar redesigned, route maps now true—
Infrastructure hardened, fresh code shines through! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main changes: updating documentation dependencies and pinning GitHub Actions across workflows.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
docs/src/lib/llms-content.ts (1)

7-8: ⚡ Quick win

slugToPathname is exported and uses trailing slashes, so the sidebar lookup mismatch risk is low

  • slugToPathname is part of Starlight’s utils/slugs exports, and it formats non-root slugs as /<param>/ (including the trailing /), matching sidebar href values like /intro/overview/.
  • The remaining “quiet failure” risk is future internal API changes since the import is @ts-ignore’d; consider removing the ignore if TS allows, or add a sanity check that the generated output isn’t empty.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/lib/llms-content.ts` around lines 7 - 8, The import of
slugToPathname from Starlight is being ts-ignored and may change or return an
empty string; remove the ts-ignore if TypeScript allows so the import is
tracked, and/or add a runtime sanity check in the code that calls slugToPathname
(in docs/src/lib/llms-content.ts) to verify the returned pathname is non-empty
and normalized (e.g., ensure it starts with "/" and includes trailing "/" for
non-root slugs) and log or throw a clear error if the value is invalid to avoid
quiet failures when matching sidebar hrefs.
docs/src/components/SourceFile.astro (1)

28-34: ⚡ Quick win

Process cwd → repoRoot assumption matches this repo’s build pipeline (but clarify the expectation).

Vercel/automation runs the docs build from docs/ (vercel.json uses cd docs && bun run build, and justfile also cd docs && ... bun run build), and the repo root does contain testdata/. The only time process.cwd() would “overshoot” is if someone runs astro build/dev from a different working directory (e.g., repo root) outside these scripts—so the comment should explicitly state it expects cwd to be docs/ (optional: add a small sanity-check like “testdata exists” to fail loudly if that ever changes).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/components/SourceFile.astro` around lines 28 - 34, The comment
assumes process.cwd() is the docs project root which can be fragile; update the
comment near repoRoot, process.cwd(), and absolutePath to explicitly state we
expect the build to run with cwd set to "docs/" (per vercel.json/justfile), and
add a small runtime sanity check after computing repoRoot/absolutePath that
verifies the expected testdata path exists (e.g., check fs.existsSync on
path.resolve(repoRoot, 'testdata')) and throw or log a clear error if it does
not so builds fail loudly when cwd is different.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2d8a2f4-5a42-4a51-91cf-af462db499ff

📥 Commits

Reviewing files that changed from the base of the PR and between 201431d and 938e47f.

⛔ Files ignored due to path filters (1)
  • docs/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • docs/astro.config.mjs
  • docs/package.json
  • docs/src/components/SourceFile.astro
  • docs/src/lib/llms-content.ts
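The two "fail loudly" sanity checks this review asks for, written out as an added TypeScript example (not code from the runbooks repo or from Starlight). `slugToPathname` here is a local stand-in whose output format (`/<slug>/`, root as `/`) is taken from the comment above; `resolveRepoRoot` assumes the docs build runs with its cwd set to `docs/` and that `testdata/` lives in the repository root, as the comment states; the `Route` shape and all function names are hypothetical.

```typescript
// Added example (not code from the runbooks repo): the two build-time sanity
// checks suggested in the review, so a misconfigured docs build fails loudly
// instead of quietly producing an empty route map or a wrong source path.
import * as fs from "node:fs";
import * as path from "node:path";

// Stand-in for Starlight's slugToPathname (hypothetical; assumes the format the
// review describes: non-root slugs become "/<slug>/", the root slug becomes "/").
export function slugToPathname(slug: string): string {
  const trimmed = slug.replace(/^\/+|\/+$/g, "");
  return trimmed === "" ? "/" : `/${trimmed}/`;
}

// Reject any pathname that is not normalized the way sidebar hrefs are.
export function assertPathname(pathname: string, slug: string): string {
  if (pathname === "") {
    throw new Error(`slugToPathname returned an empty string for slug "${slug}"`);
  }
  if (!pathname.startsWith("/")) {
    throw new Error(`pathname "${pathname}" for slug "${slug}" must start with "/"`);
  }
  if (pathname !== "/" && !pathname.endsWith("/")) {
    throw new Error(`non-root pathname "${pathname}" for slug "${slug}" must end with "/"`);
  }
  return pathname;
}

// Hypothetical route record; only the slug matters for the lookup key.
export interface Route {
  slug: string;
  title: string;
}

// Build the pathname-keyed lookup that sidebar hrefs (e.g. "/intro/overview/")
// are matched against, failing on duplicates and on an unexpectedly empty map.
export function buildRouteMap(routes: Route[]): Map<string, Route> {
  const map = new Map<string, Route>();
  for (const route of routes) {
    const key = assertPathname(slugToPathname(route.slug), route.slug);
    if (map.has(key)) {
      throw new Error(`duplicate route pathname "${key}" (slug "${route.slug}")`);
    }
    map.set(key, route);
  }
  if (routes.length > 0 && map.size === 0) {
    throw new Error("route map is empty; slugToPathname produced no keys");
  }
  return map;
}

// Resolve the repository root from the docs build's cwd (assumption: the build
// runs with cwd set to docs/, so the root is one level up) and fail loudly when
// the marker directory the repo is known to contain (testdata/) is missing,
// which is the symptom of running astro build from the wrong directory.
export function resolveRepoRoot(
  cwd: string,
  exists: (p: string) => boolean = fs.existsSync,
  marker = "testdata",
): string {
  const repoRoot = path.resolve(cwd, "..");
  if (!exists(path.join(repoRoot, marker))) {
    throw new Error(
      `expected ${marker}/ under ${repoRoot}; run the docs build with cwd set to docs/`,
    );
  }
  return repoRoot;
}
```

Injecting `exists` keeps the root check testable without touching the filesystem; in the real component the default `fs.existsSync` would run once at build time, so a wrong cwd aborts the build with a message naming the expected directory instead of emitting pages whose source links point nowhere.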

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
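Review bot: the trailing `# v4.3.1` comment on the new `uses:` line is informational only, GitHub resolves the SHA and ignores the comment, so before merging confirm that 34e114876b0b11c390a56381ad16ebd13914f8d5 is the commit the actions/checkout v4.3.1 tag points at, and add a Dependabot `github-actions` update config (or the Renovate equivalent) so later bumps move the SHA and the version comment together instead of letting them drift apart.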

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout actions to prevent token leakage.

By default, actions/checkout persists the GitHub token in .git/config, making it accessible to subsequent steps and potentially exposing it via uploaded artifacts. Since this PR is specifically about hardening CI/CD security, you should disable credential persistence.

🔐 Proposed fix

Add persist-credentials: false to each checkout step:

       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false

Apply this pattern to all five checkout actions in the file (lines 37, 62, 152, 187, 223). For the steps that already have a with block (lines 62, 152, 187, 223), add persist-credentials: false as an additional property under with:.

Also applies to: 62-62, 152-152, 187-187, 223-223

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 36-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 37, The checkout steps are currently
persisting the GitHub token; for each actions/checkout@... occurrence (the uses:
actions/checkout entries at the five checkout steps) add persist-credentials:
false to stop credential persistence — for steps without a with: block add a
with: section containing persist-credentials: false, and for steps that already
have a with: block (the other actions/checkout occurrences) add
persist-credentials: false as another property under that with: block so all
five checkout steps include persist-credentials: false.

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
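Review bot: this hunk shows one of the seven `actions/checkout` steps in test.yml; check that all seven land on the identical SHA and `# v4.3.1` comment, and that the other actions pinned in this file (jdx/mise-action, actions/cache, actions/upload-artifact, aws-actions/configure-aws-credentials) each carry a version comment too, since a reviewer cannot tell from a bare SHA which release is running and an uneven set of pins makes the next bump easy to apply only partially.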

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout actions to prevent token leakage.

Same issue as in release.yml: the default behavior of actions/checkout persists the GitHub token in .git/config, which can be accessed by subsequent steps or exposed via artifacts. For a security-hardening PR, this is a gap worth closing.

🔐 Proposed fix

Add persist-credentials: false to each checkout step:

       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false

Apply this to all seven checkout actions in the file (lines 17, 35, 53, 68, 130, 170, 193).

Also applies to: 35-35, 53-53, 68-68, 130-130, 170-170, 193-193

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml at line 17, Update every GitHub Actions checkout
step that invokes "uses: actions/checkout@..." to explicitly set
persist-credentials: false so the runner does not leave the GITHUB_TOKEN in
.git/config; for each checkout step (all occurrences of the uses:
actions/checkout steps in this workflow) add the persist-credentials: false
input alongside any existing with: or inputs to prevent token leakage to later
steps or artifacts.
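An added TypeScript example (not code from the runbooks repo, nor from zizmor or CodeRabbit) that audits workflow text for the two controls discussed in this PR: the SHA pinning summarized in the walkthrough above and the `persist-credentials: false` gap raised in the two checkout comments. The sample workflow is constructed here; the all-zero SHA in it is a placeholder, the real checkout SHA is the one from this PR, and the rule names are my own (with `artipacked` borrowed from the zizmor warning quoted above).

```typescript
// Added example (not code from the runbooks repo): a line-oriented audit of
// GitHub Actions workflow text for the two hardening points raised in this PR:
// every "uses:" reference is pinned to a full 40-hex commit SHA with a version
// comment, and every actions/checkout step sets persist-credentials: false.

export interface Finding {
  line: number;    // 1-based line number in the workflow text
  rule: string;    // short rule id
  message: string;
}

const SHA_PIN = /^[0-9a-f]{40}$/;
// Matches "uses: owner/repo@ref # comment" (also as "- uses:"). Local actions
// ("./path") and docker:// references carry no "@ref" and are not matched.
const USES = /^\s*-?\s*uses:\s*([^@\s#]+)@([^\s#]+)\s*(?:#\s*(.*))?$/;

function indentOf(line: string): number {
  return line.length - line.trimStart().length;
}

// Return [start, end) of the step containing the uses: line at usesIdx, so a
// with: block placed either before or after uses: is inspected.
function stepRange(lines: string[], usesIdx: number): [number, number] {
  const usesLine = lines[usesIdx] ?? "";
  const startsStep = usesLine.trimStart().startsWith("- ");
  const keyIndent = indentOf(usesLine) + (startsStep ? 2 : 0);
  let start = usesIdx;
  while (!startsStep && start > 0) {
    const prev = lines[start - 1] ?? "";
    if (prev.trim() === "") { start--; continue; }
    const ind = indentOf(prev);
    if (ind < keyIndent - 2) break;          // left the step entirely
    start--;
    if (ind === keyIndent - 2 && prev.trimStart().startsWith("- ")) break;  // "- name:" line
  }
  let end = usesIdx + 1;
  while (end < lines.length) {
    const cur = lines[end] ?? "";
    if (cur.trim() !== "" && indentOf(cur) < keyIndent) break;  // next step or job key
    end++;
  }
  return [start, end];
}

// True when "key: value" appears anywhere inside the step (i.e. under with:).
function stepSets(lines: string[], usesIdx: number, key: string, value: string): boolean {
  const [start, end] = stepRange(lines, usesIdx);
  const re = new RegExp(`^\\s*${key}:\\s*['"]?([^'"\\s]+)`);
  for (let j = start; j < end; j++) {
    const m = re.exec(lines[j] ?? "");
    if (m && m[1] === value) return true;
  }
  return false;
}

export function auditWorkflow(yaml: string): Finding[] {
  const lines = yaml.split("\n");
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    const m = USES.exec(text);
    if (!m) return;
    const action = m[1] ?? "";
    const ref = m[2] ?? "";
    const comment = (m[3] ?? "").trim();
    const line = i + 1;
    if (!SHA_PIN.test(ref)) {
      findings.push({ line, rule: "unpinned-action", message: `${action}@${ref} is not pinned to a commit SHA` });
    } else if (!/^v?\d/.test(comment)) {
      findings.push({ line, rule: "missing-version-comment", message: `${action} is SHA-pinned without a "# vX.Y.Z" comment, so the pin cannot be reviewed or bumped by version` });
    }
    if (action === "actions/checkout" && !stepSets(lines, i, "persist-credentials", "false")) {
      findings.push({ line, rule: "artipacked", message: "actions/checkout step does not set persist-credentials: false; the GITHUB_TOKEN stays in .git/config" });
    }
  });
  return findings;
}

// Constructed sample workflow: one floating-tag checkout that persists the
// token, one correctly pinned and hardened checkout, one SHA-pinned action
// with a placeholder (all-zero, not real) SHA and no version comment, and one
// local action that is out of scope for pinning.
export const SAMPLE_WORKFLOW = `
name: test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (floating tag, token persisted)
        uses: actions/checkout@v4
      - name: Checkout (pinned, credentials not persisted)
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000
        with:
          path: dist/
      - uses: ./.github/actions/local-action
`;

// Stand-alone run: list the findings for the constructed sample.
for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`${f.line}: [${f.rule}] ${f.message}`);
}
```

On the sample this reports the `@v4` checkout twice (unpinned and token-persisting) and the placeholder-pinned upload step once (no version comment); the hardened checkout is clean. Run over `.github/workflows/*.yml` in CI, a non-empty result is a cheap regression gate for exactly the drift this PR is trying to eliminate.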
