Fabrica build issues.

[svogt0511]

Purpose

closes: #961

preview: https://bracco-lwbban6bp-datacite.vercel.app/

Approach

• Upgrade all github workflow actions that depend on node 20 or 22 to a version that uses node 24
• Upgrade Fabrica to use node 24 in package.json and wherever else is necessary.
• Had to temporarily disable css minification due to another build error. This is a temporary workaround so that we can fix deployment and continue development. This should be fixed soon.

Open Questions and Pre-Merge TODOs

• Update the vercel project settings to specify node.js version 24
  • https://vercel.com/datacite/bracco/settings/build-and-deployment#on-demand-concurrent-builds
  • https://vercel.com/datacite/bracco-test/settings/build-and-deployment#on-demand-concurrent-builds
• Write up a follow-on issue a remove the temporary workaround which disables css minification.

Learning

Types of changes

• Bug fix (non-breaking change which fixes an issue)

• New feature (non-breaking change which adds functionality)

• Breaking change (fix or feature that would cause existing functionality to change)

Reviewer, please remember our guidelines:

• Be humble in the language and feedback you give, ask don't tell.
• Consider using positive language as opposed to neutral when offering feedback. This is to avoid the negative bias that can occur with neutral language appearing negative.
• Offer suggestions on how to improve code e.g. simplification or expanding clarity.
• Ensure you give reasons for the changes you are proposing.

Summary by CodeRabbit

• Chores
  • Updated Node.js runtime requirement to version 24
  • Upgraded CI/CD workflow dependencies for improved compatibility and security

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request upgrades GitHub Actions workflow dependencies across ten workflow files and updates the Node.js runtime requirement in package.json from v22 to v24. The changes address compatibility requirements for the project with Node.js v24 by bumping action versions for checkout, setup, caching, artifact handling, and Vercel deployments.

Changes

Cohort / File(s)	Summary
Checkout & Node Setup Actions .github/workflows/build.yml, .github/workflows/cypress_test.yml, .github/workflows/ember_test.yml	Upgraded actions/checkout from v4 to v6, actions/setup-node from v4 to v6, and updated Node.js runtime from v22 to v24. Also bumped cache and artifact action versions (cache v4→v5, upload-artifact v4→v7, download-artifact v4→v8).
Vercel Deployment Workflows .github/workflows/branch_to_staging.yml, .github/workflows/deploy.yml, .github/workflows/preview-app-label.yml, .github/workflows/pull_request.yml, .github/workflows/release.yml	Upgraded actions/checkout from v4 to v6 and amondnet/vercel-action from v25.1.1 to v42.2.0 across all deployment-related workflows.
Other CI/Analysis Workflows .github/workflows/changelog.yml, .github/workflows/codeql-analysis.yml	Updated actions/checkout from v1/v4 to v6.
Package Configuration package.json	Updated engines.node requirement from ^22.11.0 to ^24.0.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hopping to newer grounds, we spring forward with cheer!
GitHub actions bloom fresh, from old versions we steer.
Node twenty-four calls, workflows updated with care,
Vercel sails higher, dependencies leap through the air! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Fabrica build issues' is vague and generic, using a non-descriptive phrase that doesn't convey the specific nature of the changes made (GitHub Actions upgrades and Node.js version bump).	Consider a more specific title such as 'Upgrade GitHub Actions and Node.js to v24' or 'Update Fabrica workflows to Node v24 and latest GitHub Actions' to clearly communicate the primary technical changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The pull request successfully upgrades all required components: amondnet/vercel-action upgraded to v42.2.0 across all workflows, actions/checkout upgraded to v6 across all workflows, and Node.js runtime updated from v22 to v24 in package.json and relevant workflow configurations.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the linked issue #961 requirements: GitHub Actions version updates (actions/checkout, amondnet/vercel-action, actions/setup-node, actions/cache, actions/upload-artifact, actions/download-artifact) and Node.js version upgrades from v22 to v24.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pb961-fabrica-build-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)

.github/workflows/ember_test.yml (1)

13-26: ⚠️ Potential issue | 🟠 Major

Include the Node major in the node_modules cache key.

This job now runs Node 24, but the cache key can still restore a node_modules tree created under Node 22 when yarn.lock is unchanged. Add the Node major/version to force a clean cache boundary.

Proposed cache key update

           path: |
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
             ~/.cache/Cypress
-          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-24-yarn-${{ hashFiles('**/yarn.lock') }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ember_test.yml around lines 13 - 26, The cache key for the
cypress-cache step can restore node_modules built under a different Node major;
update the key used in the actions/cache@v5 step (id: cypress-cache) to include
the Node major/version (from the current job's node-version: '24') so caches are
separated by Node; for example append or insert a node identifier like
"-node-24" (or use a variable representing the Node major) into the existing key
expression `${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}` so it
becomes `${{ runner.os }}-node-24-yarn-${{ hashFiles('**/yarn.lock') }}` (or
equivalent using an env/matrix variable).

.github/workflows/codeql-analysis.yml (1)

38-67: ⚠️ Potential issue | 🟠 Major

Upgrade CodeQL actions to v4 for Node.js 24 compatibility.

This workflow upgraded actions/checkout to v6 but left github/codeql-action/init, autobuild, and analyze at the deprecated @v1. These must be upgraded to @v4 to align with the Node.js 24 migration and follow GitHub's deprecation guidance.

Proposed workflow update

     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}

     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v4

     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v4

Refs: GitHub CodeQL v1 deprecation: https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/ and CodeQL v4 Node 24 support: github/codeql-action#3271

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 38 - 67, The CodeQL
action steps still reference deprecated v1 releases
(github/codeql-action/init@v1, github/codeql-action/autobuild@v1,
github/codeql-action/analyze@v1); update those usages to the current v4 releases
(e.g., github/codeql-action/init@v4, github/codeql-action/autobuild@v4,
github/codeql-action/analyze@v4) to ensure Node.js 24 compatibility and follow
GitHub deprecation guidance, then run/validate the workflow to confirm there are
no input changes required by the v4 actions.

.github/workflows/preview-app-label.yml (1)

15-27: ⚠️ Potential issue | 🟠 Major

Declare the token permissions required by the Vercel deployment integration.

With github-deployment: true, v42 requires deployments: write in the workflow permissions. Without explicit permissions, this fails in orgs where GITHUB_TOKEN defaults to read-only. Also add pull-requests: write and issues: write for github.qkg1.topment: true.

Proposed permissions block

 jobs:
   deploy:
     if: ${{ github.event.label.name == 'create preview app' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      deployments: write
+      pull-requests: write
+      issues: write
     environment: vercel-bracco-preview

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/preview-app-label.yml around lines 15 - 27, Add an
explicit workflow-level permissions block so the Vercel action
(amondnet/vercel-action@v42.2.0) can create deployments and post comments: add a
top-level permissions: mapping that grants deployments: write, pull-requests:
write and issues: write (and any other minimal permissions your workflow needs)
because the job uses github-deployment: true and github.qkg1.topment: true; place
this permissions block at the workflow root (above jobs) so the GITHUB_TOKEN has
the required scopes.

.github/workflows/pull_request.yml (1)

37-45: ⚠️ Potential issue | 🟠 Major

Pin the Vercel deploy action to an immutable commit SHA.

This secret-bearing PR deploy step currently uses a mutable tag (v42.2.0). Replace it with the resolved commit SHA to prevent unintended action updates during PR deployments; dependency management tools can still keep it current.

Pinning example

       - name: Vercel deploy preview
-        uses: amondnet/vercel-action@v42.2.0
+        uses: amondnet/vercel-action@4b810e26f7bb2a331c698af186f890cbf20d5f72

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull_request.yml around lines 37 - 45, The GitHub Actions
step named "Vercel deploy preview" is using a mutable tag in the uses field
(amondnet/vercel-action@v42.2.0); update the uses value to the action's
immutable commit SHA (e.g., amondnet/vercel-action@<COMMIT_SHA>) to pin the
action, preserving the existing with inputs (vercel-token, vercel-org-id,
vercel-project-id, vercel-args, scope, vercel-project-name) exactly as-is;
replace only the tag with the resolved SHA in the uses line to lock the
dependency.

.github/workflows/branch_to_staging.yml (1)

41-49: ⚠️ Potential issue | 🟠 Major

Migrate from deprecated vercel-args and scope inputs to v42 typed inputs.

v42 changed from CLI-based to API-based deployments. While v42 still supports vercel-args and scope for backward compatibility (falling back to CLI mode), these inputs are deprecated and will be removed in a future version. The current setup should be migrated to use typed inputs for forward compatibility.

Migration needed:

• vercel-args: --force ... → force: true
• vercel-args: --build-env HANDLE_SERVER=... → build-env: (multiline)
• scope: ${{ secrets.TEAM_ID }} → vercel-org-id: ${{ secrets.TEAM_ID }}
• Move VERCEL_NOCACHE condition into the force input

Note: The current config uses ORG_ID for vercel-org-id and TEAM_ID for scope; verify which is the correct team/org identifier for your Vercel account before migrating, as v42 consolidates both into a single vercel-org-id.

🔧 Suggested migration to v42 typed inputs

       - name: Vercel deploy staging
         uses: amondnet/vercel-action@v42.2.0
         with:
           vercel-token: ${{ secrets.VERCEL_TOKEN }}
-          vercel-org-id: ${{ secrets.ORG_ID}}
+          vercel-org-id: ${{ secrets.TEAM_ID }}
           vercel-project-id: ${{ secrets.PROJECT_ID}}
-          vercel-args: ${{ vars.VERCEL_NOCACHE  == 'true' && '--force' || '' }}  --build-env HANDLE_SERVER=${{vars.HANDLE_SERVER}}
-          scope: ${{ secrets.TEAM_ID}}
+          force: ${{ vars.VERCEL_NOCACHE == 'true' }}
+          build-env: |
+            HANDLE_SERVER=${{ vars.HANDLE_SERVER }}
           vercel-project-name: 'bracco'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/branch_to_staging.yml around lines 41 - 49, The workflow
uses deprecated vercel-action inputs `vercel-args` and `scope` in the "Vercel
deploy staging" step; replace them with v42 typed inputs: remove `vercel-args`
and `scope`, add `force:` set programmatically from `${{ vars.VERCEL_NOCACHE ==
'true' }}` (true/false), add a multiline `build-env:` block containing
`HANDLE_SERVER: ${{ vars.HANDLE_SERVER }}`, and map the team/org value into
`vercel-org-id:` using the correct secret (verify whether `secrets.TEAM_ID` or
`secrets.ORG_ID` is the proper identifier) while keeping `vercel-project-id:`
and `vercel-token:` as-is.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/branch_to_staging.yml:
- Around line 41-49: The workflow uses deprecated vercel-action inputs
`vercel-args` and `scope` in the "Vercel deploy staging" step; replace them with
v42 typed inputs: remove `vercel-args` and `scope`, add `force:` set
programmatically from `${{ vars.VERCEL_NOCACHE == 'true' }}` (true/false), add a
multiline `build-env:` block containing `HANDLE_SERVER: ${{ vars.HANDLE_SERVER
}}`, and map the team/org value into `vercel-org-id:` using the correct secret
(verify whether `secrets.TEAM_ID` or `secrets.ORG_ID` is the proper identifier)
while keeping `vercel-project-id:` and `vercel-token:` as-is.

In @.github/workflows/codeql-analysis.yml:
- Around line 38-67: The CodeQL action steps still reference deprecated v1
releases (github/codeql-action/init@v1, github/codeql-action/autobuild@v1,
github/codeql-action/analyze@v1); update those usages to the current v4 releases
(e.g., github/codeql-action/init@v4, github/codeql-action/autobuild@v4,
github/codeql-action/analyze@v4) to ensure Node.js 24 compatibility and follow
GitHub deprecation guidance, then run/validate the workflow to confirm there are
no input changes required by the v4 actions.

In @.github/workflows/ember_test.yml:
- Around line 13-26: The cache key for the cypress-cache step can restore
node_modules built under a different Node major; update the key used in the
actions/cache@v5 step (id: cypress-cache) to include the Node major/version
(from the current job's node-version: '24') so caches are separated by Node; for
example append or insert a node identifier like "-node-24" (or use a variable
representing the Node major) into the existing key expression `${{ runner.os
}}-yarn-${{ hashFiles('**/yarn.lock') }}` so it becomes `${{ runner.os
}}-node-24-yarn-${{ hashFiles('**/yarn.lock') }}` (or equivalent using an
env/matrix variable).

In @.github/workflows/preview-app-label.yml:
- Around line 15-27: Add an explicit workflow-level permissions block so the
Vercel action (amondnet/vercel-action@v42.2.0) can create deployments and post
comments: add a top-level permissions: mapping that grants deployments: write,
pull-requests: write and issues: write (and any other minimal permissions your
workflow needs) because the job uses github-deployment: true and github.qkg1.topment:
true; place this permissions block at the workflow root (above jobs) so the
GITHUB_TOKEN has the required scopes.

In @.github/workflows/pull_request.yml:
- Around line 37-45: The GitHub Actions step named "Vercel deploy preview" is
using a mutable tag in the uses field (amondnet/vercel-action@v42.2.0); update
the uses value to the action's immutable commit SHA (e.g.,
amondnet/vercel-action@<COMMIT_SHA>) to pin the action, preserving the existing
with inputs (vercel-token, vercel-org-id, vercel-project-id, vercel-args, scope,
vercel-project-name) exactly as-is; replace only the tag with the resolved SHA
in the uses line to lock the dependency.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 92274de3-8a55-4a9b-a12f-799463776603

📥 Commits

Reviewing files that changed from the base of the PR and between 7300741 and a76f141.

📒 Files selected for processing (11)

• .github/workflows/branch_to_staging.yml
• .github/workflows/build.yml
• .github/workflows/changelog.yml
• .github/workflows/codeql-analysis.yml
• .github/workflows/cypress_test.yml
• .github/workflows/deploy.yml
• .github/workflows/ember_test.yml
• .github/workflows/preview-app-label.yml
• .github/workflows/pull_request.yml
• .github/workflows/release.yml
• package.json