CI changes

.github/workflows/build.yml

@@ -0,0 +1,155 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+
+  # Allow `uses: ...` in other workflows, used by `release.yml`
+  workflow_call:
+
+  # Allow users with repo write to run the workflow from the GitHub Actions UI
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: [20, 22, 24]
+
+    steps:
+      # Prevent LF→CRLF conversion on Windows checkout (causes prettier to warn).
+      # Linux and macOS are false by default.  TODO: gitattributes
+      - name: Set git to use LF
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - run: node scripts/validate-platform-dependencies.js
+
+      - run: npm clean-install
+
+      - name: Check version consistency
+        run: npm run check-version
+
+      - name: Check formatting and linting
+        run: npm run lint
+
+      - name: Run client tests
+        working-directory: ./client
+        run: npm test
+
+      - run: npm run build
+
+  #  When users `npm install` the Inspector, npm will try to flatten/deduplicate dependencies across
+  #  their entire project, and could choose newer versions than our lock file (within our semver
+  #  constraints). This test helps catch when those newer versions break the build.
+  dependency-range-test:
+    runs-on: ubuntu-latest
+
+    # Don't block if this fails - it's informational
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+          # Omit cache to test with freshly-resolved dependencies
+
+      - name: Install dependencies with fresh resolution
+        run: npm install --no-package-lock
+
+      - name: Check version consistency
+        run: npm run check-version
+
+      - name: Check formatting and linting
+        run: npm run lint
+
+      - name: Run client tests
+        working-directory: ./client
+        run: npm test
+
+      - run: npm run build
+
+  e2e-tests:
+    # Installing Playwright dependencies can take quite awhile, and also depends on GitHub CI load.
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwoff1
+
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        id: setup_node
+        with:
+          node-version-file: package.json
+          cache: npm
+
+      # Cache Playwright browsers
+      - name: Cache Playwright browsers
+        id: cache-playwright
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright # The default Playwright cache path
+          key: ${{ runner.os }}-playwright-${{ hashFiles('package-lock.json') }} # Cache key based on OS and package-lock.json
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install Playwright dependencies
+        run: npx playwright install-deps
+
+      - name: Install Playwright and browsers unless cached
+        run: npx playwright install --with-deps
+        if: steps.cache-playwright.outputs.cache-hit != 'true'
+
+      - name: Run Playwright tests
+        id: playwright-tests
+        run: npm run test:e2e
+
+      - name: Upload Playwright Report and Screenshots
+        uses: actions/upload-artifact@v4
+        if: steps.playwright-tests.conclusion != 'skipped'
+        with:
+          name: playwright-report
+          path: |
+            client/playwright-report/
+            client/test-results/
+            client/results.json
+          retention-days: 2
+
+      - name: Publish Playwright Test Summary
+        uses: daun/playwright-report-summary@v3
+        if: steps.playwright-tests.conclusion != 'skipped'
+        with:
+          create-comment: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+          report-file: client/results.json
+          comment-title: "Playwright test results"
+          custom-info: |
+
+            **Environment:** Ubuntu Latest, Node.js ${{ steps.setup_node.outputs.node-version }}
+            **Browsers:** Chromium, Firefox
+
+            📊 [View Detailed HTML Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) (download artifacts)
+          test-command: "npm run test:e2e"

.github/workflows/claude.yml

@@ -28,7 +28,7 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/cli_tests.yml

@@ -15,10 +15,10 @@ jobs:
       run:
         working-directory: ./cli
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: package.json
           cache: npm

.github/workflows/main.yml → .github/workflows/release.yml

@@ -1,47 +1,16 @@
-on:
-  push:
-    branches:
-      - main
+name: Release
 
-  pull_request:
+on:
   release:
+    # `published` triggers for both `released` and `prereleased`, even from a saved draft
     types: [published]
 
 jobs:
   build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Check formatting
-        run: npx prettier --check .
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: npm
-
-      # Working around https://github.com/npm/cli/issues/4828
-      # - run: npm ci
-      - run: npm install --no-package-lock
-
-      - name: Check version consistency
-        run: npm run check-version
-
-      - name: Check linting
-        working-directory: ./client
-        run: npm run lint
-
-      - name: Run client tests
-        working-directory: ./client
-        run: npm test
-
-      - run: npm run build
+    uses: ./.github/workflows/build.yml
 
   publish:
     runs-on: ubuntu-latest
-    if: github.event_name == 'release'
     environment: release
     needs: build
 
@@ -50,16 +19,15 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
           cache: npm
           registry-url: "https://registry.npmjs.org"
 
-      # Working around https://github.com/npm/cli/issues/4828
-      # - run: npm ci
-      - run: npm install --no-package-lock
+      - run: npm clean-install
 
       # TODO: Add --provenance once the repo is public
       - run: npm run publish-all
@@ -68,16 +36,17 @@ jobs:
 
   publish-github-container-registry:
     runs-on: ubuntu-latest
-    if: github.event_name == 'release'
     environment: release
     needs: build
+
     permissions:
       contents: read
       packages: write
       attestations: write
       id-token: write
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3

.husky/pre-commit

@@ -1,2 +1,3 @@
 npx lint-staged
 git update-index --again
+.husky/scripts/validate-lockfile.sh

.husky/scripts/validate-lockfile.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# Only run if package-lock.json is being committed
+if ! git diff --cached --name-only | grep -q "^package-lock.json$"; then
+  exit 0
+fi
+
+# Check npm version
+NPM_VERSION=$(npm --version)
+NPM_MAJOR=$(echo "$NPM_VERSION" | cut -d. -f1)
+NPM_MINOR=$(echo "$NPM_VERSION" | cut -d. -f2)
+
+if [ "$NPM_MAJOR" -lt 11 ] || ([ "$NPM_MAJOR" -eq 11 ] && [ "$NPM_MINOR" -lt 3 ]); then
+  echo ""
+  echo "⚠️  You are using npm $NPM_VERSION"
+  echo "npm >= 11.3.0 is recommended to avoid lockfile issues."
+  echo "See: https://github.com/npm/cli/issues/4828"
+  echo ""
+fi
+
+# Validate lockfile
+node scripts/validate-platform-dependencies.js || {
+  echo ""
+  echo "❌ package-lock.json validation failed"
+  echo "Run with --add-missing to fix, or upgrade to npm >= 11.3.0 and regenerate."
+  exit 1
+}

package.json

@@ -76,7 +76,8 @@
     "get-intrinsic": "1.3.0"
   },
   "engines": {
-    "node": ">=22.7.5"
+    "node": "^20.17.0 || >=22.9.0",
+    "npm": ">=11.3.0"
   },
   "lint-staged": {
     "**/*.{js,ts,jsx,tsx,json,md}": [