Commit Graph

250 Commits

Author SHA1 Message Date
Matiss Janis Aboltins
1f101077d6 [AI] zizmor: add environment references to secret-consuming workflows (#7856)
* [AI] Reference dedicated environments for workflows using secrets

Assigns each secret-consuming workflow to a dedicated GitHub
environment so zizmor's secrets-without-environment audit passes:

- ai-generated-release-notes.yml -> ai-release-notes
- docs-spelling.yml (update job) -> docs-spelling
- i18n-string-extract-master.yml -> i18n
- release-notes.yml -> pr-automation
- vrt-update-apply.yml -> pr-automation

* [AI] Rename release notes file to match PR #7856

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-05-15 21:45:12 +00:00
Matiss Janis Aboltins
3d47eae87b [AI] Replace GitHub Actions with native gh CLI commands (#7852)
* [AI] Replace superfluous actions flagged by zizmor

Address zizmor's `superfluous-actions` audit by replacing actions whose
functionality is already provided by the runner's pre-installed `gh` CLI:

- `actions-ecosystem/action-add-labels` -> `gh issue edit --add-label`
- `peter-evans/create-or-update-comment` -> `gh issue comment`
- `softprops/action-gh-release` -> `gh release create` / `gh release upload`

For the Electron release workflow, the create step is race-safe across
the three matrix OS jobs that share the same draft release.

* [AI] Simplify electron release upload script

- Drop the `gh release view` existence check; `gh release create ... || true`
  already handles the matrix-job race against the same draft release.
- Use `extglob` to exclude `Actual-windows.exe` inline instead of looping
  over `.exe` separately.

* Add release notes for PR #7852

* [AI] Narrow error suppression on gh release create

Only swallow the "already_exists" error from the parallel-matrix race;
propagate any other failure (auth, network, API) instead of masking it.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-15 19:51:40 +00:00
Matt Fiddaman
36e5cb17f5 fix healthcheck script (#7840)
* fix healthcheck script

* note

* test release docker image
2026-05-14 21:39:10 +00:00
Matiss Janis Aboltins
872a40f829 Add explicit permissions to GitHub Actions workflows (#7846)
* [AI] Add explicit permissions blocks to GitHub Actions workflows

Resolves zizmor "excessive-permissions" findings by declaring minimal
`permissions:` blocks for workflows that previously relied on the default
GITHUB_TOKEN permissions.

https://claude.ai/code/session_01FsyCaLEqb3C4egMPUoAFRg

* Add release notes for PR #7846

* Update category for release notes

Changed category from Enhancements to Maintenance.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-14 20:17:50 +00:00
Matiss Janis Aboltins
fd01bd855c [AI] Stabilize size-compare job by pinning downloads to run_id (#7780)
* [AI] Stabilize size-compare job by pinning downloads to run_id

The compare job in .github/workflows/size-compare.yml was flaky because
fountainhead/action-wait-for-check matched a check by name from any run
on the branch, while dawidd6/action-download-artifact with branch:/pr:
filters and workflow_conclusion: '' resolved to the latest run regardless
of completion. When a new master build started in the seconds between
waiting and downloading, the action picked up the in-progress run and
failed with "artifact not found".

Replaces the eight wait-for-check steps with one actions/github-script
step that polls listWorkflowRuns for a successful build.yml run on
master and the PR head SHA in parallel via Promise.all, then pins all
eight downloads to those run_ids.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add release notes for PR #7780

* Change category to Maintenance in release notes

Updated category from 'Enhancements' to 'Maintenance'.

* [AI] Clean up comment to remove reference to previous implementation

Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
2026-05-14 19:41:13 +00:00
Julian Dominguez-Schatz
d3e7c1ee87 Fix some issues caught by zizmor (#7826)
* Fix some issues caught by zizmor

* Add release notes

* Add more cache ignores

* Add comments on reasoning
2026-05-13 13:19:16 +00:00
Matiss Janis Aboltins
b61732e20e [AI] Add workflow to auto-label AI-generated PRs (#7817)
* [AI] Add workflow to label '[AI]'-prefixed PRs as 'AI generated'

https://claude.ai/code/session_018yp3BsEq1CyPcw8t57nLVu

* [AI] Suppress zizmor dangerous-triggers finding and add release note

https://claude.ai/code/session_018yp3BsEq1CyPcw8t57nLVu

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-05-13 05:17:11 +00:00
Matiss Janis Aboltins
83073b3ee0 [AI] automated publishing workflow for crdt package (#7805)
* [AI] Require @actual-app/crdt version bump and auto-publish

Adds two workflows:
- crdt-version-check: fails PRs that modify files in packages/crdt/
  without bumping the version in packages/crdt/package.json.
- publish-crdt: publishes @actual-app/crdt to npm when the version in
  packages/crdt/package.json changes on master, tagging the release as
  crdt-v<version>.

* [AI] Skip git tagging in @actual-app/crdt publish workflow

Remove the tag-and-push step and the now-unused version output;
downgrade contents permission to read.

* [AI] Simplify crdt version-bump workflows

- Drop the redundant explicit base-branch fetch (fetch-depth: 0 already
  retrieves all remote branches).
- Remove the unreachable "no changes" guard; the pull_request paths
  filter already scopes the workflow to packages/crdt changes.
- Replace the embedded Node semver comparison with `sort -V`.
- Read versions with `jq` instead of inline Node.

* [AI] Add release notes for crdt publish workflows

* [AI] Restrict GITHUB_TOKEN permissions in crdt workflows

Add top-level `permissions: contents: read` to both crdt workflows so
the implicit jobs no longer inherit overly broad permissions (flagged by
zizmor).

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-05-12 21:23:47 +00:00
Matiss Janis Aboltins
daa698e7d2 [AI] Fix /update-vrt merge step when only one shard has changes (#7802)
The Merge VRT Patches job collects shard patches with the glob
`/tmp/shard-patches/*/vrt-shard.patch`, which assumes every downloaded
artifact lands in its own `path/<artifact-name>/` subdirectory. But
actions/download-artifact only does that when 2+ artifacts match the
pattern; when exactly one matches it unpacks the artifact directly into
`path`. So whenever a `/update-vrt` run touches snapshots in a single
shard (the common case) the patch ends up at
`/tmp/shard-patches/vrt-shard.patch`, the glob matches nothing, and the
job reports "No shard patches to merge" despite a patch having been
generated (e.g. run 25679233565).

Replace the glob with a recursive `find` so the patches are located
under either layout. `merge-multiple: true` is not an option here
because every shard artifact contains a file literally named
`vrt-shard.patch` and they would overwrite each other.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 20:38:27 +00:00
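The two artifact layouts described in commit daa698e7d2 above, reproduced as an added example (not code from the repository). The directory and artifact names are constructed; only the file name `vrt-shard.patch` and the glob shape come from the commit message. The code is plain POSIX `sh`, the default shell that commit 82673ecd50 notes for the Playwright container.

```sh
#!/bin/sh
# Added example: constructed directories mimic what the commit message says
# actions/download-artifact produces for 2+ matches versus exactly one match.
root=$(mktemp -d)
trap 'rm -rf "$root"' EXIT

# Layout A: two artifacts matched, each unpacked into path/<artifact-name>/.
mkdir -p "$root/multi/shard-1" "$root/multi/shard-2"   # names are constructed
: > "$root/multi/shard-1/vrt-shard.patch"
: > "$root/multi/shard-2/vrt-shard.patch"

# Layout B: exactly one artifact matched, unpacked directly into path.
mkdir -p "$root/single"
: > "$root/single/vrt-shard.patch"

# Original approach: one-level glob, path/*/vrt-shard.patch.
# In sh an unmatched glob stays literal, so test that the first hit exists.
count_glob() (
  set -- "$1"/*/vrt-shard.patch
  [ -e "$1" ] || set --
  echo "$#"
)

# Replacement approach: recursive find, which works under either layout.
# sort keeps the order stable so patches are applied deterministically.
collect_patches() {
  find "$1" -type f -name vrt-shard.patch | sort
}

count_find() {
  collect_patches "$1" | wc -l | tr -d ' '
}

for layout in multi single; do
  printf '%-6s glob=%s find=%s\n' "$layout" \
    "$(count_glob "$root/$layout")" "$(count_find "$root/$layout")"
done
```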
Matiss Janis Aboltins
82673ecd50 [AI] Use bash for /update-vrt merge step (#7783)
The Merge VRT Patches job runs inside the Playwright container where
the default GitHub Actions shell is `sh -e {0}`, not bash. The merge
step uses bash-only constructs (`shopt -s nullglob`, array literals,
`${#patches[@]}`, `"${patches[@]}"`), so every /update-vrt run that
reaches the merge stage now exits 127 with `shopt: not found` (e.g.
run 25609625260).

Pin this step to `shell: bash` to match the explicit `shell: bash` we
already use elsewhere in the workflow. The sibling shard-patch creation
steps stay on the default sh because they only use POSIX features.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 18:56:50 +00:00
Michael Clark
b05c207123 :electron: Publish to Microsoft store after release is published (#7757)
* move desktop app microsoft store publish to after the release is published

* release notes
2026-05-09 21:16:13 +00:00
Matiss Janis Aboltins
b9ab3e7bc6 [AI] Fix /update-vrt build step after lage browser-build refactor (#7781)
The build-web job in vrt-update-generate.yml invoked
`yarn workspace @actual-app/core build:browser`, but #7602 removed that
script when it routed the browser pipeline through
`lage build:browser --to=@actual-app/web` (orchestrated by
bin/package-browser). The recent /update-vrt parallelization (#7641)
preserved the now-stale per-workspace invocations, so every comment
trigger fails with "Couldn't find a script named build:browser".

Match the working e2e-test.yml build-web step exactly:
`yarn build:browser --skip-translations`. lage's `^build` edge handles
the upstream graph (crdt, plugins-service, loot-core) automatically, and
`--skip-translations` keeps the captured snapshots aligned with regular
VRT runs (which also strip Weblate locale chunks for determinism).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 18:16:42 +00:00
Matiss Janis Aboltins
3104503a8a Refactor VRT workflow to parallelize browser and desktop tests (#7641)
* [AI] Parallelize and shard /update-vrt workflow

Mirror the pre-built bundle + 3-way sharding pattern that #7503 applied
to e2e-test.yml, plus split desktop VRT into its own job so it runs
concurrently with the browser passes instead of sequentially on the
same runner.

- New `build-web` job compiles the browser bundle once and uploads it
  as an artifact (REACT_APP_NETLIFY=true so the "Create test file"
  button survives tree-shaking).
- `browser-vrt` runs as a 3-shard matrix, each downloading the prebuilt
  artifact and using `E2E_USE_BUILD=1` so `serve-build.mjs` replaces
  per-shard Vite startup.
- `desktop-vrt` runs in parallel with the browser shards.
- Each shard produces its own PNG-only `git format-patch` and
  validates it before upload; `merge-patch` re-validates and applies
  every shard patch to produce the single `vrt-patch-<pr>` artifact
  that `vrt-update-apply.yml` already consumes unchanged.
- Keeps `permissions: contents: read, pull-requests: read`,
  `persist-credentials: false` on every checkout, and env-indirection
  for fork-controlled values (zizmor-friendly).

Expected wall-clock drop from ~50 min to ~15-20 min.

* Add release notes for PR #7641

* [AI] Fix vacuous PNG-only patch validation regex

`git format-patch` emits a `GIT binary patch` block for PNGs and does
not produce `+++ b/foo.png` / `--- a/foo.png` text-diff headers. The
existing validation `grep -E '^(\+\+\+|---) [ab]/' patch | grep -v
'\.png$'` therefore matches zero lines for any legitimate PNG-only
patch, and the guard passes vacuously — meaning a crafted binary patch
naming a non-PNG file would also pass undetected.

Match `diff --git` headers instead. Those are present for both text
and binary patches, and naming both source and destination paths gives
us a clean `^diff --git a/<path>.png b/<path>.png$` shape to enforce.

Updated all four validation points in vrt-update-generate.yml (per
shard, in the merge-patch re-validation loop, and on the final merged
patch) plus the pre-existing third defense layer in
vrt-update-apply.yml. Also fixed FILES_CHANGED counter in apply
workflow since it relied on the same broken `+++` pattern.

Verified the new regex with binary patches: legit PNG-only ACCEPTED,
single non-PNG REJECTED, mixed PNG+non-PNG REJECTED.

Reported by CodeRabbit on PR #7641.

* [AI] Move workspace-trust step before setup in browser-vrt and desktop-vrt

Master's #7699 moved the safe.directory git config to a separate step
that runs before the setup composite action, because the setup action
performs git operations (yarn --immutable + checkout of the
translations repo) that fail when the workspace isn't trusted in
container environments.

The merge resolution kept the trust step before setup in build-web (as
master had it) but left the trust step after setup in the new
browser-vrt and desktop-vrt jobs. They have the same setup composite
and would hit the same failure mode — apply the same fix.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
2026-05-09 14:26:21 +00:00
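The PNG-only validation fix described in commit 3104503a8a above, as an added example (not the workflow's own script). `old_check` follows the `grep` pipeline quoted in the commit message; `png_only` enforces the `diff --git` header shape it names. The sample patches and file names are constructed, and rejecting a patch with no `diff --git` header at all is an assumption of this example.

```sh
#!/bin/sh
# Added example. Patch contents are constructed samples trimmed to the header
# lines the checks inspect; payload lines are placeholders.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Binary PNG change as git format-patch emits it: no ---/+++ headers.
cat > "$tmp/png.patch" <<'EOF'
Subject: [PATCH] update snapshots

diff --git a/tests/budget.png b/tests/budget.png
index 1111111..2222222 100644
GIT binary patch
literal 0
(placeholder payload)
EOF

# Binary patch naming a non-PNG file: also no ---/+++ headers.
cat > "$tmp/nonpng.patch" <<'EOF'
Subject: [PATCH] update snapshots

diff --git a/tools/helper.bin b/tools/helper.bin
index 1111111..2222222 100644
GIT binary patch
literal 0
(placeholder payload)
EOF

# PNG change plus a text diff to a non-PNG file.
cat > "$tmp/mixed.patch" <<'EOF'
Subject: [PATCH] update snapshots

diff --git a/tests/budget.png b/tests/budget.png
index 1111111..2222222 100644
GIT binary patch
literal 0
(placeholder payload)
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-old
+new
EOF

# No diff at all.
printf 'Subject: [PATCH] nothing\n\n' > "$tmp/empty.patch"

# Check described as vacuous: reject only if a ---/+++ header names a non-PNG.
# Binary patches carry no such headers, so there is nothing to reject.
old_check() {
  ! grep -E '^(\+\+\+|---) [ab]/' "$1" | grep -qv '\.png$'
}

# Header-based check: every "diff --git" line must name .png on both sides.
# Paths containing whitespace are rejected (fail closed), and the two paths
# are not required to be identical.
png_only() {
  grep -q '^diff --git ' "$1" || return 1   # assumption: no header means reject
  ! grep '^diff --git ' "$1" |
    grep -qvE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'
}

verdict() { if "$@"; then echo ACCEPT; else echo REJECT; fi; }

for p in png nonpng mixed empty; do
  printf '%-7s old=%s new=%s\n' "$p" \
    "$(verdict old_check "$tmp/$p.patch")" "$(verdict png_only "$tmp/$p.patch")"
done
```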
Matiss Janis Aboltins
8ab8277429 [AI] Replace Support contact link with auto-closing tech-support issue template (#7670)
* [AI] Replace Support contact link with auto-closing tech-support issue template

Convert the external Discord "Support" contact link into a proper GitHub issue
form so users who skip the redirect still land somewhere useful. The new form
has a single "Describe your problem" field and a prominent notice that tech
support tickets are auto-closed and Discord is the place to get help. A new
workflow watches for the `tech-support` label, posts a friendly Discord pointer
and closes the issue, mirroring the existing feature-request auto-close flow.

* Add release notes for PR #7670

* [AI] Replace create-or-update-comment action with gh CLI

The peter-evans/create-or-update-comment action is unnecessary since GitHub's gh CLI (pre-installed on all GitHub-hosted runners) provides the same functionality natively via 'gh issue comment' and 'gh issue close' commands. This change addresses the zizmor security scanner warning about using an action when the functionality is already included by the runner.

Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>

* Update 7670.md

* [AI] Fix formatting in workflow file

Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>

* Update issues-close-tech-support.yml

Co-authored-by: Stephen Brown II <Stephen.Brown2@gmail.com>

* Update tech-support.yml

Co-authored-by: Stephen Brown II <Stephen.Brown2@gmail.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
Co-authored-by: Stephen Brown II <Stephen.Brown2@gmail.com>
2026-05-08 20:24:17 +00:00
Matiss Janis Aboltins
e3b42b51a3 [AI] Fix publish-npm-packages workflow setup-node input (#7755)
* [AI] Fix publish-npm-packages workflow setup-node input

The `cache` input on actions/setup-node expects a package-manager
string ('npm'/'yarn'/'pnpm'), not a boolean. Passing `cache: false`
caused the publish job on the v26.5.1 release to fail with
"Caching for 'false' is not supported". Caching is off by default,
so the input is removed entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add release notes for PR #7755

* Change category from Bugfixes to Maintenance

Fix npm dependency caching in the publish workflow by removing the cache disabling setting.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-08 18:31:39 +00:00
Michael Clark
1f4f706c4a ⚙️ Updating workflow based on audit (#7740)
* updating workflows with audit feedback

* release notes
2026-05-07 20:26:12 +00:00
Matt Fiddaman
263358b5cf fix vrt update workflow (#7699)
* fix vrt update workflow

* note
2026-05-05 20:26:48 +00:00
Matiss Janis Aboltins
ff0f5bdb35 [AI] lage - move browser build to using lage (#7602)
* Simplify desktop client browser build

* [AI] Move browser build orchestration into vite config and lage

Moves loot-core worker build, public/ staging (migrations, default-db,
sql-wasm, data-file-index), and build-stats wiring from the deleted
packages/desktop-client/bin/build-browser shell script into a
lootCoreBackend vite plugin in packages/desktop-client/vite.config.mts.

Adds a build:browser target to lage.config.js so bin/package-browser
runs as a single `lage build:browser --to=@actual-app/web` call, with
crdt + loot-core built via lage's ^build dependency before the
desktop-client build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Refactor e2e-test workflow and update desktop-client configurations

* [AI] Move plugins-service staging into desktop-client vite config

Declares plugins-service as a workspace devDependency of @actual-app/web
so lage's ^build edge picks it up automatically in the build:browser
pipeline, and moves the cross-package file staging (production copy +
dev serving) into vite.config.mts, mirroring the lootCoreBackend
pattern. Drops the plugins-service shell wrapper script and simplifies
its package.json scripts to invoke vite build directly. Updates root
start:browser to run plugins-service watch in parallel with the dev
server instead of pre-building once.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* [AI] Sync tsconfig project references for plugins-service edge

Follow-up to the plugins-service workspace edge: adds the
../plugins-service project reference in packages/desktop-client/tsconfig.json
via yarn sync:tsconfig-references.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Release notes

* [AI] Ignore .venv/ so lage's git hasher skips Electron CI's Python venv

Electron CI provisions a Python virtualenv at the repo root for
setuptools. With browser builds now routed through lage, lage's
git hash-object pass walks untracked-not-ignored files and fails on
the venv's broken lib64 symlink ("fatal: Unable to hash .../.venv/lib64").

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* [AI] Bake Weblate translations back into VRT/e2e bundle

build-web set download-translations: false and relied on bin/package-browser's
ad-hoc git clone + git pull. That path is fragile inside the playwright
container, so vite's import.meta.glob('/locale/*.json') frequently produced an
empty languages map and the bundle shipped with no en.json. VRTs then rendered
source-code English and diffed against snapshots authored from Weblate strings.

Route translation provisioning back through actions/checkout (download-translations: true)
in build-web and vrt-update-generate, and add --skip-translations to bin/package-browser
(mirroring bin/package-electron) so the in-script git pull is bypassed when CI
has already staged the locale dir.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* [AI] Skip translation cloning in build-web bundle for VRT determinism

bin/package-browser used to unconditionally clone actualbudget/translations
before vite ran, baking Weblate en.json into the build artifact. With the
e2e-test pipeline now serving that artifact via serve-build.mjs, VRT
screenshots ended up rendering Weblate strings — drifting from the snapshots,
which were authored against source-code English (master VRTs ran on vite dev
without a locale dir).

Pass --skip-translations to bin/package-browser from build-web so the bundle
ships with no locale chunks. download-translations stays 'false' across the
e2e-test and vrt-update-generate workflows, matching the prior behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 20:20:13 +00:00
Matiss Janis Aboltins
aeb28d3b87 Add Discord notification for nightly theme catalog scan failures (#7595)
* [AI] Notify Discord when nightly theme catalog scan fails

Adds an if: failure() step to the validate-theme-catalog job that posts a
minimal alert to the DISCORD_WEBHOOK_URL webhook with a link back to the
failing workflow run. Fires on both theme validation failures (script exits
1) and earlier step failures (checkout/setup), so infrastructure breakage
is also surfaced. nofail: true keeps a Discord outage from cascading into
a red job.

* [AI] Drop setup comment from Discord notify step

* [AI] Move Discord notify to its own job gated by an environment

Splits the notify step into a separate notify-failure job that depends on
validate-theme-catalog and runs only on failure. The new job binds to the
nightly-alerts GitHub Environment so the DISCORD_WEBHOOK_URL secret is
scoped to a dedicated environment rather than inherited at the repo level
(zizmor secrets-without-environment).

* [AI] Add release notes for 7595

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-23 06:58:21 +00:00
Copilot
1c97388654 [AI] Consolidate npm release and nightly publishing into one workflow (#7583)
* [AI] Unify npm release and nightly publish workflows

Agent-Logs-Url: https://github.com/actualbudget/actual/sessions/3f8de051-a9a7-4527-88d8-5c44bc06a562

Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>

* [AI] Harden unified npm publish workflow conditionals

Agent-Logs-Url: https://github.com/actualbudget/actual/sessions/3f8de051-a9a7-4527-88d8-5c44bc06a562

Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>

* [AI] Clarify nightly install step and add concise release note

Agent-Logs-Url: https://github.com/actualbudget/actual/sessions/af3d68aa-d217-47be-addb-1b40b08f533b

Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>

* [AI] Revert release note edit and make npm publish workflow ACT-compatible (#7584)

* Initial plan

* [AI] Revert release note edit and validate workflow with act

Agent-Logs-Url: https://github.com/actualbudget/actual/sessions/df98a192-197a-4df4-a804-80b69116f742

Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jfdoming <9922514+jfdoming@users.noreply.github.com>
2026-04-22 15:18:29 +00:00
Julian Dominguez-Schatz
8323a7d27c Reduce permissions in stale workflow (#7555)
* Restrict permissions on stale workflow

* Add release notes for reducing permissions in stale workflow
2026-04-22 15:17:35 +00:00
Matiss Janis Aboltins
846b6a6b7a [AI] Add nightly CI scan for custom theme catalog (#7566)
* [AI] Add nightly CI scan for custom theme catalog

Adds a scheduled GitHub Actions workflow that fetches `actual.css` from
every repo in `customThemeCatalog.json` and runs it through the same
`embedThemeFonts` + `validateThemeCss` pipeline the app uses at install
time. Failing themes fail the job so maintainers get an alert when a
third-party repo introduces a regression.

The scan treats fetched CSS as opaque text: never executed, never
injected into a DOM, size-capped at 512 KB per file, 15s per fetch,
restricted to raw.githubusercontent.com with redirects disabled, and
run with `contents: read` permissions only. Each catalog `repo` is
schema-checked against `owner/repo` before being interpolated into
the URL.

* [AI] Simplify theme catalog scan

- Reuse `CatalogTheme` type from customThemes instead of duplicating as
  `CatalogEntry` in the script.
- Hoist `appendFileSync` to the static `node:fs` import; drop the dynamic
  import inside `writeStepSummary`.
- Drop the narrative header docstring and the trailing `// ...` comments
  that just restated constant names.
- Drop the redundant URL-prefix re-check inside the CSS fetch helper;
  the single call site constructs the URL from a pinned literal.
- Drop the 250 ms inter-request delay (GitHub Raw rate limits are not
  relevant for 21 requests, and the trailing delay was idle wall-clock
  against the 10-min job budget).
- Give each font fetch inside `embedThemeFonts` its own 15 s timeout
  via `AbortSignal.any`, instead of sharing one signal across every
  font in a theme. Drop the now-unnecessary caller-supplied signal
  from the CI call site.

* [AI] Fix lint on theme catalog scan imports
2026-04-21 21:18:21 +00:00
Julian Dominguez-Schatz
07c71154c9 Enable trusted publishing for releases (#7579)
* Enable trusted publishing for releases

* Add release notes for PR #7579

* Update 7579.md

* [autofix.ci] apply automated fixes

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-04-21 18:34:38 +00:00
Matiss Janis Aboltins
362d8d60e4 [AI] Optimize CI e2e tests with pre-built bundle serving (#7503)
* [AI] Speed up and stabilize Playwright e2e tests

- Serve the prebuilt browser bundle via bin/serve-build.mjs in CI to
  skip per-shard Vite startup; 3-shard matrix with 4 workers each.
- Disable CSS animations in non-VRT runs via a fixture-level init
  script; bump expect timeout to 10s for AutoSizer-bound assertions.
- Use page.evaluate() for React Aria button clicks and a native value
  setter + single input event for controlled-input fills to eliminate
  React Aria re-render races in createAccount and Payee/Category
  autocompletes.
- Click the matching option directly (instead of Enter on a not-yet-
  highlighted list) in mobile transaction and schedule autocompletes.
- FocusableAmountInput.applyText reads the DOM input value so the
  typed amount survives a blur that fires before React flushes the
  onChange state update under CPU contention.
- MobileTransactionEntryPage.fillAmount waits for the outer display
  button (reads parent props.value) so async rules-run completes
  before the next fillField snapshots the transaction.
- MobileNavigation dispatches nav link clicks through evaluate() to
  bypass Playwright's viewport-stability check against the navbar's
  react-spring transforms.
- MobileBudgetPage summary-button lookups use locator.or().waitFor()
  instead of an isVisible() cascade.
- ConfigurationPage.startFresh/createTestFile wait for the account
  header / budget table to mount before returning.
- Workflow hardening: persist-credentials=false on all actions/checkout
  and top-level permissions: contents: read (zizmor findings).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* [AI] Apply animation-disable init script to browser.newPage pages

The previous implementation extended the test-scoped `page` fixture,
but every test creates its own page via `browser.newPage()` and never
uses the fixture-provided page — so the init script was a no-op in
every test.

Move the wrap to the worker-scoped `browser` fixture: intercept
`browser.newPage` so each page created that way has `addInitScript`
applied before the caller can navigate to it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 17:03:56 +00:00
Julian Dominguez-Schatz
664cfdf244 Force node version 24 for trusted publishing (#7577)
* Force node version 24 for trusted publishing

* Add release notes for PR #7577

* Enable check-latest for npm setup action

* Update nightly package publishing workflow to Node.js 24

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-21 16:44:03 +00:00
Julian Dominguez-Schatz
3e35d3b6f5 fix: trusted publishing requires npm version >= 11.5.1 (#7574)
* fix: trusted publishing requires npm version >= 11.5.1

* Add release notes for PR #7574

* Update .github/workflows/publish-nightly-npm-packages.yml

Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>

* Update release notes for trusted publishing fix

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matt Fiddaman <github@m.fiddaman.uk>
2026-04-21 16:03:37 +00:00
Matiss Janis Aboltins
75da8f1851 [AI] fix: ensure crdt builds before loot-core is packed (#7565)
The `Publish nightly npm packages` workflow started failing at the
"Pack the core package" step with:

    Cannot find module '@actual-app/crdt' or its corresponding type declarations.

PR #7541 switched `@actual-app/crdt`'s package.json to conditional
exports (`types` → `./dist/index.d.ts`). `yarn pack` for
`@actual-app/core` triggers a prepack that runs `tsgo -b`, which now
resolves `@actual-app/crdt` via the `types` condition and expects
`packages/crdt/dist/index.d.ts`. Nothing was building crdt first
because loot-core's tsconfig didn't declare it as a project
reference.

Fix: declare the project reference so `tsgo -b` walks the graph and
builds crdt before loot-core. Sibling packages already do this.

Also adopt `@monorepo-utils/workspaces-to-typescript-project-references`
to keep each package's tsconfig `references` in sync with its
`workspace:*` deps, and wire it into a new `yarn check:tsconfig-references`
step in the `check` CI job plus lint-staged. Running the tool added
`../desktop-client` references to sync-server and desktop-electron
(both declare `@actual-app/web` as a workspace dep even though they
only use it at runtime via `require.resolve`); the extra references
are harmless — in CI the corresponding build is already cached by
earlier steps.

https://claude.ai/code/session_01AA2gEMqX24GWeq5BovNmaz
2026-04-20 22:07:27 +00:00
Julian Dominguez-Schatz
29275a573d Run zizmor auto-fix tool (#7533)
* Run `zizmor` auto-fix tool

* Add release notes

* Enable credential persistence for string extraction

Updated workflow to allow pushing extracted strings.

* Enable credential persistence for release notes

Enable credential persistence to allow committing release notes.
2026-04-20 19:40:04 +00:00
Julian Dominguez-Schatz
e896ce408a Enable trusted publishing for nightly npm packages (#7556)
* Enable trusted publishing for nightly `npm` packages

Ref: https://docs.npmjs.com/trusted-publishers

* Add release notes for PR #7556

* Change category to Maintenance and update description

* Fix formatting of id-token permission comment

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-20 14:38:06 +00:00
Matiss Janis Aboltins
3373154b40 Refactor CI workflows to use shared setup job (#7551)
* [AI] Run setup once per workflow and fan out via needs

Add a prep `setup` job at the top of `check.yml` and `build.yml`, and
make every other job in those workflows declare `needs: setup`.

The composite action in `.github/actions/setup` caches `node_modules`
keyed on `yarn.lock`. When that hash changes (dep-bump PRs, master after
a merge), the cache is cold and every fan-out job races to run
`yarn --immutable` in parallel — one wins the cache save, the rest do
redundant work. Serialising through a single `setup` job warms the
cache once so downstream jobs restore instantly and skip yarn install
via the existing `if: steps.cache.outputs.cache-hit != 'true'` guard.

No changes to the composite action or cache keys. `e2e-test.yml` is
intentionally left alone.

* [AI] Harden setup jobs and add release note

Address zizmor code-scanning findings on the new `setup` jobs added in
the previous commit:

- Scope `permissions: contents: read` so the job no longer inherits
  workflow-default write permissions.
- Pass `persist-credentials: false` to `actions/checkout` so the GitHub
  token isn't left on disk for later steps that don't need it.

Add `upcoming-release-notes/7551.md` to satisfy the release-notes PR
check.

* [AI] Disable credential persistence on build.yml checkouts

Each of `api`, `crdt`, `web`, `cli`, `server` in build.yml does
`actions/checkout` (which writes the GitHub token into `.git/config`)
and then uploads build artifacts in the same job. Zizmor flags this as
"credential persistence through GitHub Actions artifacts" because a
misconfigured upload path could capture `.git/config` and leak the
token.

None of these jobs push or write to git, so drop the credential
persistence via `persist-credentials: false` on the checkout.

* [AI] Disable credential persistence on check.yml checkouts

None of the jobs in check.yml (`constraints`, `lint`, `typecheck`,
`validate-cli`, `test`, `migrations`) push or write to git, so pass
`persist-credentials: false` to their `actions/checkout` calls to
resolve the zizmor "credential persistence" finding. Mirrors the fix
just applied to build.yml.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-19 21:22:49 +00:00
Matiss Janis Aboltins
9682f6d8c9 ci: disable fail-fast for Electron build workflows (#7547)
* [AI] Disable fail-fast for Electron build matrices

Prevents cancellation of in-progress platform builds when one fails, so
Windows/macOS/Linux results are all visible on a single run.

* Add release notes for PR #7547

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-18 21:32:21 +00:00
Matiss Janis Aboltins
ff7f81ac06 [AI] Emit bundle stats from the crdt package (#7537)
* [AI] Emit bundle stats from the crdt package

The crdt package was the only published library without a stats.json
artifact. Migrate its build to Vite (mirroring the api/cli setup), wire
in rollup-plugin-visualizer to emit dist/stats.json, and upload it from
the CRDT CI job. Declarations are still produced by tsgo via
--emitDeclarationOnly.

https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ

* Add release notes for PR #7537

* [AI] crdt: drop redundant rm -rf dist from build script

Vite's build.emptyOutDir: true already clears the output directory
before writing, so the leading rm -rf dist is unnecessary.

https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ

* [AI] Include crdt in the size-compare bundle stats table

Wait for the crdt build check on both the base branch and the PR,
download the crdt-build-stats artifact for each, and pass it to
bundle-stats-comment.mjs so the summary table rendered on the PR
includes a row for the crdt package alongside desktop-client,
loot-core, api, and cli.

https://claude.ai/code/session_01CDVAGLGu49q5YMHsRLkYLQ

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-17 20:38:06 +00:00
Julian Dominguez-Schatz
995670476e Add GitHub Actions check step via zizmor (#7465)
* Add GitHub Actions check step via `zizmor`

* Add security-events permissions to check-gh-actions

Added permissions for security events in GitHub Actions.

* Add persist-credentials option to checkout action

* Add release notes for PR #7465

* Change category to Maintenance and update action step

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-17 11:55:51 +00:00
Matt Fiddaman
8c47374b9d ⬆️ mid-month dependency bump (#7506)
* typescript (^5.9.3 -> ^6.0.2)

* eslint-plugin-perfectionist (^5.6.0 → ^5.8.0)

* @types/node (^22.19.15 → ^22.19.17)

* @typescript/native-preview (^7.0.0-dev.20260309.1 → ^7.0.0-dev.20260404.1)

* eslint (^9.39.3 → ^9.39.4)

* lage (^2.14.19 → ^2.15.5)

* lint-staged (^16.3.2 → ^16.4.0)

* minimatch (^10.2.4 → ^10.2.5)

* vitest (^4.1.0 → ^4.1.2)

* better-sqlite3 (^12.6.2 → ^12.8.0)

* commander (^13.0.0 → ^13.1.0)

* cosmiconfig (^9.0.0 → ^9.0.1)

* @chromatic-com/storybook (^5.0.1 → ^5.1.1)

* @storybook/addon-a11y (^10.2.16 → ^10.3.4)

* @storybook/addon-docs (^10.2.16 → ^10.3.4)

* @storybook/react-vite (^10.2.16 → ^10.3.4)

* eslint-plugin-storybook (^10.2.16 → ^10.3.4)

* storybook (^10.2.16 → ^10.3.4)

* @codemirror/language (^6.12.2 → ^6.12.3)

* @react-aria/interactions (^3.27.0 → ^3.27.1)

* @swc/core (^1.15.18 → ^1.15.24)

* @swc/helpers (^0.5.19 → ^0.5.21)

* @tanstack/react-query (^5.90.21 → ^5.96.2)

* @uiw/react-codemirror (^4.25.7 → ^4.25.9)

* @vitejs/plugin-basic-ssl (^2.2.0 → ^2.3.0)

* i18next (^25.8.14 → ^25.10.10)

* lru-cache (^11.2.6 → ^11.2.7)

* react-grid-layout (^2.2.2 → ^2.2.3)

* react-i18next (^16.5.6 → ^16.6.6)

* rolldown (^1.0.0-rc.12 → ^1.0.0-rc.13)

* sass (^1.97.3 → ^1.99.0)

* adm-zip (^0.5.16 → ^0.5.17)

* csv-parse (^6.1.0 → ^6.2.1)

* csv-stringify (^6.6.0 → ^6.7.0)

* jest-diff (^30.2.0 → ^30.3.0)

* express-rate-limit (^8.3.0 → ^8.3.2)

* upgrade yarn to 4.13.0

* react-aria-components (^1.15.1 → ^1.16.0)

* @vitejs/plugin-react (^6.0.0 → ^6.0.1)

* @codemirror/state (^6.5.4 → ^6.6.0), @codemirror/view (^6.38.7 → ^6.41.0)

* react-aria (^3.46.0 → ^3.47.0)

* react-error-boundary (^6.0.3 → ^6.1.1)

* recharts (^3.7.0 → ^3.8.1)

* fast-check (4.5.3 → ^4.6.0)

* rollup-plugin-visualizer (^6.0.11 → ^7.0.1)

* commander (^13.1.0 → ^14.0.3)

* note

* coderabbit feedback, and a test for good measure

* typescript (^5.9.3 -> ^6.0.2)

* @playwright/test (1.58.2 -> 1.59.1)

* yarn dedupe
2026-04-15 17:05:26 +00:00
Stephen Brown II
f8d5d38d0a Skip release notes generation for docs-only PRs (#6815)
2026-04-15 14:52:16 +00:00
Matt Fiddaman
023f34814c ⬆️ bump gh actions (#7507)
* upload-artifact

* codeql-action

* create-pr

* docker

* github-script

* sticky-pull-request-comment

* action-download-artifact

* note
2026-04-15 14:36:28 +00:00
Matiss Janis Aboltins
c4f3fb0b93 [AI] Fix type errors for API consumers by shipping .d.ts declarations (#7468)
* [AI] Fix type errors for API consumers by shipping .d.ts declarations from loot-core

Downstream consumers of @actual-app/api with strict: true get type errors
because @actual-app/core exports raw .ts source files. Consumers' tsc
follows the import chain into core's source (compiled with strict: false),
and skipLibCheck doesn't help since it only skips .d.ts files.

Add "types" conditions to all imports/exports entries in loot-core's
package.json, pointing to the pre-built declarations in lib-dist/decl/.
Add .npmignore to include lib-dist/decl/ in the published package.

Fixes #7410

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Use prepack/postpack scripts instead of inflating package.json

Replace the inline "types" conditions in imports/exports with a prepack
script that adds them at pack/publish time. This keeps the checked-in
package.json clean while still shipping .d.ts declarations to npm
consumers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Convert prepack/postpack scripts to TypeScript

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Add release notes for #7468

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Fix recursive ExportValue type and remove redundant comment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Rename scripts to .mts and inline types conditions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Make backup/restore scripts safer

- Check if backup exists before creating it in prepack
- Make restore idempotent by checking if backup exists in postpack
- Prevents overwriting existing backups from interrupted runs
- Addresses CodeRabbit review feedback

Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>

* [AI] Type api-handlers.ts fields to drop implicit any

The `fields` / export-args slots in the ApiHandlers contract were
untyped, surfacing as TS7008 errors in strict consumers. Replace them
with the `Partial<APIXxxEntity>` shapes the `@actual-app/api` wrappers
already pass, and annotate the matching call sites in `api.ts` with
`@ts-expect-error` where the legacy helpers still declare full-entity
parameters despite accepting partial updates at runtime.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Replace vite-plugin-dts with tsgo for api types

Drops vite-plugin-dts in favor of running tsgo --emitDeclarationOnly
after the vite bundle, eliminating a heavy dev dependency tree
(api-extractor, volar, vue language-core) from the api package build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Add build script to loot-core to emit declarations via lage

`yarn build:cli` failed in CI with TS6305 because api's
`tsgo --emitDeclarationOnly` depends on loot-core's pre-built
`lib-dist/decl/*.d.ts`, but loot-core had no `build` script, so lage's
`^build` cascade silently skipped it. Add `"build": "tsgo -b"` so loot-core
slots into the dependency chain; its tsconfig already has
`emitDeclarationOnly: true`, so the output is declarations only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Simplify API build

* [AI] Document TypeScript moduleResolution requirement for @actual-app/api

The published declarations rely on package.json exports conditions, which
classic node / node10 resolvers don't honor. Document the supported modes
(bundler / nodenext / node16) in the package README and in the Getting
Started section of the API docs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Type-guard default value in add-types-conditions prepack

`value.default` is typed `ExportValue | undefined`, which allows nested
conditional objects. The previous truthy check fell through to
`shouldSkip(defaultValue)` and would crash on `.endsWith()` if that shape
ever appeared. Replace with a `typeof === 'string'` narrowing and drop a
now-redundant "Insert types as the first key" comment.

No runtime change on current package.json — no nested `default` values
exist today — but the script is not covered by loot-core's tsconfig
include, so the latent type issue was silent.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Allow "nodenext" in docs spellcheck expect list

Referenced in the new TypeScript moduleResolution note in the API docs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Move loot-core declarations to @types and whitelist publish with files

Relocate loot-core's composite TypeScript output from lib-dist/decl to the
top-level @types directory, matching the api package's convention. Replace
the old .npmignore blacklist with an explicit package.json files whitelist.

- tsconfig.json: outDir @types, exclude test/mock dirs from decl emission
- scripts/add-types-conditions.mts: rewrite paths to ./@types/src/...
- package.json: files whitelist shipping only src, @types, migrations,
  typings, default-db.sqlite; drop legacy typesVersions (docs now require
  moduleResolution bundler/nodenext/node16, so the classic-resolution
  fallback is unused)
- .gitignore: ignore the new @types build artifact
- lage.config.js: factor outputGlob into a shared BUILD_OUTPUT_GLOBS
  constant and add @types/** so lage caches loot-core's decl output
- root tsconfig.json: tighten exclude from packages/api/@types to
  packages/*/@types to cover both api and loot-core
- delete .npmignore entirely

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [AI] Build loot-core declarations inside prepack

yarn workspace @actual-app/core pack is the first non-setup step in the
publish workflow, running before any build. Without a build chained into
prepack the @types/ tree is empty at pack time, so the tarball shipped a
transformed package.json pointing at ./@types/src/... paths that didn't
exist. npm publish doesn't re-run hooks on a pre-packed tarball, so the
frozen snapshot must be self-contained; prepack now runs yarn build first
to populate @types/ before add-types-conditions rewrites the exports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
2026-04-14 07:40:17 +00:00
Michael Clark
95b2925be6 :electron: Fix desktop app playwright vrt setup (#7490)
* fix desktop app playwright vrt tests

* release notes

* add bcrypt in as well

* install build tools for bcrypt....
2026-04-13 08:04:15 +00:00
Matt Fiddaman
db72948d7c change release process to use a branch and add automation (#7418)
* release automation

* note

* harden tokens for release notes workflow

* fix yarn install on release notes check

* amend release docs

* address coderabbit

* change back to auto version resolution

* more coderabbit

* clarify a poorly worded comment

* drop cherry pick workflows

* fix docker tag

* coderabbit

* drop `v` from release branch name

Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>

* simplify release note workflows

---------

Co-authored-by: Matiss Janis Aboltins <matiss@mja.lv>
2026-04-12 22:17:14 +00:00
Matiss Janis Aboltins
d76d7d3204 Security hardening: validate release notes and workflow inputs (#7448)
* [AI] Harden GitHub Actions workflows against low-severity security issues

- generate-release-pr.yml: replace `eval` with an associative array for
  per-package version tracking. The version input was already moved to an
  env var in #7433, so this removes the remaining defense-in-depth concern
  of `eval`ing subshell output.
- create-release-notes-file.js: validate the OpenAI-returned category
  against the known allow-list (Features, Bugfixes, Enhancements,
  Maintenance), validate the author against the GitHub username regex,
  and collapse the summary to a single line before embedding it in the
  markdown body. Prevents indirect prompt-injection via CodeRabbit
  comments from producing malformed YAML frontmatter.
- generate-summary.js: stop logging the full CodeRabbit comment body to
  CI logs.
- netlify-release.yml, i18n-string-extract-master.yml: pass secrets via
  `env:` blocks rather than as CLI arguments, so they do not appear in
  argv / process listings.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

* Add release notes for PR #7448

* [AI] Address review feedback on security hardening

- create-release-notes-file.js: stop logging the full fileContent body.
  Only log the target filename plus the (already-validated) category and
  author metadata, so the model-generated release-note text doesn't end
  up in CI logs.
- create-release-notes-file.js: validate summaryData.prNumber as a
  positive integer before using it in the file path or commit message,
  and switch both usages to the validated numeric value.
- i18n-string-extract-master.yml: write the Weblate API key into
  ~/.config/weblate under a [keys] section in a new "Configure Weblate
  API credentials" step, then drop the per-step env blocks and the
  --key CLI flag from every wlc invocation so the secret is no longer
  visible in process listings at all.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

* [AI] Remove debug console.log statements for category in release notes script

Remove the four "Debug - ..." console.log calls that printed the raw
category env var (value/type/JSON-stringified form) plus the cleanCategory
value. They were clutter in CI logs; the existing info-level
"Creating release notes file: ... (category: ..., author: ...)" log
already surfaces the sanitized category.

https://claude.ai/code/session_012pZSkUBbabmmuaxbwysW33

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-10 17:11:52 +00:00
Matiss Janis Aboltins
4efa8bba04 Fix script injection patterns in GitHub Actions workflows (#7433)
* [AI] Fix script injection in vrt-update-apply.yml workflow

Use environment variables instead of direct expression interpolation
in the github-script step to prevent potential script injection via
artifact-sourced values (steps.apply.outputs.error and
steps.metadata.outputs.pr_number).

https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9

* [AI] Fix script injection in generate-release-pr.yml workflow

Use environment variable instead of direct expression interpolation
for github.event.inputs.version in the shell script context to
prevent potential command injection.

https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9

* [AI] Add release notes for #7433

https://claude.ai/code/session_01V28NTQAXTvSfwyoDhWpWo9

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-08 22:19:45 +00:00
Matiss Janis Aboltins
1f3b4e613d Pin check-spelling action versions to specific commits (#7430)
* [AI] Pin check-spelling actions to commit SHAs in docs-spelling.yml

Pin check-spelling/check-spelling@main and check-spelling/spell-check-this@prerelease
to specific commit SHAs to prevent supply chain attacks. The update job is especially
sensitive as it has contents:write, pull-requests:write permissions and access to the
CHECK_SPELLING SSH deploy key.

https://claude.ai/code/session_01FK9KT4VRxvm24bb18Q9rvM

* [AI] Fix spell-check-this prerelease pin to correct commit SHA

https://claude.ai/code/session_01FK9KT4VRxvm24bb18Q9rvM

* [AI] Add release notes for pinning check-spelling action versions

https://claude.ai/code/session_01FK9KT4VRxvm24bb18Q9rvM

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-08 21:38:07 +00:00
Matt Fiddaman
1e8ad9a89f fix loot-core version bump in generate script (#7414)
2026-04-07 22:17:18 +00:00
Matt Fiddaman
5009f01218 generate docs from release notes directly (#7408)
* move workflows to use the local actions

* generate docs from release notes directly

* note

* fix create PR workflow from SHA
2026-04-07 21:00:32 +00:00
Matt Fiddaman
bb7d7275a6 migrate actualbudget/actions to the main repo (#7406)
* migrate release note actions

* move workflows to use the local actions

* note

* fix failing cleanup in release notes action

* fix codeQL violation
2026-04-07 10:28:30 +00:00
Matt Fiddaman
b03080b246 trim down some unused/unnecessary dependencies (#7350)
* fix github actions inconsistencies

* fix pinning of transitive deps in eslint-plugin

* drop use of node-fetch in api

* drop md5 dependency in favour of node:crypto

* drop slash

* drop unused top level packages

* add note about node-polyfills warning

* remove unused deps from desktop-client

* drop pegjs types

* note

* drop node-jq
2026-04-05 18:12:51 +01:00
Matt Fiddaman
a12b971670 🔖 (26.4.0) (#7389)
* bump versions

* Remove used release notes

* add docs pages

* Update check-spelling metadata

* bump cli

* change release date

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-05 18:12:51 +01:00
Matiss Janis Aboltins
a43b6f5c47 [AI] Experimental CLI tool for Actual (#7208)
* [AI] Add @actual-app/cli package

New CLI tool wrapping the full @actual-app/api surface for interacting with
Actual Budget from the command line. Connects to a sync server and supports
all CRUD operations across accounts, budgets, categories, transactions,
payees, tags, rules, schedules, and AQL queries.

* Refactor CLI options: replace `--quiet` with `--verbose` for improved message control. Update related configurations and tests to reflect this change. Adjust build command in workflow for consistency.

* Refactor tests: streamline imports in connection and accounts test files for improved clarity and consistency. Remove dynamic imports in favor of static imports.

* Enhance package.json: Add exports configuration for module resolution and publish settings. This includes specifying types and default files for better compatibility and clarity in package usage.

* Update package.json exports configuration to support environment-specific module resolution. Added 'development' and 'default' entries for improved clarity in file usage.

* Enhance CLI functionality: Update configuration loading to support additional search places for config files. Refactor error handling in command options to improve validation and user feedback. Introduce new utility functions for parsing boolean flags and update related commands to utilize these functions. Add comprehensive tests for new utility functions to ensure reliability.

* Update CLI TypeScript configuration to include Vitest globals and streamline test imports across multiple test files for improved clarity and consistency.

* Update CLI dependencies and build workflow

- Upgrade Vite to version 8.0.0 and Vitest to version 4.1.0 in package.json.
- Add rollup-plugin-visualizer for bundle analysis.
- Modify build workflow to prepare and upload CLI bundle stats.
- Update size comparison workflow to include CLI stats.
- Remove obsolete vitest.config.ts file as its configuration is now integrated into vite.config.ts.

* Enhance size comparison workflow to include CLI build checks and artifact downloads

- Added steps to wait for CLI build success in both base and PR workflows.
- Included downloading of CLI build artifacts for comparison between base and PR branches.
- Updated failure reporting to account for CLI build status.

* Update documentation to replace "CLI tool" with "Server CLI" for consistency across multiple files. This change clarifies the distinction between the command-line interface for the Actual Budget application and the sync-server CLI tool.

* Refactor configuration to replace "budgetId" with "syncId" across CLI and documentation

* Enhance configuration validation by adding support for 'ACTUAL_ENCRYPTION_PASSWORD' and implementing a new validation function for config file content. Update documentation to clarify error output format for the CLI tool.

* Enhance configuration tests to include 'encryptionPassword' checks for CLI options and environment variables, ensuring proper priority handling in the configuration resolution process.

* Update nightly versioning script to use yarn

* Align versions

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-18 18:22:38 +00:00
Matt Fiddaman
1f821d2849 ⬆️ bump github actions (#7234)
* actions/setup-node

* actions/cache

* actions/checkout

* docker/*

* actions/*-artifact

* actions/stale

* others

* note
2026-03-18 08:53:03 +00:00
Matiss Janis Aboltins
c4ee71409e [AI] Add Yarn constraints to enforce consistent dependency versions (#7229)
* [AI] Add yarn constraints to enforce consistent dependency versions

Adds a `yarn.config.cjs` that uses Yarn 4's built-in constraints feature
to detect when the same dependency is declared with different version
ranges across workspaces. Workspace protocol references and
peerDependencies are excluded from the check.

Also adds a `yarn constraints` convenience script and the `@yarnpkg/types`
dev dependency for type-checked constraint authoring.

https://claude.ai/code/session_01B1xRjZXn6b18anZjo8cbqb

* Add release notes for PR #7229

* Add constraints job to GitHub Actions workflow

* Fix constraints

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-17 16:00:34 +00:00