[#2567] Posted a yarn.lock dependency changes summary as a PR comment in GitHub Actions.

[AlexSkrypnyk]

Closes #2567

Summary

Wires the maintained Simek/yarn-lock-changes GitHub Action (pinned to 59f47ee499424d2c2437c5aebf863b5c6d50a5bc # v0.14.1) into the build-test-deploy.yml workflow to post a sticky PR comment summarising root yarn.lock dependency changes (added, removed, and updated packages). The step is scoped to GitHub Actions only, mirroring the approach taken for code-coverage PR comments in #2564. It is guarded by hashFiles('yarn.lock'), runs on PR events only, uses continue-on-error, and can be suppressed via VORTEX_CI_DEPS_PR_COMMENT_SKIP=1.

Changes

CI wiring - New step "Post yarn.lock changes as a PR comment" added to .github/workflows/build-test-deploy.yml, positioned after the test-results upload step and before the artifact upload. Runs only when: the job is not cancelled, the event is a pull request, the run is the first matrix instance (or a single-instance run), yarn.lock exists at the repo root, and VORTEX_CI_DEPS_PR_COMMENT_SKIP is not 1.

Documentation - Added a "Dependency changes summary" section to .vortex/docs/content/continuous-integration/github-actions.mdx explaining the behaviour and the skip variable. Added VORTEX_CI_DEPS_PR_COMMENT_SKIP to .vortex/docs/.utils/variables/extra/ci.variables.sh (with description) and regenerated into .vortex/docs/content/development/variables.mdx.

Maintenance guide - Added a hard rule to .vortex/CLAUDE.md requiring ahoy update-snapshots to run in the foreground only, documenting why backgrounding it causes partial-state commits and hidden failures.

Fixtures - The _baseline installer fixture has been updated to include the new step. The remaining diff-style fixtures (deploy_types_none_gha, provision_profile, tools_groups_no_be_tests, tools_no_phpunit, tools_none) have been updated to account for the shifted line numbers and/or the new step appearing in their diff windows. Note: only the baseline fixture received a full regeneration on this branch; a complete ahoy update-snapshots pass covering all ~130 scenarios is still pending and will be needed before or shortly after merge.

Before / After

# Before
      - name: Upload exported codebase as an artifact
        uses: actions/upload-artifact@...

# After
      - name: Post yarn.lock changes as a PR comment
        if: ${{ !cancelled() && github.event_name == 'pull_request' && (matrix.instance == 0 || strategy.job-total == 1) && hashFiles('yarn.lock') != '' && vars.VORTEX_CI_DEPS_PR_COMMENT_SKIP != '1' }}
        uses: Simek/yarn-lock-changes@59f47ee499424d2c2437c5aebf863b5c6d50a5bc # v0.14.1
        continue-on-error: true
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload exported codebase as an artifact
        uses: actions/upload-artifact@...

Summary by CodeRabbit

• New Features

  • Automatic PR comments that summarize dependency (yarn.lock) changes on pull requests, updated in place and removed when no longer applicable.

• Documentation

  • Added docs describing the dependency-change summary behavior and the environment variable to disable it.

• Chores

  • Added strict guidance forbidding background snapshot update commands; requires running snapshot updates in the foreground.

[coderabbitai]

Need the big picture first? Review this PR in Change Stack to see what changed before going file by file.

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (6)

• .vortex/installer/tests/Fixtures/handler_process/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/deploy_types_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/tools_groups_no_be_tests/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/tools_no_phpunit/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/tools_none/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 300bcbd2-13aa-4a01-a099-7db0c4993870

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Adds a GitHub Actions step to detect and post root yarn.lock dependency changes as a sticky PR comment, adds an opt-out CI variable and documentation, and inserts a hard rule forbidding background execution of ahoy update-snapshots.

Changes

CI Enhancements and Maintenance

Layer / File(s)	Summary
Yarn.lock changes PR comment step .github/workflows/build-test-deploy.yml	A new CI step in the build job posts yarn.lock changes as a PR comment using Simek/yarn-lock-changes, gated by pull_request context, matrix-primary/single-job logic, non-empty yarn.lock hash, cancellation status, and an opt-out variable; step allows failures.
Feature configuration and documentation .vortex/docs/.utils/variables/extra/ci.variables.sh, .vortex/docs/content/continuous-integration/github-actions.mdx, .vortex/docs/content/development/variables.mdx	Introduces VORTEX_CI_DEPS_PR_COMMENT_SKIP (default 0) and documents the dependency-change PR comment behavior, in-place updates/removal across pushes, and the opt-out variable.
Snapshot execution hard rule .vortex/CLAUDE.md	Adds a HARD RULE requiring ahoy update-snapshots to run as a blocking foreground command and forbids backgrounding/indirection patterns that risk partial commits or hidden failures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• drevops/vortex#2537: Both PRs modify .vortex/CLAUDE.md to forbid background execution of ahoy update-snapshots and align on the same HARD RULE wording.

Suggested labels

A4

🐰 A tiny hop on CI tonight,
yarn.lock changes brought to light.
Comments stick, updates stay neat,
Snapshots wait—no background sleight.
Hooray for clearer PRs and tidy feet! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the primary change: adding a yarn.lock dependency changes summary as a PR comment in GitHub Actions, directly corresponding to issue #2567.
Linked Issues check	✅ Passed	The PR fully implements the linked issue #2567 objectives: adds a CI step diffing yarn.lock changes, posts a sticky PR comment via Simek/yarn-lock-changes, and includes documentation for the VORTEX_CI_DEPS_PR_COMMENT_SKIP variable.
Out of Scope Changes check	✅ Passed	All changes are in scope: CI workflow step integration, documentation updates, CI variable declaration, and a maintenance rule in CLAUDE.md about snapshot execution—all directly supporting the yarn.lock PR comment feature.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/2567-js-lockfile-diff

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.11%. Comparing base (3beb8fe) to head (87cc480).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2581      +/-   ##
==========================================
- Coverage   86.56%   86.11%   -0.46%     
==========================================
  Files          94       87       -7     
  Lines        4661     4502     -159     
  Branches       47        3      -44     
==========================================
- Hits         4035     3877     -158     
+ Misses        626      625       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-test-deploy.yml:
- Around line 572-577: The "Post yarn.lock changes as a PR comment" step using
Simek/yarn-lock-changes@59f47ee499424d2c2437c5aebf863b5c6d50a5bc does not remove
a previously posted PR comment when yarn.lock stops changing; add a separate
cleanup step after that job to find and delete the stale comment (e.g., a new
step named "Remove stale yarn.lock comment" using actions/github-script or an
Octokit-based script) that runs on pull_request and targets comments created by
the Simek action (match by author/unique text), and guard it with the same
conditionals (github.event_name == 'pull_request' and matrix.instance == 0 ||
strategy.job-total == 1) so stale comments are explicitly removed when yarn.lock
changes cease.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4d4c7333-0cdc-4f4b-9c31-362dc18c01bc

📥 Commits

Reviewing files that changed from the base of the PR and between 8d71827 and a49f834.

📒 Files selected for processing (5)

• .github/workflows/build-test-deploy.yml
• .vortex/CLAUDE.md
• .vortex/docs/.utils/variables/extra/ci.variables.sh
• .vortex/docs/content/continuous-integration/github-actions.mdx
• .vortex/docs/content/development/variables.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the pinned commit matches the v0.14.1 tag in the upstream repository
echo "Checking if commit 59f47ee499424d2c2437c5aebf863b5c6d50a5bc corresponds to v0.14.1..."
gh api repos/Simek/yarn-lock-changes/git/refs/tags/v0.14.1 --jq '.object.sha'

Repository: drevops/vortex

Length of output: 185

---

🌐 Web query:

Does the Simek/yarn-lock-changes GitHub Action remove the PR comment when the yarn.lock file no longer has changes in subsequent pushes?

💡 Result:

The Simek/yarn-lock-changes GitHub Action does not automatically remove the PR comment if the yarn.lock file no longer has changes in subsequent pushes [1][2][3]. The action's primary function is to report changes to the yarn.lock file [1][3]. While it offers an updateComment input (which defaults to true) to overwrite an existing comment with new information on subsequent commits [1][2][3], it does not include logic to delete the comment if no changes are detected. Consequently, if the yarn.lock file stops having changes, any previously posted comment will remain in the pull request conversation. To remove such comments, users would need to employ a separate utility, such as a dedicated PR comment deletion action, or handle the cleanup manually [4].

Citations:

• 1: https://github.com/Simek/yarn-lock-changes
• 2: https://github.com/Simek/yarn-lock-changes/blob/main/README.md
• 3: https://github.com/marketplace/actions/yarn-lock-changes
• 4: https://github.com/marketplace/actions/delete-pr-comments-during-subsequent-ci

---

Adjust PR-comment removal expectation for yarn-lock-changes step (lines 572-577)

• The pinned Simek/yarn-lock-changes@59f47ee499424d2c2437c5aebf863b5c6d50a5bc matches upstream tag v0.14.1.
• Simek/yarn-lock-changes does not automatically delete/clear the existing PR comment when yarn.lock stops changing; if you need stale-comment cleanup, add a separate comment-deletion step.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test-deploy.yml around lines 572 - 577, The "Post
yarn.lock changes as a PR comment" step using
Simek/yarn-lock-changes@59f47ee499424d2c2437c5aebf863b5c6d50a5bc does not remove
a previously posted PR comment when yarn.lock stops changing; add a separate
cleanup step after that job to find and delete the stale comment (e.g., a new
step named "Remove stale yarn.lock comment" using actions/github-script or an
Octokit-based script) that runs on pull_request and targets comments created by
the Simek action (match by author/unique text), and guard it with the same
conditionals (github.event_name == 'pull_request' and matrix.instance == 0 ||
strategy.job-total == 1) so stale comments are explicitly removed when yarn.lock
changes cease.

[github-actions]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.56% (205/208)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[AlexSkrypnyk]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.56% (205/208)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)