GHA Overhaul

[delphiactual]

This PR is a comprehensive GitHub Actions workflow modernization and consolidation effort. Here's the breakdown:

Major Changes

1. Composite Action for Setup

Created .github/actions/setup-pnpm/action.yml - a reusable composite action that:

• Sets up pnpm with proper caching
• Configures Node.js from .nvmrc
• Optionally installs dependencies with frozen lockfile
• Reduces duplication across workflows

2. Workflow Consolidation

Deleted workflows:

• pr-build.yml - merged into pr-validation.yml
• pr-test-and-lint.yml - merged into pr-validation.yml
• test-report.yml - functionality moved to pr-reports.yml
• relative-ci.yml - functionality moved to pr-reports.yml
• d2ai-auto-merge.yml - merged into unified auto-merge.yml
• dependabot-auto-merge.yml - merged into unified auto-merge.yml

New workflows:

• pr-validation.yml - Unified test, lint, and build validation
• pr-reports.yml - Handles all PR reporting (tests, eslint, bundle analysis)
• auto-merge.yml - Single auto-merge workflow for both bots with security checks

3. Security Improvements

In auto-merge.yml:

• Added PR code checkout for security review before auto-merging
• Uses pull_request_target with careful permissions
• Only auto-merges patch/minor for dependabot (blocks major versions)
• 10-minute timeout

Throughout workflows:

• Added timeout-minutes to all jobs (prevents runaway jobs)
• Better permission scoping
• Proper error handling with set -e

4. Workflow Architecture Improvements

pr-validation.yml (replaces 2 workflows):

• Runs test, lint, and build in parallel
• Better artifact handling with retention policies
• Improved ESLint caching strategy (based on config + source files)
• Fork-friendly (cannot use composite actions for forks)
• Final validation-complete job checks all results

pr-reports.yml (workflow_run trigger):

• Triggered after pr-validation completes
• Single artifact check job to reduce API calls
• Conditional jobs based on artifact existence
• Works with fork PRs (uses workflow_run permissions)
• Handles test reports, ESLint annotations, and bundle analysis

5. i18n Workflow Improvements

i18n-bot-download.yml:

• Better error handling with set -e
• Atomic file operations for JSON sorting
• Only commits if actual changes detected
• Better logging and error messages

i18n-bot-upload.yml:

• Simplified workflow
• Better commit message

i18n-update.yml:

• Uses composite action
• Better commit message format

6. Deployment Workflow Updates

deploy-beta.yml & deploy-prod.yml:

• Use composite action for setup
• Improved RelativeCI integration (direct upload vs artifact-based)
• Better structure and comments
• Consistent formatting

changelog-updater.yml:

• Added proper error handling
• Only commits if changes detected
• Atomic operations with temp files
• 10-minute timeout

Key Benefits

1. Reduced Duplication: Composite action eliminates ~50+ lines of duplicated setup code
2. Better Organization: 6 workflows → 3 core workflows (validation, reports, auto-merge)
3. Improved Security: Timeouts, better permissions, PR checkout before auto-merge
4. Fork-Friendly: Proper separation allows fork PRs to work correctly
5. Better Observability: Clearer job names, better logging, error messages
6. More Robust: Atomic operations, error handling, change detection

Potential Concerns

1. Large PR: This is a substantial change touching 16 files
2. Testing: Workflow changes are hard to test without merging
3. Migration Risk: Moving from separate workflows to consolidated ones could cause issues if not properly configured

[bhollis]

Some generally good changes in here, though it might have been better as separate PRs. It's especially hard to tell what changed in the consolidated workflows.

I've definitely seen the same sort of "overcooked" results from trying to use AI tools to drive changes, btw.