Stabilize Bun dependency installs in CI

Pin the Tuistory test dependency to the known-good 0.4.0 release and require frozen Bun installs in CI and release workflows so prepare jobs use the committed lockfile instead of floating to broken transitive ranges.

Co-authored-by: Autohand Evolve <code-noreply@autohand.ai>

Author: igorcosta

.github/workflows/ci.yml

@@ -28,7 +28,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y build-essential python3 make g++
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Type check
         run: bun run typecheck
@@ -58,7 +58,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y build-essential python3 make g++
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Build
         run: bun run build

.github/workflows/release.yml

@@ -67,7 +67,7 @@ jobs:
           bun-version: 1.2.22
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Get version
         id: version
@@ -117,7 +117,7 @@ jobs:
           bun-version: 1.2.22
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Type check
         run: bun run typecheck
@@ -157,7 +157,7 @@ jobs:
           bun-version: 1.2.22
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Update version before build
         run: |
@@ -557,7 +557,7 @@ jobs:
       - name: Build JS dist for npm
         if: needs.prepare.outputs.channel == 'release'
         run: |
-          bun install
+          bun install --frozen-lockfile
           bun run build
           ls -lh dist/
 

package.json

@@ -92,7 +92,7 @@
     "strip-ansi": "^7.2.0",
     "tsup": "^8.5.1",
     "tsx": "^4.21.0",
-    "tuistory": "^0.4.0",
+    "tuistory": "0.4.0",
     "typescript": "^6.0.3",
     "vitest": "^4.1.5"
   },

tests/installLocalScript.test.ts

@@ -45,3 +45,21 @@ describe('local install scripts', () => {
     expect(installScript).not.toContain('bun run "compile:');
   });
 });
+
+describe('dependency install guardrails', () => {
+  it('pins tuistory because its patch releases can introduce broken transitive ranges', () => {
+    const packageJson = JSON.parse(readFileSync('package.json', 'utf8')) as {
+      devDependencies?: Record<string, string>;
+    };
+
+    expect(packageJson.devDependencies?.tuistory).toBe('0.4.0');
+  });
+
+  it('uses the committed Bun lockfile in GitHub workflows', () => {
+    for (const workflow of ['.github/workflows/ci.yml', '.github/workflows/release.yml']) {
+      const content = readFileSync(workflow, 'utf8');
+
+      expect(content).not.toMatch(/\bbun install(?!\s+--frozen-lockfile)/);
+    }
+  });
+});