Skip to content

fix(ci): use npm-shrinkwrap.json for node_modules cache key#1325

Merged
Hweinstock merged 1 commit into
aws:mainfrom
Hweinstock:fix/ci-cache-key
May 20, 2026
Merged

fix(ci): use npm-shrinkwrap.json for node_modules cache key#1325
Hweinstock merged 1 commit into
aws:mainfrom
Hweinstock:fix/ci-cache-key

Conversation

@Hweinstock
Copy link
Copy Markdown
Contributor

@Hweinstock Hweinstock commented May 20, 2026
edited
Loading

Description

The Quality and Safety Checks workflow caches node_modules using hashFiles('package-lock.json') as the key, but package-lock.json is no longer tracked since it was replaced by npm-shrinkwrap.json. This causes hashFiles to return an empty string, so the cache key is always node-modules- (constant across all runs).

This means:

  1. The setup job's cache save races with itself and often fails ("another job may be creating this cache")
  2. Downstream jobs (lint, typecheck) restore a stale node_modules from a previous run with older SDK type definitions
  3. eslint's type-checked rules fail with "type that could not be resolved" errors that cannot be reproduced locally

The fix changes all hashFiles('package-lock.json') references to hashFiles('npm-shrinkwrap.json').

Related Issue

Closes #

Documentation PR

N/A

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@Hweinstock
fix(ci): use npm-shrinkwrap.json for node_modules cache key
6dfcd21 
hashFiles('package-lock.json') returns empty string since only
npm-shrinkwrap.json is tracked, causing all runs to share a single
stale cache key. This led to lint and typecheck failures when the
stale node_modules had outdated type definitions.
@github-actions github-actions Bot added the size/xs PR size: XS label May 20, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label May 20, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 20, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 20, 2026

Package Tarball

aws-agentcore-0.14.1.tgz

How to install

gh release download pr-1325-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.14.1.tgz

@agentcore-devx-automation
Copy link
Copy Markdown
Contributor

agentcore-devx-automation Bot commented May 20, 2026

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label May 20, 2026
agentcore-cli-automation
agentcore-cli-automation approved these changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown

@agentcore-cli-automation agentcore-cli-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the analysis: npm-shrinkwrap.json is the only lockfile tracked in the repo (package-lock.json is not committed), so hashFiles('package-lock.json') returns an empty string and the cache key collapses to a constant node-modules- across all runs — matching the symptoms described.

The fix replaces all 6 occurrences in .github/workflows/lint.yml consistently. Other references to package-lock.json in sync-preview.yml and pr-size.yml are intentional (sync-preview generates one from upstream; pr-size filters it from diff size) and correctly left alone.

Note: existing caches keyed as node-modules- will linger until they expire (7 days idle) or are manually evicted, but that's harmless — the new key simply won't match them and the setup job will populate the correct cache on first run after merge.

LGTM.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 20, 2026
@Hweinstock Hweinstock marked this pull request as ready for review May 20, 2026 18:13
@Hweinstock Hweinstock requested a review from a team May 20, 2026 18:13
@Hweinstock Hweinstock merged commit a6872ca into aws:main May 20, 2026
30 checks passed
@Hweinstock Hweinstock deleted the fix/ci-cache-key branch May 20, 2026 18:15
@padmak30 padmak30 linked an issue May 20, 2026 that may be closed by this pull request
CI Failure: Quality and Safety Checks #1324
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avi-alpert avi-alpert avi-alpert approved these changes

@padmak30 padmak30 padmak30 approved these changes

+1 more reviewer

@agentcore-cli-automation agentcore-cli-automation agentcore-cli-automation approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI Failure: Quality and Safety Checks

4 participants

@Hweinstock @avi-alpert @padmak30 @agentcore-cli-automation