Skip to content

Commit 9aed458

Browse files
authored
Merge pull request #104 from blacksky-algorithms/merge/upstream-2026-06
Merge upstream/main into appview (v1.122 → v1.126)
2 parents ec1a5a3 + 26d198b commit 9aed458

725 files changed

Lines changed: 241308 additions & 140804 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.claude/.pre-pr-sweep-state

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
alt-blur@3076a2b5a593b0d7b37198b5aebfe3a222afd52d

.claude/settings.json

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
{
2+
"permissions": {
3+
"allow": [
4+
"Bash(pnpm typecheck *)",
5+
"Bash(pnpm lint *)",
6+
"Bash(pnpm test *)"
7+
]
8+
}
9+
}

.github/claude-review-prompt.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
You are an experienced senior React Native engineer reviewing a pull
2+
request in the Bluesky Social app — a cross-platform (iOS, Android, Web)
3+
React Native + Expo application. Read the repo's CLAUDE.md before forming
4+
an opinion; it describes the architecture, the ALF design system, and the
5+
codebase conventions.
6+
7+
Your audience is other senior engineers. Write peer-to-peer, not
8+
teacher-to-junior. Most PRs in this repo are fine; a review that says so
9+
is a valid and common outcome.
10+
11+
Report a finding only if you can name a concrete scenario — specific
12+
input, platform, navigation path, or operating condition — in which the
13+
change causes incorrect behavior, a crash, a visual regression, a test
14+
failure, a security issue, or a real regression visible to users. Style,
15+
naming, and micro-optimizations are out of scope unless they introduce a
16+
defect. Do not speculate that a change "might" break unrelated code
17+
without pointing to the specific caller or code path. Do not repeat what
18+
the diff does.
19+
20+
Where this codebase differs from a typical web app:
21+
22+
- Three platforms from one codebase. Web-only APIs (DOM, window),
23+
native-only modules, and platform-specific files (.web.tsx, .ios.tsx,
24+
.android.tsx) are common sources of single-platform breakage. When a
25+
change touches shared code, consider all three targets.
26+
- User-facing strings must go through Lingui (the `Trans` macro /
27+
`useLingui`). Hardcoded English strings in UI are a finding. Do not
28+
flag missing translations in catalog files — extraction and
29+
compilation run in CI.
30+
- New UI should use ALF (`#/alf`, `#/components`) rather than legacy
31+
patterns (`#/view/com`, StyleSheet.create); flag newly written code
32+
that adopts deprecated patterns, but don't flag pre-existing code the
33+
PR merely touches.
34+
- Server state lives in TanStack Query under src/state/queries. Watch
35+
for cache-shape changes without corresponding invalidation updates,
36+
and optimistic updates that can leave stale cache on failure.
37+
- List rendering is performance-critical (the main feed). Changes to
38+
feed items, FlatList usage, or anything in a hot render path deserve
39+
scrutiny for re-render storms — unstable callback/object identities
40+
passed to memoized children, missing memoization on expensive
41+
computation.
42+
- Moderation and content-filtering logic (labels, mutes, blocks,
43+
hidden posts) is trust-and-safety-critical: a regression that shows
44+
content that should be filtered is a blocking finding.
45+
- Deep links, push-notification routing, and the navigation state
46+
machine have platform-specific edge cases; changes there should name
47+
the platforms they were verified on.
48+
- The embed (bskyembed) and web deployment surfaces (bskyweb, link,
49+
ogcard services in Go) ship separately from the app; changes there
50+
have their own blast radius.
51+
52+
For each finding, state the scenario in one or two sentences, cite
53+
file:line, and mark severity (blocking / non-blocking). If you are
54+
uncertain but the potential impact is high (crash on startup, moderation
55+
bypass, broken auth), include it and say what you are uncertain about.
56+
Otherwise, prefer silence over guessing.
57+
58+
If there are no findings that meet this bar, say briefly that the PR
59+
looks fine and note what you checked.
60+
61+
Post your review as a single top-level PR comment. Per-finding inline
62+
comments are also welcome where they'd anchor a reader to the specific
63+
lines involved.

.github/dependabot.yml

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
version: 2
2+
# Dependabot auto-update config.
3+
#
4+
# Cooldown (7 days) is the point of this config: it delays version-update
5+
# PRs until a newly-published version has aged. Supply-chain attacks like
6+
# the tanstack Shai-Hulud compromise (2026-05-11) live minutes-to-hours
7+
# before the registry yanks them; a 7-day cooldown keeps poisoned
8+
# versions out of our lockfiles.
9+
#
10+
# Security updates bypass cooldown and continue to flow immediately. See:
11+
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown
12+
#
13+
# Auto-merge is deliberately NOT enabled. Every dependabot PR gets human
14+
# review.
15+
16+
updates:
17+
- package-ecosystem: npm
18+
directory: /
19+
schedule:
20+
interval: weekly
21+
day: monday
22+
cooldown:
23+
default-days: 7
24+
open-pull-requests-limit: 5
25+
groups:
26+
production:
27+
dependency-type: production
28+
update-types: [minor, patch]
29+
development:
30+
dependency-type: development
31+
update-types: [minor, patch]
32+
33+
- package-ecosystem: github-actions
34+
directory: /
35+
schedule:
36+
interval: weekly
37+
day: monday
38+
cooldown:
39+
default-days: 7
40+
open-pull-requests-limit: 3
41+
groups:
42+
actions:
43+
patterns: ["*"]
44+
update-types: [minor, patch]

.github/workflows/build-and-push-bskyweb-aws.yaml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,21 +22,21 @@ jobs:
2222

2323
steps:
2424
- name: Checkout repository
25-
uses: actions/checkout@v4
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2626

2727
- name: Setup Docker buildx
28-
uses: docker/setup-buildx-action@v1
28+
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
2929

3030
- name: Log into registry ${{ env.REGISTRY }}
31-
uses: docker/login-action@v2
31+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
3232
with:
3333
registry: ${{ env.REGISTRY }}
3434
username: ${{ env.USERNAME}}
3535
password: ${{ env.PASSWORD }}
3636

3737
- name: Extract Docker metadata
3838
id: meta
39-
uses: docker/metadata-action@v4
39+
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
4040
with:
4141
images: |
4242
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -51,7 +51,7 @@ jobs:
5151
5252
- name: Build and push Docker image
5353
id: build-and-push
54-
uses: docker/build-push-action@v4
54+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
5555
with:
5656
context: .
5757
push: ${{ github.event_name != 'pull_request' }}

.github/workflows/build-and-push-bskyweb-ghcr.yaml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,21 +23,21 @@ jobs:
2323

2424
steps:
2525
- name: Checkout repository
26-
uses: actions/checkout@v4
26+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2727

2828
- name: Setup Docker buildx
29-
uses: docker/setup-buildx-action@v1
29+
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
3030

3131
- name: Log into registry ${{ env.REGISTRY }}
32-
uses: docker/login-action@v2
32+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
3333
with:
3434
registry: ${{ env.REGISTRY }}
3535
username: ${{ env.USERNAME }}
3636
password: ${{ env.PASSWORD }}
3737

3838
- name: Extract Docker metadata
3939
id: meta
40-
uses: docker/metadata-action@v4
40+
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
4141
with:
4242
images: |
4343
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -46,7 +46,7 @@ jobs:
4646
4747
- name: Build and push Docker image
4848
id: build-and-push
49-
uses: docker/build-push-action@v4
49+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
5050
with:
5151
context: .
5252
push: ${{ github.event_name != 'pull_request' }}

.github/workflows/build-and-push-embedr-aws.yaml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,21 +22,21 @@ jobs:
2222

2323
steps:
2424
- name: Checkout repository
25-
uses: actions/checkout@v4
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2626

2727
- name: Setup Docker buildx
28-
uses: docker/setup-buildx-action@v1
28+
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
2929

3030
- name: Log into registry ${{ env.REGISTRY }}
31-
uses: docker/login-action@v2
31+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
3232
with:
3333
registry: ${{ env.REGISTRY }}
3434
username: ${{ env.USERNAME}}
3535
password: ${{ env.PASSWORD }}
3636

3737
- name: Extract Docker metadata
3838
id: meta
39-
uses: docker/metadata-action@v4
39+
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
4040
with:
4141
images: |
4242
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -45,7 +45,7 @@ jobs:
4545
4646
- name: Build and push Docker image
4747
id: build-and-push
48-
uses: docker/build-push-action@v4
48+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
4949
with:
5050
context: .
5151
push: ${{ github.event_name != 'pull_request' }}

.github/workflows/build-and-push-link-aws.yaml

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,9 @@
11
name: build-and-push-link-aws
22
on:
33
workflow_dispatch:
4-
pull_request:
5-
paths:
6-
- "bskylink/**"
7-
- "Dockerfile.bskylink"
8-
- ".github/workflows/build-and-push-link-aws.yaml"
4+
push:
5+
branches:
6+
- main
97

108
env:
119
REGISTRY: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_REGISTRY }}
@@ -24,21 +22,21 @@ jobs:
2422

2523
steps:
2624
- name: Checkout repository
27-
uses: actions/checkout@v4
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2826

2927
- name: Setup Docker buildx
30-
uses: docker/setup-buildx-action@v1
28+
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
3129

3230
- name: Log into registry ${{ env.REGISTRY }}
33-
uses: docker/login-action@v2
31+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
3432
with:
3533
registry: ${{ env.REGISTRY }}
3634
username: ${{ env.USERNAME}}
3735
password: ${{ env.PASSWORD }}
3836

3937
- name: Extract Docker metadata
4038
id: meta
41-
uses: docker/metadata-action@v4
39+
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
4240
with:
4341
images: |
4442
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -47,7 +45,7 @@ jobs:
4745
4846
- name: Build and push Docker image
4947
id: build-and-push
50-
uses: docker/build-push-action@v4
48+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
5149
with:
5250
context: .
5351
push: true

.github/workflows/build-and-push-ogcard-aws.yaml

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,9 @@
11
name: build-and-push-ogcard-aws
22
on:
33
workflow_dispatch:
4-
pull_request:
5-
paths:
6-
- "bskyogcard/**"
7-
- "Dockerfile.bskyogcard"
8-
- ".github/workflows/build-and-push-ogcard-aws.yaml"
4+
push:
5+
branches:
6+
- main
97

108
env:
119
REGISTRY: ${{ secrets.AWS_ECR_REGISTRY_USEAST2_PACKAGES_REGISTRY }}
@@ -24,21 +22,21 @@ jobs:
2422

2523
steps:
2624
- name: Checkout repository
27-
uses: actions/checkout@v4
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2826

2927
- name: Setup Docker buildx
30-
uses: docker/setup-buildx-action@v1
28+
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
3129

3230
- name: Log into registry ${{ env.REGISTRY }}
33-
uses: docker/login-action@v2
31+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
3432
with:
3533
registry: ${{ env.REGISTRY }}
3634
username: ${{ env.USERNAME}}
3735
password: ${{ env.PASSWORD }}
3836

3937
- name: Extract Docker metadata
4038
id: meta
41-
uses: docker/metadata-action@v4
39+
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
4240
with:
4341
images: |
4442
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -47,7 +45,7 @@ jobs:
4745
4846
- name: Build and push Docker image
4947
id: build-and-push
50-
uses: docker/build-push-action@v4
48+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
5149
with:
5250
context: .
5351
push: true

0 commit comments

Comments
 (0)