Merge branch 'main' into registry

Author: daflyinbed

.github/actions/build-upstream/action.yml

@@ -25,7 +25,7 @@ runs:
       id: cache-key
       shell: bash
       run: |
-        echo "key=napi-binding-v3-${INPUTS_TARGET}-${RELEASE_BUILD}-${DEBUG}-${VERSION}-${NPM_TAG}-${{ hashFiles('packages/tools/.upstream-versions.json', 'Cargo.lock', 'crates/**/*.rs', 'crates/*/Cargo.toml', 'packages/cli/binding/**/*.rs', 'packages/cli/binding/Cargo.toml', 'Cargo.toml', '.cargo/config.toml', 'packages/cli/package.json', 'packages/cli/build.ts', 'packages/cli/tsdown.config.ts') }}" >> $GITHUB_OUTPUT
+        echo "key=napi-binding-v3-${INPUTS_TARGET}-${RELEASE_BUILD}-${DEBUG}-${VERSION}-${NPM_TAG}-${{ hashFiles('packages/tools/.upstream-versions.json', 'rust-toolchain.toml', 'Cargo.lock', 'crates/**/*.rs', 'crates/*/Cargo.toml', 'packages/cli/binding/**/*.rs', 'packages/cli/binding/Cargo.toml', 'Cargo.toml', '.cargo/config.toml', 'packages/cli/package.json', 'packages/cli/build.ts', 'packages/cli/tsdown.config.ts') }}" >> $GITHUB_OUTPUT
       env:
         INPUTS_TARGET: ${{ inputs.target }}
 
@@ -81,11 +81,15 @@ runs:
       with:
         version: 0.15.2
 
+    # Rust nightly-2026-06-10 passes --fix-cortex-a53-843419 to the linker for
+    # aarch64-linux targets, which zig cc rejects. The filter for this arg
+    # (rust-cross/cargo-zigbuild#452) is merged but unreleased, so install from
+    # the pinned git commit. TODO: revert to taiki-e/install-action once
+    # cargo-zigbuild > 0.22.3 is released.
     - name: Install cargo-zigbuild (musl)
       if: steps.cache-restore.outputs.cache-hit != 'true' && contains(inputs.target, 'musl')
-      uses: taiki-e/install-action@4bc351f7f2614e48088386e2a0ad917ca3a7e4ba # v2.81.5
-      with:
-        tool: cargo-zigbuild
+      shell: bash
+      run: cargo install --locked --git https://github.com/rust-cross/cargo-zigbuild --rev 7e791b4be71b9870e0abccedf7885486803cd923 cargo-zigbuild
 
     # NAPI builds - only run on cache miss (slow, especially on Windows)
     # Must run before vite-plus TypeScript builds which depend on the bindings

.github/renovate.json

@@ -1,6 +1,9 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": ["github>Boshen/renovate"],
+  "description": "Skip lockfile artifact updates (npm and cargo): they fail in Renovate's clone because vite/ and rolldown/ are gitignored. The renovate-lockfiles workflow regenerates lockfiles on renovate/** pushes; gitIgnoredAuthors keeps Renovate managing branches with its commits.",
+  "gitIgnoredAuthors": ["278573678+voidzero-guard[bot]@users.noreply.github.com"],
+  "skipArtifactsUpdate": true,
   "ignorePaths": [
     "packages/cli/snap-tests/**",
     "packages/cli/snap-tests-global/**",
@@ -11,7 +14,7 @@
   ],
   "packageRules": [
     {
-      "description": "Ignore upstream toolchain npm packages (vendored via sync-remote or bumped by the proactive catalog workflow); everything else stays enabled so security alerts get fixed. Lockfile refresh fails because vite/ and rolldown/ are gitignored, so Renovate raises these PRs with an artifact-update warning and the lockfile is regenerated manually.",
+      "description": "Ignore upstream toolchain npm packages (vendored via sync-remote or bumped by the proactive catalog workflow); everything else stays enabled so security alerts get fixed.",
       "matchManagers": ["npm"],
       "matchPackageNames": [
         "rolldown",

.github/workflows/ci.yml

@@ -99,17 +99,14 @@ jobs:
         with:
           save-cache: ${{ github.ref_name == 'main' }}
           cache-key: test
+          tools: just
           target-dir: ${{ runner.os == 'Windows' && format('{0}/target', env.DEV_DRIVE) || '' }}
 
       - run: cargo check --all-targets --all-features
         env:
           RUSTFLAGS: '-D warnings --cfg tokio_unstable' # also update .cargo/config.toml
 
-      # Test all crates/* packages. New crates are automatically included.
-      # Also test vite-plus-cli (lives outside crates/) to catch type sync issues.
-      - run: cargo test $(for d in crates/*/; do echo -n "-p $(basename $d) "; done) -p vite-plus-cli
-        env:
-          RUST_MIN_STACK: 8388608
+      - run: just test
 
   test-musl:
     needs: detect-changes
@@ -133,7 +130,7 @@ jobs:
     steps:
       - name: Install Alpine dependencies
         shell: sh {0}
-        run: apk add --no-cache bash curl git musl-dev gcc g++ python3 cmake make
+        run: apk add --no-cache bash curl git just musl-dev gcc g++ python3 cmake make
 
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
       - uses: ./.github/actions/clone
@@ -148,12 +145,8 @@ jobs:
       - name: Install Rust toolchain
         run: rustup show
 
-      # Test all crates/* packages. New crates are automatically included.
-      # Also test vite-plus-cli (lives outside crates/) to catch type sync issues.
       # Skip separate cargo check — cargo test already compiles everything.
-      - run: cargo test $(for d in crates/*/; do echo -n "-p $(basename $d) "; done) -p vite-plus-cli
-        env:
-          RUST_MIN_STACK: 8388608
+      - run: just test
 
   lint:
     needs: detect-changes
@@ -168,19 +161,13 @@ jobs:
         with:
           save-cache: ${{ github.ref_name == 'main' }}
           cache-key: lint
-          tools: cargo-shear
+          tools: just,cargo-shear
           components: clippy rust-docs rustfmt
 
       - run: |
           cargo shear
           cargo fmt --check
-          # Allow new clippy lints from the toolchain that fire in upstream
-          # rolldown crates without a `[lints]` table.
-          cargo clippy --all-targets --all-features -- -D warnings \
-            -A clippy::byte_char_slices \
-            -A clippy::manual_assert_eq \
-            -A clippy::needless_return_with_question_mark \
-            -A clippy::useless_borrows_in_formatting
+          just lint
           # RUSTDOCFLAGS='-D warnings' cargo doc --no-deps --document-private-items
 
       - uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2

.github/workflows/e2e-test.yml

@@ -45,11 +45,12 @@ jobs:
   download-previous-rolldown-binaries:
     needs: detect-changes
     runs-on: ubuntu-latest
-    # Run if: not a PR, OR PR has 'test: e2e' label, OR PR is from deps/upstream-update branch, OR build.ts files changed
+    # Run if: not a PR, OR PR has 'test: e2e' label, OR PR is from the deps/upstream-update or a renovate/** dependency branch, OR build.ts files changed
     if: >-
       github.event_name != 'pull_request' ||
       contains(github.event.pull_request.labels.*.name, 'test: e2e') ||
       github.head_ref == 'deps/upstream-update' ||
+      startsWith(github.head_ref, 'renovate/') ||
       needs.detect-changes.outputs.related-files-changed == 'true'
     permissions:
       contents: read
@@ -244,9 +245,9 @@ jobs:
             node-version: 24
             directory: web
             command: |
-              vp run type-check:tsgo
+              vp run type-check
               vp run build
-              vp run test navigation-utils.test.ts real-browser-flicker.test.tsx workflow-parallel-limit.test.tsx
+              vp run test navigation-utils.test.ts real-browser-flicker.test.tsx workflow-onboarding-integration.test.tsx
           - name: viteplus-ws-repro
             node-version: 24
             command: |
@@ -326,8 +327,10 @@ jobs:
             node-version: 22
             command: |
               # scripts/bootstrap.mjs spawns `pnpm build` via tinyexec and needs
-              # pnpm on PATH (not exposed by the vp install itself).
-              vp i -g pnpm
+              # pnpm on PATH (not exposed by the vp install itself). corepack
+              # enable creates a pnpm launcher in the vp bin dir that resolves
+              # the project's pinned packageManager version (pnpm@9.15.9).
+              corepack enable
               node scripts/bootstrap.mjs
               # Report-only: oxlint 1.68.0 surfaces ts1038 ("A 'declare' modifier
               # cannot be used in an already ambient context.") on varlet's

.github/workflows/renovate-lockfiles.yml

@@ -0,0 +1,91 @@
+name: Renovate Lockfiles
+
+# Renovate cannot refresh lockfiles itself: pnpm-workspace.yaml and Cargo.toml
+# reference the gitignored vite/ and rolldown/ checkouts (patched dependencies,
+# workspace importers, path crates), so artifact updates fail in Renovate's
+# clone. This workflow checks out the vendored repos at their pinned hashes and
+# regenerates the lockfiles on every Renovate branch push instead. Renovate
+# ignores the resulting commits via gitIgnoredAuthors in .github/renovate.json.
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - renovate/**
+
+# Queue instead of cancel: this workflow's own lockfile push retriggers it in
+# the same group, and cancel-in-progress would cancel the effective run at its
+# final step, leaving a misleading "cancelled" conclusion.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  update-lockfiles:
+    # Skip the retriggered run for this workflow's own lockfile commit.
+    if: github.event.repository.fork == false && github.actor != 'voidzero-guard[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/clone
+
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version-file: .node-version
+
+      # Not oxc-project/setup-node: it runs `pnpm install --frozen-lockfile`,
+      # which fails on Renovate branches because the lockfile is stale here.
+      - name: Update pnpm lockfiles
+        env:
+          # Resolution does not need lifecycle scripts; keep dependency scripts
+          # from running in a workflow that later pushes with a write token.
+          npm_config_ignore_scripts: 'true'
+        run: |
+          pnpm install --lockfile-only --no-frozen-lockfile
+          pnpm dedupe --check || pnpm dedupe
+          pnpm -C docs install --lockfile-only --no-frozen-lockfile
+
+      # cargo metadata syncs Cargo.lock to the bumped manifests without
+      # compiling or running build scripts. rustup auto-installs the pinned
+      # toolchain from rust-toolchain.toml.
+      - name: Update Cargo.lock
+        run: cargo metadata --format-version=1 > /dev/null
+
+      - name: Detect lockfile changes
+        id: diff
+        run: |
+          git diff --stat -- pnpm-lock.yaml docs/pnpm-lock.yaml Cargo.lock
+          if git diff --quiet -- pnpm-lock.yaml docs/pnpm-lock.yaml Cargo.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        if: steps.diff.outputs.changed == 'true'
+        id: app-token
+        with:
+          client-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Commit and push lockfiles
+        if: steps.diff.outputs.changed == 'true'
+        env:
+          APP_TOKEN: ${{ steps.app-token.outputs.token }}
+          BRANCH: ${{ github.ref_name }}
+        run: |
+          # Identity must stay in sync with gitIgnoredAuthors in
+          # .github/renovate.json so Renovate keeps managing the branch.
+          git config user.name "voidzero-guard[bot]"
+          git config user.email "278573678+voidzero-guard[bot]@users.noreply.github.com"
+          git add pnpm-lock.yaml docs/pnpm-lock.yaml Cargo.lock
+          git commit -m "chore: update lockfiles"
+          git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:refs/heads/${BRANCH}"

.github/workflows/test-vp-create.yml

@@ -46,11 +46,12 @@ jobs:
   download-previous-rolldown-binaries:
     needs: detect-changes
     runs-on: namespace-profile-linux-x64-default
-    # Run if: not a PR, OR PR has 'test: create-e2e' label, OR PR is from deps/upstream-update branch, OR create-related files changed
+    # Run if: not a PR, OR PR has 'test: create-e2e' label, OR PR is from the deps/upstream-update or a renovate/** dependency branch, OR create-related files changed
     if: >-
       github.event_name != 'pull_request' ||
       contains(github.event.pull_request.labels.*.name, 'test: create-e2e') ||
       github.head_ref == 'deps/upstream-update' ||
+      startsWith(github.head_ref, 'renovate/') ||
       needs.detect-changes.outputs.related-files-changed == 'true'
     permissions:
       contents: read

.github/workflows/upgrade-deps.yml

@@ -82,8 +82,9 @@ jobs:
             - Upgrade script: `./.github/scripts/upgrade-deps.ts`
             - Sync-remote tool: `pnpm tool sync-remote` (source in
               `packages/tools/src/sync-remote-deps.ts`) — clones rolldown/vite into the
-              working tree and merges their pnpm-workspace catalogs into the root
-              `pnpm-workspace.yaml`.
+              working tree, merges their pnpm-workspace catalogs into the root
+              `pnpm-workspace.yaml`, and syncs the root `Cargo.toml` oxc crate
+              versions to match `rolldown/Cargo.toml`.
             - Build-upstream action: `./.github/actions/build-upstream/action.yml`
             - Package manager: `pnpm`. Do NOT downgrade any dep — we want the latest.
 
@@ -105,7 +106,15 @@ jobs:
                then re-run `pnpm tool sync-remote` until it exits 0. Finish with
                `pnpm install --no-frozen-lockfile`.
             2. Re-run the steps in `./.github/actions/build-upstream/action.yml`; fix any
-               non-zero exits.
+               non-zero exits. If the Rust build fails inside a vendored `rolldown`
+               crate with an oxc API mismatch (e.g. `oxc_ast::template_element` taking
+               a different number of arguments, or any `oxc_*` type/signature error),
+               the root `Cargo.toml` oxc pins are out of sync with the bumped rolldown.
+               `pnpm tool sync-remote` should already reconcile them; if any `oxc_*`
+               entry in the root `Cargo.toml [workspace.dependencies]` still differs
+               from `rolldown/Cargo.toml`, bump it to match (the oxc same-version
+               family follows rolldown's umbrella `oxc` version), run `cargo update`,
+               and rebuild.
             3. If the rolldown hash changed, follow `.claude/agents/cargo-workspace-merger.md`
                to resync the workspace.
             4. Compare tsdown CLI options with `vp pack` and sync new/removed options per
@@ -182,6 +191,12 @@ jobs:
           pnpm dedupe
 
       - name: Format code
+        # `pnpm fmt` runs `vp fmt`, which loads the freshly built NAPI binding. When
+        # `build-upstream` fails (e.g. an upstream rolldown/oxc desync the in-workflow
+        # fixup could not resolve) the binding is never produced and `vp fmt` aborts.
+        # Keep going so the PR is still created with the broken state surfaced for review,
+        # matching the `continue-on-error` on the build steps above.
+        continue-on-error: true
         run: pnpm fmt
 
       - name: Enhance PR description with Claude

CONTRIBUTING.md

@@ -62,6 +62,45 @@ vp --version
 
 This builds all packages, compiles the Rust `vp` binary, and installs the CLI to `~/.vite-plus`.
 
+## Validate the local build against a real project
+
+Unit and snap tests don't cover everything. Interactive flows in particular (prompts, pickers, scaffolding) are easiest to validate by running your work-in-progress CLI inside a real Vite+ project.
+
+First, understand how `vp` picks which `vite-plus` to run: for JS-backed commands (such as `vp create`), the global `vp` binary resolves `vite-plus` from the project's `node_modules` first and only falls back to the global installation in `~/.vite-plus`. If your test project has `vite-plus` installed from npm, `pnpm bootstrap-cli` alone will not make it run your local code.
+
+Build the local CLI package after each change:
+
+```bash
+pnpm -F vite-plus build      # TypeScript + native NAPI binding
+pnpm -F vite-plus build-ts   # faster, when only TypeScript changed
+```
+
+### `pnpm link` the local package
+
+Link your checkout into the test project. The global `vp` then delegates to the project-local CLI, and re-entrant `vp` sub-commands (for example `vp create` running `vp install` and `vp fmt` after scaffolding) resolve back to the same linked checkout:
+
+```bash
+cd /path/to/test-project
+pnpm link /path/to/vite-plus/packages/cli
+
+vp create   # now runs your local checkout
+```
+
+Verify the link with `ls -l node_modules/vite-plus` (it should be a symlink into your checkout). Notes:
+
+- pnpm records the link as a `vite-plus: link:...` override (in `pnpm-workspace.yaml` for workspace projects, otherwise under `pnpm.overrides` in `package.json`), so it survives later installs. Don't commit that override in the test project.
+- `pnpm link` may also add a `packageManager` field to the test project's `package.json`; revert it if unwanted.
+- Undo with `pnpm unlink vite-plus`, or remove the override and run `pnpm install`.
+
+### Global CLI (Rust) changes
+
+`pnpm link` only swaps the JS side; the `vp` binary on `PATH` (and the Rust-backed commands it handles directly, such as package-manager commands) is still whatever is installed in `~/.vite-plus`. For changes to the Rust global CLI (`crates/`), install it from source, and combine with `pnpm link` when the change spans both layers:
+
+```bash
+pnpm bootstrap-cli
+vp --version
+```
+
 ## Workflow for build and test
 
 You can run this command to build, test and check if there are any snapshot changes: