
CI#611

Closed
softmarshmallow wants to merge 0 commits into main from canary

Conversation

@softmarshmallow
Member

@softmarshmallow softmarshmallow commented Mar 29, 2026

Summary by CodeRabbit

  • Chores
    • Added canary branch support and a dedicated publish workflow for the canvas-wasm package, replacing the previous publish flow.
    • Improved CI artifact handling to upload/download built WASM and JS outputs and adjusted packaging to include those artifacts.
    • Updated packaging scripts to handle workspace-linked dependencies and updated VCS ignore rules; removed legacy tracking for WASM artifacts.
  • Tests
    • Tests now skip gracefully when WASM build artifacts are absent.

@vercel

vercel bot commented Mar 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
blog Ready Ready Preview, Comment Mar 29, 2026 7:44pm
docs Ready Ready Preview, Comment Mar 29, 2026 7:44pm
grida Ready Ready Preview, Comment Mar 29, 2026 7:44pm
viewer Ready Ready Preview, Comment Mar 29, 2026 7:44pm
3 Skipped Deployments
Project Deployment Actions Updated (UTC)
backgrounds Ignored Ignored Preview Mar 29, 2026 7:44pm
code Ignored Ignored Mar 29, 2026 7:44pm
legacy Ignored Ignored Mar 29, 2026 7:44pm


@coderabbitai

coderabbitai bot commented Mar 29, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds artifact upload to the Canvas WASM build workflow, a new publish workflow that downloads and publishes @grida/canvas-wasm (canary/auto/latest with dry-run), updates CI to conditionally use prebuilt artifacts, adjusts packaging and workspace dependency handling, and removes the prior publish workflow and LFS rule for WASM outputs.

Changes

Cohort / File(s) Summary
Build & Test CI / Artifacts
.github/workflows/build-canvas.yml, .github/workflows/test.yml, .gitignore, crates/grida-canvas-wasm/lib/bin/.gitattributes
Build workflow now triggers on canary and uploads grida-canvas-wasm.js + grida_canvas_wasm.wasm as canvas-wasm-artifacts (30d). Test workflow downloads those artifacts (continue-on-error), sets an availability flag, and gates the WASM package build/test on artifact presence. Removed LFS rule and added gitignore entries for generated WASM/JS.
Publish workflow lifecycle
.github/workflows/publish-canvas-wasm.yml (new), .github/workflows/publish-packages.yml (deleted)
Adds dedicated publish workflow (manual or triggered by canvas build) that downloads artifacts into crates/grida-canvas-wasm/lib/bin/, verifies dist files, computes VERSION/TAG (canary vs latest, supports manual override), updates package.json, and runs npm publish (supports dry-run). Deletes the older publish-packages workflow.
Package metadata & scripts
crates/grida-canvas-wasm/package.json, packages/grida-canvas-sdk-render-figma/package.json, packages/grida-canvas-sdk-render-figma/scripts/prepack-publish.cjs
crates/.../package.json now includes dist/*.wasm and dist/*.js, removed prepack script, and its test skips when WASM missing. Figma SDK now depends on workspace:* for @grida/canvas-wasm. Prepack-publish script updated to resolve workspace:* runtime deps to concrete versions while stripping workspace devDeps.
Miscellaneous docs/format
crates/grida-canvas-wasm/README.md
Minor trailing newline addition.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant BuildWF as Build Workflow
participant ArtifactStorage as GitHub Artifacts
participant PublishWF as Publish Workflow
participant Repo as Repository
participant NPM as npm Registry

BuildWF->>ArtifactStorage: upload `canvas-wasm-artifacts` (grida-canvas-wasm.js, grida_canvas_wasm.wasm)
Note over ArtifactStorage,BuildWF: retained 30 days
PublishWF-->>ArtifactStorage: download `canvas-wasm-artifacts` into `crates/grida-canvas-wasm/lib/bin/`
PublishWF->>Repo: read package, compute VERSION/TAG (canary vs latest; allow manual override)
PublishWF->>Repo: update `crates/grida-canvas-wasm/package.json` (no git tag on bump)
PublishWF->>Repo: build package dist and verify `dist` files
PublishWF->>NPM: `npm publish` (or `--dry-run`)
PublishWF->>Repo: if TAG==latest and not dry-run → commit & push updated package.json

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

cg

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title "CI" is extremely vague and generic, providing no meaningful information about what the pull request actually changes or accomplishes. Replace with a more descriptive title that summarizes the main changes, such as 'Refactor canvas-wasm publishing workflow' or 'Add artifact-based publishing pipeline for canvas-wasm'.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (4)
packages/grida-canvas-sdk-render-figma/scripts/prepack-publish.cjs (1)

33-47: Consider adding error handling for workspace resolution failures.

The resolveWorkspaceDeps function will throw an uncaught exception if:

  • require.resolve fails (package not found in workspace)
  • The linked package.json is malformed

Since this runs during prepack (blocking publish), a cryptic error could be confusing. Consider wrapping in try/catch with a descriptive error message.

🛡️ Add error handling
 function resolveWorkspaceDeps(obj) {
   if (!obj || typeof obj !== "object") return;
   for (const key of Object.keys(obj)) {
     const val = obj[key];
     if (typeof val === "string" && val.startsWith("workspace:")) {
-      const linkedPkgJson = require.resolve(`${key}/package.json`, {
-        paths: [pkgDir],
-      });
-      const linkedPkg = JSON.parse(fs.readFileSync(linkedPkgJson, "utf8"));
-      obj[key] = linkedPkg.version;
+      try {
+        const linkedPkgJson = require.resolve(`${key}/package.json`, {
+          paths: [pkgDir],
+        });
+        const linkedPkg = JSON.parse(fs.readFileSync(linkedPkgJson, "utf8"));
+        obj[key] = linkedPkg.version;
+      } catch (err) {
+        throw new Error(`Failed to resolve workspace dependency "${key}": ${err.message}`);
+      }
     }
   }
 }
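
Review bot: `obj[key] = linkedPkg.version;` inside the new `try` still assigns without checking that `version` is a non-empty string. If the linked package.json has no `version` field, the key is set to `undefined`, which `JSON.stringify` drops, so the packed manifest would silently lose a runtime dependency instead of failing. Throw when `typeof linkedPkg.version !== "string"`, and pass the original error as `{ cause: err }` to `new Error(...)` so the stack from `require.resolve` or `JSON.parse` is preserved.
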
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/grida-canvas-sdk-render-figma/scripts/prepack-publish.cjs` around
lines 33 - 47, The resolveWorkspaceDeps function currently lets require.resolve
and JSON parsing errors bubble up; wrap the workspace resolution block (the
branch where val.startsWith("workspace:")) in a try/catch inside
resolveWorkspaceDeps and handle failures by throwing or logging a clearer,
actionable error that includes the package key and pkgDir and the original error
message (e.g., "Failed to resolve workspace dependency for '<key>' from
'<pkgDir>': <err>"). Ensure you catch both require.resolve and
JSON.parse/fs.readFileSync failures, and either leave obj[key] unchanged or
rethrow a new Error with that descriptive message so prepack fails with a
readable cause.
.github/workflows/test.yml (1)

20-29: Third-party action should be pinned to commit SHA for supply chain security.

dawidd6/action-download-artifact@v6 is a third-party action. For security hardening, consider pinning to a specific commit SHA rather than a mutable tag to prevent potential supply chain attacks.

Also note: downloading artifacts only from main branch (line 27) means PRs that modify WASM code won't have their changes tested until merged. This is acceptable if build-canvas.yml runs on PRs and produces artifacts, but currently PRs would use stale main artifacts.

🔒 Pin action to commit SHA
       - name: Download WASM artifacts
         id: wasm-download
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@<commit-sha>  # v6
         with:
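
Review bot: `<commit-sha>` on the `uses:` line is a placeholder and must be replaced with the full-length commit SHA of the v6 release before this is merged; GitHub's hardening guidance calls for the full SHA, not an abbreviated one. Keep the trailing `# v6` comment so reviewers and update tooling can see which release the SHA corresponds to.
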

You can find the latest commit SHA at: https://github.com/dawidd6/action-download-artifact/releases

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yml around lines 20 - 29, Replace the mutable action
tag with a pinned commit SHA for dawidd6/action-download-artifact (change the
uses entry for the wasm-download step from dawidd6/action-download-artifact@v6
to dawidd6/action-download-artifact@<commit-sha>) and update the artifact source
logic so PRs are tested against their branch instead of always using branch:
main (e.g., derive the branch from the PR head or allow build-canvas.yml to run
on PRs); modify the wasm-download step inputs (workflow: build-canvas.yml and
branch setting) accordingly to fetch artifacts produced for the current PR
rather than the main branch.
.github/workflows/publish-canvas-wasm.yml (2)

67-96: Version bump logic may cause conflicts on concurrent runs.

The version is calculated by incrementing the patch version in package.json. If multiple workflow runs execute concurrently (e.g., rapid merges to main), they could compute the same version and cause npm publish failures.

The concurrency group (lines 25-27) with cancel-in-progress: false helps, but doesn't fully serialize if the first run completes before the second checks. Consider adding a check for existing npm versions before publishing.

🛡️ Add version existence check
+      - name: Check if version exists on npm
+        working-directory: crates/grida-canvas-wasm
+        run: |
+          if npm view "@grida/canvas-wasm@${{ env.VERSION }}" version 2>/dev/null; then
+            echo "::error::Version ${{ env.VERSION }} already exists on npm"
+            exit 1
+          fi
+
       - name: Publish to npm
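
Review bot: the `run:` script expands `${{ env.VERSION }}` directly into shell text in both the `npm view` and `echo` lines, so the value is pasted into the script before the shell parses it. Reference the already-exported variable as `"$VERSION"` instead, which keeps the value as data. The check also fails open: with `2>/dev/null`, a registry or network error makes `npm view` exit non-zero, the `if` body is skipped, and the job proceeds to publish as if the version were free. Capture the output and distinguish "not found" from other failures.
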
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-canvas-wasm.yml around lines 67 - 96, The current
version bump (variables BRANCH, CURRENT, BASE, MAJOR, MINOR, PATCH, NEXT_PATCH
and the npm version "$VERSION" call) can collide between concurrent runs; modify
the bump step to check the npm registry for an existing package before
publishing and loop to a new patch if it already exists: after computing VERSION
use a registry check (e.g., npm view or npm info for
`@grida/canvas-wasm`@$VERSION) and if it exists increment PATCH/NEXT_PATCH and
recompute VERSION until a non-existent version is found, then run npm version
"$VERSION" --no-git-tag-version and set GITHUB_ENV; keep the branch-based
canary/tag logic and the manual INPUT_TAG override intact.

121-128: Consider improving push resilience for future branch protection scenarios.

The workflow successfully pushes version bumps to main using the default GITHUB_TOKEN. While this currently works, if branch protection rules requiring PRs or status checks are added later, direct pushes will fail. Consider:

  1. Creating a PR instead of pushing directly, allowing review/checks to run
  2. Using a service account PAT with elevated permissions (if bypassing protection is intentional)
  3. Documenting that branch protection must allow github-actions[bot] to push directly
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-canvas-wasm.yml around lines 121 - 128, The
"Commit version bump (stable only)" step currently pushes directly to main using
GITHUB_TOKEN which will break if branch protection is enabled; update this step
to create a pull request instead of a direct push (or switch to using a service
account PAT if direct push is intentional) — specifically, after committing the
version bump to the working branch, push that branch and open a PR via the
GitHub CLI or API (refer to the step conditional using env.TAG and
inputs.dry_run to preserve behavior), or replace GITHUB_TOKEN usage with a
preconfigured PAT and document this choice so future branch-protection rules are
accommodated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e32bbde9-0b70-44c4-9ca7-0a23d65c37b4

📥 Commits

Reviewing files that changed from the base of the PR and between bae069b and 6555ae1.

⛔ Files ignored due to path filters (2)
  • crates/grida-canvas-wasm/lib/bin/grida_canvas_wasm.wasm is excluded by !**/*.wasm
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .github/workflows/build-canvas.yml
  • .github/workflows/publish-canvas-wasm.yml
  • .github/workflows/publish-packages.yml
  • .github/workflows/test.yml
  • crates/grida-canvas-wasm/lib/bin/.gitattributes
  • crates/grida-canvas-wasm/lib/bin/.gitignore
  • crates/grida-canvas-wasm/lib/bin/grida-canvas-wasm.js
  • crates/grida-canvas-wasm/package.json
  • packages/grida-canvas-sdk-render-figma/package.json
  • packages/grida-canvas-sdk-render-figma/scripts/prepack-publish.cjs
💤 Files with no reviewable changes (2)
  • crates/grida-canvas-wasm/lib/bin/.gitattributes
  • .github/workflows/publish-packages.yml

Comment on lines +109 to +112
- name: Publish to npm
if: inputs.dry_run != 'true'
working-directory: crates/grida-canvas-wasm
run: npm publish --tag ${{ env.TAG }} --access public --provenance


⚠️ Potential issue | 🟠 Major

Missing NODE_AUTH_TOKEN environment variable for npm publish.

The npm publish command requires authentication. While actions/setup-node with registry-url sets up the .npmrc, you still need to provide NODE_AUTH_TOKEN as an environment variable for the publish step.

🔧 Add NODE_AUTH_TOKEN
       - name: Publish to npm
         if: inputs.dry_run != 'true'
         working-directory: crates/grida-canvas-wasm
         run: npm publish --tag ${{ env.TAG }} --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
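
Review bot: `--provenance` on the `run:` line needs the job to grant `id-token: write`, which this hunk does not show; confirm the `permissions:` block includes it, otherwise the publish fails even with the token present. Keeping `NODE_AUTH_TOKEN` in the step-level `env:` as done here, rather than at job level, is the right scope because no other step can then read the publish credential. `NPM_TOKEN` should be a granular token limited to publishing this one package.
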

Apply the same fix to the dry-run publish step (lines 114-119).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-canvas-wasm.yml around lines 109 - 112, The
"Publish to npm" step currently runs "npm publish" without supplying the
NODE_AUTH_TOKEN; add an env entry to that job step so NODE_AUTH_TOKEN is set
from the repository secret (e.g. NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}) and
do the same for the dry-run publish step (the step guarded by inputs.dry_run ==
'true') so both the working-directory: crates/grida-canvas-wasm publish steps
have the NODE_AUTH_TOKEN environment variable available to authenticate npm
publish.
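
The SHA-pinning point raised in the review above for `.github/workflows/test.yml` can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit: a small Node.js audit that lists every `uses:` reference in a workflow that is not pinned to a full commit SHA. The function name `auditUses`, the sample workflow, the `example-org/example-action` entry and its SHA are constructed for illustration, and the line-based matching is a simplification that assumes one `uses:` value per line rather than a full YAML parse.

```javascript
// Added example: flag GitHub Actions `uses:` references that are not pinned
// to a full 40-character commit SHA. Names and sample data are hypothetical.
const FULL_SHA = /^[0-9a-f]{40}$/i;

function auditUses(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((raw, idx) => {
    // Match "uses: owner/repo@ref" or "- uses: ...", ignoring commented-out
    // lines and any trailing "# v6"-style comment.
    const m = raw.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?/);
    if (!m) return;
    const ref = m[1];
    // Local actions and container images are not tag-pinned repo references.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const at = ref.lastIndexOf("@");
    const action = at === -1 ? ref : ref.slice(0, at);
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (FULL_SHA.test(version)) return; // immutable pin, nothing to report
    const owner = action.split("/")[0];
    findings.push({
      line: idx + 1,
      action,
      ref: version, // mutable tag or branch (empty if no @ref at all)
      // GitHub-owned namespaces; everything else is treated as third-party.
      firstParty: owner === "actions" || owner === "github",
    });
  });
  return findings;
}

// Constructed sample workflow. The dawidd6 step mirrors the one discussed in
// the review; the 40-hex SHA below is a made-up placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download WASM artifacts
        id: wasm-download
        uses: dawidd6/action-download-artifact@v6
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1
      - uses: ./.github/actions/local
      # - uses: commented/out@v1
`;

function thirdPartyUnpinned(workflowText) {
  return auditUses(workflowText).filter((f) => !f.firstParty);
}

for (const f of auditUses(SAMPLE_WORKFLOW)) {
  const kind = f.firstParty ? "first-party" : "THIRD-PARTY";
  console.log(`line ${f.line}: ${f.action}@${f.ref} is not SHA-pinned (${kind})`);
}
```

Running it in CI with a non-zero exit when `thirdPartyUnpinned` returns anything turns the review nitpick into an enforced policy.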


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish-canvas-wasm.yml (1)

29-35: Consider adding a job timeout.

The job has no timeout-minutes set. If the build or publish hangs, the job will run until GitHub's default timeout (6 hours). A reasonable timeout (e.g., 15-20 minutes) prevents resource waste.

  publish:
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    environment: npm-publish
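
Review bot: the `if:` condition accepts any upstream run whose `conclusion` is `success` and does not look at where that run came from. Unless the `workflow_run` trigger already filters branches, add checks on `github.event.workflow_run.head_branch` and `github.event.workflow_run.event` so that only push-triggered builds of main or canary reach the job that holds the `npm-publish` environment. The `timeout-minutes: 15` addition itself is fine.
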
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-canvas-wasm.yml around lines 29 - 35, The publish
job currently lacks a timeout and can hang for GitHub's default period; add a
timeout-minutes key to the publish job (the top-level job named "publish") with
a reasonable value (e.g., 15 or 20) to bound execution time; update the
jobs.publish block to include timeout-minutes: 20 so the workflow cancels
long-running build/publish steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2e56a690-373a-48d9-8d9f-b38f596a3c23

📥 Commits

Reviewing files that changed from the base of the PR and between 6555ae1 and 5bcd281.

📒 Files selected for processing (3)
  • .github/workflows/publish-canvas-wasm.yml
  • .gitignore
  • crates/grida-canvas-wasm/package.json
✅ Files skipped from review due to trivial changes (1)
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (1)
  • crates/grida-canvas-wasm/package.json

@vercel vercel bot temporarily deployed to Preview – blog March 29, 2026 16:39 Inactive
@vercel vercel bot temporarily deployed to Preview – blog March 29, 2026 16:43 Inactive
@vercel vercel bot temporarily deployed to Preview – viewer March 29, 2026 16:43 Inactive
@vercel vercel bot temporarily deployed to Preview – grida March 29, 2026 16:43 Inactive
@vercel vercel bot temporarily deployed to Preview – backgrounds March 29, 2026 16:43 Inactive