build(deps): Bump go-task to 3.48.0 (fixes #1352); Fix webui dependency hoisting conflicts.

[Bill-hbrhbr]

• Remove orphan docs links to the fixed issue.
• Remove missing node_modules references from webui-related tasks.
• Replace {{.ROOT_DIR}}/taskfile.yaml with ROOT_TASKFILE.

Description

The upstream issues mentioned in #1352 have been resolved. It's now safe to remove the go-task version pin.

Fixes #1352

Checklist

• The PR satisfies the contribution guidelines.
• This is a breaking change and that has been indicated in the PR title, OR this isn't a
  breaking change.
• Necessary docs have been updated, OR no docs need to be updated.

Validation performed

• CI passes.

Summary by CodeRabbit

• Chores

  • CI workflows updated to install go-task CLI 3.48.0.
  • Simplified task-runner checks/cleanup to target three node_modules areas (removed client/common checksum steps).
  • Task definitions updated to use a unified root taskfile reference for locating task sources.

• Documentation

  • Developer docs: Task requirement set to ">= 3.48.0", Python requirement formatting standardized, and an outdated reference removed.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Upgrades the Go Task CLI to >= 3.48.0 in multiple CI workflows and docs, replaces root taskfile references with {{.ROOT_TASKFILE}} across taskfiles, and removes client/common node_modules checksum and cleanup logic from the top-level taskfile.yaml.

Changes

Cohort / File(s)	Summary
GitHub Actions workflows .github/workflows/clp-docs-generated-code-checks.yaml, .github/workflows/clp-docs.yaml, .github/workflows/clp-lint.yaml, .github/workflows/clp-package-helm.yaml, .github/workflows/clp-rust-checks.yaml, .github/workflows/clp-s-generated-code-checks.yaml, .github/workflows/clp-uv-checks.yaml	Bumped global npm install -g @go-task/cli`` from 3.44.0 to `3.48.0`. No other workflow control-flow changes.
Documentation docs/README.md, docs/src/dev-docs/building-package.md, docs/src/dev-docs/components-core/index.md, docs/src/dev-docs/contributing-linting.md	Changed Python requirement formatting to >= 3.10, relaxed Task requirement from pinned 3.44.0 to >= 3.48.0, and removed references to y-scope/clp#1352.
Top-level Taskfile taskfile.yaml	Removed public checksum variables and cleanup commands for client and common node_modules; removed their checksum compute/validate steps and related outputs; adjusted notes to reflect three targeted node_modules directories (server, log-viewer, package).
Taskfiles — taskfile path refs taskfiles/codegen.yaml, taskfiles/docs.yaml, taskfiles/deps/utils.yaml, taskfiles/lint.yaml, taskfiles/toolchains.yaml	Replaced occurrences of {{.ROOT_DIR}}/taskfile.yaml with {{.ROOT_TASKFILE}} in task sources/refs to use the root taskfile variable consistently.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• #1352: Unlock task version once upstream issues Brace expansion broken in v3.44.1 due to over-escaping of curly braces go-task/task#2401 and 0 Exit code even if commands return non-zero exit code go-task/task#2440 are resolved — This PR updates workflows/docs to use >= 3.48.0, addressing the objective to move off the pinned 3.44.0.
• y-scope/log-archival-bench#16 — The CI install of @go-task/cli was moved from a pinned older version to >=3.48.0, aligning with that issue's intent to lift the pinned Task CLI version.

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR includes two significant out-of-scope changes unrelated to the go-task version bump: removal of webui client/common node_modules checksum mechanism from taskfile.yaml, and replacement of ROOT_DIR/taskfile.yaml references with ROOT_TASKFILE variables across multiple taskfiles.	Consider splitting the PR into two focused changes: one for the go-task version bump and documentation updates, and a separate PR for the taskfile refactoring and checksum removal. This improves clarity and review focus.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the primary change: bumping go-task from 3.44.0 to 3.48.0 and addressing the linked issue #1352.
Linked Issues check	✅ Passed	The PR meets most objectives from #1352: updates all workflow files (clp-docs.yaml, clp-lint.yaml, clp-rust-checks.yaml, clp-s-generated-code-checks.yaml) and documentation to use go-task v3.48.0. Additional changes to taskfile.yaml and other task configuration files align with resolving version constraints.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Bill-hbrhbr]

@coderabbitai Why can't I link issue #1352 to PR development?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if issue `#1352` exists and its current state
gh issue view 1352 --repo y-scope/clp --json number,title,state,url,closedBy

# Check the current PR for linked issues
gh pr view 1994 --repo y-scope/clp --json number,title,closingIssuesReferences,url

# Check if the issue is already linked in some way
gh issue view 1352 --repo y-scope/clp --json timelineItems --jq '.timelineItems[] | select(.source.number == 1994)' 2>/dev/null || echo "No direct timeline link found"

Length of output: 494

---

🏁 Script executed:

#!/bin/bash
# Get issue `#1352` details
gh issue view 1352 --repo y-scope/clp --json number,title,state,url

# Get PR body to see if it contains linking keywords
gh pr view 1994 --repo y-scope/clp --json body,url

Length of output: 1998

---

@Bill-hbrhbr: The issue isn't automatically linked because GitHub's auto-linking feature only recognizes keywords like fixes, closes, or resolves when they appear in the PR body, not in the title.

Your PR title includes "fixes #1352", but the PR body only mentions "#1352" in the description without a linking keyword. This is why the closingIssuesReferences field is empty.

Solutions:

Option 1: Update the PR description (recommended)
Add a linking keyword to your PR body. You can add a line like:

Fixes `#1352`

This will automatically link the issue and close it when the PR is merged.

Option 2: Manual UI linking
In the GitHub PR page, look for the "Development" section in the right sidebar. Click the gear icon next to it and search for issue #1352 to manually link it.

If you're experiencing issues with the UI's manual linking feature (e.g., the issue doesn't appear in the search or the link doesn't save), it could be due to:

• Repository permissions
• Browser caching issues
• A temporary GitHub UI glitch

Would you like me to help update the PR body to include the linking keyword?

---

🧠 Learnings used

Learnt from: haiqi96
Repo: y-scope/clp PR: 0
File: :0-0
Timestamp: 2025-08-04T18:38:33.130Z
Learning: User haiqi96 requested creating a GitHub issue to document a documentation discrepancy where Task version requirements in docs weren't updated after yscope-utils upgrade in PR `#1158`.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1242
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:39-41
Timestamp: 2025-08-25T00:45:05.464Z
Learning: Task v3.44.1 causes issues in the clp-ffi-js project (issue `#110`), so CLP should avoid upgrading to v3.44.1 and stick with v3.44.0 for now.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1242
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:39-41
Timestamp: 2025-08-25T00:45:05.464Z
Learning: Task v3.44.1 has a regression that breaks shell command processing, particularly rsync commands with brace expansion (e.g., `file.{d.ts,js,wasm}`). This causes CI failures in clp-ffi-js project (issue `#110`), so CLP should avoid v3.44.1 and use v3.44.0 instead, which fixes the dynamic variable bug without the shell processing regression.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 0
File: :0-0
Timestamp: 2025-10-22T21:02:31.113Z
Learning: Repository y-scope/clp: Maintain deterministic CI/builds for Rust; add a check to verify Cargo.lock is in sync with Cargo.toml without updating dependencies (non-mutating verification in clp-rust-checks workflow).

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1405
File: components/clp-package-utils/pyproject.toml:5-15
Timestamp: 2025-10-13T03:24:35.074Z
Learning: In the y-scope/clp repository, the Python 3.9 to 3.10 version requirement change was intentionally deferred to a separate PR (after PR `#1405`) to reduce review effort, as decided in an offline discussion between junhaoliao and kirkrodrigues.

---

Learnt from: Bill-hbrhbr
Repo: y-scope/clp PR: 1122
File: components/core/src/clp/clp/CMakeLists.txt:175-195
Timestamp: 2025-07-23T09:54:45.185Z
Learning: In the CLP project, when reviewing CMakeLists.txt changes that introduce new compression library dependencies (BZip2, LibLZMA, LZ4, ZLIB), the team prefers to address conditional linking improvements in separate PRs rather than expanding the scope of focused migration PRs like the LibArchive task-based installation migration.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@taskfile.yaml`:
- Around line 354-358: Delete the now-orphaned checksum variables
G_WEBUI_CLIENT_NODE_MODULES_CHECKSUM_FILE and
G_WEBUI_COMMON_NODE_MODULES_CHECKSUM_FILE (they’re no longer produced by
webui-node-modules) and remove those two symbols from the sources list of the
webui task so the webui task no longer references non-existent checksum files;
locate the variable declarations and the webui task's sources block and remove
the two entries.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

taskfiles/lint.yaml (1)

889-889: ⚠️ Potential issue | 🟡 Minor

Inconsistent: venv task still references {{.ROOT_DIR}}/taskfile.yaml instead of {{.ROOT_TASKFILE}}.

Every other task across the codebase has been migrated to {{.ROOT_TASKFILE}}, but this venv task's sources list was missed.

Proposed fix

-      - "{{.ROOT_DIR}}/taskfile.yaml"
+      - "{{.ROOT_TASKFILE}}"

[junhaoliao]

shall we fix this as well?

clp/components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh

Lines 12 to 13 in 969b515

	# We lock to version 3.44.0 to avoid https://github.com/y-scope/clp/issues/1352
	readonly required_version="3.44.0"

[junhaoliao]

with the webui lock file fixed, i believe we can further remove the webui server node_modules checksum mechanism. that said, the issue is not strictly related to the go-task upgrade. shall we apply the suggestions and then split the changes into a separate PR?

[Bill-hbrhbr]

with the webui lock file fixed, i believe we can further remove the webui server node_modules checksum mechanism. that said, the issue is not strictly related to the go-task upgrade. shall we apply the suggestions and then split the changes into a separate PR?

Checksum used to run on these non-existent node modules directory. Task v3.44 lets it go but v3.48 catches these errors. See the failed workflow: https://github.com/y-scope/clp/actions/runs/22021684927/job/63631740536

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@taskfile.yaml`:
- Around line 350-353: Update the comment that currently states "two different
node_modules directories" to accurately list all three directories used by the
tasks: LOG_VIEWER_OUTPUT_DIR, PACKAGE_OUTPUT_DIR, and SERVER_OUTPUT_DIR; modify
the paragraph to say there are three directories and mention the corresponding
checksum files and validate/compute pairs are generated for each of those three
output dirs so the comment matches the actual logic in the task definitions.

[Bill-hbrhbr]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[junhaoliao]

for the title, how about:

build(deps): Bump go-task to 3.48.0 (fixes #1352); Fix webui dependency hoisting conflicts.

[junhaoliao]

Suggested change

	if "${package_preinstalled}"; then
	echo "Please uninstall Task and then re-run the install script."
	else
	echo "pipx failed to install the required version of Task."
	fi
	echo "To uninstall, run:"
	echo " pipx uninstall go-task-bin"

[Bill-hbrhbr]

We will be removing package_preinstalled in #1320

[junhaoliao]

Suggested change

	package_preinstalled=0
	if ! command -v task >/dev/null 2>&1; then
	package_preinstalled=1
	package_preinstalled=false
	if command -v task >/dev/null 2>&1; then
	package_preinstalled=true
	else

[Bill-hbrhbr]

We will be removing package_preinstalled in #1320

[junhaoliao]

Could we add a note to the PR description for developers who have previously built the webui? They may have stale node_modules directories that will cause the new hoisting assertions to fail. Something like the warning block above with the rm -rf commands should help them resolve it quickly.

> [!WARNING]
> If you previously compiled the webui, stale node_modules directories may remain in `components/webui/client/` , `components/webui/common/`, or components/webui/server/. These will cause the new hoisting assertions to fail with a non-zero exit code.
> To resolve, remove them manually:
> 
> ```sh
> rm -rf components/webui/client/node_modules
> rm -rf components/webui/common/node_modules
> rm -rf components/webui/server/node_modules
> ```
> 
> Then re-run the build as usual.

if the code block is removed, it should be rendered like

Warning

If you previously compiled the webui, stale node_modules directories may remain in components/webui/client/ , components/webui/common/, or components/webui/server/. These will cause the new hoisting assertions to fail with a non-zero exit code.
To resolve, remove them manually:

rm -rf components/webui/client/node_modules
rm -rf components/webui/common/node_modules
rm -rf components/webui/server/node_modules

Then re-run the build as usual.

[Bill-hbrhbr]

I restored the clean-webui task to clean all 5 possible node_modules directories. I think the long comment above the test ! d will give enough context.

[junhaoliao]

sounds reasonable. in the future, i feel this check shall be moved into another dep:lock task to be run in a CI workflow, and we won't have to do such assertions at project build time

@coderabbitai create an feature request issue to track

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Create a feature request issue to track moving webui node_modules hoisting checks to CI
gh issue create \
  --title "Move webui node_modules hoisting checks to CI workflow" \
  --body "## Context

Currently, the \`webui-node-modules\` task in \`taskfile.yaml\` performs hoisting assertions at build time using \`test ! -d\` checks to verify that npm has fully hoisted all workspace packages to the root node_modules directory (lines 382-383):

\`\`\`yaml
- for: [\"client\", \"common\", \"server\"]
  cmd: \"test ! -d '{{.G_WEBUI_SRC_DIR}}/{{.ITEM}}/node_modules'\"
\`\`\`

These assertions ensure that peer dependency conflicts haven't forced npm to create per-workspace node_modules directories.

## Proposed Enhancement

Move these hoisting verification checks into a separate \`dep:lock\` task that runs in a CI workflow, similar to the existing Rust Cargo.lock verification (see \`deps:lock:check-rust\` task and the \`clp-rust-checks\` workflow).

## Benefits

- Separates deterministic dependency validation from project build steps
- Aligns with the existing pattern established for Rust dependency lock verification
- Keeps CI workflows focused on validation tasks
- Avoids unnecessary checks during local development builds

## References

- PR `#1994`: https://github.com/y-scope/clp/pull/1994
- Original discussion: https://github.com/y-scope/clp/pull/1994#discussion_r2815461745
- Requested by: `@junhaoliao`" \
  --assignee junhaoliao

Length of output: 42

---

@junhaoliao, I've created issue #2002 to track moving the webui node_modules hoisting checks into a separate CI workflow task, similar to the existing Rust dependency lock verification pattern. The issue is assigned to you and includes backlinks to this PR and discussion.

---

🧠 Learnings used

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1119
File: taskfile.yaml:429-433
Timestamp: 2025-08-14T18:23:39.476Z
Learning: In the webui workspace, the exclude patterns ".tmp" and ".vite-temp" are Vite-specific temporary directories that only apply to the client package. The common and server packages use TypeScript compiler (tsc) directly and don't generate these Vite temporary files, so these exclude patterns should not be applied to their node_modules checksum computations.

---

Learnt from: jackluo923
Repo: y-scope/clp PR: 1996
File: components/core/tools/packaging/build.sh:86-94
Timestamp: 2026-02-15T04:15:22.260Z
Learning: In CLP build scripts (e.g., components/core/tools/packaging/build.sh), prefer simple grep/sed pipelines over adding dependencies like yq for single-use version extraction from taskfile.yaml. The existing error handling catches extraction failures, and the format is stable enough to not warrant additional tooling.

---

Learnt from: haiqi96
Repo: y-scope/clp PR: 0
File: :0-0
Timestamp: 2025-08-04T18:38:33.130Z
Learning: User haiqi96 requested creating a GitHub issue to document a documentation discrepancy where Task version requirements in docs weren't updated after yscope-utils upgrade in PR `#1158`.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 0
File: :0-0
Timestamp: 2025-10-22T21:01:31.391Z
Learning: In y-scope/clp, for the clp-rust-checks workflow (GitHub Actions) and the Taskfile target deps:lock:check-rust, we should verify Rust Cargo.lock is in sync with Cargo.toml using a non-mutating method (e.g., cargo metadata --locked / cargo check --locked) to keep CI deterministic and avoid updating dependencies during validation.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 0
File: :0-0
Timestamp: 2025-10-22T21:02:31.113Z
Learning: Repository y-scope/clp: Maintain deterministic CI/builds for Rust; add a check to verify Cargo.lock is in sync with Cargo.toml without updating dependencies (non-mutating verification in clp-rust-checks workflow).

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1242
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:39-41
Timestamp: 2025-08-25T00:45:05.464Z
Learning: Task v3.44.1 has a regression that breaks shell command processing, particularly rsync commands with brace expansion (e.g., `file.{d.ts,js,wasm}`). This causes CI failures in clp-ffi-js project (issue `#110`), so CLP should avoid v3.44.1 and use v3.44.0 instead, which fixes the dynamic variable bug without the shell processing regression.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1242
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:39-41
Timestamp: 2025-08-25T00:45:05.464Z
Learning: Task v3.44.1 causes issues in the clp-ffi-js project (issue `#110`), so CLP should avoid upgrading to v3.44.1 and stick with v3.44.0 for now.

---

Learnt from: Bill-hbrhbr
Repo: y-scope/clp PR: 1122
File: components/core/src/clp/clp/CMakeLists.txt:175-195
Timestamp: 2025-07-23T09:54:45.185Z
Learning: In the CLP project, when reviewing CMakeLists.txt changes that introduce new compression library dependencies (BZip2, LibLZMA, LZ4, ZLIB), the team prefers to address conditional linking improvements in separate PRs rather than expanding the scope of focused migration PRs like the LibArchive task-based installation migration.

---

Learnt from: Bill-hbrhbr
Repo: y-scope/clp PR: 1156
File: components/core/CMakeLists.txt:772-772
Timestamp: 2025-08-09T04:07:27.083Z
Learning: In the CLP project's CMakeLists.txt, when reviewing changes related to the ${zstd_TARGET} variable usage in test linking, the team is planning a refactoring PR to improve this mechanism. Guards for undefined target variables should be deferred to that separate PR rather than being added in focused dependency migration PRs.

---

Learnt from: junhaoliao
Repo: y-scope/clp PR: 1405
File: components/clp-package-utils/pyproject.toml:5-15
Timestamp: 2025-10-13T03:24:35.074Z
Learning: In the y-scope/clp repository, the Python 3.9 to 3.10 version requirement change was intentionally deferred to a separate PR (after PR `#1405`) to reduce review effort, as decided in an offline discussion between junhaoliao and kirkrodrigues.