Skipped app version bump check for dependency-only changes

[9larsons]

Summary

Check app version bump fails any PR that changes a file under apps/{portal,sodo-search,comments-ui,announcement-bar,signup-form} without bumping that app's version field. Renovate never bumps app versions when it updates dependencies, so every dep bump that touches one of those apps' package.json files dies on this check — including current security PRs (postcss, vite, others).

This change exempts diffs whose only change inside a monitored app is package.json. A human PR that edits both source and package.json in the same app still trips the check, so the cache-busting guarantee for actual code changes is preserved.

Test plan

• Trigger the workflow on this PR — script touches no monitored app files, so the check should report no app changes detected.
• Rebase one of the stuck Renovate security PRs (e.g. Update dependency postcss to v8.5.10 [SECURITY] #27595, Update dependency vite to v6 [SECURITY] - autoclosed #27354) onto this branch and confirm Check app version bump passes.
• Open a synthetic test PR that edits a source file under apps/portal/src without bumping apps/portal/package.json and confirm the check still fails.

[coderabbitai]

Walkthrough

The PR modifies a GitHub Actions script that validates version bumps for monitored applications. It introduces two utility functions: getChangedAppFiles() filters changed files scoped to a specific app's directory, and isDependencyOnlyChange() detects when only the app's package.json has been modified. The script now skips version-bump verification when an app's sole change is dependency-related, logging an informational message instead. All other version comparison logic for structural changes remains unchanged.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: skipping version bump verification for dependency-only changes to monitored apps.
Description check	✅ Passed	The description is directly related to the changeset, explaining the problem, solution, and test plan for the version-bump check exemption.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch version-bump-skip-renovate-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/scripts/check-app-version-bump.js (1)

188-191: ⚡ Quick win

Rename isDependencyOnlyChange to reflect what it actually checks.

This function detects “package.json-only file changes,” not actual dependency-only diffs. The current name can cause future misuse.

Proposed rename for clarity

-function isDependencyOnlyChange(app, changedFiles) {
+function isPackageJsonOnlyChange(app, changedFiles) {
     const filesInApp = getChangedAppFiles(app, changedFiles);
     return filesInApp.length > 0 && filesInApp.every(file => file === `${app.path}/package.json`);
 }
...
-        if (isDependencyOnlyChange(app, changedFiles)) {
+        if (isPackageJsonOnlyChange(app, changedFiles)) {
             console.log(`${app.key} only has dependency changes in package.json; skipping version bump check.`);
             continue;
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/check-app-version-bump.js around lines 188 - 191, Rename the
function isDependencyOnlyChange to a clearer name like isPackageJsonOnlyChange
(or isPackageJsonOnlyDiff) because it actually checks for package.json-only file
changes; update the function declaration and all references/usages (e.g., any
import, call sites) to the new name, keep the implementation using
getChangedAppFiles and the same equality check `${app.path}/package.json`, and
update any tests or comments that reference the old name to avoid future misuse.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/scripts/check-app-version-bump.js:
- Around line 188-191: Rename the function isDependencyOnlyChange to a clearer
name like isPackageJsonOnlyChange (or isPackageJsonOnlyDiff) because it actually
checks for package.json-only file changes; update the function declaration and
all references/usages (e.g., any import, call sites) to the new name, keep the
implementation using getChangedAppFiles and the same equality check
`${app.path}/package.json`, and update any tests or comments that reference the
old name to avoid future misuse.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bc47e13f-df79-4006-af4e-87ce4e9c7dcc

📥 Commits

Reviewing files that changed from the base of the PR and between 1174382 and 648163f.

📒 Files selected for processing (1)

• .github/scripts/check-app-version-bump.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.76%. Comparing base (b23cea8) to head (648163f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #27865      +/-   ##
==========================================
- Coverage   73.76%   73.76%   -0.01%     
==========================================
  Files        1515     1515              
  Lines      127534   127534              
  Branches    15260    15261       +1     
==========================================
- Hits        94080    94077       -3     
- Misses      32507    32529      +22     
+ Partials      947      928      -19     

Flag	Coverage Δ
admin-tests	53.43% <ø> (-0.03%)	⬇️
e2e-tests	73.76% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.