
Skip workspace specifiers in dependency Version Check #149

Merged
gtbuchanan merged 1 commit into main from fix-version-check-catalog on Jun 6, 2026

Conversation

@gtbuchanan

Owner

Problem

The Version Check job iterates every newly-added dependency from GitHub's dependency-graph compare API. For pnpm catalog deps, the graph reports two entries per package: the manifest entry with version catalog: and the lockfile-resolved entry (e.g. 1.4.0).

The script could not parse catalog: as a semver, so it compared catalog: against deps.dev's latest, failed the match, and flagged the dep as stale. Any PR adding a catalog dependency fails this check even when the resolved version is at latest — first hit by #148 (the first catalog dep added since this check landed).

Fix

Skip pnpm/yarn manifest specifiers (catalog:, workspace:, link:, file:, npm: aliases, git/http URLs) before the version comparison. The resolved version is reported as a separate lockfile entry and is still checked, so coverage is unchanged for real versions and SHA-pinned actions.

Verified locally that catalog: entries are skipped while resolved versions and action SHA pins still route to their respective checks.

🤖 Generated with Claude Code

The Version Check iterates every newly-added dependency from GitHub's
dependency-graph compare. pnpm records both the manifest entry (version
`catalog:`) and the lockfile-resolved entry (e.g. `1.4.0`). The script
could not parse `catalog:` as a version and flagged it stale, so any PR
adding a catalog dependency failed even when the resolved version was at
latest.

Skip pnpm/yarn manifest specifiers (catalog:, workspace:, link:, file:,
npm: aliases, git/http URLs) before the version comparison. The resolved
version is reported as a separate lockfile entry and is still checked.
@coderabbitai

coderabbitai Bot commented Jun 6, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c9ea10cb-bc7c-48f2-b6f4-cbe2bc5a0f64

📥 Commits

Reviewing files that changed from the base of the PR and between a419c8c and c571936.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: CI / Build
  • GitHub Check: Pre-Commit / Pre-Commit Run
🧰 Additional context used
📓 Path-based instructions (2)
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/*.yml: Reference GitHub Actions by full path (e.g., `gtbuchanan/tooling/.github/actions/<name>@main`) instead of relative ./ paths in workflow files
Every job that needs Node, pnpm, or prek must prepend `mise-setup` to install exact versions pinned in `mise.toml` / `mise.lock`

Files:

  • .github/workflows/dependency-review.yml
.github/workflows/{pr.yml,release.yml,cd.yml,ci.yml,changeset-check.yml,dependency-review.yml,pre-commit.yml,pre-commit-seed.yml}

📄 CodeRabbit inference engine (AGENTS.md)

Keep reusable workflows as workflow_call-only and define direct triggers (on pull_request, on push) in pipeline workflows (pr.yml, release.yml)

Files:

  • .github/workflows/dependency-review.yml
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: gtbuchanan/tooling PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-06-04T20:00:49.800Z
Learning: Applies to .github/workflows/*.yml : Every job that needs Node, pnpm, or prek must prepend `mise-setup` to install exact versions pinned in `mise.toml` / `mise.lock`
📚 Learning: 2026-06-04T20:00:49.800Z
Learnt from: CR
Repo: gtbuchanan/tooling PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-06-04T20:00:49.800Z
Learning: Applies to .github/workflows/*.yml : Every job that needs Node, pnpm, or prek must prepend `mise-setup` to install exact versions pinned in `mise.toml` / `mise.lock`

Applied to files:

  • .github/workflows/dependency-review.yml
📚 Learning: 2026-06-04T18:38:29.949Z
Learnt from: gtbuchanan
Repo: gtbuchanan/tooling PR: 141
File: .github/workflows/changeset-check.yml:15-15
Timestamp: 2026-06-04T18:38:29.949Z
Learning: In this repository (gtbuchanan/tooling), GitHub Actions used in workflows are intentionally referenced by moving tags/branches (e.g., `actions/checkout@v*`, `actions/upload-artifact@v*`, `actions/cache@v*`, `actions/create-github-app-token@v*`, and other third-party actions like `rharkor/caching-for-turbo@v*`), and should never be pinned to a commit SHA. There is no repo-wide SHA-pinning policy; therefore, do not flag these as “unpinned” or suggest SHA-pinning (zizmor’s default `unpinned-uses` rule does not apply here). For in-repo composite actions referenced by reusable workflows, the deliberate documented convention is to use `main` (e.g., `gtbuchanan/tooling/.github/actions/mise-setup@main`), matching how consumers reference the reusable workflows themselves (`.../.github/workflows/<name>@main`). Do not change `main` references to SHAs to avoid hash bumps and the self-reference paradox.

Applied to files:

  • .github/workflows/dependency-review.yml
🔇 Additional comments (1)
.github/workflows/dependency-review.yml (1)

51-60: Extend git specifier coverage in dependency-review.yml skip guard

  • The guard currently skips only git:* (e.g., git://...), but it doesn’t skip git+https://..., git+ssh://..., or shortcuts like github:user/repo, gitlab:user/repo, bitbucket:user/repo; if those show up in dependency-graph responses, they can fall through and cause false positives.
Proposed pattern tweak
-  catalog:*|workspace:*|link:*|file:*|npm:*|git:*|http:*|https:*)
+  catalog:*|workspace:*|link:*|file:*|npm:*|git:*|git+*|github:*|gitlab:*|bitbucket:*|http:*|https:*)
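Review bot: the widened pattern still misses specifier forms that carry no colon-prefixed scheme, so they would fall through to the semver path just like the git+ forms the hunk adds: npm's bare GitHub shorthand (`user/repo`, `user/repo#ref`) and scp-style `git@host:user/repo` references, and `ssh:*` is also absent from the list. Since a resolvable version string never contains a `/`, adding `*/*` next to the listed alternatives catches both shorthand forms without touching real versions, and `ssh:*` is a one-token addition. As with the git+ forms, this only matters if the dependency-graph compare reports those strings for manifest entries.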

📝 Walkthrough

Walkthrough

The dependency-review.yml workflow adds an early skip guard in the version-check loop that detects manifest-style dependency specifiers and continues to the next iteration, preventing later semver resolution logic from processing non-resolvable version strings like catalog, workspace, link, file, npm alias, and git/http references.

Changes

Layer: Manifest specifier skip guard
File(s): .github/workflows/dependency-review.yml
Summary: The version-check job adds a conditional guard that detects manifest specifiers (catalog/workspace/link/file/npm/git/http(s)) and skips them with a "manifest specifier, skipped" message, allowing only resolvable semver versions to proceed to the existing version-resolution switch/case logic.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: skipping workspace specifiers in the dependency version check workflow, which directly aligns with the changeset.
Description check ✅ Passed The description is directly related to the changeset, providing clear context about the problem, the fix, and verification steps for the workflow modification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@gtbuchanan gtbuchanan merged commit 3ba2f9e into main Jun 6, 2026
11 checks passed
@gtbuchanan gtbuchanan deleted the fix-version-check-catalog branch June 6, 2026 16:46
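The skip guard this PR adds, as an added example that is not the repository's own dependency-review.yml code: a stand-alone POSIX shell version of the `case` guard from the PR description and commit message, extended with the `git+*`, `github:`, `gitlab:` and `bitbucket:` alternatives CodeRabbit proposes above, followed by the routing of the entries that survive the guard (lockfile-resolved versions and SHA-pinned actions), which the description says still reach their respective checks. The function names, the `skipped`/`sha-pin`/`semver`/`unknown` labels, the stripping of a leading range operator and the sample entries are this example's own assumptions, not taken from the workflow.

```shell
#!/bin/sh
# Added example, not the repository's dependency-review.yml: a stand-alone
# version of the skip guard this PR adds, written as a POSIX `case` pattern
# and extended with the git+ / github: / gitlab: / bitbucket: forms proposed
# in the CodeRabbit comment. Function names, routing labels, range-operator
# stripping and the sample entries are this example's own assumptions.

# True (exit 0) when the version string is a manifest-only specifier that
# cannot be compared as semver: pnpm catalog/workspace, link/file paths,
# npm: aliases, git and http(s) references.
is_manifest_specifier() {
  case "$1" in
    catalog:*|workspace:*|link:*|file:*|npm:*|git:*|git+*|github:*|gitlab:*|bitbucket:*|http:*|https:*)
      return 0 ;;
  esac
  return 1
}

# Route one version string to the check that should handle it:
#   skipped  manifest specifier; the lockfile-resolved entry carries the real version
#   sha-pin  40 hex characters, a GitHub Action pinned by commit
#   semver   x.y.z, optionally behind a range operator (^ ~ =) or a leading v
#   unknown  anything else, left for the caller to report rather than fail on
route_version() {
  v=$1
  if is_manifest_specifier "$v"; then
    echo skipped
    return 0
  fi
  case "$v" in
    *[!0-9a-f]*) : ;;    # contains a non-hex character, so it is not a commit SHA
    *) if [ "${#v}" -eq 40 ]; then echo sha-pin; return 0; fi ;;
  esac
  stripped=${v#[~=^]}    # drop one leading range operator (this example's normalization)
  stripped=${stripped#v}
  case "$stripped" in
    [0-9]*.[0-9]*.[0-9]*) echo semver; return 0 ;;
  esac
  echo unknown
}

# Constructed sample, not real dependency-graph output: one "name version"
# per line, including a pnpm catalog dep reported twice as the PR describes
# (manifest entry `catalog:` plus the lockfile-resolved `1.4.0`).
sample_entries() {
  printf '%s\n' \
    'example-lib catalog:' \
    'example-lib 1.4.0' \
    'other-lib ^2.0.1' \
    '@acme/shared workspace:*' \
    'string-width npm:string-width@^5' \
    'left-pad git+https://github.com/example/left-pad.git' \
    'example/action 0123456789abcdef0123456789abcdef01234567'
}

# Print "name version route" for each entry read on stdin.
route_entries() {
  while read -r name version; do
    [ -n "$version" ] || continue
    printf '%s %s %s\n' "$name" "$version" "$(route_version "$version")"
  done
}

# Count how many entries read on stdin are routed to the given label.
count_routed() {
  route_entries | awk -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

sample_entries | route_entries
```

Running the script prints one `name version route` line per sample entry: the `catalog:` manifest entry is reported as skipped while its lockfile twin `1.4.0` goes to the semver path and the 40-hex entry to the SHA-pin path, which is the behaviour the PR description says was verified locally. The `unknown` label exists so that a specifier the pattern does not know about is surfaced rather than silently failing the semver comparison, which is exactly how the original `catalog:` false positive arose.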