Merge pull request #4 from wasp-lang/main

Merge from upstream

Author: Genyus

.gitattributes

@@ -6,3 +6,5 @@
 /examples/** linguist-documentation
 
 **/package-lock.json linguist-generated=true
+
+*.snap linguist-generated

.github/actions/compute-artifact-names/action.yaml

@@ -0,0 +1,66 @@
+name: Compute artifact names
+description: Central place for computing the artifact names in the CI builds.
+
+inputs:
+  build-name:
+    description: >
+      The build name (e.g., linux-x86_64, macos-aarch64, etc.). The special
+      value "all" can be used to receive a glob that matches all of the build
+      names.
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Check valid build name
+      if: >
+        ! contains(
+          fromJson('[
+            "all",
+            "linux-x86_64",
+            "linux-x86_64-static",
+            "macos-x86_64",
+            "macos-aarch64",
+            "macos-universal"
+          ]'),
+          inputs.build-name
+        )
+      shell: sh
+      run: |
+        echo '::error::Invalid build name provided: ${{ inputs.build-name }}.'
+        exit 1
+
+    - name: Set artifact names
+      id: set-artifact-names
+      shell: sh
+      env:
+        BUILD_NAME: ${{ inputs.build-name == 'all' && '*' || inputs.build-name }}
+      run: |
+        echo "artifact-name=wasp-cli-${BUILD_NAME}" >> $GITHUB_OUTPUT
+        echo "tarball-name=wasp-${BUILD_NAME}.tar.gz" >> $GITHUB_OUTPUT
+
+    - name: Set npm target
+      id: set-npm-target
+      if: inputs.build-name != 'all' && inputs.build-name != 'macos-universal'
+      shell: sh
+      run: |
+        case '${{ inputs.build-name }}' in
+            linux-x86_64) npm_target='{"os":"linux","cpu":"x64","libc":"glibc"}' ;;
+            linux-x86_64-static) npm_target='{"os":"linux","cpu":"x64","libc":"musl"}' ;;
+            macos-x86_64) npm_target='{"os":"darwin","cpu":"x64"}' ;;
+            macos-aarch64) npm_target='{"os":"darwin","cpu":"arm64"}' ;;
+        esac
+
+        echo "npm-target=$npm_target" >>"$GITHUB_OUTPUT"
+
+outputs:
+  artifact-name:
+    value: ${{ steps.set-artifact-names.outputs.artifact-name }}
+    description: "The name of the artifact attached to the CI build."
+  tarball-name:
+    value: ${{ steps.set-artifact-names.outputs.tarball-name }}
+    description: "The name of the tarball inside the artifact."
+  npm-target:
+    value: ${{ steps.set-npm-target.outputs.npm-target }}
+    description: "A JSON-encoded object of {os, cpu, libc?} for this build."

.github/actions/fetch-nightly-cli/README.md

@@ -0,0 +1,53 @@
+# `fetch-nightly-cli` action
+
+A GitHub Action that fetches the latest nightly CLI build from Wasp's CI runs. This action enables testing against the latest version of Wasp from `main` or from a specific branch/PR.
+
+> [!TIP]
+> This action is intended for internal usage only. If you have a Wasp app and you're just looking to install Wasp in your CI, you can use this step instead:
+>
+> ```yaml
+> - run: curl -sSL https://get.wasp.sh/installer.sh | sh -- -v [version]
+> ```
+
+## Background
+
+This action provides an internal "nightly" system for Wasp, allowing other repositories and workflows to download and install the binary from the latest successful CI run. The action:
+
+- Fetches the most recent successful build from the specified branch (defaults to `main`).
+- Downloads the appropriate binary for the current OS and architecture.
+- Can be used to test against PRs by specifying a different branch.
+
+## Usage
+
+### Basic example
+
+Fetch the latest nightly build from `main` and install it:
+
+```yaml
+- uses: wasp-lang/wasp/.github/actions/fetch-nightly-cli@main
+- run: curl -sSL https://get.wasp.sh/installer.sh | sh -- -f wasp-*.tar.gz
+```
+
+The wildcard `wasp-*.tar.gz` is used because the artifact has a different name depending on the OS and architecture. The `-f` flag tells the installer to use the locally downloaded file.
+
+### Fetch from a specific branch
+
+To test against a specific branch or PR:
+
+```yaml
+- uses: wasp-lang/wasp/.github/actions/fetch-nightly-cli@main
+  with:
+    branch: my-feature-branch
+- run: curl -sSL https://get.wasp.sh/installer.sh | sh -- -f wasp-*.tar.gz
+```
+
+### Custom output directory
+
+Download the CLI package to a specific directory:
+
+```yaml
+- uses: wasp-lang/wasp/.github/actions/fetch-nightly-cli@main
+  with:
+    output-dir: ./bin
+- run: curl -sSL https://get.wasp.sh/installer.sh | sh -- -f bin/wasp-*.tar.gz
+```

.github/actions/fetch-nightly-cli/action.yaml

@@ -19,6 +19,12 @@ runs:
   using: composite
 
   steps:
+    - name: Compute artifact names
+      uses: ./.github/actions/compute-artifact-names
+      id: compute-artifact-names
+      with:
+        build-name: ${{ runner.os == 'Linux' && 'linux' || 'macos' }}-${{ runner.arch == 'ARM64' && 'aarch64' || 'x86_64' }}
+
     - name: Get latest successful run ID
       id: get_run_id
       shell: bash
@@ -32,6 +38,14 @@ runs:
             --json databaseId \
             --jq '.[0].databaseId'
         )
+
+        if [ -z "$run_id" ]; then
+          # Using the ::error:: prefix lets GitHub handle it as a special string, and shows up as a red error in the logs.
+          # https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-commands#setting-an-error-message
+          echo "::error::No successful workflow runs found for branch '$BRANCH'."
+          exit 1
+        fi
+
         echo "run_id=$run_id" >> $GITHUB_OUTPUT
       env:
         GH_REPO: wasp-lang/wasp
@@ -53,7 +67,9 @@ runs:
         GH_TOKEN: ${{ inputs.token }}
         RUN_ID: ${{ steps.get_run_id.outputs.run_id }}
         OUTPUT_DIR: ${{ inputs.output-dir }}
-        ARTIFACT_NAME:
-          # This is the name of the artifact (not the file), which must be in sync with:
-          # /.github/workflows/ci-waspc-build.yaml
-          "wasp-cli-${{ runner.os == 'Linux' && 'linux' || 'macos' }}-${{ runner.arch == 'ARM64' && 'aarch64' || 'x86_64' }}"
+        ARTIFACT_NAME: ${{ steps.compute-artifact-names.outputs.artifact-name }}
+
+outputs:
+  artifact-path:
+    description: "The path to the downloaded artifact directory."
+    value: ${{ inputs.output-dir }}/${{ steps.compute-artifact-names.outputs.artifact-name }}

.github/actions/setup-haskell/action.yaml

@@ -9,13 +9,13 @@ inputs:
     description: |
       The version of GHC to install.
     required: false
-    default: "9.0.2"
+    default: "9.6.7"
 
   cabal-version:
     description: |
       The version of Cabal to install.
     required: false
-    default: "3.10.2.0"
+    default: "3.12.1.0"
 
   cabal-project-dir:
     description: |

.github/pull_request_template.md

@@ -1,62 +1,59 @@
-### Description
+<!--
+  Thanks for contributing to Wasp!
+  Make sure to follow this PR template, so that we can speed up the review process.
+  It will also help you not forget important steps when making a change.
+  If you don't know how to fill any of the sections below, it's okay to leave
+  them blank and ask for help.
+-->
 
-> Describe your PR! If this PR closes an issue, use “Fixes #(issue_number)" syntax so GitHub will auto-close it when merged.
+## Description
 
-### Select what type of change this PR introduces:
+Replace this message here, and write a high-level overview with any additional
+context (motivation, trade-offs, approaches considered, concerns, ...).
 
-1. [ ] **Just code/docs improvement** (no functional change).
-2. [ ] **Bug fix** (non-breaking change which fixes an issue).
-3. [ ] **New feature** (non-breaking change which adds functionality).
-4. [ ] **Breaking change** (fix or feature that would cause existing functionality to not work as expected).
+## Type of change
 
-### Update Waspc ChangeLog and version if needed
+<!-- Select just one with [x] -->
 
-If you did a **bug fix, new feature, or breaking change**, that affects `waspc`, make sure you satisfy the following:
+- [ ] **🔧 Just code/docs improvement** <!-- no functional change -->
+- [ ] **🐞 Bug fix** <!-- non-breaking change which fixes an issue -->
+- [ ] **🚀 New/improved feature** <!-- non-breaking change which adds functionality -->
+- [ ] **💥 Breaking change** <!-- fix or feature that would cause existing functionality to not work as expected -->
 
-1. [ ] I updated [`ChangeLog.md`](https://github.com/wasp-lang/wasp/blob/main/waspc/ChangeLog.md) with description of the change this PR introduces.
-2. [ ] I bumped `waspc` version in [`waspc.cabal`](https://github.com/wasp-lang/wasp/blob/main/waspc/waspc.cabal) to reflect changes I introduced, with regards to the version of the latest wasp release, if the bump was needed.
+## Checklist
 
-### Add a regression test if needed
+<!--
+  Check all the applicable boxes with [x], and leave the rest empty.
+  If you're unsure about any of them, don't hesitate to ask for help.
+-->
 
-If you did a **bug fix**, make sure you satisfy the following:
+- [ ] I tested my change in a Wasp app to verify that it works as intended.
 
-1. [ ] I added a regression test that reproduces the bug and verifies the fix.
+- 🧪 Tests and apps:
 
-If you're unable to add a regression test, please explain why.
-This likely indicates that our current testing setup needs improvement.
+  - [ ] I added **unit tests** for my change. <!-- If not, explain why. -->
+  - [ ] _(if you fixed a bug)_ I added a **regression test** for the bug I fixed. <!-- If not, explain why. -->
+  - [ ] _(if you added/updated a feature)_ I added/updated **e2e tests** in `examples/kitchen-sink/e2e-tests`.
+  - [ ] _(if you added/updated a feature)_ I updated the **starter templates** in `waspc/data/Cli/templates`, as needed.
+  - [ ] _(if you added/updated a feature)_ I updated the **example apps** in `examples/`, as needed.
+    - [ ] _(if you updated `examples/tutorials`)_ I updated the tutorial in the docs (and vice versa).
 
-### Test Coverage
+- 📜 Documentation:
 
-Please ensure your changes are adequately tested:
+  - [ ] _(if you added/updated a feature)_ I **added/updated the documentation** in `web/docs/`.
 
-1. [ ] **My changes are covered by tests** (unit, integration, or e2e tests as appropriate).
+- 🆕 Changelog: _(if change is more than just code/docs improvement)_
+  - [ ] I updated `waspc/ChangeLog.md` with a **user-friendly** description of the change.
+  - [ ] _(if you did a breaking change)_ I added a step to the current **migration guide** in `web/docs/migration-guides/`.
+  - [ ] I **bumped the `version`** in `waspc/waspc.cabal` to reflect the changes I introduced.
 
-If you're unable to add tests or if coverage is partial, please explain why below:
+<!--
+  Bumping the version on `waspc/waspc.cabal`:
 
-<!-- Provide explanation here if tests are missing or incomplete -->
+  We still haven't reached 1.0, so the version bumping follows these rules:
+    - Bug fix:            0.X.+1    (e.g. 0.16.3 bumps to 0.16.4)
+    - New feature:        0.X.+1    (e.g. 0.16.3 bumps to 0.16.4)
+    - Breaking change:    0.+1.0    (e.g. 0.16.3 bumps to 0.17.0)
 
-### Update example apps if needed
-
-If you did code changes and **added a new feature**, make sure you satisfy the following:
-
-1. [ ] I updated [`waspc/examples/todoApp`](https://github.com/wasp-lang/wasp/tree/main/waspc/examples/todoApp) and its e2e tests as needed and manually checked it works correctly.
-
-If you did code changes and **updated an existing feature**, make sure you satisfy the following:
-
-1. [ ] I updated [`waspc/examples/todoApp`](https://github.com/wasp-lang/wasp/tree/main/waspc/examples/todoApp) and its e2e tests as needed and manually checked it works correctly.
-
-### Update starter apps if needed
-
-If you did code changes and **updated an existing feature**, make sure you satisfy the following:
-
-1. [ ] I updated [starter skeleton](https://github.com/wasp-lang/wasp/tree/main/waspc/data/Cli/templates/skeleton) as needed and manually checked it works correctly.
-2. [ ] I updated [`basic` starter](https://github.com/wasp-lang/wasp/tree/main/waspc/data/Cli/templates/basic) as needed and manually checked it works correctly.
-3. [ ] I updated [`todo-ts` starter](https://github.com/wasp-lang/starters/tree/dev/todo-ts) as needed and manually checked it works correctly.
-4. [ ] I updated [`embeddings` starter](https://github.com/wasp-lang/starters/tree/dev/embeddings) as needed and manually checked it works correctly.
-5. [ ] I updated [`saas` starter](https://github.com/wasp-lang/open-saas/tree/main/template) as needed and manually checked it works correctly.
-
-### Update e2e tests if needed
-
-If you did code changes and changed Wasp's code generation logic, make sure you satisfy the following:
-
-1. [] I updated [e2e tests](https://github.com/wasp-lang/wasp/tree/main/waspc#end-to-end-e2e-tests) as needed and manually checked they are correct.
+  If the version has already been bumped on `main` since the last release, skip this.
+-->

.github/workflows/automation-cache-evict.yaml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Evict caches
         shell: bash

.github/workflows/automation-pr-label-external.yaml

@@ -1,50 +1,39 @@
 name: "Automation - Label external PRs"
 
+############################################################
+# CAUTION: This workflow should not check out the PR code! #
+############################################################
+# The `pull_request_target` event is only intended for simple automations on the
+# PRs themselves (e.g., labeling, commenting). If we checked out the PR code here,
+# we would be running untrusted code and giving it access to our repository
+# secrets, which is a major security risk.
+#
+# More info at:
+# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
-
-env:
-  internal_team_name: "eng"
-  external_label_name: "external"
+      - ready_for_review
 
 jobs:
-  label-external-pr:
+  label-external-prs:
     name: Label external PRs
-
     runs-on: ubuntu-latest
 
     permissions:
       pull-requests: write
 
-    steps:
-      # We're dealing with untrusted input, so we pass inputs as environment
-      # variables instead of interpolation, following GitHub's advice:
-      # https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
-
-      - name: Check if PR is internal
-        id: check_pr
-        run: |
-          pr_is_internal=$(
-            gh api "/orgs/$GITHUB_ORG/teams/$TEAM_NAME/members" |
-              jq --arg author "$AUTHOR_LOGIN" 'map(.login) | contains([$author])'
-          )
-
-          # Output is a JSON boolean
-          echo "pr_is_internal=$pr_is_internal" >>"$GITHUB_OUTPUT"
-
-        env:
-          AUTHOR_LOGIN: ${{ github.event.sender.login }}
-          GITHUB_ORG: ${{ github.repository_owner }}
-          TEAM_NAME: ${{ env.internal_team_name }}
-          GH_TOKEN: ${{ secrets.WASP_LANG_READ_MEMBERS }}
+    # We check if the PR comes from a different repo than ours:
+    if: github.event.pull_request.head.repo.full_name != github.repository
 
+    steps:
       - name: Label external PR
-        if: steps.check_pr.outputs.pr_is_internal == 'false'
         run: gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME"
         env:
+          LABEL_NAME: "external"
           PR_NUMBER: ${{ github.event.pull_request.number }}
-          LABEL_NAME: ${{ env.external_label_name }}
           GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}

.github/workflows/ci-deploy-test.yaml

@@ -26,11 +26,11 @@ jobs:
       name: fly-deploy-test
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: ./.github/actions/setup-haskell
 
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
         with:
           cache: "npm"
           node-version: "22"

.github/workflows/ci-examples-test.yaml

@@ -23,13 +23,13 @@ jobs:
           - kitchen-sink
 
     steps:
-      - uses: "actions/checkout@v5"
+      - uses: "actions/checkout@v6"
 
       - uses: ./.github/actions/setup-haskell
         with:
           cabal-project-dir: waspc
 
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: lts/*