Revert/main #18729
Revert/main #18729
Conversation
总体概述此PR涉及多项更新:降级GitHub Actions checkout版本(v6→v5),调整工作流矩阵配置(macos-13→macos-latest),在多个包中进行测试框架迁移(Vitest↔Jest),更新依赖版本,重命名内部变量,以及清理配置和文档。 变更详情
估计代码审查工作量🎯 3 (中等) | ⏱️ ~20 分钟 可能相关的 PR
建议审查人
庆祝诗
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
packages/taro-components/src/components/pull-to-refresh/pull-to-refresh.tsx (1)
133-149: 验证 child 元素存在性以防止运行时错误。第 136-139 行代码中,
child?.appendChild.bind(child)的模式存在问题:当child为null时,可选链?.会返回undefined,随后undefined.bind(child)会抛出TypeError。可选链未能保护后续的.bind()调用。建议在绑定方法前先验证
child是否存在,或确保该元素在组件初始化时总是被创建。packages/taro/package.json (1)
30-38: 保留 @tarojs/taro 中的 vite devDependency,以确保类型导入的正确解析。
packages/taro/types/compile/config/h5.d.ts中直接引入了 vite 类型:import type { ServerOptions as ViteServerOptions } from 'vite'。该类型被导出为公共 API 的一部分,供下游使用者使用。移除 @tarojs/taro 中的 vite devDependency 会导致 TypeScript 无法正确解析这些类型导入。虽然 @tarojs/vite-runner 有自己的 vite 依赖,但无法解决 @tarojs/taro 自身的类型解析需求。在 monorepo 中,每个包需要自己的依赖来支持其类型定义。
🤖 Fix all issues with AI agents
In @.github/workflows/auto-review.yml:
- Line 14: 确认为 actions/checkout@v5 的降级原因:检查 CI 运行环境的 Actions Runner 版本是否满足 v6
的最低要求 (>= v2.329.0); 如果满足,将 uses: actions/checkout@v5 更改为 uses:
actions/checkout@v6 并验证凭证行为;如果不满足,保留 uses: actions/checkout@v5,但在 PR 或 CI
配置中记录理由并添加一条任务以定期在 GitHub 安全公告或依赖扫描中监控 v5 的安全补丁。
In @.github/workflows/nodejs.yml:
- Around line 112-120: Update the test step that skips @tarojs/components on
macOS by creating a GitHub issue to track the macOS test failure and then
annotate the TODO with that issue link; in the workflow block where the step
name is "test" and the conditional checks matrix.host == "macos-latest" (and
runs the pnpm -r ... --filter=!@tarojs/components command), add a concise
comment that includes the issue number/URL, the observed failure symptoms, the
owner or assignee, and a target timeframe for resolution so the skip is clearly
tracked and can be removed once fixed.
- Line 66: The workflow currently pins actions/checkout to actions/checkout@v5
without explanation; add a short comment next to the uses: actions/checkout@v5
line (or a clear note in the PR description) stating why you intentionally
downgraded from v6 (e.g., self-hosted Runner version constraints, need to run
git auth inside Docker, or other compatibility reason), include the minimum
runner version or environment constraint that necessitates v5, and ensure the
comment references the exact symbol "uses: actions/checkout@v5" so reviewers can
see the rationale at a glance.
In @packages/taro-components-react/src/components/input/index.tsx:
- Line 51: Rename the misspelled flag onInputExcuted to onInputExecuted in the
component: update the constructor initialization (this.onInputExcuted), the
type/property declaration (onInputExcuted: boolean), and every usage/reference
of that symbol across the file (places where onInputExcuted is read/assigned or
checked). Keep the same boolean semantics and export/interface names if any, and
run a global search to update all occurrences to the correct identifier so the
Stencil and React variants stay consistent.
In @packages/taro-components/package.json:
- Line 59: Stencil was downgraded from v3.4.2 to "@stencil/core": "2.22.3"
without documenting the concrete failure scenarios or a migration plan; update
the PR description and CHANGELOG to list the specific compatibility failures
observed (referencing the original PR #18649 and the exact test failures/stack
traces), open a dedicated issue to track this technical debt that enumerates the
blocking problems (config/output-target differences, source map behavior, API
changes, Puppeteer/version constraints, etc.), and add a clear re-migration plan
and timeline for moving back to v3 (tasks, owners, test matrix, and date
targets) so reviewers can see what to unblock to upgrade safely.
In @packages/taro-components/src/components/input/input.tsx:
- Line 31: Rename the misspelled flag onInputExcuted to onInputExecuted across
the component and update every reference to it (including uses inside methods
and conditionals noted around the previous references), keeping the same
visibility and type (private boolean) and behavior; ensure any bindings,
initializations, tests or comments that reference onInputExcuted are updated to
the correct name so compilation and runtime logic remain unchanged.
In @packages/taro-components/src/components/pull-to-refresh/pull-to-refresh.tsx:
- Line 119: Update the inline comment that mentions
"添加this._isMounted的判断,否则组建一实例化,currSt就会是finish" by correcting the typo "组建" to
"组件" so it reads "添加this._isMounted的判断,否则组件一实例化,currSt就会是finish"; locate the
comment near the use of this._isMounted and currSt in the PullToRefresh
component (pull-to-refresh.tsx) and replace the incorrect character only.
🧹 Nitpick comments (3)
packages/taro-components/package.json (2)
41-41: 审查 puppeteer 安装步骤的必要性添加了
pretest:ci钩子来手动安装 puppeteer。这通常表明 puppeteer 的自动安装存在问题。建议:
- 验证 puppeteer 是否在 devDependencies 中(Line 86 显示已添加)
- 考虑使用
PUPPETEER_SKIP_DOWNLOAD环境变量配合显式安装来优化 CI 缓存- 确认此步骤在所有 CI 环境中都能正常工作
60-60: hammerjs 库已停止维护,考虑迁移到现代替代方案hammerjs 自 2019 年起已停止维护,最后一个 npm 发布版本 v2.0.8 距今已逾 9 年,目前处于低度维护状态。该库在
packages/taro-components/src/components/map/map.tsx中被使用。建议评估以下替代方案:
- 使用浏览器原生 Touch Events 和 Pointer Events API
- 迁移到 Hammer.js 的维护分支
@egjs/hammerjs- 根据实际需求评估是否必需手势库
packages/babel-plugin-transform-solid-jsx/jest.config.js (1)
1-8: Jest 配置看起来合理,但需注意覆盖率范围新的 Jest 配置基本正确。一些观察:
Line 4 -
collectCoverageFrom仅包含./index.js。如果插件有其他源文件(如dist/目录),考虑扩展覆盖率收集范围。Line 2 -
moduleDirectories包含'packages'有助于 monorepo 中的模块解析,与项目结构一致。Line 3 -
testEnvironment: 'jsdom'适合需要 DOM 环境的 JSX 转换测试。可选:扩展覆盖率收集范围
如果插件有额外的源文件,考虑更新 collectCoverageFrom:
- collectCoverageFrom: ['./index.js'], + collectCoverageFrom: ['./index.js', './dist/**/*.js'],
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (5)
packages/babel-plugin-transform-react-jsx-to-rn-stylesheet/tests/__snapshots__/index.spec.ts.snapis excluded by!**/*.snappackages/babel-plugin-transform-taroapi/tests/__snapshots__/harmony.spec.ts.snapis excluded by!**/*.snappackages/babel-plugin-transform-taroapi/tests/__snapshots__/index.spec.ts.snapis excluded by!**/*.snappackages/taro-cli-convertor/report/static/js/bundle.js.mapis excluded by!**/*.mappnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (36)
.github/workflows/auto-review.yml.github/workflows/build-rust-binding.yml.github/workflows/build-rust-wasm.yml.github/workflows/dependabot-update-lockfile.yml.github/workflows/issue-labeler.yml.github/workflows/nodejs.yml.github/workflows/publish.yml.github/workflows/sync-components-types.ymlpackage.jsonpackages/babel-plugin-transform-react-jsx-to-rn-stylesheet/package.jsonpackages/babel-plugin-transform-react-jsx-to-rn-stylesheet/vitest.config.tspackages/babel-plugin-transform-solid-jsx/jest.config.jspackages/babel-plugin-transform-solid-jsx/package.jsonpackages/babel-plugin-transform-solid-jsx/test/unique-transform.spec.jspackages/babel-plugin-transform-solid-jsx/vitest.config.mtspackages/babel-plugin-transform-taroapi/package.jsonpackages/babel-plugin-transform-taroapi/vitest.config.tspackages/babel-preset-taro/vitest.config.tspackages/css-to-react-native/vitest.config.tspackages/shared/vitest.config.tspackages/taro-components-react/src/components/input/index.tsxpackages/taro-components/__tests__/form.e2e.tspackages/taro-components/package.jsonpackages/taro-components/scripts/stencil/stencil.config.tspackages/taro-components/src/components/input/input.tsxpackages/taro-components/src/components/pull-to-refresh/pull-to-refresh.tsxpackages/taro-components/src/components/scroll-view/readme.mdpackages/taro-extend/vitest.config.tspackages/taro-framework-vue3/vitest.config.tspackages/taro-rn-runner/vitest.config.tspackages/taro-rn-style-transformer/vitest.config.tspackages/taro-router/src/tabbar.tspackages/taro-runtime/vitest.config.tspackages/taro/package.jsonscripts/download.mjsvitest.config.ts
💤 Files with no reviewable changes (5)
- packages/taro-components/tests/form.e2e.ts
- packages/babel-plugin-transform-react-jsx-to-rn-stylesheet/package.json
- packages/taro-components/src/components/scroll-view/readme.md
- scripts/download.mjs
- packages/babel-plugin-transform-solid-jsx/vitest.config.mts
🧰 Additional context used
🧠 Learnings (9)
📚 Learning: 2025-08-25T22:16:50.118Z
Learnt from: ianzone
Repo: NervJS/taro PR: 18150
File: packages/babel-plugin-transform-taroapi/tests/__mocks__/h5-definition.json:2356-2356
Timestamp: 2025-08-25T22:16:50.118Z
Learning: The file `packages/babel-plugin-transform-taroapi/tests/__mocks__/h5-definition.json` is auto-generated by the post-build script `packages/taro-platform-h5/scripts/post-build.mjs`, which copies content from `taro-platform-h5/dist/definition.json`. This file should not be manually edited.
Applied to files:
packages/babel-plugin-transform-taroapi/package.jsonpackages/taro-components/scripts/stencil/stencil.config.tspackages/babel-plugin-transform-solid-jsx/package.jsonpackages/babel-plugin-transform-solid-jsx/jest.config.jsvitest.config.tspackages/taro-components/package.jsonpackages/babel-plugin-transform-solid-jsx/test/unique-transform.spec.jspackages/taro/package.json
📚 Learning: 2025-08-08T02:32:58.265Z
Learnt from: ianzone
Repo: NervJS/taro PR: 18146
File: packages/babel-plugin-transform-react-jsx-to-rn-stylesheet/package.json:12-14
Timestamp: 2025-08-08T02:32:58.265Z
Learning: 在 Taro 项目的 pnpm 工作区中,Vitest 相关依赖(vitest 和 vitest/coverage-istanbul)被管理在根目录的 package.json 中,而不是各个子包的 devDependencies 中。这是 monorepo 中依赖提升的标准做法。
Applied to files:
packages/babel-plugin-transform-taroapi/package.jsonpackages/babel-plugin-transform-solid-jsx/package.json.github/workflows/nodejs.ymlvitest.config.tspackages/taro-components/package.jsonpackage.jsonpackages/taro/package.json
📚 Learning: 2025-05-25T18:02:31.387Z
Learnt from: ianzone
Repo: NervJS/taro PR: 17746
File: packages/taro-runtime/tsdown.config.ts:10-16
Timestamp: 2025-05-25T18:02:31.387Z
Learning: 在 taro-runtime 包的 tsdown 配置中,必须禁用 treeshake 来保留 dom-external/index.js 文件。
Applied to files:
packages/taro-components/scripts/stencil/stencil.config.tspackages/taro-components/package.jsonpackages/taro/package.json
📚 Learning: 2025-09-05T18:40:45.775Z
Learnt from: ianzone
Repo: NervJS/taro PR: 18150
File: packages/taro-platform-harmony-hybrid/package.json:43-45
Timestamp: 2025-09-05T18:40:45.775Z
Learning: 在 tarojs/plugin-platform-harmony-hybrid 包中,tarojs/components-library-react、tarojs/components-library-solid 和 tarojs/components-library-vue3 必须作为直接依赖(dependencies)而不能作为 peer 依赖,因为插件源码中有对这些包的直接引用,包括 componentAdapter* getter 方法和 webpack 别名配置。
Applied to files:
packages/taro-components/scripts/stencil/stencil.config.tspackages/taro-components/package.jsonpackages/taro/package.json
📚 Learning: 2025-11-21T07:15:22.634Z
Learnt from: ianzone
Repo: NervJS/taro PR: 18646
File: packages/taro/package.json:40-40
Timestamp: 2025-11-21T07:15:22.634Z
Learning: 在 tarojs/taro 包中添加 vite 作为 devDependency 是为了让 tarojs/vite-runner 能够依赖正确的 vite 类型版本,确保 monorepo 中的类型兼容性。
Applied to files:
packages/taro-components/scripts/stencil/stencil.config.tspackages/taro-components/package.jsonpackage.jsonpackages/taro/package.json
📚 Learning: 2025-07-01T15:46:08.457Z
Learnt from: ianzone
Repo: NervJS/taro PR: 17937
File: .github/workflows/issue-labeler.yml:31-31
Timestamp: 2025-07-01T15:46:08.457Z
Learning: stefanbuck/github-issue-parserv3 GitHub Action 的输出字段名称是 `jsonString`,不是 `json`。在工作流中应该使用 `${{ steps.issue-parser.outputs.jsonString }}` 来引用解析后的 JSON 数据。
Applied to files:
.github/workflows/issue-labeler.yml
📚 Learning: 2025-06-23T00:09:31.233Z
Learnt from: ianzone
Repo: NervJS/taro PR: 17842
File: packages/jest-helper/tsconfig.json:9-9
Timestamp: 2025-06-23T00:09:31.233Z
Learning: 在 jest-helper 包中,src 目录下没有 __tests__ 测试目录,只包含 resolver.ts、sequencer.ts 和 snapshot 目录。不要假设包中存在测试目录结构。
Applied to files:
packages/babel-plugin-transform-solid-jsx/jest.config.jsvitest.config.ts
📚 Learning: 2025-08-09T21:41:18.741Z
Learnt from: ianzone
Repo: NervJS/taro PR: 17842
File: .github/workflows/merged.yml:34-41
Timestamp: 2025-08-09T21:41:18.741Z
Learning: 在 NervJS/taro 项目中,merged.yml workflow 故意使用 actions/upload-artifact 而非 actions/cache/save 来保存公共 NX 缓存,因为 Artifact 具有更长的保留时间(最多 90 天),而 Actions Cache 仅保留 7 天。缓存键采用精确匹配策略,不使用 restore-keys 前缀匹配。
Applied to files:
.github/workflows/nodejs.yml
📚 Learning: 2025-07-22T09:16:21.180Z
Learnt from: ianzone
Repo: NervJS/taro PR: 18056
File: packages/taro-runtime/tsconfig.json:10-10
Timestamp: 2025-07-22T09:16:21.180Z
Learning: 在使用 rollup-plugin-dts 的项目中,rollup.config.ts 等构建配置文件会被自动排除,不需要在 tsconfig.json 中手动排除。
Applied to files:
vitest.config.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
- GitHub Check: Build Rust Binding / stable - x86_64-pc-windows-msvc
- GitHub Check: Build Rust Binding / stable - x86_64-unknown-linux-gnu
- GitHub Check: Build Rust Binding / stable - x86_64-apple-darwin
- GitHub Check: Build Rust Binding / stable - aarch64-apple-darwin
🔇 Additional comments (21)
vitest.config.ts (1)
5-5: 所有子包已正确迁移至 .ts 扩展名验证完成:所有 10 个子包的 Vitest 配置文件已统一使用
.ts扩展名,无.mts文件存在。此更改安全,没有配置文件会被静默跳过。packages/taro-components/src/components/input/input.tsx (2)
121-121: 函数签名简化
handleInput的签名已简化,移除了InputEvent交叉类型。如果之前的代码没有使用InputEvent特定的属性,这个简化是合理的。
277-278: 事件绑定命名约定正确。在 Stencil 2.22.3 中,JSX 属性应使用 camelCase 前缀为 "on" 的事件名称处理原生 DOM 事件。onCompositionStart和onCompositionEnd是原生 DOM 事件compositionstart和compositionend在 JSX 中的标准命名。此代码实现符合 Stencil 的事件绑定约定,第 103-104 行的addEventListener使用小写事件名称也是正确的原生 API 用法。packages/taro-components/scripts/stencil/stencil.config.ts (2)
92-94: LGTM!注释清晰地说明了为何禁用 ES5 编译的原因,以及采用的替代方案(将包加入项目的 babel 编译)。这有助于后续维护者理解这一配置决策。
50-50: autoDefineCustomElements 配置选项验证无问题。
autoDefineCustomElements: false是 Stencil v2 的有效配置选项。项目使用 Stencil 2.22.3,此配置正确。该选项控制导入模块时是否自动定义自定义元素,设置为 false 表示消费者需手动定义。无已知副作用或兼容性问题。packages/taro-components/src/components/pull-to-refresh/pull-to-refresh.tsx (2)
151-159: LGTM!在
destroy方法中添加空行提高了代码可读性,将防护性检查与主要逻辑分隔开来。
199-199: LGTM!注释清晰地解释了边缘情况的处理逻辑,有助于代码维护。
.github/workflows/dependabot-update-lockfile.yml (1)
15-15: 确认 checkout action 版本降级的影响与 auto-review.yml 中的更改一致,这里也将 checkout action 从 v6 降级到 v5。请确保此降级不会影响 Dependabot 工作流的功能,特别是与
ref: ${{ github.head_ref }}结合使用时的行为。.github/workflows/build-rust-wasm.yml (1)
12-12: 验证降级对 Rust WASM 构建的影响此构建工作流也将 checkout action 降级到 v5。由于这是关键的构建流程,请确认此更改不会影响代码检出的完整性或缓存行为。
.github/workflows/build-rust-binding.yml (2)
48-48: 确认 checkout action 降级对构建矩阵的影响此工作流包含多个构建目标(Windows、Linux、macOS),请特别注意 checkout v5 是否在所有平台上都能正常工作,尤其是在 Docker 容器内的构建。
19-19:macos-latest兼容性确认已验证此变更安全可行。工作流使用
dtolnay/rust-toolchain@stable自动管理 Rust 版本,NAPI(v2.15.2)和其他依赖没有 macOS 版本特定的要求。x86_64 和 aarch64 构建目标在矩阵中正确配置,项目已成功发布这两个架构的 npm 包(darwin-x64 和 darwin-arm64)。无需担心交叉编译兼容性问题。.github/workflows/sync-components-types.yml (1)
14-14: 验证双 checkout 操作在 v5 下的行为此工作流包含两个 checkout 操作:
- 主仓库检出(第 14 行)
- 外部 taro-docs 仓库检出(第 17 行)
降级到 v5 后,请确认:
- 外部仓库的检出功能(使用
repository参数)是否正常fetch-depth: 1和path参数的行为是否一致- 文件复制操作(第 23-25 行)是否能正确执行
Also applies to: 17-17
.github/workflows/issue-labeler.yml (1)
20-20: 确认 GitHub Actions 版本降级的原因。将
actions/checkout从 v6 降级到 v5 是不常见的操作。通常情况下会升级到更新版本。由于这是 revert PR 的一部分,请确认:
- v6 是否存在已知问题导致需要回退
- 这个降级是否与其他工作流文件中的降级(如 publish.yml)保持一致
- 是否会影响工作流的功能
.github/workflows/publish.yml (1)
32-32: 确认所有 checkout action 降级的原因。该文件中三处将
actions/checkout从 v6 降级到 v5,与其他工作流文件的降级模式一致。请确认这是有意为之的 revert 操作,以及:
- 是否 v6 存在兼容性或功能问题
- 降级是否会影响子模块检出或其他 checkout 功能(特别是 Line 279 的 Harmony Project 检出包含 submodules: true)
Also applies to: 94-94, 279-279
packages/babel-plugin-transform-taroapi/package.json (1)
15-15: 修正了 Vitest 快照更新命令。将
--update修正为--updateSnapshot,这是 Vitest 的正确标志。之前的--update不是有效的 Vitest 参数,会导致命令执行失败。packages/taro-router/src/tabbar.ts (1)
1-1: 导入路径@tarojs/components/dist/components的验证结果。导入路径有效。Stencil 配置明确设置
customElementsDir: 'dist/components'为自定义元素输出目录,并在autoDefineCustomElements: false下为每个组件自动生成defineCustomElement*函数。对于taro-tabbar组件,Stencil 会生成defineCustomElementTaroTabbar导出。配置注释已说明"Taro内部有很多地方都直接引用了dist/components",且taro-router/types/component.d.ts已为该导出声明类型,确认此导入路径为设计的一部分。packages/babel-plugin-transform-solid-jsx/package.json (1)
25-27: Jest 迁移配置完整,无需处理验证确认 Jest 及其依赖已在根 package.json 中正确配置:jest ^29.7.0、babel-jest ^29.7.0 等均可用。jest.config.js 存在且配置正确(使用 babel-jest 转换器)。现有测试文件(test/unique-transform.spec.js)与 Jest 兼容,无 Vitest 配置残留。从 Vitest 回退到 Jest 的迁移已完整实施。
.github/workflows/nodejs.yml (1)
77-77:pnpm -r标志在根目录是冗余的根据 Taro 项目的 pnpm workspace 配置,在仓库根目录执行时,
pnpm install会因为 pnpm 的recursiveInstall默认为 true 而自动递归安装所有 workspace 包的依赖。因此,pnpm install和pnpm -r install在根目录是等效的。添加-r参数不会改变行为,--frozen-lockfile标志在两种情况下都能正确应用于所有包。Likely an incorrect or invalid review comment.
package.json (1)
112-112: 文档化 Vitest 降级的原因Vitest 和 @vitest/coverage-istanbul 从 v4.0.14 降级到 v3.2.4,涉及多个破坏性变更(reporter API 移除、config 选项变更、mock API 行为改变、coverage provider 重写等)。由于该项目使用 pnpm 工作区,根目录 package.json 的依赖版本对所有子包生效。
建议在 PR 描述或提交信息中明确说明降级(revert)的具体原因——是为了修复 v4 的某个问题,还是其他兼容性考量。
packages/taro-components/package.json (1)
86-94: Jest 27.5.1 是 Stencil 2.22.3 的必需版本Stencil v2 仅支持 Jest v24-v27,不支持 Jest v28+。taro-components 包使用 Stencil 2.22.3,因此必须指定 Jest 27.5.1。monorepo 中其他包使用 Jest 29 是合理的,这两个不同版本的共存是必要的兼容性配置。
packages/babel-plugin-transform-solid-jsx/test/unique-transform.spec.js (1)
1-3: 无需改动。导入路径和模块配置均正确:
插件导入路径
'../dist'正确:测试脚本在执行前会先运行 build,生成 dist 目录及其 index.js 文件。babel-plugin-tester 的 .default 访问正确:该包 v11.0.4 确实导出了 default 成员。
测试框架兼容性正确:jest 已配置,babel-jest transformer 能处理 .jsx? 文件。
代码按照 CommonJS 语法正确编写,所有导入都能正确解析。
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub Actions checkout v5 v6 breaking changes differences
💡 Result:
Summary — main differences / breaking changes between actions/checkout v5 and v6
-
Credentials persistence: v6 no longer writes the auth token into .git/config; it stores credentials in a separate file under $RUNNER_TEMP and uses git includeIf to reference it. This improves credential security and isolates creds from repository git config. No workflow changes are required for most users — ordinary git fetch/push still work. [1][2]
-
Runner/minimum requirements: v5 bumped the action runtime to Node.js 24 and required Actions Runner >= v2.327.1; v6 also documents Node 24 support and requires Actions Runner >= v2.329.0 for running authenticated git commands from inside a Docker container action. If you run container actions that need authenticated git access, ensure your runner meets the v6 minimum. [1][2]
-
Behavior impact & migration: because v6 uses includeIf and a separate cred file, most existing workflows (including git push using the built-in token) continue to work without changes. Edge cases include custom SSH-key setups or nonstandard runner environments — verify those workflows and, for private secondary repos, continue to use a PAT when needed. v6 also added worktree support for the new persist-credentials includeIf in patch releases. [1][3]
References
- actions/checkout README (v6 changelog & usage notes). [1]
- Marketplace summary / v6 “what’s new” (credentials, runner notes). [2]
- v6.0.1 release notes (worktree support, README clarifications). [3]
🌐 Web query:
GitHub Actions checkout v5 security vulnerabilities maintenance status
💡 Result:
Short answer: actions/checkout@v5 is a maintained release (v5.0.0 published Aug 11, 2025) but the official repo says GitHub is not accepting general contributions and will focus internal resources while still providing security fixes and major-breaking-change fixes. For credential/security improvements you should consider moving to v6 (which adds improved credential storage). [1][2][3][4]
Details (concise)
- v5 release (node24 upgrade): v5.0.0 (released Aug 11, 2025). [2]
- Maintenance policy: README states GitHub isn’t taking general contributions to this repo but will continue to provide security updates and fix major breaking changes. [1]
- Security posture / advisories: GitHub tracks Actions advisories in the Advisory Database and Dependabot will surface alerts for vulnerable actions — check the Advisory Database / Dependabot for any CVEs/GHSAs affecting the action you use. [4]
- Practical recommendation: prefer actions/checkout@v6 if you want the latest credential-security improvements; otherwise pin to a specific patch release (or SHA) and monitor Dependabot/GitHub Advisory Database for updates. [3][4]
Sources:
- actions/checkout README (maintenance note). [1]
- actions/checkout v5 changelog / release. [2]
- Marketplace / v6 feature notes (credential improvements). [3]
- GitHub docs on monitoring Actions advisories / Dependabot. [4]
🌐 Web query:
GitHub Actions checkout version 5 end of support deprecated
💡 Result:
Short answer: actions/checkout@v5 is not marked as deprecated or end-of-support in the official repo/Marketplace, but v6 is available and contains security/credential improvements — you should upgrade to v6 when your runners meet the minimum version requirements. See the official repo and Marketplace release notes for v5→v6 details. [1][2]
Sources:
- actions/checkout repository (Changelog/README showing v5 and v6 notes). [1]
- GitHub Marketplace entry for actions/checkout (v6 and v5 "What's new" notes). [2]
确认 actions/checkout 版本降级的原因
从 v6 降级到 v5 可能源于运行环境限制。v5 仍在维护中并会收到安全更新,但 v6 需要 Actions Runner >= v2.329.0。建议确认:
- 当前运行环境的 Actions Runner 版本是否满足 v6 的最低要求(>= v2.329.0)
- 如果不满足,v5 是合理的选择,但应在 GitHub 安全公告中监控该版本的安全补丁
v6 相比 v5 的主要改进是凭证存储方式(独立于 git config),这在安全性上有所提升。如果运行环境支持,建议升级到 v6;否则 v5 作为临时方案是可接受的。
🤖 Prompt for AI Agents
In @.github/workflows/auto-review.yml at line 14, 确认为 actions/checkout@v5
的降级原因:检查 CI 运行环境的 Actions Runner 版本是否满足 v6 的最低要求 (>= v2.329.0); 如果满足,将 uses:
actions/checkout@v5 更改为 uses: actions/checkout@v6 并验证凭证行为;如果不满足,保留 uses:
actions/checkout@v5,但在 PR 或 CI 配置中记录理由并添加一条任务以定期在 GitHub 安全公告或依赖扫描中监控 v5 的安全补丁。
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v5 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
actions/checkout GitHub Action latest stable version v6 v5 compatibility issues
💡 Result:
Short answer
- actions/checkout v6 is the current stable major release; it is compatible with most workflows that used v5 and does not require workflow changes. [1][2]
Key differences and compatibility notes
- Credentials handling: v6 stores persisted credentials in a separate file under $RUNNER_TEMP instead of writing them directly into .git/config. This is intended to improve security and should not break normal git commands because the action configures Git to include that file. No workflow edits are required for typical use. [1][2]
- Docker/container caveat: if you run authenticated git commands from inside a Docker container action, v6 requires GitHub Actions Runner v2.329.0 or later. Ensure self-hosted runners are upgraded if you rely on that pattern. [1][2]
- Runner minimums: v5 required newer runner support for its node runtime (node20) with a minimum Actions Runner noted in docs; v6 similarly documents runner requirements for specific features — check your runner version if you use older/self-hosted runners. [2][3]
If you want, tell me which workflows or runner types you use (hosted vs self-hosted, container vs standard) and I’ll check for any specific breaking issues.
Sources
[1] actions/checkout Marketplace listing — “Checkout v6” notes.
[2] actions/checkout GitHub repo README (v6 changelog + details).
[3] related actions release notes referencing runner minimums (example: setup-go/setup-node docs referencing runner versions).
🌐 Web query:
actions/checkout@v6 release notes breaking changes
💡 Result:
Short summary of breaking changes in actions/checkout@v6:
-
Credentials handling changed — persist-credentials now writes credentials to a separate file under $RUNNER_TEMP (not directly to .git/config). For most workflows this is transparent and git fetch/push continue to work without changes. [1][2]
-
Running authenticated git commands from inside a Docker container action may require a minimum Actions Runner version (v2.329.0 or later). Check your runner version if you rely on in-container authenticated git. [2]
-
Runtime update / runner minimums noted in the v6 release (Node.js 24 runtime support and related runner requirements). Confirm runner compatibility if you run self-hosted or older GHES versions. [1][4]
Notes: the maintainers describe this as non-breaking for typical workflows, but some platform-specific or custom SSH/PAT setups may need review; see the discussion/issue threads for edge cases. [3]
Sources: [1] actions/checkout README (v6) — GitHub. [2] GitHub Marketplace listing for Checkout (v6). [3] GitHub issue discussion about v6 behavior. [4] v6 release notes.
应该有文档说明为什么从 v6 降级到 v5
根据官方文档,actions/checkout@v6 是当前的稳定主版本,与 v5 工作流广泛兼容。v6 的主要变更(凭证存储方式)对典型工作流是透明的,不需要修改工作流。
降级到 v5 不是常见做法,请补充说明原因。可能的原因包括:
- 自托管 Runner 版本限制
- 需要在 Docker 容器内运行认证的 git 命令(v6 需要 Runner v2.329.0+)
请在代码注释或 PR 描述中说明这个版本选择的具体原因。
🤖 Prompt for AI Agents
In @.github/workflows/nodejs.yml at line 66, The workflow currently pins
actions/checkout to actions/checkout@v5 without explanation; add a short comment
next to the uses: actions/checkout@v5 line (or a clear note in the PR
description) stating why you intentionally downgraded from v6 (e.g., self-hosted
Runner version constraints, need to run git auth inside Docker, or other
compatibility reason), include the minimum runner version or environment
constraint that necessitates v5, and ensure the comment references the exact
symbol "uses: actions/checkout@v5" so reviewers can see the rationale at a
glance.
| - name: test | ||
| run: pnpm run pretest:ci && pnpm test | ||
| #TODO: 需要优化测试流程,目前 macos 无法正常执行测试,暂时跳过,等待后续优化 | ||
| shell: bash | ||
| run: | | ||
| if [ "${{ matrix.host }}" = "macos-latest" ]; then | ||
| pnpm -r --aggregate-output --filter=./packages/* --filter=./tests --filter=!@tarojs/components test:ci | ||
| else | ||
| pnpm test | ||
| fi |
There was a problem hiding this comment.
macOS 测试绕过方案需要更明确的文档和跟踪
当前的条件测试逻辑为 macOS 排除了 @tarojs/components 包。虽然 TODO 注释提到"等待后续优化",但缺少:
- 具体失败原因的文档说明
- 跟踪此技术债的 issue 链接
- 明确的时间表或负责人
建议:
- 创建专门的 GitHub issue 跟踪此问题
- 在注释中添加 issue 链接
- 记录 macOS 测试失败的具体原因
您是否需要我帮助创建跟踪此技术债的 issue?
🤖 Prompt for AI Agents
In @.github/workflows/nodejs.yml around lines 112 - 120, Update the test step
that skips @tarojs/components on macOS by creating a GitHub issue to track the
macOS test failure and then annotate the TODO with that issue link; in the
workflow block where the step name is "test" and the conditional checks
matrix.host == "macos-latest" (and runs the pnpm -r ...
--filter=!@tarojs/components command), add a concise comment that includes the
issue number/URL, the observed failure symptoms, the owner or assignee, and a
target timeframe for resolution so the skip is clearly tracked and can be
removed once fixed.
| this.handleBeforeInput = this.handleBeforeInput.bind(this) | ||
| this.isOnComposition = false | ||
| this.onInputExecuted = false | ||
| this.onInputExcuted = false |
There was a problem hiding this comment.
严重:变量名拼写错误
与 Stencil 组件相同,onInputExcuted 是一个拼写错误,应该是 onInputExecuted。这个错误在构造函数(第 51 行)和类型声明(第 56 行)中都存在。
为了代码库的一致性和可维护性,建议在恢复此 PR 后,创建一个新的 PR 来修正两个组件中的这个拼写错误。
🔤 修正拼写错误的建议
constructor (props) {
super(props)
// ...
this.isOnComposition = false
- this.onInputExcuted = false
+ this.onInputExecuted = false
}
inputRef: HTMLInputElement
isOnComposition: boolean
- onInputExcuted: boolean
+ onInputExecuted: boolean同时需要更新所有引用此标志的地方(第 93、96、118、125、137、162 行)。
Also applies to: 56-56
🤖 Prompt for AI Agents
In @packages/taro-components-react/src/components/input/index.tsx at line 51,
Rename the misspelled flag onInputExcuted to onInputExecuted in the component:
update the constructor initialization (this.onInputExcuted), the type/property
declaration (onInputExcuted: boolean), and every usage/reference of that symbol
across the file (places where onInputExcuted is read/assigned or checked). Keep
the same boolean semantics and export/interface names if any, and run a global
search to update all occurrences to the correct identifier so the Stencil and
React variants stay consistent.
| }, | ||
| "dependencies": { | ||
| "@stencil/core": "3.4.2", | ||
| "@stencil/core": "2.22.3", |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
Stencil v2.22.3 vs v3 major differences breaking changes
💡 Result:
Short answer — main breaking changes when moving from Stencil v2.22.3 → v3
- Upgrade guide / overview: Stencil published an “Upgrading to Stencil v3” guide with the full breaking-changes list. [1]
- New defaults and config changes
- Source maps enabled by default (previously opt-in). You can opt out with sourceMap: false. [1]
- Some config/output-targets changed/removed (legacy Angular output target removed; new output target behaviors added). [1][3]
- Compiler / output changes
- Custom types for props/events are exported from components.d.ts (affects how you import/re-export types). [1][5]
- Removed deprecated output target dist-custom-elements-bundle and other legacy output behaviors; added CustomElementExportBehavior for dist-custom-elements. [5]
- API/Node changes
- Some internal/CLI APIs changed (e.g., parseFlags() signature changed; fix for misspelled addDestroy/removeDestroy). Update any direct use of Stencil Node APIs. [1]
- Node version compatibility changes in the v3+ release cycle (refer to release notes for exact dropped Node versions). [5]
- Tooling / testing
- Puppeteer >= v10 required for e2e testing (drop @types/puppeteer usage). [1][5]
- Migration notes
- Remove use of removed/legacy output targets (migrate to @stencil/angular-output-target, @stencil/react-output-target, etc.).
- Review any code relying on previously-allowed loose typings (e.g., autocapitalize narrowed to string). [1]
If you want, I can:
- produce a concise actionable upgrade checklist for your repo (find typical places to change config, output targets, Node/Puppeteer versions), or
- scan your package.json/stencil.config.ts (paste them) and point exactly what to change.
Sources:
[1] Stencil “Upgrading to Stencil v3” / Breaking changes (docs).
[2] Stencil support/migration pages and release notes summarizing v3 changes.
[3] Stencil v3 release notes / changelog (npm/newreleases).
🏁 Script executed:
# Check git history for PR #18649 and related changes
git log --all --oneline --grep="18649" | head -20Repository: NervJS/taro
Length of output: 95
🏁 Script executed:
# Search for related issues or discussions about Stencil v3 migration
rg -i "stencil.*v3|18649" --type json --type md --type jsRepository: NervJS/taro
Length of output: 37
🏁 Script executed:
# Check if there are any comments or issues related to Stencil downgrade
rg -i "downgrade|rollback|revert.*stencil" --type md --type js -A 3Repository: NervJS/taro
Length of output: 1247
🏁 Script executed:
# Get more details about commit 4e186a349
git show 4e186a349 --stat | head -50Repository: NervJS/taro
Length of output: 877
🏁 Script executed:
# Search for any TODO, FIXME, or comments related to Stencil in package.json or related files
rg -i "TODO|FIXME|BUG" packages/taro-components/ -A 2 | grep -i stencil -A 2 -B 2Repository: NervJS/taro
Length of output: 609
🏁 Script executed:
# Check if there's a CHANGELOG or similar documentation
find . -name "CHANGELOG*" -o -name "HISTORY*" -o -name "RELEASE*" | head -10Repository: NervJS/taro
Length of output: 37
记录 Stencil v2 降级的具体失败场景和迁移计划
@stencil/core 从 v3.4.2 降级到 v2.22.3 缺乏文档记录。Web 搜索确认 Stencil v2 → v3 存在重大突破性变更(配置/输出目标变更、默认启用源映射、API 变更、Puppeteer 版本要求提升等),原始升级 PR #18649 包含多次测试修复,表明存在兼容性问题。
必须补充:
- 在 PR 描述、CHANGELOG 或相关 issue 中明确记录导致降级的具体失败场景
- 创建专项 issue 跟踪此技术债,记录阻塞 v3 升级的具体问题
- 制定重新迁移到 v3 的计划及时间表(v2.22.3 发布于 2022 年,缺少近两年的功能和安全更新)
🤖 Prompt for AI Agents
In @packages/taro-components/package.json at line 59, Stencil was downgraded
from v3.4.2 to "@stencil/core": "2.22.3" without documenting the concrete
failure scenarios or a migration plan; update the PR description and CHANGELOG
to list the specific compatibility failures observed (referencing the original
PR #18649 and the exact test failures/stack traces), open a dedicated issue to
track this technical debt that enumerates the blocking problems
(config/output-target differences, source map behavior, API changes,
Puppeteer/version constraints, etc.), and add a clear re-migration plan and
timeline for moving back to v3 (tasks, owners, test matrix, and date targets) so
reviewers can see what to unblock to upgrade safely.
| private isOnComposition = false | ||
| private isOnPaste = false | ||
| private onInputExecuted = false | ||
| private onInputExcuted = false |
There was a problem hiding this comment.
严重:变量名拼写错误
onInputExcuted 是一个拼写错误,应该是 onInputExecuted("Executed" 而非 "Excuted")。这个拼写错误会影响代码的可维护性和专业性。
由于这是一个 revert PR,如果此更改是为了恢复到之前的状态,建议在恢复后立即创建一个新的 PR 来修正这个拼写错误。
🔤 修正拼写错误的建议
- private onInputExcuted = false
+ private onInputExecuted = false同时需要更新所有引用此标志的地方(第 129、132、155、169、202 行)。
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In @packages/taro-components/src/components/input/input.tsx at line 31, Rename
the misspelled flag onInputExcuted to onInputExecuted across the component and
update every reference to it (including uses inside methods and conditionals
noted around the previous references), keeping the same visibility and type
(private boolean) and behavior; ensure any bindings, initializations, tests or
comments that reference onInputExcuted are updated to the correct name so
compilation and runtime logic remain unchanged.
| triggerPullDownRefresh = (flag: boolean) => { | ||
| // 在初始化时、用代码 自动 触发 pullDownRefresh | ||
| // 添加 this._isMounted 的判断,否则组件一实例化,currSt 就会是 finish | ||
| // 添加this._isMounted的判断,否则组建一实例化,currSt就会是finish |
There was a problem hiding this comment.
修正注释中的错别字。
注释中的"组建"应为"组件"。"组建"是动词,表示组织建立,而此处应使用名词"组件"来指代 component。
📝 建议的修正
- // 添加this._isMounted的判断,否则组建一实例化,currSt就会是finish
+ // 添加this._isMounted的判断,否则组件一实例化,currSt就会是finish📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| // 添加this._isMounted的判断,否则组建一实例化,currSt就会是finish | |
| // 添加this._isMounted的判断,否则组件一实例化,currSt就会是finish |
🤖 Prompt for AI Agents
In @packages/taro-components/src/components/pull-to-refresh/pull-to-refresh.tsx
at line 119, Update the inline comment that mentions
"添加this._isMounted的判断,否则组建一实例化,currSt就会是finish" by correcting the typo "组建" to
"组件" so it reads "添加this._isMounted的判断,否则组件一实例化,currSt就会是finish"; locate the
comment near the use of this._isMounted and currSt in the PullToRefresh
component (pull-to-refresh.tsx) and replace the incorrect character only.
1 participant
这个 PR 做了什么? (简要描述所做更改)
这个 PR 是什么类型? (至少选择一个)
这个 PR 涉及以下平台:
Summary by CodeRabbit
发行说明
Chores
Tests
Bug Fixes
✏️ Tip: You can customize this high-level summary in your review settings.