Monorepo refactoring#619

Open
herber wants to merge 69 commits into dev from chore/monorepo-refactoring

@herber herber commented May 22, 2026

Member

Note

High Risk
Large CI architecture change affects how every service is built and tested on every push/PR; misconfiguration could block merges or miss regressions until the new matrix is validated.

Overview
This PR replaces many per-service GitHub Actions workflows (Ares, Cargo, Forge, Function Bay, Origin, Shuttle, Signal, Slates, Subspace, Synthesis, etc.) with a single Control pipeline that drives builds and tests through bun run control and a new reusable-control.yml.

The new flow warms an Nx remote cache, runs unit tests per service in a matrix, builds Docker images (including test-runner variants) and saves them as short-lived artifacts, then runs E2E jobs that download and load those prebuilt images instead of rebuilding in each job. app-api gets a dedicated E2E job with modules: all. Image names are standardized on ghcr.io/metorial/mte-* (and metorial-api for app-api); pushes stay off in CI (push_image: false).

test.yml drops Turbo and bun i --linker=hoisted in favor of plain bun i and nx run-many for Prisma generate, build, and test, with a long exclude list so system apps are covered by Control instead.

.gitignore switches .turbo to .nx, adds exceptions so shared cache package paths are not ignored, and ignores Rust target/ for object-storage.

Reviewed by Cursor Bugbot for commit 4b3e020. Bugbot is set up for automated code reviews on this repo. Configure here.

@herber herber self-assigned this May 22, 2026
socket-security Bot commented May 22, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/@lowerdeck/delay@1.0.4 | 62 | 100 | 73 | 91 | 100 |
| Added | npm/@metorial-io/pages@1.0.0 | 72 | 100 | 65 | 84 | 100 |
| Added | npm/@lowerdeck/sentry@1.0.2 | 65 | 100 | 74 | 90 | 100 |
| Added | npm/@lowerdeck/shadow-id@1.0.7 | 66 | 100 | 77 | 92 | 100 |
| Added | npm/@lowerdeck/forwarded-for@1.0.4 | 68 | 100 | 78 | 91 | 100 |
| Added | npm/@lowerdeck/random-number@1.0.4 | 68 | 100 | 73 | 91 | 100 |
| Added | npm/@lowerdeck/unique@1.0.4 | 68 | 100 | 75 | 91 | 100 |
| Added | npm/@metorial-io/ui-product@1.0.0 | 75 | 100 | 69 | 84 | 100 |
| Added | npm/@lowerdeck/telemetry@1.1.1 | 69 | 100 | 99 | 91 | 100 |
| Added | npm/@lowerdeck/join-paths@1.0.4 | 69 | 100 | 78 | 91 | 100 |
| Added | npm/@lowerdeck/env@1.0.6 | 70 | 100 | 87 | 91 | 100 |
| Added | npm/@lowerdeck/once@1.0.4 | 70 | 100 | 78 | 91 | 100 |
| Added | npm/@lowerdeck/api-mux@1.0.4 | 70 | 100 | 84 | 92 | 100 |
| Added | npm/@lowerdeck/programmable-promise@1.0.6 | 70 | 100 | 83 | 92 | 100 |
| Added | npm/@lowerdeck/slugify@1.0.6 | 70 | 100 | 87 | 91 | 100 |
| Added | npm/@lowerdeck/cron@1.1.3 | 70 | 100 | 88 | 94 | 100 |
| Added | npm/@lowerdeck/service@1.0.7 | 71 | 100 | 89 | 92 | 100 |
| Added | npm/@metorial-io/layout@1.0.1 | 76 | 100 | 71 | 88 | 100 |
| Added | npm/@dnd-kit/utilities@3.2.2 | 100 | 100 | 71 | 80 | 100 |
| Added | npm/@lowerdeck/hono@1.0.10 | 71 | 100 | 86 | 93 | 100 |
| Added | npm/@lowerdeck/lock@1.0.6 | 71 | 100 | 87 | 91 | 100 |
| Added | npm/@metorial-io/data-hooks@1.0.1 | 76 | 100 | 71 | 88 | 100 |
| Added | npm/@lowerdeck/encryption@1.0.8 | 71 | 100 | 81 | 92 | 100 |
| Added | npm/@lowerdeck/emitter@1.0.4 | 71 | 100 | 84 | 91 | 100 |
| Added | npm/@lowerdeck/event@1.0.3 | 72 | 100 | 98 | 92 | 100 |
| Added | npm/@lowerdeck/ip-info@1.0.4 | 72 | 100 | 80 | 91 | 100 |
| Added | npm/@ai-sdk/google@3.0.72 | 72 | 100 | 88 | 98 | 100 |
| Added | npm/@lowerdeck/cache@1.0.2 | 72 | 100 | 94 | 90 | 100 |
| Added | npm/@lowerdeck/snowflake@1.0.2 | 72 | 100 | 100 | 90 | 100 |
| Added | npm/@lowerdeck/execution-context@1.1.1 | 72 | 100 | 85 | 92 | 100 |
| Updated | npm/@lowerdeck/id@1.0.5 ⏵ 1.0.8 | 72 | 100 | 96 +1 | 93 +2 | 100 |
| Added | npm/@ai-sdk/openai@3.0.63 | 73 | 100 | 88 | 98 | 100 |
| Added | npm/@lowerdeck/api-key@1.0.3 | 73 | 100 | 86 | 90 | 100 |
See 40 more rows in the dashboard

View full report

Comment thread .github/workflows/control.yml Outdated
Comment thread .github/workflows/control.yml
Comment thread .github/workflows/reusable-control.yml Outdated
Comment thread .github/workflows/reusable-control.yml
socket-security Bot commented May 22, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

Comment thread .github/workflows/reusable-control.yml Outdated
Comment thread .github/workflows/control.yml
Comment thread .github/workflows/control.yml
Comment thread .github/workflows/reusable-control.yml Outdated
if [ -f .control/cache/nx-server.log ]; then
cat .control/cache/nx-server.log >&2
fi
exit 1
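
Review bot: The `cat .control/cache/nx-server.log >&2` in the failure branch writes the entire cache-server log into the job output, unbounded and unfiltered, right before `exit 1`. If that log can record request headers or cache credentials, they become readable to anyone who can view the run; consider emitting only the tail of the file (for example `tail -n 200`) or uploading it as a short-retention artifact instead.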

Dead GITHUB_OUTPUT write without step id

Low Severity

The "Start Nx cache bridge" step writes server=${SERVER_URL} to GITHUB_OUTPUT but the step lacks an id: attribute, making this output inaccessible to any downstream step. The server URL is hardcoded as http://127.0.0.1:43191 in all other steps that need it, so this write is dead code that could confuse future maintainers into thinking the output is used somewhere.

Reviewed by Cursor Bugbot for commit 8ceb6a4. Configure here.

Comment thread .github/workflows/test.yml
Comment thread .github/workflows/test.yml

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 5 total unresolved issues (including 4 from previous reviews).

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit fa57ab4. Configure here.

docker save \
-o ".control/image-artifacts/${SERVICE}.tar" \
"control/${SERVICE}:${IMAGE_TAG}" \
"control/${SERVICE}-test:${IMAGE_TAG}"

Save image step fails without test runner image

Low Severity

The "Save image archive" step unconditionally runs docker tag "${IMAGE}-test:${IMAGE_TAG}" and includes it in docker save, but the -test image only exists when build_test_runner is true. There's no guard condition checking inputs.build_test_runner before attempting to tag/save the test image. If this reusable workflow is ever called with save_image_artifact: true but build_test_runner: false, the step will fail because the -test image doesn't exist.

Reviewed by Cursor Bugbot for commit fa57ab4. Configure here.

herber and others added 8 commits June 1, 2026 08:59
Co-authored-by: Cursor <cursoragent@cursor.com>