ci: update dependency check for correct package

[thephez]

Checks for @dashevo/evo-sdk now and only opens PR if the stable version is a higher version than currently installed version.

Summary by CodeRabbit

• Chores
  • Updated CI workflow to target and manage the @dashevo/evo-sdk package (renamed job, branch, PR and logs to reference the SDK).
  • Improved version-checking to use semver comparisons so updates are applied only when a newer stable SDK is available.
  • Streamlined automated install, package.json updates, commit messages, and PR creation to reference the SDK and produce clearer update logs and PRs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9361dd8b-cbd2-4ffa-b08f-851da0d3c82e

📥 Commits

Reviewing files that changed from the base of the PR and between 3fe8cb2 and 438e720.

📒 Files selected for processing (1)

• .github/workflows/dependency-update.yml

---

📝 Walkthrough

Walkthrough

Replaces the GitHub Actions workflow to target @dashevo/evo-sdk instead of dash: renames workflow and job, swaps dependency lookups and npm queries to @dashevo/evo-sdk, adds semver-based update checks, updates install command, and revises PR creation details and messages.

Changes

Cohort / File(s)	Summary
Dependency Update Workflow .github/workflows/dependency-update.yml	Rebrands and modifies the dependency-update workflow to target @dashevo/evo-sdk (job/name changes). Switches package.json keys and npm queries to @dashevo/evo-sdk, uses semver comparison to decide updates, updates npm install command, and adjusts pull request branch/title/commit/message content.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudged the CI with nibbling paws,

swapped names and checks without a pause,
Semver hummed, the versions aligned,
A tiny PR, neat and signed,
Hooray — the rabbit fixed the cause!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating the dependency check workflow to target the correct package (@dashevo/evo-sdk instead of dash).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/dep-update-check

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/dependency-update.yml (1)

56-66: ⚠️ Potential issue | 🟠 Major

Don't pass a package name to npm install here; refresh the lockfile from the edited manifest instead.

Line 56 sets the dependency version via jq, but npm install @dashevo/evo-sdk`` can rewrite that entry in package.json if npm resolves a different version. Even with `--package-lock-only`, supplying a package name lets npm's default `save` behavior still modify `package.json`. Omit the package name to update only the lockfile.

Suggested fix

-            npm install `@dashevo/evo-sdk`
+            npm install --package-lock-only

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-update.yml around lines 56 - 66, The script
sets dependency versions via jq (CURRENT_PACKAGE_VERSION, CURRENT_MAJOR_VERSION,
NEW_PACKAGE_VERSION) but then runs npm install `@dashevo/evo-sdk` which can
rewrite package.json; instead run npm install --package-lock-only (omit the
package name) after updating package.json so only the lockfile is refreshed from
the edited manifest and package.json stays unchanged. Ensure the npm command
replacing "npm install `@dashevo/evo-sdk`" uses the --package-lock-only flag and
no package argument.

🧹 Nitpick comments (1)

.github/workflows/dependency-update.yml (1)

77-77: Pin this third-party action to a full commit SHA.

GitHub's security guidance recommends pinning third-party actions to their full commit SHA instead of version tags like @v7. Tags are mutable—they can be moved or deleted even by trusted authors—whereas commit SHAs provide an immutable supply-chain boundary. This is particularly important for write-enabled, scheduled workflows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-update.yml at line 77, Replace the mutable tag
on the third-party action by pinning the "peter-evans/create-pull-request@v7"
reference to a full commit SHA: locate the "uses:
peter-evans/create-pull-request@v7" entry in the workflow and change it to
"uses: peter-evans/create-pull-request@<full-commit-sha>" where
<full-commit-sha> is the exact commit SHA from the action's repository (retrieve
the latest desired commit on the peter-evans/create-pull-request repo and paste
the 40-character SHA).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependency-update.yml:
- Around line 38-53: The script compares LATEST_DASH_VERSION against the
manifest floor (CURRENT_DASH_VERSION / DASH_VERSION_NUMBER) which can cause
false upgrades/downgrades; instead determine the resolved installed version via
npm ls (e.g., run npm ls `@dashevo/evo-sdk` --json and parse the installed
version) and use that resolved version in the semver comparison (replace
DASH_VERSION_NUMBER with the installed version variable) before computing
IS_HIGHER so updates only occur when the registry version is strictly greater
than the actually installed version.

---

Outside diff comments:
In @.github/workflows/dependency-update.yml:
- Around line 56-66: The script sets dependency versions via jq
(CURRENT_PACKAGE_VERSION, CURRENT_MAJOR_VERSION, NEW_PACKAGE_VERSION) but then
runs npm install `@dashevo/evo-sdk` which can rewrite package.json; instead run
npm install --package-lock-only (omit the package name) after updating
package.json so only the lockfile is refreshed from the edited manifest and
package.json stays unchanged. Ensure the npm command replacing "npm install
`@dashevo/evo-sdk`" uses the --package-lock-only flag and no package argument.

---

Nitpick comments:
In @.github/workflows/dependency-update.yml:
- Line 77: Replace the mutable tag on the third-party action by pinning the
"peter-evans/create-pull-request@v7" reference to a full commit SHA: locate the
"uses: peter-evans/create-pull-request@v7" entry in the workflow and change it
to "uses: peter-evans/create-pull-request@<full-commit-sha>" where
<full-commit-sha> is the exact commit SHA from the action's repository (retrieve
the latest desired commit on the peter-evans/create-pull-request repo and paste
the 40-character SHA).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad58ce7d-7222-4627-9043-3c38a5ae7f3a

📥 Commits

Reviewing files that changed from the base of the PR and between 728b7a3 and 535d6c0.

📒 Files selected for processing (1)

• .github/workflows/dependency-update.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/dependency-update.yml (1)

56-66: ⚠️ Potential issue | 🟠 Major

Don't re-resolve the package after editing package.json.

Line 56 edits the dependency using jq. Line 66 then runs npm install @dashevo/evo-sdk``, which by default saves to package.json using npm's configured `save-prefix`—potentially overwriting your specification with a different version constraint. Use `npm install --package-lock-only` to refresh the lockfile without modifying `package.json`.

Suggested fix

-            npm install `@dashevo/evo-sdk`
+            npm install --package-lock-only

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-update.yml around lines 56 - 66, The workflow
currently edits package.json via jq (see the jq lines that set the
`@dashevo/evo-sdk` dependency and compute CURRENT_PACKAGE_VERSION /
NEW_PACKAGE_VERSION) but then re-runs npm install `@dashevo/evo-sdk` which can
re-resolve and rewrite package.json; replace that npm install step with a
lockfile-only refresh (run npm install --package-lock-only) so package.json
changes made by jq are preserved while the lockfile is updated without
re-resolving the dependency.

♻️ Duplicate comments (1)

.github/workflows/dependency-update.yml (1)

38-53: ⚠️ Potential issue | 🟠 Major

Compare against the resolved installed version, not the manifest string.

This still doesn't implement the “currently installed version” part of the requirement. CURRENT_DASH_VERSION / DASH_VERSION_NUMBER come from package.json, so a ranged spec or a lockfile that already resolved a newer version can still trigger a bogus update PR.

Does `npm ls <package> --json` report the resolved installed version, and can a `package.json` range like `^x.y.z` or `~x.y.z` resolve to a newer installed version than the range floor?

Suggested fix

           CURRENT_DASH_VERSION=$(jq -r '.dependencies["@dashevo/evo-sdk"] // .devDependencies["@dashevo/evo-sdk"]' package.json)
+          INSTALLED_DASH_VERSION=$(npm ls `@dashevo/evo-sdk` --json --depth=0 | jq -r '.dependencies["@dashevo/evo-sdk"].version')
           
           # Extract the version prefix (e.g., ^, ~, or empty)
           DASH_PREFIX=$(echo "$CURRENT_DASH_VERSION" | grep -o '^[^0-9]*')
-          DASH_VERSION_NUMBER=$(echo "$CURRENT_DASH_VERSION" | grep -o '[0-9].*')
@@
-          IS_HIGHER=$(npx -y semver "$LATEST_DASH_VERSION" -r ">$DASH_VERSION_NUMBER" || true)
+          IS_HIGHER=$(npx -y semver "$LATEST_DASH_VERSION" -r ">$INSTALLED_DASH_VERSION" || true)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-update.yml around lines 38 - 53, The script is
comparing LATEST_DASH_VERSION against the package.json range
(CURRENT_DASH_VERSION / DASH_VERSION_NUMBER), which can be a ranged spec and
cause false positives; change it to compare against the actually
installed/resolved version by running npm ls `@dashevo/evo-sdk` --json (or reading
package-lock.json) to extract the resolved version (e.g., RESOLVED_DASH_VERSION)
and use that in the semver check instead of DASH_VERSION_NUMBER; update the
IS_HIGHER assignment to run npx semver "$LATEST_DASH_VERSION" -r
">$RESOLVED_DASH_VERSION" (or equivalent) and ensure you fall back gracefully if
npm ls fails.

🧹 Nitpick comments (1)

.github/workflows/dependency-update.yml (1)

45-46: Use npm view to explicitly fetch and filter non-prerelease versions instead of relying on dist-tag defaults.

npm show @dashevo/evo-sdk version queries the latest dist-tag, which can return a prerelease version (e.g., 3.1.0-dev.1) if the package publishes it with that tag. Since @dashevo/evo-sdk already publishes prerelease versions, this workflow risks selecting an unstable release as the "latest stable."

To reliably exclude prereleases, fetch all versions and filter explicitly:

npm view `@dashevo/evo-sdk` versions --json | jq '[.[] | select(test("-|[a-z]"; "i") | not)][-1]'

Or use node with semver to pick the maximum non-prerelease version programmatically.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-update.yml around lines 45 - 46, The workflow
uses `npm show `@dashevo/evo-sdk` version` to set LATEST_DASH_VERSION which can
return prerelease tags; change the logic that sets LATEST_DASH_VERSION /
LATEST_MINOR_PATCH to explicitly fetch all versions and select the greatest
non-prerelease release instead of relying on dist-tags (replace the `npm show`
invocation used to set LATEST_DASH_VERSION and the `cut` logic for
LATEST_MINOR_PATCH). Implement this by using `npm view ... versions --json` and
filtering out prerelease entries (e.g., via `jq` with a regex that removes
entries containing `-` or letters) or by piping the versions into a small Node
script that uses the semver module to pick the max non-prerelease version, then
derive LATEST_MINOR_PATCH from that stable version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/dependency-update.yml:
- Around line 56-66: The workflow currently edits package.json via jq (see the
jq lines that set the `@dashevo/evo-sdk` dependency and compute
CURRENT_PACKAGE_VERSION / NEW_PACKAGE_VERSION) but then re-runs npm install
`@dashevo/evo-sdk` which can re-resolve and rewrite package.json; replace that npm
install step with a lockfile-only refresh (run npm install --package-lock-only)
so package.json changes made by jq are preserved while the lockfile is updated
without re-resolving the dependency.

---

Duplicate comments:
In @.github/workflows/dependency-update.yml:
- Around line 38-53: The script is comparing LATEST_DASH_VERSION against the
package.json range (CURRENT_DASH_VERSION / DASH_VERSION_NUMBER), which can be a
ranged spec and cause false positives; change it to compare against the actually
installed/resolved version by running npm ls `@dashevo/evo-sdk` --json (or reading
package-lock.json) to extract the resolved version (e.g., RESOLVED_DASH_VERSION)
and use that in the semver check instead of DASH_VERSION_NUMBER; update the
IS_HIGHER assignment to run npx semver "$LATEST_DASH_VERSION" -r
">$RESOLVED_DASH_VERSION" (or equivalent) and ensure you fall back gracefully if
npm ls fails.

---

Nitpick comments:
In @.github/workflows/dependency-update.yml:
- Around line 45-46: The workflow uses `npm show `@dashevo/evo-sdk` version` to
set LATEST_DASH_VERSION which can return prerelease tags; change the logic that
sets LATEST_DASH_VERSION / LATEST_MINOR_PATCH to explicitly fetch all versions
and select the greatest non-prerelease release instead of relying on dist-tags
(replace the `npm show` invocation used to set LATEST_DASH_VERSION and the `cut`
logic for LATEST_MINOR_PATCH). Implement this by using `npm view ... versions
--json` and filtering out prerelease entries (e.g., via `jq` with a regex that
removes entries containing `-` or letters) or by piping the versions into a
small Node script that uses the semver module to pick the max non-prerelease
version, then derive LATEST_MINOR_PATCH from that stable version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f7c12ce8-4d0a-4f0d-ad2b-fecd3c55db65

📥 Commits

Reviewing files that changed from the base of the PR and between 535d6c0 and 3fe8cb2.

📒 Files selected for processing (1)

• .github/workflows/dependency-update.yml