build: upgrade turbo to 2.7.6 and optimize CI with affected task filtering

[Newbie012]

Summary by CodeRabbit

• Chores
  • Upgraded build orchestration with improved task consolidation for faster CI/CD pipelines.
  • Updated GitHub Actions and build tool dependencies to latest stable versions.
  • Optimized build process configuration for enhanced performance and consistency across environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: c842bf3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
safeql	Ignored		Jan 26, 2026 7:30pm

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes modernize CI/CD and build infrastructure by consolidating separate npm scripts into unified Turbo commands, upgrading GitHub Actions checkout from v3 to v4, bumping Turbo dependency from 2.4.4 to 2.7.6, and introducing new task dependencies and schema updates in turbo.json configuration.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/ci.yml, .github/workflows/release.yml	CI workflow now uses fixed Node.js 20.x and consolidates separate build/typecheck/lint/test steps into unified turbo run commands with --affected flag. Release workflow upgraded from actions/checkout@v3 to v4.
Build Configuration package.json, turbo.json	Package.json updated: dev script simplified to turbo run dev and turbo bumped from ^2.4.4 to ^2.7.6. Turbo.json: schema URL updated to v2, new transit task introduced with dependsOn chain, typecheck now depends on transit instead of ^typecheck, new lint and lint! tasks added, and new dev task with cache disabled and persistent flag enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Turbo's gears now spin as one,
No more scattered tasks to run,
Transit flows through lint and build,
With v2 schema, promises fulfilled!
Faster hops, cleaner deps—
This workflow takes confident steps! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: upgrading turbo to 2.7.6 and optimizing CI with affected task filtering, which aligns with the core modifications across package.json, turbo.json, and CI workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c842bf326e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid --affected on main pushes to keep CI coverage

The new --affected runs here mean CI will skip build/typecheck/lint/test on pushes to main, because Turbo’s help text says --affected “Filter[s] to only packages that are affected by changes between the current branch and main”; on a push to main, the current branch is main, so the diff is empty and no packages are considered affected, leaving these checks as no-ops on main. This risks regressions landing on main without any of these tasks running; consider gating --affected to PRs only or passing an explicit base/head range for main builds.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR upgrades Turbo from 2.4.4 to 2.7.6 and optimizes the CI workflow to only run tasks on affected packages using the --affected flag. The changes also fix a bug where ${{ matrix.node-version }} was referenced but never defined in the CI matrix, now hardcoded to 20.x which matches the engine requirement in package.json.

Key changes:

• Upgraded Turbo to 2.7.6 with updated schema (turborepo.dev/schema.v2.json)
• CI now uses pnpm turbo run build typecheck lint --affected instead of running all tasks sequentially
• Tests now use pnpm turbo run test --affected for faster CI on incremental changes
• Fixed CI bug: replaced undefined ${{ matrix.node-version }} with hardcoded 20.x
• Updated actions/checkout to v4 in release workflow
• Simplified dev script to use turbo run dev instead of pnpm parallel execution
• Added new turbo tasks: transit, dev, and lint! with proper dependency chains

Critical issue:
The transit task is referenced as a dependency for typecheck, lint, and lint! tasks in turbo.json, but this task is not defined in any package's package.json scripts. This will cause these tasks to fail when executed.

Confidence Score: 2/5

• This PR has a critical configuration error that will break the build system
• The transit task is referenced in turbo.json but not implemented in any package, causing typecheck, lint, and lint! tasks to fail. While the Turbo upgrade and CI optimization are sound improvements, this missing dependency blocks core functionality.
• Pay close attention to turbo.json - the transit task must be either implemented in all packages or removed from the dependency chain

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Optimized CI workflow with affected task filtering and fixed node-version bug
package.json	Upgraded turbo to 2.7.6 and simplified dev script to use turbo
turbo.json	Updated schema and added new tasks, but references undefined transit task

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant CI as CI Workflow
    participant Turbo as Turbo (2.7.6)
    participant Tasks as Build/Test Tasks
    
    GHA->>CI: Trigger on PR/Push
    CI->>CI: Checkout code
    CI->>CI: Setup Node 20.x
    CI->>CI: Install dependencies (pnpm)
    CI->>CI: Run setup script
    
    Note over CI,Turbo: Old: Sequential execution<br/>New: Affected tasks only
    
    CI->>Turbo: run build typecheck lint --affected
    Turbo->>Turbo: Analyze git changes
    Turbo->>Tasks: Execute only affected tasks
    Tasks-->>Turbo: Build/typecheck/lint results
    Turbo-->>CI: Task results
    
    CI->>CI: Run format check
    
    CI->>Turbo: run test --affected
    Turbo->>Turbo: Analyze git changes
    Turbo->>Tasks: Execute only affected tests
    Tasks-->>Turbo: Test results
    Turbo-->>CI: Test results
    
    CI-->>GHA: CI Complete

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

transit task is not defined in any package.json scripts. Tasks that depend on this (typecheck, lint, lint!) will fail when executed.

Check that all packages have a transit script defined, or remove this task and its dependencies from turbo.json.

Prompt To Fix With AI

This is a comment left during a code review.
Path: turbo.json
Line: 9:10

Comment:
`transit` task is not defined in any package.json scripts. Tasks that depend on this (`typecheck`, `lint`, `lint!`) will fail when executed.

Check that all packages have a `transit` script defined, or remove this task and its dependencies from turbo.json.

How can I resolve this? If you propose a fix, please make it concise.

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In @.github/workflows/release.yml:
- Line 15: The checkout step currently uses "uses: actions/checkout@v4" with the
default shallow fetch; update the checkout action to pass the fetch-depth option
so changesets can inspect full history and tags (i.e., add fetch-depth: 0 as an
input for the actions/checkout@v4 step). Locate the step using "uses:
actions/checkout@v4" and add the fetch-depth: 0 input beneath it so the workflow
performs a full clone for changesets compatibility.

In `@package.json`:
- Line 15: The dev script currently runs "turbo run dev" which only executes in
workspaces that define a "dev" script; confirm whether demos and docs should
participate and if so, add a "dev" script to each missing package (notably
docs/package.json and the 15 demo packages) that starts the local dev server
(e.g., "dev": "next dev" or the appropriate framework command), or explicitly
exclude them by documenting this in the root package.json or replacing "turbo
run dev" with a workspace filter (e.g., "turbo run dev --filter=...") to target
only intended packages; locate the root "dev" script and the individual
package.json files for demos and docs to apply the change.

In `@turbo.json`:
- Around line 9-24: The turbo.json references a missing "transit" task which
breaks dependent tasks; either define a "transit" script in the relevant
package.json files or remove "transit" from the dependency lists of "typecheck",
"lint", and "lint!" (or remove the "transit" entry entirely from turbo.json).
Locate the symbols "transit", "typecheck", "lint", and "lint!" in turbo.json and
then either add a corresponding "transit" script to the packages that require it
or update the dependency arrays to no longer include "transit" so Turbo can run
without errors.
- Line 2: Update the "$schema" value in turbo.json to point to the correct Turbo
schema URL: replace "https://turborepo.dev/schema.v2.json" with either the
canonical domain "https://turborepo.com/schema.v2.json" for general v2
validation, or pin to your exact Turbo release (e.g.,
"https://v2-7-6.turborepo.dev/schema.json") so editor/schema validation exactly
matches your installed Turbo version.

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

51-53: --affected needs a reliable git base in CI.

Turbo’s affected calculation can be incorrect with shallow history. Consider fetching full history or explicitly setting the base/head refs.

♻️ Suggested checkout adjustment for accurate affected runs

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/release.yml

Repository: ts-safeql/safeql

Length of output: 973

---

🌐 Web query:

actions/checkout@v4 migration breaking changes new defaults requirements github actions

💡 Result:

actions/checkout@v4 migration: breaking changes, new defaults, requirements

Breaking / potentially breaking changes (vs @v3)

• Runtime bumped to Node.js 20 (actions/checkout@v4 runs as using: node20). This can break older self-hosted runners and/or runner OS images that don’t support Node 20. [1]
• Self-hosted runner requirement: update GitHub Actions Runner to v2.308.0+ to run Node 20–based JavaScript actions reliably. [2]
  • If you don’t, you can see errors like “'using: node20' is not supported…”. [5]
• Runner OS support impact (self-hosted): GitHub announced removal of runner support for several older OSes that don’t have official Node 20 support (e.g., CentOS/RHEL 7, Debian 9, Ubuntu 16.04, Windows 7/8.1, etc.). If you’re on these, checkout@v4 may not be viable without upgrading OS/runner. [3]

Notable behavior / defaults to be aware of

These aren’t new to v4, but commonly surprise people during upgrades:

• Shallow fetch by default: fetch-depth: 1 (only the triggering commit). Use fetch-depth: 0 for full history/tags. [4]
• Credentials persisted by default: auth token is written to git config so subsequent authenticated git commands work; set persist-credentials: false to opt out. [4]

Minimal migration change

- uses: actions/checkout@v4

Quick upgrade checklist

• GitHub-hosted runners: usually fine (runner is managed by GitHub). [3]
• Self-hosted runners:
  1. Upgrade runner to ≥ v2.308.0. [2]
  2. Ensure the host OS supports Node 20 (avoid the deprecated/removed OS list). [3]
  3. Re-run workflows and watch for Node20/runtime errors. [5]

---

🌐 Web query:

changesets action shallow fetch-depth git history requirements commit analysis

💡 Result:

• actions/checkout is shallow by default: it fetches only 1 commit (fetch-depth: 1). If your workflow needs more Git history (older commits, tags, branch merge-base, etc.), you must increase depth or fetch everything with fetch-depth: 0. [1][2]
• changesets/action itself doesn’t state a hard requirement for full Git history; it’s primarily creating/updating a release PR and committing version/changelog updates (via Git CLI or GitHub API modes). [3]
• When full history is effectively required: any “commit analysis” or logic that depends on history beyond HEAD—e.g., comparing against the base branch, finding merge-base, reading tags to determine the last release, generating release notes from commit ranges—will fail or behave incorrectly with a shallow clone. In those cases, use:

  - uses: actions/checkout@v4
    with:
      fetch-depth: 0

  This is also a common pattern in Changesets-related workflows. [1][4]

Rule of thumb: if you’re only running changeset version and committing results, shallow may work; if you’re doing any history/tag-based analysis, set fetch-depth: 0. [1][3]

References: [1] actions/checkout README, [2] GitHub Marketplace: Checkout, [3] changesets/action README, [4] GitHub Marketplace: “Changeset Action” example showing fetch-depth: 0.

---

Add fetch-depth: 0 to checkout@v4 for changesets compatibility.

The default shallow fetch (fetch-depth: 1) prevents changesets from analyzing commit history, tags, and merge-base—all needed to determine version bumps and detect package changes. Update line 15:

Diff

      - uses: actions/checkout@v4
+       with:
+         fetch-depth: 0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@v4
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

🤖 Prompt for AI Agents

In @.github/workflows/release.yml at line 15, The checkout step currently uses
"uses: actions/checkout@v4" with the default shallow fetch; update the checkout
action to pass the fetch-depth option so changesets can inspect full history and
tags (i.e., add fetch-depth: 0 as an input for the actions/checkout@v4 step).
Locate the step using "uses: actions/checkout@v4" and add the fetch-depth: 0
input beneath it so the workflow performs a full clone for changesets
compatibility.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all package.json files and check which ones have dev scripts
find . -name "package.json" -type f | head -20 | while read pf; do
  echo "=== $pf ==="
  grep -A 2 '"scripts"' "$pf" | grep -A 10 '"dev"' | head -3
done

Repository: ts-safeql/safeql

Length of output: 974

---

🏁 Script executed:

#!/bin/bash
# Simpler approach: list all package.json files and count dev scripts
echo "All package.json files:"
find . -name "package.json" -type f | sort

echo -e "\n\nPackage.json files with 'dev' script:"
rg -l '"dev"\s*:' --glob 'package.json'

echo -e "\n\nTotal dev scripts found:"
rg -c '"dev"\s*:' --glob 'package.json' | wc -l

Repository: ts-safeql/safeql

Length of output: 1135

---

Confirm Turbo dev script coverage across workspaces.

turbo run dev only executes in packages that define a dev script. Currently, only 7 of 23 workspaces have one:

• ✓ Root, packages (ast-types, eslint-plugin, generate, shared, sql-tag, test-utils)
• ✗ All 15 demos and docs/package.json lack dev scripts

If demos are intentionally excluded from turbo run dev, this is fine. However, verify whether the docs package should have a dev script.

🤖 Prompt for AI Agents

In `@package.json` at line 15, The dev script currently runs "turbo run dev" which
only executes in workspaces that define a "dev" script; confirm whether demos
and docs should participate and if so, add a "dev" script to each missing
package (notably docs/package.json and the 15 demo packages) that starts the
local dev server (e.g., "dev": "next dev" or the appropriate framework command),
or explicitly exclude them by documenting this in the root package.json or
replacing "turbo run dev" with a workspace filter (e.g., "turbo run dev
--filter=...") to target only intended packages; locate the root "dev" script
and the individual package.json files for demos and docs to apply the change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the turbo.json file
fd turbo.json -type f

Repository: ts-safeql/safeql

Length of output: 230

---

🌐 Web query:

Turbo 2.7.6 schema v2 compatibility turborepo

💡 Result:

Turbo 2.7.6 (i.e., Turborepo 2.x) is compatible with the turbo.json schema v2.

What to use in turbo.json:

• Major-version schema (v2):

  { "$schema": "https://turborepo.com/schema.v2.json" }

  This is the v2 config schema. [1]

• Best-practice for Turbo 2.7.6: pin the schema to your exact Turbo version (so editor validation always matches what your installed turbo understands):

  { "$schema": "https://v2-7-6.turborepo.dev/schema.json" }

  Version-pinned schemas are available (format shown in docs; available since Turbo 2.5.7). [2]

Note: Turborepo’s docs for 2.7.x also mention updating the $schema recommendation toward versioned schema URLs. [3]

Sources: [1] [2] [3]

---

🏁 Script executed:

# Fix the fd command - remove type flag with hyphen
fd turbo.json

Repository: ts-safeql/safeql

Length of output: 70

---

🏁 Script executed:

cat turbo.json

Repository: ts-safeql/safeql

Length of output: 677

---

Update schema URL to use correct domain or pin to Turbo version.

Turbo 2.7.6 supports schema v2, but the current URL uses .dev instead of .com. Use either https://turborepo.com/schema.v2.json for the major-version schema, or better yet, pin to your exact version: https://v2-7-6.turborepo.dev/schema.json for editor validation that exactly matches your installed Turbo version.

🤖 Prompt for AI Agents

In `@turbo.json` at line 2, Update the "$schema" value in turbo.json to point to
the correct Turbo schema URL: replace "https://turborepo.dev/schema.v2.json"
with either the canonical domain "https://turborepo.com/schema.v2.json" for
general v2 validation, or pin to your exact Turbo release (e.g.,
"https://v2-7-6.turborepo.dev/schema.json") so editor/schema validation exactly
matches your installed Turbo version.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# List packages defining transit/lint/lint! scripts
rg -n --glob 'package.json' '"transit"\s*:|"lint!"\s*:|"lint"\s*:'

Repository: ts-safeql/safeql

Length of output: 2778

---

🏁 Script executed:

#!/bin/bash
# Search specifically for "transit" script in all package.json files
echo "=== Searching for transit scripts ==="
rg -n '"transit"' --glob 'package.json'

# Also check turbo.json to understand the transit task dependencies
echo -e "\n=== Checking turbo.json transit configuration ==="
cat turbo.json

Repository: ts-safeql/safeql

Length of output: 766

---

Remove or define transit script - currently missing but required as a dependency.

The transit task is configured in turbo.json with dependents (typecheck, lint, lint! all depend on it), but no transit script is defined in any package.json file across the workspace. This will cause turbo to fail when attempting to run those tasks. Either add a transit script to the relevant packages, remove the transit task from turbo.json, or remove transit from the dependencies of typecheck, lint, and lint!.

The lint and lint! scripts are properly defined across all packages.

🤖 Prompt for AI Agents

In `@turbo.json` around lines 9 - 24, The turbo.json references a missing
"transit" task which breaks dependent tasks; either define a "transit" script in
the relevant package.json files or remove "transit" from the dependency lists of
"typecheck", "lint", and "lint!" (or remove the "transit" entry entirely from
turbo.json). Locate the symbols "transit", "typecheck", "lint", and "lint!" in
turbo.json and then either add a corresponding "transit" script to the packages
that require it or update the dependency arrays to no longer include "transit"
so Turbo can run without errors.