
chore(ci): add fresh-install failure Slack alert and ignore hono alerts#2648

Merged
nperez0111 merged 2 commits into main from cursor/dependabot-slack-security-e654
Apr 16, 2026

Conversation

@nperez0111
Contributor

@nperez0111 nperez0111 commented Apr 16, 2026

Summary

Add workflow-level Slack failure notifications for Fresh Install Tests (including the failed step), harden webhook payload/transport behavior, and update Dependabot configuration to ignore Hono-related dependencies used only by the demo AI server.

Rationale

The fresh install workflow is intended to surface dependency breakages early. A direct Slack notification shortens time-to-detection and includes enough context to triage immediately. Hardening payload generation and webhook delivery improves reliability and avoids malformed JSON issues. Separately, suppressing Hono alerts reduces noise for packages outside the primary editor/runtime surface.

Changes

  • Updated .github/workflows/fresh-install-tests.yml:
    • Added stable id values to each key step.
    • Added a final Notify Slack on workflow failure step gated by if: ${{ failure() }}.
    • Notification includes repository, workflow, branch, run link, run attempt, and the specific failed step.
    • Replaced heredoc JSON construction with jq --null-input --arg text "$message" '{text: $text}' for safe JSON encoding.
    • Hardened webhook call with curl --fail --retry 4 --retry-all-errors --retry-max-time 60 --connect-timeout 10 --max-time 30.
    • Gracefully no-ops if SLACK_WEBHOOK_URL secret is not configured.
  • Updated .github/dependabot.yml:
    • Added ignore rules for hono, @hono/node-server, and @hono/*.

Impact

  • Better operational visibility for fresh dependency resolution failures.
  • More robust Slack notification behavior under malformed-content and transient-network scenarios.
  • Lower Dependabot noise from demo-server-only Hono packages.
  • No runtime behavior changes to product code.

Testing

  • Validated YAML parsing via Python (yaml.safe_load) for modified workflow and dependabot files.
  • Verified git diff and branch push succeeded.

Screenshots/Video

N/A

Checklist

  • Code follows the project's coding standards.
  • Unit tests covering the new feature have been added.
  • All existing tests pass.
  • The documentation has been updated to reflect the new feature.

Additional Notes

  • Ensure repository secret SLACK_WEBHOOK_URL is set for notifications to send.
  • Assumes jq is available on GitHub-hosted Ubuntu runners (it is preinstalled on ubuntu-latest).

Summary by CodeRabbit

  • Chores
    • Prevented automatic dependency updates for Hono-related packages.
    • Improved CI test workflow to label steps explicitly and send Slack notifications on failures, including which step failed and a link to the run.

Co-authored-by: Nick Perez <computers@nickthesick.com>
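The PR description above lists the two hardening points of the notification step (jq-built payload, hardened curl with a graceful no-op when the secret is absent) without showing them side by side. The script below is an added example, not the project's workflow file: it puts the fragile heredoc construction next to the jq version, and reproduces the skip-if-unset and curl flag behaviour as plain shell functions. The repository, workflow, branch, run URL and failed-step values are constructed arguments standing in for the `${{ github.* }}` and `steps.<id>.outcome` expressions the real step uses.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow file. It reproduces the two
# behaviours the PR describes for the "Notify Slack on workflow failure" step:
# JSON payload built with jq instead of a heredoc, and a hardened curl call
# that no-ops when SLACK_WEBHOOK_URL is unset.
set -eu

# The fragile "before": shell interpolation into a JSON template. A message
# containing a double quote, a backslash or a newline yields invalid JSON.
unsafe_payload() {
  cat <<EOF
{"text": "$1"}
EOF
}

# The hardened "after": jq encodes the message as a JSON string, so any
# bytes in $1 are escaped correctly. --compact-output keeps it on one line.
safe_payload() {
  jq --null-input --compact-output --arg text "$1" '{text: $text}'
}

# Builds the same kind of message the workflow posts. In GitHub Actions these
# come from ${{ github.repository }}, ${{ github.workflow }},
# ${{ github.ref_name }}, ${{ github.run_id }}, ${{ github.run_attempt }} and a
# failed-step name derived from steps.<id>.outcome; here they are plain
# arguments so the function runs offline.
failure_message() {
  repo="$1" workflow="$2" branch="$3" run_url="$4" attempt="$5" failed_step="$6"
  printf ':x: %s failed in %s\nBranch: %s\nFailed step: %s\nRun (attempt %s): %s\n' \
    "$workflow" "$repo" "$branch" "$failed_step" "$attempt" "$run_url"
}

# Posts the payload. Returns 0 (skips) when no webhook is configured, so the
# notification step never turns a run red on its own; otherwise curl --fail
# makes HTTP 4xx/5xx an error and the retry/timeout flags bound transient
# network failures instead of hanging the job.
notify_slack() {
  message="$1"
  if [ -z "${SLACK_WEBHOOK_URL:-}" ]; then
    echo "SLACK_WEBHOOK_URL not set; skipping Slack notification" >&2
    return 0
  fi
  payload="$(safe_payload "$message")"
  curl --silent --show-error --fail \
    --retry 4 --retry-all-errors --retry-max-time 60 \
    --connect-timeout 10 --max-time 30 \
    --header 'Content-Type: application/json' \
    --data "$payload" "$SLACK_WEBHOOK_URL"
}

# Usage (the webhook URL is read from the environment, as from a repository
# secret, never passed on the command line where it would land in logs):
#   SLACK_WEBHOOK_URL=https://hooks.slack.com/services/... ./notify.sh
if [ "${0##*/}" = "notify.sh" ]; then
  msg="$(failure_message "org/repo" "Fresh Install Tests" "main" \
    "https://github.com/org/repo/actions/runs/123" "1" "Install dependencies")"
  notify_slack "$msg"
fi
```

Feeding `unsafe_payload` a step name that contains a double quote produces a body Slack rejects, which is exactly the malformed-JSON failure the PR's jq change removes; `safe_payload` returns valid JSON for the same input. The `--retry-all-errors` flag needs curl 7.71 or newer, which the GitHub-hosted Ubuntu runners satisfy.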
@vercel

vercel bot commented Apr 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project / Deployment / Actions / Updated (UTC)
blocknote: Ready, Preview, Apr 16, 2026 2:54pm
blocknote-website: Ready, Preview, Apr 16, 2026 2:54pm


@coderabbitai

coderabbitai bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8557de8d-59c9-439f-8582-33f25e59247f

📥 Commits

Reviewing files that changed from the base of the PR and between ba8523d and d727cef.

📒 Files selected for processing (1)
  • .github/workflows/fresh-install-tests.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/fresh-install-tests.yml

📝 Walkthrough

Walkthrough

Dependabot is configured to ignore hono packages for npm updates. The fresh-install-tests GitHub Actions workflow now assigns explicit step IDs and adds a conditional Slack notification step that posts a failure message including run/branch/workflow metadata and the failed step name.

Changes

Dependabot configuration (.github/dependabot.yml): Added an ignore entry to exclude hono, @hono/node-server, and @hono/* from Dependabot npm updates.
CI workflow updates (.github/workflows/fresh-install-tests.yml): Assigned explicit id values to workflow steps and added a conditional if: ${{ failure() }} Slack notification step that computes the failed step and posts a JSON payload to SLACK_WEBHOOK_URL via curl with retries.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Steps as Workflow Steps (checkout, setup, install, build, test...)
    participant Slack as Slack Webhook

    Runner->>Steps: execute steps with explicit ids
    Steps-->>Runner: outcomes per step (success | failure)
    alt any step failed
        Runner->>Runner: compute failed_step from steps.<id>.outcome
        Runner->>Slack: POST failure payload (repo, workflow, run, branch, failed_step)
        Slack-->>Runner: 200/timeout (curl handles retries)
    else all steps succeeded
        Runner-->>Slack: no notification sent
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML lines tonight,

Quieted hono from Dependabot's sight,
Steps now named, a failing bell will ring,
Slack gets a note—so we all can spring,
A carrot-toast to CI's bright light! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check (Passed): The title accurately and specifically describes the two main changes: adding Slack failure alerts to the fresh-install workflow and ignoring Hono dependencies in Dependabot configuration.
Description check (Passed): The description is comprehensive and follows the template structure with all major sections (Summary, Rationale, Changes, Impact, Testing, Checklist, Additional Notes) properly filled out with detailed information.
Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@pkg-pr-new

pkg-pr-new bot commented Apr 16, 2026

Preview packages for this PR:

  • @blocknote/ariakit: npm i https://pkg.pr.new/@blocknote/ariakit@2648
  • @blocknote/code-block: npm i https://pkg.pr.new/@blocknote/code-block@2648
  • @blocknote/core: npm i https://pkg.pr.new/@blocknote/core@2648
  • @blocknote/mantine: npm i https://pkg.pr.new/@blocknote/mantine@2648
  • @blocknote/react: npm i https://pkg.pr.new/@blocknote/react@2648
  • @blocknote/server-util: npm i https://pkg.pr.new/@blocknote/server-util@2648
  • @blocknote/shadcn: npm i https://pkg.pr.new/@blocknote/shadcn@2648
  • @blocknote/xl-ai: npm i https://pkg.pr.new/@blocknote/xl-ai@2648
  • @blocknote/xl-docx-exporter: npm i https://pkg.pr.new/@blocknote/xl-docx-exporter@2648
  • @blocknote/xl-email-exporter: npm i https://pkg.pr.new/@blocknote/xl-email-exporter@2648
  • @blocknote/xl-multi-column: npm i https://pkg.pr.new/@blocknote/xl-multi-column@2648
  • @blocknote/xl-odt-exporter: npm i https://pkg.pr.new/@blocknote/xl-odt-exporter@2648
  • @blocknote/xl-pdf-exporter: npm i https://pkg.pr.new/@blocknote/xl-pdf-exporter@2648

commit: d727cef

@nperez0111 nperez0111 marked this pull request as ready for review April 16, 2026 14:44

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

43-48: Minor redundancy in ignore patterns.

The pattern @hono/* already matches @hono/node-server, so line 47 is redundant (though harmless). You could simplify to just hono and @hono/*.

Also note that ignore suppresses both version updates and security advisories. If the demo AI server is publicly accessible or processes any sensitive data, you may want to monitor Hono security advisories separately.

♻️ Optional simplification
    ignore:
      # Hono packages are used only in the demo AI server and are not part of
      # the main editor/runtime surface area.
      - dependency-name: "hono"
-     - dependency-name: "@hono/node-server"
      - dependency-name: "@hono/*"
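Review bot: the simplification is sound, since `@hono/*` already matches `@hono/node-server`, but the remaining wildcard also silently covers any @hono-scoped package added to the repository later, and as noted above `ignore` suppresses security advisories as well as version bumps; the comment in the hunk says where the packages are used but not who tracks Hono advisories, so extend it with that (or a pointer to where they are monitored) so the next maintainer sees the trade-off before adding another Hono dependency.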
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 43 - 48, The ignore list contains a
redundant entry: "@hono/node-server" is already matched by "@hono/*"; remove the
specific "- dependency-name: "@hono/node-server"" entry and keep "-
dependency-name: "hono"" and "- dependency-name: "@hono/*"" instead, and
optionally document/consider monitoring Hono security advisories separately
since ignore suppresses advisories.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/fresh-install-tests.yml:
- Around line 98-108: The current heredoc assembly of the Slack JSON payload
into the variable payload and the plain curl call to "$SLACK_WEBHOOK_URL" are
fragile: build the JSON safely using jq (e.g., pass the message string variables
into jq to produce a proper {"text":...} JSON) instead of unescaped heredoc,
then replace the curl invocation to include --fail, --retry with backoff,
--connect-timeout and --max-time so HTTP 4xx/5xx and network hangs are surfaced
and transient errors retried; ensure you still pass the generated JSON as --data
"$payload" and keep using "$SLACK_WEBHOOK_URL".

---

Nitpick comments:
In @.github/dependabot.yml:
- Around line 43-48: The ignore list contains a redundant entry:
"@hono/node-server" is already matched by "@hono/*"; remove the specific "-
dependency-name: "@hono/node-server"" entry and keep "- dependency-name: "hono""
and "- dependency-name: "@hono/*"" instead, and optionally document/consider
monitoring Hono security advisories separately since ignore suppresses
advisories.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 44fa17f3-f171-45e3-bd8d-9b9ce1ca18ed

📥 Commits

Reviewing files that changed from the base of the PR and between 37df722 and ba8523d.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/fresh-install-tests.yml

Co-authored-by: Nick Perez <computers@nickthesick.com>
@nperez0111 nperez0111 merged commit 43a99b9 into main Apr 16, 2026
29 checks passed
@nperez0111 nperez0111 deleted the cursor/dependabot-slack-security-e654 branch April 16, 2026 14:54
