ci: update github workflows #382

Merged
AlemTuzlak merged 2 commits into main from update-workflows
Mar 17, 2026

@lachlancollins (Member) commented Mar 17, 2026

🎯 Changes

Sync changes from other TanStack projects

Add changeset version preview (see TanStack/router#6937 and TanStack/config#356)

✅ Checklist

  • I have followed the steps in the Contributing guide.
  • I have tested this code locally with pnpm run test:pr.

🚀 Release Impact

  • This change affects published code, and I have generated a changeset.
  • This change is docs/CI/dev-only (no release).

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions to latest versions for improved CI/CD reliability.
    • Enhanced development workflow configurations and updated development tooling dependencies.

@lachlancollins requested a review from a team March 17, 2026 13:33

changeset-bot bot commented Mar 17, 2026

⚠️ No Changeset found

Latest commit: ae541e6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


github-actions bot (Contributor) commented Mar 17, 2026

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

coderabbitai bot (Contributor) commented Mar 17, 2026

📝 Walkthrough

GitHub Actions versions are bumped across three workflows (actions/checkout v6.0.2, changesets/action v1.7.0), action references are normalized to TanStack capitalization, @changesets/cli dependency is updated to ^2.30.0, a new version-preview job is added to the PR workflow, and a Commit Generated Docs step is added to the release workflow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Version Bumps (.github/workflows/autofix.yml, .github/workflows/pr.yml, .github/workflows/release.yml) | Updated actions/checkout from v6.0.1 to v6.0.2 across all workflows. Upgraded changesets/action from v1.5.3 to v1.7.0 in release workflow. |
| Action Reference Normalization (.github/workflows/autofix.yml, .github/workflows/pr.yml, .github/workflows/release.yml) | Standardized casing from tanstack to TanStack for config setup and changeset-preview actions across all workflows. |
| PR Workflow Enhancements (.github/workflows/pr.yml) | Removed path ignore filters for docs/, media/, and **/*.md in PR trigger. Added permissions.pull-requests: write. Introduced new version-preview job with checkout, setup tools, and changeset preview steps. |
| Release Workflow Updates (.github/workflows/release.yml) | Upgraded changesets/action to v1.7.0, removed GITHUB_TOKEN env from changesets step, changed string literals to single quotes, added Commit Generated Docs step with PR creation flow. |
| Package Dependency Update (package.json) | Bumped @changesets/cli from ^2.29.8 to ^2.30.0. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A Rabbit's Delight

Version bumps and names aligned with care,
TanStack's case now shining bright and fair,
New preview jobs dance through the PR,
Docs committed bold—we've gone quite far! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'ci: update github workflows' is vague and generic, using non-descriptive phrasing that doesn't convey the specific nature of the changes beyond a broad reference to workflow updates. | Consider a more specific title that highlights the main objective, such as 'ci: update github actions and add changeset preview' to better reflect the key changes. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The description follows the required template structure, includes all sections, and clearly explains the changes with references to related PRs and checklist items completed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


nx-cloud bot commented Mar 17, 2026

View your CI Pipeline Execution ↗ for commit ae541e6

| Command | Status | Duration | Result |
|---|---|---|---|
| nx run-many --targets=build --exclude=examples/** | ✅ Succeeded | 2s | View ↗ |
| nx affected --targets=test:sherif,test:knip,tes... | ✅ Succeeded | 2m 59s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-03-17 13:44:39 UTC

pkg-pr-new bot commented Mar 17, 2026

@tanstack/ai

npm i https://pkg.pr.new/@tanstack/ai@382

@tanstack/ai-anthropic

npm i https://pkg.pr.new/@tanstack/ai-anthropic@382

@tanstack/ai-client

npm i https://pkg.pr.new/@tanstack/ai-client@382

@tanstack/ai-devtools-core

npm i https://pkg.pr.new/@tanstack/ai-devtools-core@382

@tanstack/ai-elevenlabs

npm i https://pkg.pr.new/@tanstack/ai-elevenlabs@382

@tanstack/ai-event-client

npm i https://pkg.pr.new/@tanstack/ai-event-client@382

@tanstack/ai-fal

npm i https://pkg.pr.new/@tanstack/ai-fal@382

@tanstack/ai-gemini

npm i https://pkg.pr.new/@tanstack/ai-gemini@382

@tanstack/ai-grok

npm i https://pkg.pr.new/@tanstack/ai-grok@382

@tanstack/ai-groq

npm i https://pkg.pr.new/@tanstack/ai-groq@382

@tanstack/ai-ollama

npm i https://pkg.pr.new/@tanstack/ai-ollama@382

@tanstack/ai-openai

npm i https://pkg.pr.new/@tanstack/ai-openai@382

@tanstack/ai-openrouter

npm i https://pkg.pr.new/@tanstack/ai-openrouter@382

@tanstack/ai-preact

npm i https://pkg.pr.new/@tanstack/ai-preact@382

@tanstack/ai-react

npm i https://pkg.pr.new/@tanstack/ai-react@382

@tanstack/ai-react-ui

npm i https://pkg.pr.new/@tanstack/ai-react-ui@382

@tanstack/ai-solid

npm i https://pkg.pr.new/@tanstack/ai-solid@382

@tanstack/ai-solid-ui

npm i https://pkg.pr.new/@tanstack/ai-solid-ui@382

@tanstack/ai-svelte

npm i https://pkg.pr.new/@tanstack/ai-svelte@382

@tanstack/ai-vue

npm i https://pkg.pr.new/@tanstack/ai-vue@382

@tanstack/ai-vue-ui

npm i https://pkg.pr.new/@tanstack/ai-vue-ui@382

@tanstack/preact-ai-devtools

npm i https://pkg.pr.new/@tanstack/preact-ai-devtools@382

@tanstack/react-ai-devtools

npm i https://pkg.pr.new/@tanstack/react-ai-devtools@382

@tanstack/solid-ai-devtools

npm i https://pkg.pr.new/@tanstack/solid-ai-devtools@382

commit: ae541e6

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/autofix.yml (1)

21-23: Pin workflow actions to immutable commit SHAs.

Both actions/checkout@v6.0.2 and TanStack/config/.github/setup@main should be pinned to specific commit SHAs instead of version tags or branch references. This hardens CI supply-chain integrity and prevents unexpected changes when branch heads or tags are updated.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/autofix.yml around lines 21 - 23, Replace the floating
references in the workflow "uses" fields with immutable commit SHAs: change
actions/checkout@v6.0.2 to actions/checkout@<commit-sha> and
TanStack/config/.github/setup@main to TanStack/config/.github/setup@<commit-sha>
(use the exact commit SHAs for the versions you want to pin), update both uses
entries accordingly, and verify the chosen SHAs correspond to the expected
releases/commits before committing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5dfe3ac2-fbf3-4206-a704-0ef769ad2b69

📥 Commits

Reviewing files that changed from the base of the PR and between c2b2059 and ae541e6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .github/workflows/autofix.yml
  • .github/workflows/pr.yml
  • .github/workflows/release.yml
  • package.json

Comment on lines 13 to 16
permissions:
  contents: read
  pull-requests: write


⚠️ Potential issue | 🟠 Major

Scope pull-requests: write to the job that needs it.

Setting write permission at workflow scope over-privileges test, preview, and provenance. Keep workflow-level permissions read-only and grant PR write only in version-preview.

Suggested permission scoping
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
+  version-preview:
+    permissions:
+      contents: read
+      pull-requests: write
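Review bot: In the added `version-preview:` block, the `contents: read` line looks redundant next to the workflow-level `permissions:` but is not, because a job-level `permissions:` key replaces the workflow-level set instead of extending it; a short YAML comment on that line would stop it being deleted later as a duplicate. The hunk also shows only the `permissions:` part of the job, so it needs to be merged into the existing `version-preview` definition rather than pasted in as a second `version-preview:` key under `jobs:`.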
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
  contents: read
  pull-requests: write

permissions:
  contents: read
jobs:
  version-preview:
    permissions:
      contents: read
      pull-requests: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr.yml around lines 13 - 16, The workflow currently grants
pull-requests: write at the top-level permissions block (permissions: contents:
read, pull-requests: write), which over-privileges jobs; remove or revert the
top-level pull-requests: write so workflow-level permissions remain read-only
and instead add a job-level permissions entry granting pull-requests: write only
to the version-preview job (e.g., under the job named version-preview add
permissions: pull-requests: write and keep other jobs like test, preview,
provenance without that write permission). Ensure the top-level permissions
block retains contents: read only and that only the version-preview job contains
the scoped pull-requests: write permission.
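
A check for the two findings raised in this review, as an added example (not code from this PR or from CodeRabbit): a standard-library pass over workflow text that lists `uses:` references not pinned to a 40-character commit SHA and the scopes granted `write` by the workflow-level `permissions:` key. The sample workflow is constructed, its job bodies and the all-zero SHA are placeholders, and the line-based parsing assumes block-style, conventionally indented YAML.

```python
import re

PLACEHOLDER_SHA = "0" * 40  # placeholder, not a real commit
# Constructed sample modelled on the pr.yml under review; job bodies are hypothetical.
SAMPLE_WORKFLOW = f"""\
on: pull_request
permissions:
  contents: read
  pull-requests: write
jobs:
  test:
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: TanStack/config/.github/setup@main
  version-preview:
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
"""

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(text):
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a `uses:` line, or a local action / container image
        ref = m.group(1)
        if not SHA_RE.fullmatch(ref.partition("@")[2]):
            findings.append((no, ref))
    return findings

def workflow_level_writes(text):
    """Return scopes granted `write` by the top-level `permissions:` key."""
    scopes, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("#")[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # any top-level key opens or closes the block
            key, _, value = line.partition(":")
            in_block = key == "permissions" and not value.strip()
            if key == "permissions" and value.strip() == "write-all":
                scopes.append("write-all")
        elif in_block and line.strip().endswith(": write"):
            scopes.append(line.strip().partition(":")[0])
    return scopes
```

Job-level `permissions:` blocks are deliberately not reported by `workflow_level_writes`, since scoping write access to a single job is the layout the review asks for.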

@AlemTuzlak merged commit 0c75969 into main Mar 17, 2026
7 checks passed
@AlemTuzlak deleted the update-workflows branch March 17, 2026 17:13