From eebd537256d5a468780b724bf56af7d876a5bd14 Mon Sep 17 00:00:00 2001 From: kaitoyama Date: Fri, 19 Jun 2026 17:51:54 +0900 Subject: [PATCH] chore: harden setup scaffold review fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - rpc route: correct the misleading "lazy db" comment — oRPC resolves context.db on every request, so DATABASE_URL is required even for DB-free procedures like health.check - README: document that DATABASE_URL must be set before `pnpm dev` - packages/api: drop unused @orpc/client dependency (sync lockfile) - ci: pin actions/checkout, pnpm/action-setup, actions/setup-node to commit SHAs (supply-chain hardening) Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01VN8mBbNBEg6wBYt9T5zD1e --- .github/workflows/ci.yml | 6 +++--- README.md | 4 +++- apps/web/server/routes/rpc/[...].ts | 6 +++++- packages/api/package.json | 1 - pnpm-lock.yaml | 3 --- 5 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ca10bff..02d8c06 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,11 +9,11 @@ jobs: ci: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22 cache: pnpm diff --git a/README.md b/README.md index 8c3dba2..7be7e3c 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ Nuxt's Nitro server at `apps/web/server/routes/rpc/[...].ts`, and the typed clie ```bash pnpm install -cp .env.example .env +cp .env.example .env # required — DATABASE_URL must be set before `pnpm dev` docker compose up -d # start MariaDB pnpm db:migrate # apply migrations @@ -36,6 +36,8 @@ pnpm dev # Nuxt dev server → http://localhost:3000 ``` The home page calls the `health.check` oRPC procedure to confirm the front → Nitro → oRPC wiring. +`health.check` doesn't query the database, but every oRPC request resolves `context.db`, so a +missing `DATABASE_URL` surfaces as a 500 on the home page — copy `.env` first. ## Scripts diff --git a/apps/web/server/routes/rpc/[...].ts b/apps/web/server/routes/rpc/[...].ts index 684c508..9d2efb3 100644 --- a/apps/web/server/routes/rpc/[...].ts +++ b/apps/web/server/routes/rpc/[...].ts @@ -7,7 +7,11 @@ export default defineEventHandler(async (event) => { const { matched, response } = await handler.handle(toWebRequest(event), { prefix: '/rpc', context: { - // Lazy: only opens a DB connection when a procedure actually reads it. + // A single mysql2 pool is created on first use and cached per server + // instance (see useDatabase); the pool itself connects lazily. Note that + // oRPC reads context.db for *every* request, so DATABASE_URL must be set + // even for DB-free procedures like health.check — the getter only defers + // creation, it does not make it conditional on the procedure. get db() { return useDatabase() }, diff --git a/packages/api/package.json b/packages/api/package.json index abc0b5a..fd4ffc7 100644 --- a/packages/api/package.json +++ b/packages/api/package.json @@ -11,7 +11,6 @@ }, "dependencies": { "@checkin/db": "workspace:*", - "@orpc/client": "^1.14.0", "@orpc/server": "^1.14.0" }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index dbf0252..6b2910c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -54,9 +54,6 @@ importers: '@checkin/db': specifier: workspace:* version: link:../db - '@orpc/client': - specifier: ^1.14.0 - version: 1.14.6 '@orpc/server': specifier: ^1.14.0 version: 1.14.6(crossws@0.4.6(srvx@0.11.16))(ws@8.21.0)