ci: add changeset coverage check

[PaulNewling]

New composite action actions/changeset/check-coverage — fails when a PR's changesets don't bump every workspace package the PR modifies. Catches the catalog-software gap (a pnpm-workspace.yaml catalog version bumped without a matching changeset for the consuming workflow package).

Wired into the check-changesets job in node-simple-pnpm.yaml as a continue-on-error: true step. Reports missing packages in the job log. Never blocks merge today.

How "modified" is detected

1. Direct package edits — pnpm -r --filter '[origin/<base>]' list selects packages whose own files changed. pnpm runs the per-package git diff itself, so no manual longest-prefix matching or ignore-list maintenance.
2. Catalog bumps in pnpm-workspace.yaml — yq flattens .catalog and .catalogs.* to key=value; uniq -u over old vs head gives the changed keys; jq then finds every workspace consumer that depends on the key via "catalog:...". Structural parse avoids the false-positive surface of a regex on the raw diff (e.g. an unrelated overrides.<name> bump no longer leaks into the catalog path).

Skips private (unpublished) packages — they never appear in a changeset's release set.

Tests

actions/changeset/check-coverage/test/ ships a bats suite (14 cases) against a minimal pnpm-workspace fixture. .github/workflows/0-test-changeset-coverage.yaml runs it on every PR that touches the action source.

Local: bats actions/changeset/check-coverage/test/coverage.bats. See test/README.md for fixture and runner deps.

Known follow-ups (out of scope here)

• Named-catalog over-reporting. The consumer-match jq predicate uses startswith("catalog"), so it doesn't distinguish "catalog:" from "catalog:<name>". Not exercised today (no named catalogs in target repo). Tighten when .catalogs.* are introduced and add a fixture variant for them.
• continue-on-error: true ramp. Stays warn-only through the canary. Tighten to blocking after the gate proves itself — same conditional as the surrounding preflight-* jobs fits: enforce on changeset-default-branch and merge_group, warn-only on PRs.
• Pre-existing sed-scope bug in merge-beta.sh / fix-beta.sh. Flagged separately. The sed flips third-party refs too, leaving actions/checkout@v4-beta etc. unresolvable while the workflow lives on v4-beta. Not addressed in this PR; ticket open.

Greptile Summary

This PR introduces a new actions/changeset/check-coverage composite action that detects when a PR modifies workspace packages without a corresponding changeset bump, wired into the check-changesets job as a non-blocking (continue-on-error: true) step. It is accompanied by a bats test suite and a dedicated CI workflow.

• check-coverage.sh: detects two categories of missed bumps — direct file edits inside a workspace package (via pnpm --filter '[origin/base]' list) and catalog version changes in pnpm-workspace.yaml (via structural yq diffing of .catalog/.catalogs); exits 1 on a gap, 2 on tooling failure, 0 on clean coverage.
• coverage.bats + helpers.bash: thirteen bats tests covering the main paths (direct edits, catalog bumps, private packages, partial coverage, empty changesets) using a shared pnpm install base with per-test tar-copied workspaces for speed.
• node-simple-pnpm.yaml: the coverage check is added after the existing "Check for Changesets" step with if: always() so it runs even when there are no changesets yet, surfacing every un-bumped package at once.

Confidence Score: 5/5

Safe to merge; the coverage check is non-blocking and the core detection logic is solid for the common single-catalog case.

The change is entirely additive and non-blocking. The detection logic is well-tested with a thorough bats suite. The two edge cases flagged have no impact on the critical path and won't cause data loss or incorrect merge decisions.

The cat_pairs section of check-coverage.sh (lines 163–178) is worth revisiting if the repo ever adopts multiple named catalogs with overlapping package keys.

Important Files Changed

Filename	Overview
actions/changeset/check-coverage/check-coverage.sh	Core coverage-check logic; two minor edge cases: named-catalog consumers can be over-flagged, and the ::error:: annotations lack file/line targeting claimed in the PR description.
.github/workflows/node-simple-pnpm.yaml	Wires the new coverage-check step with continue-on-error: true; always() condition runs even on job cancellation — consider adding !cancelled().
.github/workflows/0-test-changeset-coverage.yaml	New test workflow; installs bats explicitly but relies on pre-installed mikefarah/yq — the verify step provides a clear failure message if it's ever absent.
actions/changeset/check-coverage/action.yaml	Minimal composite action definition; delegates entirely to the shell script via ACTION_PATH and BASE_BRANCH env vars.
actions/changeset/check-coverage/test/coverage.bats	Good bats suite covering direct edits, catalog bumps, partial coverage, private packages, and empty-changeset corner cases.
actions/changeset/check-coverage/test/helpers.bash	Clean test helpers; shared pnpm install with tar-based per-test workspace copies is a good pattern for speed.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[check-changesets job] --> B[pnpm install]
    B --> C[Check for Changesets\npnpm changeset status]
    C -->|always| D[check-coverage action]
    D --> E{run check-coverage.sh}
    E --> F[1. Build bumped_set\nchangeset status --output JSON]
    E --> G[2a. Build required_set\npnpm filter list direct edits]
    E --> H{pnpm-workspace.yaml\nchanged?}
    H -->|yes| I[2b. yq diff old vs new\ncatalog entries]
    I --> J[Find consumers of\ntouched catalog keys\nvia jq in package.json]
    J --> K[Add to required_set]
    G --> K
    F --> L{required_set minus\nbumped_set}
    K --> L
    L -->|empty| M[exit 0]
    L -->|non-empty| N[emit error annotations\nexit 1]
    N --> O[continue-on-error: true\njob continues]

Loading

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
.github/workflows/node-simple-pnpm.yaml:586-588
The `always()` condition will execute this step even when the job is cancelled mid-run (e.g. a manual cancel or a concurrency group eviction). Adding `!cancelled()` avoids wasting runner minutes on a dead workflow run.

```suggestion
        if: |
          always() && !cancelled() &&
          (github.event_name == 'pull_request' || github.event_name == 'merge_group')
```

### Issue 2 of 3
actions/changeset/check-coverage/check-coverage.sh:189-192
The filter `startswith("catalog")` matches any version spec that starts with the literal string "catalog". The pnpm protocol prefix is always `catalog:` (with a colon), so `startswith("catalog:")` is the more precise guard and avoids any hypothetical false match from a non-pnpm value that happened to begin with "catalog".

```suggestion
        if jq -e --arg k "${key}" '
            [.dependencies?, .devDependencies?, .peerDependencies?, .optionalDependencies?]
            | map(select(. != null) | to_entries) | add // []
            | map(select(.key == $k and ((.value // "") | startswith("catalog:"))))
```

### Issue 3 of 3
actions/changeset/check-coverage/check-coverage.sh:163-178
**Named-catalog changes can over-flag unrelated consumers**

`cat_pairs` flattens both `.catalog` and all named `.catalogs` into a single stream that loses which named catalog each entry belongs to. When two named catalogs both declare the same package at different pinned versions and only one pin changes, `sort | uniq -u` still emits the bare package name as "touched." The downstream consumer search then requires bumps from packages that reference the *unchanged* named catalog too. Repos using multiple named catalogs with overlapping package names will see persistent false-positive coverage-gap annotations.

_{Reviews (2): Last reviewed commit: "Revert "Fix incomplete revert: flip rema..." | Re-trigger Greptile}

[PaulNewling]

@greptileai