ci: add Knip dependency check

Add a dependency-only Knip CI shard, keep full unused-file mode manual, and scope pnpm's release-age override to the latest Knip dlx install.
2026-05-06 06:10:44 +00:00 · 2026-04-29 09:10:48 +01:00
parent 2c0449571c
commit 72cf700fbf
4 changed files with 31 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1199,6 +1199,9 @@ jobs:
          - check_name: check-lint
            task: lint
            runner: blacksmith-16vcpu-ubuntu-2404
+          - check_name: check-dependencies
+            task: dependencies
+            runner: ubuntu-24.04
          - check_name: check-policy-guards
            task: policy-guards
            runner: ubuntu-24.04
@@ -1281,6 +1284,9 @@ jobs:
            lint)
              pnpm lint --threads=8
              ;;
+            dependencies)
+              pnpm deadcode:dependencies
+              ;;
            policy-guards)
              pnpm lint:webhook:no-low-level-body-read
              pnpm lint:auth:no-pairing-store-group
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -8,6 +8,8 @@ read_when:

 The CI runs on every push to `main` and every pull request. It uses smart scoping to skip expensive jobs when only unrelated areas changed. Manual `workflow_dispatch` runs intentionally bypass smart scoping and fan out the full normal CI graph for release candidates or broad validation, with Android lanes opt-in through `include_android` for standalone manual runs. Release-only plugin prerelease lanes live in the separate `Plugin Prerelease` workflow and run only from `Full Release Validation` or an explicit manual dispatch.

+The `check-dependencies` shard runs `pnpm deadcode:dependencies`, a production Knip dependency-only pass pinned to the latest Knip version used by that script, with pnpm's minimum release age disabled for the `dlx` install. It gates newly unused, unlisted, unresolved, binary, or catalog dependencies without enabling Knip's full unused-file mode, which remains a manual audit because OpenClaw intentionally loads many plugin and runtime surfaces through manifests and string specifiers.
+
 `Full Release Validation` is the manual umbrella workflow for "run everything
 before release." It accepts a branch, tag, or full commit SHA, dispatches the
 manual `CI` workflow with that target, dispatches `Plugin Prerelease` for
--- a/knip.config.ts
+++ b/knip.config.ts
@@ -18,6 +18,7 @@ const rootEntries = [
 ] as const;

 const bundledPluginEntries = [
+  "*.ts!",
  "index.ts!",
  "setup-entry.ts!",
  "{api,contract-api,helper-api,runtime-api,light-runtime-api,update-offset-runtime-api,channel-plugin-api,provider-plugin-api,setup-api}.ts!",
@@ -26,6 +27,25 @@ const bundledPluginEntries = [
  "src/subagent-hooks-api.ts!",
 ] as const;

+const bundledPluginIgnoredRuntimeDependencies = [
+  "@agentclientprotocol/claude-agent-acp",
+  "@azure/identity",
+  "@clawdbot/lobster",
+  "@discordjs/opus",
+  "@homebridge/ciao",
+  "@matrix-org/matrix-sdk-crypto-wasm",
+  "@mozilla/readability",
+  "@openai/codex",
+  "@pierre/theme",
+  "@tloncorp/tlon-skill",
+  "@zed-industries/codex-acp",
+  "jiti",
+  "linkedom",
+  "openclaw",
+  "pdfjs-dist",
+  "typebox",
+] as const;
+
 const config = {
  ignoreFiles: [
    "scripts/**",
@@ -93,7 +113,7 @@ const config = {
  workspaces: {
    ".": {
      entry: rootEntries,
-      ignoreDependencies: ["@openclaw/*"],
+      ignoreDependencies: ["@openclaw/*", "sqlite-vec"],
      project: [
        "src/**/*.ts!",
        "scripts/**/*.{js,mjs,cjs,ts,mts,cts}!",
@@ -114,7 +134,7 @@ const config = {
      // `index.ts` contracts, so Knip needs these convention-based entry files.
      entry: bundledPluginEntries,
      project: ["index.ts!", "src/**/*.ts!"],
-      ignoreDependencies: ["openclaw"],
+      ignoreDependencies: bundledPluginIgnoredRuntimeDependencies,
    },
  },
 } as const;
--- a/package.json
+++ b/package.json
@@ -1300,6 +1300,7 @@
    "config:schema:check": "node --import tsx scripts/generate-base-config-schema.ts --check",
    "config:schema:gen": "node --import tsx scripts/generate-base-config-schema.ts --write",
    "deadcode:ci": "pnpm deadcode:report:ci:knip",
+    "deadcode:dependencies": "pnpm --config.minimum-release-age=0 dlx knip@6.8.0 --config knip.config.ts --production --no-progress --reporter compact --dependencies --no-config-hints",
    "deadcode:knip": "pnpm dlx knip --config knip.config.ts --production --no-progress --reporter compact --files --dependencies",
    "deadcode:report": "pnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unused",
    "deadcode:report:ci:knip": "mkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || true",