
Automate ComfyUI release bump workflow #1593

Open
benceruleanlu wants to merge 7 commits into main from ben/auto-bump-comfyui-release

@benceruleanlu benceruleanlu commented Feb 7, 2026

Summary

  • add a manual ComfyUI bump workflow via workflow_dispatch
  • auto-update config.comfyUI.version, regenerate scripts/core-requirements.patch, and recompile assets/requirements/*.compiled
  • add helper scripts for patch regeneration and compile-command replay from .compiled headers
  • harden version/tag validation and script safety checks

Motivation

  • reduce manual release chores for Desktop when ComfyUI publishes a new release
  • align bumps with the pattern used in 81c93891303c9b55f0f6601bea44ee5029b2b7fa
  • avoid requiring any changes in Comfy-Org/ComfyUI

Testing

  • yarn format
  • yarn lint
  • yarn typecheck
  • manual script smoke tests for success and failure paths

How To Use

  • Run workflow Auto Bump ComfyUI Release from Actions in Comfy-Org/desktop
  • Optional input: comfyui_version (e.g. 0.12.4 or v0.12.4)
  • If omitted, workflow resolves latest ComfyUI release automatically

Summary by CodeRabbit

  • Chores
    • Added an automated workflow to detect ComfyUI releases (manual or dispatched), determine target version, update project version, regenerate dependency patches, rebuild shipped requirement artifacts, and open a pull request with the changes and artifacts.
    • Added maintenance scripts to recompile packaged requirement artifacts from embedded headers and to regenerate core dependency patch files, with validation, dry-run support, and explicit error handling.

coderabbitai bot commented Feb 7, 2026

Walkthrough

Adds a GitHub Actions workflow that determines a target ComfyUI release (input, payload, or latest), validates it, updates package.json, checks out ComfyUI into assets, regenerates core requirements patch, recompiles bundled requirements, and opens a PR. Includes two helper scripts for patch regen and recompilation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Workflow: .github/workflows/auto_bump_comfyui_release.yml | New "Auto Bump ComfyUI Release" workflow: resolves/validates target tag/version (input, payload, or latest release), exports outputs, decides whether to update, updates package.json config, checks out ComfyUI to assets/ComfyUI, runs patch regen and recompilation, cleans up, and creates a PR with artifacts and labels. |
| Recompile Script: scripts/recompileRequirementsFromHeaders.sh | New Bash script to discover assets/requirements/*.compiled (or given files), parse header uv pip compile commands, validate -o output paths match targets, and execute or dry-run the compile commands; includes repo-root checks and explicit error exits. |
| Patch Regeneration Script: scripts/regenerateCoreRequirementsPatch.sh | New Bash script that removes the comfyui-frontend-package pin from a requirements file, generates a unified diff against the original, and writes core-requirements.patch to the specified output; uses a temporary workdir with cleanup and precise error handling. |

Sequence Diagram

sequenceDiagram
    participant User as User
    participant Workflow as GitHub Actions Workflow
    participant Repo as This Repo
    participant API as GitHub API
    participant ComfyUI as ComfyUI Repo
    participant Scripts as Local Scripts

    User->>Workflow: trigger (workflow_dispatch or repository_dispatch)
    Workflow->>API: request latest ComfyUI release (if needed)
    API-->>Workflow: release tag, version, URL
    Workflow->>Workflow: normalize & validate tag/version
    Workflow->>Repo: read current package.json version
    alt should_update == true
        Workflow->>ComfyUI: checkout target tag into assets/ComfyUI
        Workflow->>Scripts: run `regenerateCoreRequirementsPatch.sh`
        Scripts-->>Workflow: core-requirements.patch
        Workflow->>Scripts: run `recompileRequirementsFromHeaders.sh`
        Scripts-->>Workflow: recompiled artifacts
        Workflow->>Repo: update `package.json` and commit changes
        Workflow->>API: create PR with branch, commit, artifacts, labels
        API-->>Workflow: PR created
    else should_update == false
        Workflow-->>User: skip with message
    end

Poem

🐇 I found a tag upon the hill,
I patched and compiled with carrot-skill,
Pushed a branch and wrote a plea,
Opened a PR for all to see,
Hop to merge — a cozy thrill!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately describes the main change: automating the ComfyUI release bump workflow, which is the core objective of adding the new GitHub Actions workflow and supporting scripts. |

No actionable comments were generated in the recent review. 🎉


socket-security bot commented Feb 7, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm vite is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: package.json → npm/vite@7.1.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@7.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@benceruleanlu benceruleanlu marked this pull request as ready for review February 7, 2026 00:58
@benceruleanlu benceruleanlu requested review from a team as code owners February 7, 2026 00:58
Copilot AI review requested due to automatic review settings February 7, 2026 00:58
@dosubot dosubot bot added the size:L (This PR changes 100-499 lines, ignoring generated files.) and Release labels Feb 7, 2026

Copilot AI left a comment

Pull request overview

Adds an automated, event-driven GitHub Actions workflow to bump the embedded ComfyUI release and regenerate the downstream patch + compiled requirement artifacts, reducing manual release maintenance work for Desktop.

Changes:

  • Introduces auto_bump_comfyui_release.yml, triggered by repository_dispatch (comfyui_release_published) and manual workflow_dispatch, to open an automated PR bumping ComfyUI.
  • Adds scripts/regenerateCoreRequirementsPatch.sh to regenerate scripts/core-requirements.patch by removing the comfyui-frontend-package==... pin from upstream requirements.
  • Adds scripts/recompileRequirementsFromHeaders.sh to re-run uv pip compile commands embedded in assets/requirements/*.compiled headers.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| scripts/regenerateCoreRequirementsPatch.sh | Generates scripts/core-requirements.patch from upstream ComfyUI requirements.txt by removing a pinned dependency line. |
| scripts/recompileRequirementsFromHeaders.sh | Recompiles assets/requirements/*.compiled by replaying the embedded uv pip compile command from each file header. |
| .github/workflows/auto_bump_comfyui_release.yml | New workflow to resolve a target ComfyUI release, bump package.json, regenerate patch, rebuild compiled requirements, and open a PR. |

Comment on lines +123 to +135
- name: Checkout target ComfyUI release
if: steps.version.outputs.should_update == 'true'
uses: actions/checkout@v6
with:
repository: Comfy-Org/ComfyUI
ref: ${{ steps.version.outputs.target_tag }}
path: assets/ComfyUI

- name: Regenerate core requirements patch
if: steps.version.outputs.should_update == 'true'
run: |
set -euo pipefail
bash scripts/regenerateCoreRequirementsPatch.sh
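
Review bot: the "Checkout target ComfyUI release" step leaves `persist-credentials` at its default, so the job's token stays configured for git in `assets/ComfyUI` while the next step runs `scripts/regenerateCoreRequirementsPatch.sh` over that tree. This checkout is only read from, so add `persist-credentials: false` under `with:`. `actions/checkout@v6` is also a movable tag; pinning it to a full commit SHA keeps the step from changing underneath the workflow.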

Copilot AI Feb 7, 2026

This workflow runs uv pip compile (via scripts/recompileRequirementsFromHeaders.sh) but never pins/installs a specific Python version. update_compiled_requirements.yml explicitly sets up Python 3.12 before compiling; without that, uv may resolve markers differently depending on the runner image and produce inconsistent .compiled outputs. Add a actions/setup-python step (matching the version used elsewhere) before installing/running uv.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/auto_bump_comfyui_release.yml:
- Around line 87-94: The curl invocation that sets TAG_STATUS uses the -f flag
which causes curl to exit non-zero on HTTP errors and triggers set -euo pipefail
to abort the script before the 404 check; update the TAG_STATUS curl command
(the line that sets TAG_STATUS using curl and the TARGET_TAG variable) to remove
the -f option (e.g., change -fsSL to -sSL or otherwise ensure curl always
returns 0) so the HTTP status is captured and the subsequent if [ "$TAG_STATUS"
!= "200" ] check can run and emit the friendly error message.

In `@scripts/recompileRequirementsFromHeaders.sh`:
- Around line 103-105: The current invocation uses bash -lc "$compile_command"
which forces a login shell (losing CI PATH) and runs an unchecked shell string;
change it to run without -l and avoid executing an unchecked string: replace
bash -lc "$compile_command" with a safer execution strategy such as invoking
bash -c "$compile_command" (drop -l) or, better, split the validated command
into an argv array and exec it directly (use the compile_command words as
arguments to run uv with exec or use an array variable) so PATH is preserved and
arbitrary shell injection is avoided; update the invocation around the
compile_command and dry_run check (the block that currently runs bash -lc
"$compile_command") to implement this.
🧹 Nitpick comments (3)
scripts/recompileRequirementsFromHeaders.sh (1)

21-34: Unknown flags (e.g. --foo) are silently treated as file paths.

The * catch-all in the argument parser will interpret any unrecognized flag like --typo as a file argument, leading to a confusing "Missing file" error downstream rather than an "unknown option" message.

Consider adding a guard:

Suggested change
     *)
+      if [[ "$argument" == --* ]]; then
+        echo "Unknown option: $argument" >&2
+        usage >&2
+        exit 1
+      fi
       compiled_files+=("$argument")
       ;;
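
Review bot: the `--*` test in the added guard only catches long options, so a mistyped short flag such as `-x` still falls through to `compiled_files+=("$argument")` and ends in the same confusing "Missing file" error. Match `-*` instead, and if file names that begin with a dash must stay possible, accept a `--` end-of-options marker ahead of the catch-all.
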
.github/workflows/auto_bump_comfyui_release.yml (2)

144-150: uv is installed without version pinning.

The install script (https://astral.sh/uv/install.sh) fetches the latest uv version. A breaking change or regression in a future uv release could silently alter the compiled output. Consider pinning a version:

curl -LsSf https://astral.sh/uv/0.6.x/install.sh | sh

This is acceptable for a workflow that produces a human-reviewed PR, but worth noting for reproducibility.


162-164: Consider updating to peter-evans/create-pull-request@v8, the current major version.

The peter-evans/create-pull-request@v6 action exists and is stable (v6.1.0 is the latest v6 release), but v8 is now the current major version. Upgrading would ensure access to the latest features, improvements, and security updates.
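
One way to act on the argv-splitting advice given in the review above for `scripts/recompileRequirementsFromHeaders.sh`, as an added example that is not the PR's script: the header command is checked against an allow-list, word-split without evaluation, and its `-o` target compared with the file being recompiled. The function names, status codes and sample files are hypothetical, and it assumes header commands consist of unquoted plain words.

```sh
#!/bin/sh
# Added example, not the project's script: replay the `uv pip compile` command
# recorded in a .compiled header as an argv list, never as a shell string.

# Print the compile command recorded in the header of file $1 (first match).
header_command() {
  sed -n 's/^#[[:space:]][[:space:]]*\(uv pip compile .*\)$/\1/p' "$1" | head -n 1
}

# Validate the header of $1, then run it, or print it when $2 is "dry-run".
# Status: 0 ok, 1 no header, 2 unsafe characters, 3 -o does not match $1.
replay_compile() {
  file=$1; mode=${2:-run}
  cmd=$(header_command "$file")
  [ -n "$cmd" ] || return 1
  # Allow-list (assumption): plain words only, so quotes, $, ;, |, &,
  # backticks, redirections and globs are rejected, not interpreted.
  if printf '%s' "$cmd" | LC_ALL=C grep -q '[^A-Za-z0-9 ._/=:@+,-]'; then
    return 2
  fi
  set -f; set -- $cmd; set +f   # word-split into "$@" without globbing
  out=""; prev=""
  for arg in "$@"; do
    case $prev in -o|--output-file) out=$arg ;; esac
    case $arg in --output-file=*) out=${arg#--output-file=} ;; esac
    prev=$arg
  done
  [ "$out" = "$file" ] || return 3
  if [ "$mode" = dry-run ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample headers (not taken from the repository), checked in a
# throwaway directory; prints the status of each case separated by spaces.
demo() (
  cd "$(mktemp -d)" && mkdir -p assets/requirements || exit 1
  hdr='# This file was autogenerated by uv via the following command:'
  ok=assets/requirements/ok.compiled
  inj=assets/requirements/inj.compiled
  mis=assets/requirements/mis.compiled
  printf '%s\n' "$hdr" "#    uv pip compile requirements.txt -o $ok" >"$ok"
  printf '%s\n' "$hdr" "#    uv pip compile requirements.txt -o $inj; echo unexpected" >"$inj"
  printf '%s\n' "$hdr" "#    uv pip compile requirements.txt -o /tmp/other" >"$mis"
  res=""
  for f in "$ok" "$inj" "$mis"; do
    rc=0; replay_compile "$f" dry-run >/dev/null || rc=$?
    res="${res:+$res }$rc"
  done
  echo "$res"
)

demo
```

A header that legitimately needs quoting fails closed with status 2, which is the cue to widen the allow-list deliberately instead of falling back to `bash -c`.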

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/auto_bump_comfyui_release.yml:
- Around line 143-167: The PR creation uses the default github.token (see the
peter-evans/create-pull-request@v6 step and its token input), which prevents CI
from running; replace token: ${{ github.token }} with an app-generated
installation token or PAT (e.g., a secret like ${{ secrets.GH_APP_TOKEN }}), and
add a preceding step to create or retrieve that GitHub App/PAT token (store it
in a job output or a secret-name) so the create-pull-request action consumes
that token instead; update the token reference in the create-pull-request step
(token input) to use the generated token variable.
🧹 Nitpick comments (1)
.github/workflows/auto_bump_comfyui_release.yml (1)

125-131: Consider pinning the uv version for reproducibility.

The install script fetches the latest uv, which could introduce breakage if a new uv release changes behavior. The install script supports version pinning:

-          curl -LsSf https://astral.sh/uv/install.sh | sh
+          curl -LsSf https://astral.sh/uv/0.6.x/install.sh | sh
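
Review bot: the `+` line still pipes a freshly downloaded script into `sh` with nothing checking its content, so putting a version in the URL addresses reproducibility but not integrity. Download the installer to a file, compare it against a checksum kept in the repository, and only then run it. `0.6.x` is a placeholder and has to become an exact version before this is committed.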

Replace 0.6.x with the version currently in use. This makes the workflow deterministic and avoids surprise breakage.

Comment on lines +143 to +167
- name: Create pull request
if: steps.version.outputs.should_update == 'true'
uses: peter-evans/create-pull-request@v6
with:
token: ${{ github.token }}
branch: automated/bump-comfyui-v${{ steps.version.outputs.target_version }}
delete-branch: true
commit-message: Bump ComfyUI to v${{ steps.version.outputs.target_version }}
title: Bump ComfyUI to v${{ steps.version.outputs.target_version }}
body: |
## Summary
- bump `config.comfyUI.version` from `${{ steps.version.outputs.current_version }}` to `${{ steps.version.outputs.target_version }}`
- regenerate `scripts/core-requirements.patch` from upstream ComfyUI requirements
- recompile pre-shipped requirements in `assets/requirements/*.compiled` using `uv pip compile` commands stored in file headers

## Upstream Release
- ${{ steps.version.outputs.target_release_url }}

## Testing
- workflow regenerated compiled requirements and patch artifacts
labels: dependencies
add-paths: |
package.json
scripts/core-requirements.patch
assets/requirements/*.compiled
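
Review bot: `peter-evans/create-pull-request@v6` is a third-party action referenced by a movable tag, and it is the step that receives `token`, so pin it to a full commit SHA rather than `@v6`. The `add-paths` list is a useful restriction; keep it in step with the files the regeneration scripts are expected to touch so that nothing else from the `assets/ComfyUI` checkout can end up in the commit.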

⚠️ Potential issue | 🟠 Major

PRs created with github.token won't trigger CI workflows.

GitHub deliberately prevents workflows triggered by the default GITHUB_TOKEN from triggering further workflow runs (to avoid infinite loops). The auto-generated PR won't run CI checks (e.g., build, test, lint) unless you use a GitHub App token or PAT.

If CI validation on the bump PR is required, swap github.token for an app-generated token:

-          token: ${{ github.token }}
+          token: ${{ steps.app-token.outputs.token }}
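
Review bot: `steps.app-token` on the `+` line has no defining step in this suggestion, so as written the expression evaluates to an empty string; the change needs the token-generating step, with `id: app-token`, added ahead of the create-pull-request step. Because a PR opened with an App token does trigger other workflows, grant that installation only this repository and the permissions the job needs (contents and pull requests write).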

(after adding a step to generate a token from a GitHub App installation)

If the intent is to merge without CI or to manually re-trigger, the current setup is fine — just document that expectation.

Member Author

Fixed

@benceruleanlu benceruleanlu marked this pull request as draft February 7, 2026 02:58
@benceruleanlu benceruleanlu marked this pull request as ready for review February 11, 2026 00:43
@dosubot dosubot bot added the dependencies label Feb 11, 2026

@comfy-pr-bot

Test Evidence Check

⚠️ Warning: Visual Documentation Missing

If this PR changes user-facing behavior, visual proof (screen recording or screenshot) is required. PRs without applicable visual documentation may not be reviewed until provided.

You can add it by:

  • GitHub: Drag & drop media directly into the PR description
  • YouTube: Include a link to a short demo
