[ENG-3641] Adds amplify support

[dnehl]

Migrated widget and dashboard to aomplify and removed vercel dependencies

Summary by CodeRabbit

• New Features

  • Added hosting support for both frontend apps in the monorepo, with separate build and publish settings.

• Bug Fixes

  • Improved deployment reliability by pinning tool versions and standardizing build setup.
  • Removed a catch-all route rewrite so path handling now follows the app’s default behavior more consistently.

• Chores

  • Updated project tooling and install settings to use a more consistent dependency layout.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates CI, toolchain, and Amplify Hosting configuration. It pins Node and pnpm versions, sets hoisted package linking, replaces the CI mise action with inline installation, and adds a two-app Amplify build setup.

Changes

Build and hosting configuration

Layer / File(s)	Summary
Toolchain and package manager settings .npmrc, mise.toml	node-linker is set to hoisted, Node.js is pinned to 24.15.0, and pnpm is mapped to npm:pnpm version 10.33.2.
CI checkout and mise setup .github/workflows/ci.yml	The workflow adds contents: read, uses a pinned actions/checkout commit, installs mise inline with curl, and keeps lint, build, and test on the same pnpm run commands.
Amplify hosting configuration amplify.yml	Amplify Hosting is configured for packages/widget and packages/dashboard with shared mise and pnpm setup, per-app VITE_* env files, build commands, artifact outputs, and node_modules caching.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I hopped through CI with a tidy grin,
Hoisted my links and pinned tools within.
Two apps on Amplify, side by side,
With pnpm and mise on a careful ride.
Thump-thump! The build path feels light 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title is concise and accurately reflects the main change: adding Amplify support and migrating away from Vercel.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch eng-3641-migrate-perps-widget-off-vercel

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 22-23: The Checkout step in the CI workflow should disable
persisted Git credentials. Update the actions/checkout usage in the Checkout job
to set persist-credentials to false so later install/build steps cannot reuse
the checkout token.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5bb829f3-717f-4589-af48-f170c41873f3

📥 Commits

Reviewing files that changed from the base of the PR and between 0faee3e and a334df2.

⛔ Files ignored due to path filters (1)

• mise.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .npmrc
• amplify.yml
• mise.toml
• vercel.json

💤 Files with no reviewable changes (1)

• vercel.json

[coderabbitai]

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ci.yml
echo '---'
cat -n .github/workflows/ci.yml | sed -n '1,220p'

Repository: stakekit/perps-widget

Length of output: 1610

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show workflow structure and any later steps that might rely on git credentials.
ast-grep outline .github/workflows/ci.yml --view expanded || true
echo '---'
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml

Repository: stakekit/perps-widget

Length of output: 507

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "File:"
git ls-files .github/workflows/ci.yml

echo
echo "Content:"
cat -n .github/workflows/ci.yml | sed -n '1,220p'

echo
echo "Relevant matches:"
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml || true

Repository: stakekit/perps-widget

Length of output: 1946

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "File:"
git ls-files .github/workflows/ci.yml

echo
echo "Content:"
cat -n .github/workflows/ci.yml | sed -n '1,220p'

echo
echo "Relevant matches:"
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml || true

Repository: stakekit/perps-widget

Length of output: 1946

---

🌐 Web query:

actions/checkout persist-credentials default true documentation

💡 Result:

In the GitHub actions/checkout action, the persist-credentials input is enabled by default (default: true) [1][2]. When set to true (the default), the action configures the authentication token or SSH key with the local Git configuration [3][1]. This allows subsequent steps in your workflow to execute authenticated Git commands (such as git fetch or git push) without requiring additional configuration [3][4]. The action automatically removes these credentials during the post-job cleanup process [3][5]. If you wish to prevent the action from configuring these credentials, you can set persist-credentials to false [3][6]: - with: persist-credentials: false Recent updates have improved the security of this feature by storing credentials in a file under $RUNNER_TEMP rather than directly within.git/config, while maintaining the same default behavior and functionality [3][7].

Citations:

• 1: https://github.com/actions/checkout/blob/master/action.yml
• 2: https://github.com/actions/checkout/blob/main/action.yml
• 3: https://github.com/actions/checkout/?tab=readme-ov-file
• 4: https://github.com/marketplace/actions/checkout?version=v3.6.0
• 5: https://github.com/actions/checkout
• 6: https://github.com/actions/checkout/blob/main/README.md
• 7: https://github.com/marketplace/actions/checkout

---

Disable persisted checkout credentials. This workflow only reads the repo, so persist-credentials: false avoids leaving the checkout token available to later install/build steps.

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 22 - 23, The Checkout step in the CI
workflow should disable persisted Git credentials. Update the actions/checkout
usage in the Checkout job to set persist-credentials to false so later
install/build steps cannot reuse the checkout token.

Source: Linters/SAST tools