🤖 fix: pin Bun and freeze installs to avoid lock churn (#3072)

## Summary

Pin Bun 1.3.5 in the repo manifests and switch the install entrypoints
that previously rewrote lockfiles to `--frozen-lockfile`. This makes Bun
version expectations explicit across the main app, mobile app, and
chat-components package while stopping local validation and publish
automation from silently mutating `bun.lock`.

## Background

This repo already pins Bun 1.3.5 in the main CI setup action, but
several other entrypoints were still effectively unpinned or running
mutable installs. That let validation on machines with a different Bun
setup rewrite lockfiles even when no dependency change was intended.

## Implementation

- added `packageManager: "bun@1.3.5"` to the root, mobile, and
chat-components manifests
- changed the root/mobile Makefile install sentinels to run `bun install
--frozen-lockfile`
- updated the chat-components publish workflow to use `bun install
--frozen-lockfile`
- pinned the auto-cleanup workflows to Bun 1.3.5 to match the existing
shared setup action
- regenerated the synced GitHub Actions guide and built-in docs snapshot
that mirror the auto-cleanup workflow

## Validation

- `make static-check`
- `cd mobile && bun install --frozen-lockfile`
- `cd packages/chat-components && bun install --frozen-lockfile`
- `make lint-actions`

## Risks

Low. The main behavior change is that Bun version mismatches or stale
lockfiles now fail fast instead of being normalized implicitly during
install.

---

_Generated with `mux` • Model: `openai:gpt-5.4` • Thinking: `xhigh` •
Cost: `$2.29`_

<!-- mux-attribution: model=openai:gpt-5.4 thinking=xhigh costs=2.29 -->

Author: ammar-agent

.github/workflows/_npm-publish.yml

@@ -228,7 +228,7 @@ jobs:
 
       - name: Install chat-components deps
         working-directory: packages/chat-components
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Build chat-components package
         working-directory: packages/chat-components

.github/workflows/auto-cleanup-fixup.yml

@@ -73,6 +73,8 @@ jobs:
 
       - uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
         if: ${{ steps.precheck.outputs.enabled == 'true' }}
+        with:
+          bun-version: 1.3.5
 
       # Pin the git identity so the AI agent doesn't invent its own.
       - name: Configure git identity

.github/workflows/auto-cleanup.yml

@@ -52,6 +52,8 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
       - uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
         if: ${{ steps.precheck.outputs.enabled == 'true' }}
+        with:
+          bun-version: 1.3.5
 
       # Pin the git identity so the AI agent doesn't invent its own.
       # Without this, commits end up as "mux-auto-cleanup[bot]" while the

Makefile

@@ -108,14 +108,15 @@ all: build
 # Sentinel file to track when dependencies are installed
 # Depends on package.json and bun.lock - rebuilds if either changes
 node_modules/.installed: package.json bun.lock
-	@echo "Dependencies out of date or missing, running bun install..."
-	@bun install
+	@echo "Dependencies out of date or missing, running bun install --frozen-lockfile..."
+	@# Keep local validation from silently rewriting bun.lock when a different Bun version is installed.
+	@bun install --frozen-lockfile
 	@touch node_modules/.installed
 
 # Mobile dependencies - separate from main project
 mobile/node_modules/.installed: mobile/package.json mobile/bun.lock
-	@echo "Installing mobile dependencies..."
-	@cd mobile && bun install
+	@echo "Installing mobile dependencies with bun install --frozen-lockfile..."
+	@cd mobile && bun install --frozen-lockfile
 	@touch mobile/node_modules/.installed
 
 # Legacy target for backwards compatibility

docs/guides/github-actions.mdx

@@ -97,6 +97,8 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
       - uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
         if: ${{ steps.precheck.outputs.enabled == 'true' }}
+        with:
+          bun-version: 1.3.5
 
       # Pin the git identity so the AI agent doesn't invent its own.
       # Without this, commits end up as "mux-auto-cleanup[bot]" while the

mobile/package.json

@@ -3,6 +3,7 @@
   "private": true,
   "version": "0.0.1",
   "description": "Expo app for mux (connects to mux server over HTTP/WS)",
+  "packageManager": "bun@1.3.5",
   "main": "expo-router/entry",
   "scripts": {
     "start": "expo start",

package.json

@@ -15,6 +15,7 @@
   "publishConfig": {
     "access": "public"
   },
+  "packageManager": "bun@1.3.5",
   "scripts": {
     "dev": "make dev",
     "prebuild:main": "./scripts/generate-version.sh",

packages/chat-components/package.json

@@ -2,6 +2,7 @@
   "name": "@coder/mux-chat-components",
   "version": "0.1.0",
   "description": "Shared chat components for Mux conversation rendering",
+  "packageManager": "bun@1.3.5",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

src/node/services/agentSkills/builtInSkillContent.generated.ts

@@ -3931,6 +3931,8 @@ export const BUILTIN_SKILL_FILES: Record<string, Record<string, string>> = {
       "          token: ${{ steps.app-token.outputs.token }}",
       "      - uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0",
       "        if: ${{ steps.precheck.outputs.enabled == 'true' }}",
+      "        with:",
+      "          bun-version: 1.3.5",
       "",
       "      # Pin the git identity so the AI agent doesn't invent its own.",
       '      # Without this, commits end up as "mux-auto-cleanup[bot]" while the',