fix(workflows): validate deployment structure

[RitwijParmar]

Summary

Fixes #3444 by running Sim's full workflow structure validation before deployment paths persist or activate workflow deployment versions.

This adds a shared deploy-time validation helper that checks, in order:

• full workflow structure via validateWorkflowState
• schedule configuration via validateWorkflowSchedules
• trigger webhook deploy config via validateTriggerWebhookConfigForDeploy

The same guard is used for:

• fresh deploys through performFullDeploy
• activating an existing deployment version through performActivateVersion

Why

Before this, deploy orchestration only validated schedules and trigger webhooks. A workflow snapshot with invalid block/edge structure could still reach deployment persistence if it passed those narrower checks. For agent workflows, that creates a reliability problem: broken canvases can become callable/deployed artifacts and fail later in harder-to-debug execution paths.

Tests

Added orchestration tests for:

• rejecting structurally invalid workflows before schedule/webhook checks during deploy
• rejecting invalid deployment snapshots before activating an older version

Local validation:

• bunx biome check apps/sim/lib/workflows/orchestration/deploy.ts apps/sim/lib/workflows/orchestration/deploy.test.ts
• NODE_OPTIONS='--max-old-space-size=8192' bunx tsc --noEmit --project apps/sim/tsconfig.json --pretty false

I also attempted the focused Vitest file, but this macOS environment cannot load Rollup's native optional binary:

• bun run test lib/workflows/orchestration/deploy.test.ts
• blocked by @rollup/rollup-darwin-arm64 code-signature loader failure before tests start

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 3, 2026 5:17pm

[cursor]

PR Summary

Medium Risk
Changes deployment gates for live workflows; behavior is stricter validation with low blast radius if structure checks match editor expectations.

Overview
Deploy and activate paths now run full workflow structure validation (validateWorkflowState) before schedule and trigger webhook checks, via a shared validateWorkflowForDeployment helper used by performFullDeploy and performActivateVersion.

Invalid block/edge snapshots are rejected with errorCode: 'validation' and a clear structure message, so broken canvases should not be persisted or activated when only narrower checks would have passed.

New orchestration tests assert structure failures short-circuit before schedule/webhook validation and before activateWorkflowVersion on activation.

^{Reviewed by Cursor Bugbot for commit 1945237. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

Adds a shared validateWorkflowForDeployment helper that runs full structural validation (validateWorkflowState) before schedule and webhook checks, and wires it into both performFullDeploy and performActivateVersion so broken canvas snapshots are rejected before any deployment state is persisted.

• deploy.ts: Extracts validateWorkflowForDeployment, removing duplicated schedule/webhook guard logic from both deploy paths and prepending a structural validity check.
• deploy.test.ts: Adds new describe blocks for performFullDeploy and performActivateVersion covering the structural-rejection path, plus corrects mocks for deployWorkflow and activateWorkflowVersion that were previously anonymous vi.fn() instances.

Confidence Score: 4/5

The change is straightforward and the core guard logic is correct; the only gaps are test coverage and a small leftover check that won't cause runtime misbehavior.

The shared validation helper is wired in correctly and the rejection behavior is tested. The new tests only cover error paths, so a regression that causes validateWorkflowForDeployment to always reject valid workflows would go undetected.

deploy.test.ts — both new describe blocks lack a happy-path case; deploy.ts — the pre-validation blocks check in performActivateVersion is now superseded by the shared helper.

Important Files Changed

Filename	Overview
apps/sim/lib/workflows/orchestration/deploy.ts	Extracts a shared validateWorkflowForDeployment helper that adds structural validation (via validateWorkflowState) before schedule and webhook checks in both performFullDeploy and performActivateVersion. A now-redundant blocks existence check remains before the shared helper in performActivateVersion.
apps/sim/lib/workflows/orchestration/deploy.test.ts	Adds two new describe blocks testing the rejection path for invalid workflow structures. Neither block includes a happy-path case, leaving the integration of the new validation in the successful deploy/activate flow untested.

Comments Outside Diff (1)

1. apps/sim/lib/workflows/orchestration/deploy.ts, line 371-377 (link)

   The explicit blocks existence check is now redundant — validateWorkflowForDeployment calls validateWorkflowState which already guards !workflowState.blocks. Keeping both paths means the same condition produces two different error strings depending on which fires first. Removing the manual check lets the shared helper own all structural error messaging consistently.

_{Reviews (1): Last reviewed commit: "fix(workflows): validate deployment stru..." | Re-trigger Greptile}

[greptile-apps]

Missing happy-path coverage for the new validation integration

Both performFullDeploy and performActivateVersion test suites only exercise the rejection path. There are no cases where mockDeployWorkflow / mockActivateWorkflowVersion return a success payload, so there is no test that confirms a structurally valid workflow actually completes the deploy/activate flow after the new validation passes. If validateWorkflowForDeployment were accidentally changed to always return { success: false }, the existing suite would still pass. Consider adding at least one success-path case per describe block to guard the integration end-to-end.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!