ci: set up build and lint GitHub Action workflow#31
Conversation
|
Someone is attempting to deploy a commit to the itzzavdhesh's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
✅ Thanks! This PR is linked to #20 and will close it automatically when merged. |
📝 WalkthroughWalkthroughThe workflow file was replaced with a CI job that runs on pushes and pull requests to ChangesCI workflow update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related issues
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🎉 Thanks for your first pull request to FlowCraft! A couple of quick checks before a maintainer reviews it: make sure your description includes something like Closes #12 to link the issue it resolves, and double-check the Contributing Guide for our PR checklist. We'll take a look soon!
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/main.yml:
- Around line 14-21: The workflow in the Checkout Code and Set up Node.js steps
uses floating action tags and leaves checkout credentials persisted. Update the
actions/checkout and actions/setup-node references in the workflow to immutable
commit SHAs, and add persist-credentials: false to the Checkout Code step so
repo-controlled npm scripts do not retain git auth in local config.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: b684a718-8571-40ef-9f75-81859d796d4d
📒 Files selected for processing (1)
.github/workflows/main.yml
| - name: Checkout Code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 18 | ||
| cache: 'npm' |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
resolve_tag() {
local repo="$1"
local tag="$2"
local type sha
read -r type sha < <(
curl -fsSL "https://api.github.com/repos/${repo}/git/ref/tags/${tag}" \
| jq -r '.object.type, .object.sha' \
| paste - -)
if [ "$type" = "tag" ]; then
sha=$(curl -fsSL "https://api.github.com/repos/${repo}/git/tags/${sha}" | jq -r '.object.sha')
fi
echo "${repo}@${tag} -> ${sha}"
}
resolve_tag actions/checkout v4
resolve_tag actions/setup-node v4Repository: itzzavdhesh/FlowCraft
Length of output: 250
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== .github/workflows/main.yml =="
cat -n .github/workflows/main.yml
echo
echo "== package.json =="
cat -n package.json
echo
echo "== Search for git/auth usage in workflow files =="
rg -n "persist-credentials|git |github-token|checkout@|setup-node@" .github/workflows . -g '!node_modules' -g '!dist' -g '!build'Repository: itzzavdhesh/FlowCraft
Length of output: 2550
Pin the GitHub Actions and disable persisted checkout credentials.
actions/checkout@v4 and actions/setup-node@v4 are floating tags; pin both to immutable SHAs. Also set persist-credentials: false on checkout, since this workflow runs repo-controlled npm scripts and doesn’t need git auth left in the local config.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/main.yml around lines 14 - 21, The workflow in the
Checkout Code and Set up Node.js steps uses floating action tags and leaves
checkout credentials persisted. Update the actions/checkout and
actions/setup-node references in the workflow to immutable commit SHAs, and add
persist-credentials: false to the Checkout Code step so repo-controlled npm
scripts do not retain git auth in local config.
Source: Linters/SAST tools
There was a problem hiding this comment.
2 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/main.yml">
<violation number="1" location=".github/workflows/main.yml:15">
P1: Pin `actions/checkout` to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.</violation>
<violation number="2" location=".github/workflows/main.yml:18">
P2: Pin `actions/setup-node` to a full-length commit SHA instead of the floating `@v4` tag so workflow dependencies are immutable.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| - name: Hello | ||
| run: echo "Workflow is working!" | ||
| - name: Checkout Code | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
P1: Pin actions/checkout to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/main.yml, line 15:
<comment>Pin `actions/checkout` to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.</comment>
<file context>
@@ -1,12 +1,30 @@
- - name: Hello
- run: echo "Workflow is working!"
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Set up Node.js
</file context>
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 |
There was a problem hiding this comment.
P2: Pin actions/setup-node to a full-length commit SHA instead of the floating @v4 tag so workflow dependencies are immutable.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/main.yml, line 18:
<comment>Pin `actions/setup-node` to a full-length commit SHA instead of the floating `@v4` tag so workflow dependencies are immutable.</comment>
<file context>
@@ -1,12 +1,30 @@
+ uses: actions/checkout@v4
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 18
</file context>
Related Issue
Closes #20
Summary
This PR introduces a production-grade CI workflow to replace the placeholder file, enforcing TypeScript type validation and Vite build checks on all pushes and pull requests to
main.Changes Made
npm run lintandnpm run build.Testing
Screenshots
N/A (GitHub Actions workflow update)
Impact
Avoids merging broken, uncompilable code and improves developer experience.
Checklist
Summary by cubic
Sets up a production CI workflow in GitHub Actions to run type checks and builds on pushes and PRs to
main, replacing the placeholder workflow. This helps catch broken TypeScript or builds before merge.main.actions/checkout@v4andactions/setup-node@v4with Node 18 and npm cache; installs vianpm ci.npm run lint(type check) andnpm run build.Written for commit d80bc29. Summary will update on new commits.
Summary by CodeRabbit