Skip to content

ci: set up build and lint GitHub Action workflow#31

Open
Babin123456 wants to merge 1 commit into
itzzavdhesh:mainfrom
Babin123456:ci/setup-github-action-workflow
Open

ci: set up build and lint GitHub Action workflow#31
Babin123456 wants to merge 1 commit into
itzzavdhesh:mainfrom
Babin123456:ci/setup-github-action-workflow

Conversation

@Babin123456

@Babin123456 Babin123456 commented Jun 26, 2026

Copy link
Copy Markdown

Related Issue

Closes #20

Summary

This PR introduces a production-grade CI workflow to replace the placeholder file, enforcing TypeScript type validation and Vite build checks on all pushes and pull requests to main.

Changes Made

  • Configured Node 18 execution environment.
  • Configured npm cache to speed up subsequent runs.
  • Set up automatic triggers on pushes/PRs.
  • Runs npm run lint and npm run build.

Testing

  • Tested locally by executing typecheck and build processes manually.
  • Build successfully completed.

Screenshots

N/A (GitHub Actions workflow update)

Impact

Avoids merging broken, uncompilable code and improves developer experience.

Checklist

  • Code follows project standards
  • Tested locally
  • No unrelated changes included
  • Responsive design verified
  • Accessibility considered

Summary by cubic

Sets up a production CI workflow in GitHub Actions to run type checks and builds on pushes and PRs to main, replacing the placeholder workflow. This helps catch broken TypeScript or builds before merge.

  • New Features
    • Triggers on push and pull_request for main.
    • Uses actions/checkout@v4 and actions/setup-node@v4 with Node 18 and npm cache; installs via npm ci.
    • Runs npm run lint (type check) and npm run build.

Written for commit d80bc29. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Chores
    • Updated automated checks to run on both push and pull request updates to the main branch.
    • Added build and lint verification as part of continuous integration, helping catch issues earlier and improve release reliability.

@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the itzzavdhesh's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

Copy link
Copy Markdown

✅ Thanks! This PR is linked to #20 and will close it automatically when merged.

@github-actions github-actions Bot added ELUSOC enhancement New feature or request VETERAN labels Jun 26, 2026
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The workflow file was replaced with a CI job that runs on pushes and pull requests to main, checks out the repository, sets up Node 18 with npm caching, installs dependencies, and runs lint and build commands.

Changes

CI workflow update

Layer / File(s) Summary
Workflow replacement
.github/workflows/main.yml
The placeholder push-only workflow was replaced with a CI workflow for push and pull_request events to main that runs checkout, Node setup, dependency install, linting, and build steps.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

  • VoiceForge issue 21: It requests the same GitHub Actions CI lint/build workflow that this PR adds.

Poem

A tiny bunny hops in delight, 🐇
With lint and build now shining bright.
From placeholder cheer to CI glow,
The main branch gets a safer flow.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: replacing the placeholder workflow with a build-and-lint CI workflow.
Description check ✅ Passed The description is mostly complete and covers the issue, summary, testing, and impact, though the Type of Change section is missing.
Linked Issues check ✅ Passed The workflow implements the linked issue requirements: checkout, install, lint, build, and triggers on pushes and PRs to main.
Out of Scope Changes check ✅ Passed The PR appears scoped to the requested CI workflow replacement with no unrelated code changes introduced.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Thanks for your first pull request to FlowCraft! A couple of quick checks before a maintainer reviews it: make sure your description includes something like Closes #12 to link the issue it resolves, and double-check the Contributing Guide for our PR checklist. We'll take a look soon!

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yml:
- Around line 14-21: The workflow in the Checkout Code and Set up Node.js steps
uses floating action tags and leaves checkout credentials persisted. Update the
actions/checkout and actions/setup-node references in the workflow to immutable
commit SHAs, and add persist-credentials: false to the Checkout Code step so
repo-controlled npm scripts do not retain git auth in local config.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b684a718-8571-40ef-9f75-81859d796d4d

📥 Commits

Reviewing files that changed from the base of the PR and between 22009dd and d80bc29.

📒 Files selected for processing (1)
  • .github/workflows/main.yml

Comment on lines +14 to +21
- name: Checkout Code
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

resolve_tag() {
  local repo="$1"
  local tag="$2"

  local type sha
  read -r type sha < <(
    curl -fsSL "https://api.github.com/repos/${repo}/git/ref/tags/${tag}" \
      | jq -r '.object.type, .object.sha' \
      | paste - -)

  if [ "$type" = "tag" ]; then
    sha=$(curl -fsSL "https://api.github.com/repos/${repo}/git/tags/${sha}" | jq -r '.object.sha')
  fi

  echo "${repo}@${tag} -> ${sha}"
}

resolve_tag actions/checkout v4
resolve_tag actions/setup-node v4

Repository: itzzavdhesh/FlowCraft

Length of output: 250


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .github/workflows/main.yml =="
cat -n .github/workflows/main.yml

echo
echo "== package.json =="
cat -n package.json

echo
echo "== Search for git/auth usage in workflow files =="
rg -n "persist-credentials|git |github-token|checkout@|setup-node@" .github/workflows . -g '!node_modules' -g '!dist' -g '!build'

Repository: itzzavdhesh/FlowCraft

Length of output: 2550


Pin the GitHub Actions and disable persisted checkout credentials.

actions/checkout@v4 and actions/setup-node@v4 are floating tags; pin both to immutable SHAs. Also set persist-credentials: false on checkout, since this workflow runs repo-controlled npm scripts and doesn’t need git auth left in the local config.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 14 - 21, The workflow in the
Checkout Code and Set up Node.js steps uses floating action tags and leaves
checkout credentials persisted. Update the actions/checkout and
actions/setup-node references in the workflow to immutable commit SHAs, and add
persist-credentials: false to the Checkout Code step so repo-controlled npm
scripts do not retain git auth in local config.

Source: Linters/SAST tools

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/main.yml">

<violation number="1" location=".github/workflows/main.yml:15">
P1: Pin `actions/checkout` to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.</violation>

<violation number="2" location=".github/workflows/main.yml:18">
P2: Pin `actions/setup-node` to a full-length commit SHA instead of the floating `@v4` tag so workflow dependencies are immutable.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

- name: Hello
run: echo "Workflow is working!"
- name: Checkout Code
uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Pin actions/checkout to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/main.yml, line 15:

<comment>Pin `actions/checkout` to a full-length commit SHA and disable credential persistence here. The default checkout behavior stores the token in local git config, which is unnecessary for this workflow and broadens token exposure to later script steps.</comment>

<file context>
@@ -1,12 +1,30 @@
-      - name: Hello
-        run: echo "Workflow is working!"
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
</file context>

uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Pin actions/setup-node to a full-length commit SHA instead of the floating @v4 tag so workflow dependencies are immutable.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/main.yml, line 18:

<comment>Pin `actions/setup-node` to a full-length commit SHA instead of the floating `@v4` tag so workflow dependencies are immutable.</comment>

<file context>
@@ -1,12 +1,30 @@
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
</file context>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ELUSOC enhancement New feature or request VETERAN

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEATURE] [ELUSoC_2026] Setup CI Build and Lint GitHub Action Workflow

1 participant