chore: update ci/cd configuration#789
Conversation
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID:
⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
Summary by CodeRabbit
Walkthrough
Standardizes Vitest configs across packages (v8 coverage), bumps TypeScript and packageManager, simplifies Node engine, renames a build error class, updates website dev deps, and adjusts Dependabot and GitHub Actions (publish, CodeQL, Node CI) configurations.
Changes
Build Infrastructure and Dependency Modernization
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Possibly related PRs
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 17-18: The checkout step using actions/checkout@v6 currently
persists GitHub credentials; add persist-credentials: false to that step (the
actions/checkout@v6 usage block) so credentials are not kept for later steps,
preventing credential leakage during publish-related workflow runs.
- Around line 17-18: Replace the tag-based action references so the workflow
pins to exact SHAs: locate the uses entries currently set to actions/checkout@v6
and actions/setup-node@v6 and update them to the corresponding commit SHAs
(e.g., actions/checkout@<sha> and actions/setup-node@<sha>); you may add a
trailing comment noting the original v6 tag for traceability, but ensure the
uses fields contain the full commit SHAs to prevent floating updates.
- Around line 7-9: The workflow currently declares global permissions
(permissions: id-token: write, contents: read); move this block into the single
job definition so permissions are scoped at job level, and add brief comments
near the job-level permissions explaining why id-token: write is required for
OIDC-based npm publishing and why contents: read is needed (e.g., to access repo
metadata/packaging), keeping the permission values unchanged but limiting their
scope to the job that performs the publish.
In `@package.json`:
- Line 41: Update the top-level engines.node constraint in package.json (the
engines.node field) to require Node 22+ to match website devDependency
requirements: change the current "node": "^20.19.0 || ^22.9.0 || >=24" to a
stricter range such as ">=22.0.0" (or ">=22.9.0" if you want to enforce the
specific minor) so tools like cpx2 and minify won’t trigger engine warnings or
break the website build.
In `@packages/build/src/source/segment/errors/ModuleNotFound.ts`:
- Line 2: The repo has an inconsistent rename: packages/build uses
ModuleNotFound (referenced by MemberLocator) while packages/sourcing still
defines/exports and throws ModuleNotLoaded; fix by making the rename repo-wide
or scoping it. Either update packages/sourcing to rename the error class and all
exports/imports/throw sites from ModuleNotLoaded to ModuleNotFound (update the
class name, export names, import statements, and any throw new
ModuleNotLoaded(...) to throw new ModuleNotFound(...)), or revert packages/build
to use ModuleNotLoaded so names match; ensure all references (e.g., the error
class, exports, and MemberLocator imports) are updated consistently across both
packages.
In `@website/package.json`:
- Line 16: The package.json uses the cpx invocation cpx -u
"src/**/*.{svg,png,txt}" dist; instead of treating cpx2@9.0.0 as a breaking
concern, add a lightweight smoke test that runs that exact command and verifies
expected files were copied (e.g., check a couple of known svg/png/txt files
exist under dist) and wire it into CI or as an npm script so we can quickly
confirm that the -u flag and brace glob behave as expected; locate the cpx
invocation in package.json and add an npm script like "cpx-smoke" that executes
the same cpx command and a small existence-check step (shell or Node script) to
assert the copy worked.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 02e53440-14bc-4f9e-916b-91a98a238b7b
⛔ Files ignored due to path filters (3)
- documentation/package-lock.json is excluded by !**/package-lock.json
- package-lock.json is excluded by !**/package-lock.json
- website/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (33)
- .github/dependabot.yml
- .github/workflows/publish.yml
- package.json
- packages/analysis/vitest.config.ts
- packages/build/src/source/segment/errors/ModuleNotFound.ts
- packages/build/vitest.config.ts
- packages/cli/vitest.config.ts
- packages/configuration/vitest.config.ts
- packages/execution/vite.config.ts
- packages/execution/vitest.config.ts
- packages/health/vite.config.ts
- packages/health/vitest.config.ts
- packages/http/vite.config.ts
- packages/http/vitest.config.ts
- packages/init/vite.config.ts
- packages/init/vitest.config.ts
- packages/jitar/vite.config.ts
- packages/jitar/vitest.config.ts
- packages/logging/vite.config.ts
- packages/logging/vitest.config.ts
- packages/middleware/vite.config.ts
- packages/middleware/vitest.config.ts
- packages/runtime/vite.config.ts
- packages/runtime/vitest.config.ts
- packages/scheduling/vite.config.ts
- packages/scheduling/vitest.config.ts
- packages/services/vite.config.ts
- packages/services/vitest.config.ts
- packages/sourcing/vite.config.ts
- packages/sourcing/vitest.config.ts
- packages/validation/vite.config.ts
- packages/validation/vitest.config.ts
- website/package.json
💤 Files with no reviewable changes (12)
- packages/middleware/vite.config.ts
- packages/validation/vite.config.ts
- packages/health/vite.config.ts
- packages/sourcing/vite.config.ts
- packages/execution/vite.config.ts
- packages/runtime/vite.config.ts
- packages/init/vite.config.ts
- packages/http/vite.config.ts
- packages/services/vite.config.ts
- packages/jitar/vite.config.ts
- packages/logging/vite.config.ts
- packages/scheduling/vite.config.ts
| permissions: | ||
| id-token: write | ||
| contents: read |
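Review bot: `permissions:` sits at workflow level here, so `id-token: write` is granted to every job in the file rather than only to the one that publishes; with a single `publish` job, move the block under `jobs.publish` and add a one-line comment stating why `id-token: write` (OIDC npm provenance) and `contents: read` (checkout) are needed, which also clears both zizmor findings reported below.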
🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Scope permissions to job level and add explanatory comments.
Permissions should be scoped as narrowly as possible. Since there's only one job, move permissions to the job level. Additionally, document why these permissions are required for OIDC-based npm publishing.
🔐 Proposed refactor
-permissions:
- id-token: write
- contents: read
-
jobs:
publish:
runs-on: ubuntu-latest
+ # OIDC-based npm publish requires id-token: write for provenance and contents: read for checkout
+ permissions:
+ id-token: write
+ contents: read
environment:
🧰 Tools
🪛 zizmor (1.25.2)
[error] 8-8: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level
(excessive-permissions)
[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
| - name: ⚙️ Checkout Repository | ||
| uses: actions/checkout@v6 |
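Review bot: this checkout step neither sets `persist-credentials: false` nor pins `actions/checkout` to a commit SHA. For a publish workflow running with `id-token: write`, add `with: persist-credentials: false` so the GITHUB_TOKEN is not persisted into the checkout for later steps or artifacts, and replace `@v6` with the full commit SHA plus a trailing `# v6.x` comment (the later revision in this PR shows the pinned form `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3`).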
Add persist-credentials: false to prevent credential leakage.
When publishing packages, the workflow should not persist GitHub credentials in the checkout to minimize the risk of accidental credential exposure in subsequent steps.
🔒 Proposed fix
- name: ⚙️ Checkout Repository
uses: actions/checkout@v6
+ with:
+ persist-credentials: false
📝 Committable suggestion
| - name: ⚙️ Checkout Repository | |
| uses: actions/checkout@v6 | |
| - name: ⚙️ Checkout Repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check if there's a documented policy requiring SHA-pinned actions
# Search for security policy or workflow guidelines
fd -t f -e md -e txt . | xargs rg -l "pin.*action|SHA.*hash|commit.*hash" | head -10
Repository: MaskingTechnology/jitar
Length of output: 49
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== publish.yml =="
sed -n '1,120p' .github/workflows/publish.yml
echo
echo "== All uses: actions/ in workflows (unpinned/tags only) =="
rg --no-heading -n --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' \
'uses:\s*([^/@\s]+/[^/@\s]+)@([^#\s]+)' .github/workflows \
| head -n 200
echo
echo "== Look for SHA pinning / supply-chain policy docs (more broadly) =="
rg -n --hidden --glob '!**/node_modules/**' \
'pin actions|SHA-pinned|commit SHA|supply[- ]chain|pin to (commit|SHA)|workflow.*policy|policy.*actions' \
.github README* LICENSE* SECURITY* *.md 2>/dev/null || true
echo
echo "== Look for pinning policy keywords anywhere in repo =="
rg -n --hidden --glob '!**/node_modules/**' \
'pin actions|SHA-pinned|commit SHA|pin to commit|pin to SHA' . 2>/dev/null | head -n 50 || true
Repository: MaskingTechnology/jitar
Length of output: 1343
🏁 Script executed:
#!/bin/bash
nl -ba .github/workflows/publish.yml | sed -n '1,80p'
Repository: MaskingTechnology/jitar
Length of output: 108
🏁 Script executed:
#!/bin/bash
awk 'NR>=12 && NR<=30 {printf "%d:%s\n", NR, $0}' .github/workflows/publish.yml
Repository: MaskingTechnology/jitar
Length of output: 551
Pin GitHub Actions to commit SHAs (avoid @v6 tags)
.github/workflows/publish.yml uses tag-based actions: actions/checkout@v6 (17-18) and actions/setup-node@v6 (20-21).
- Update both uses: entries to the exact commit SHAs for the intended v6 releases (e.g., actions/checkout@<sha>, actions/setup-node@<sha>), optionally keeping a comment referencing the upstream tag.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
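The three zizmor findings quoted in the comments above (workflow-level permissions, `uses:` references pinned to a tag, and a checkout step without `persist-credentials: false`) are easy to reproduce with a small check of your own. The Node script below is an added example, not CodeRabbit's, zizmor's or the jitar project's code: it implements simplified, line-based versions of those three checks and runs them over two constructed, abbreviated workflow fragments modelled on the publish.yml excerpts in this review. The checkout SHA in the hardened fragment is the one quoted later in this PR; the fragments omit the `on:` trigger and are not the repository's real file.

```javascript
// Added example (not CodeRabbit's, zizmor's or the jitar project's code): a small
// line-based checker for the three publish.yml findings raised in this review:
// workflow-level `permissions:`, `uses:` refs not pinned to a full commit SHA, and
// actions/checkout steps without `persist-credentials: false`. It assumes 2-space
// indented YAML and does not parse full YAML; it illustrates the checks, no more.

const FULL_SHA = /^[0-9a-f]{40}$/;

const indentOf = (line) => line.length - line.trimStart().length;

// Returns the [start, end) line range of the step containing line `i`, where
// `keyIndent` is the indentation of the step's keys (name/uses/with) and
// `isStepStart` says whether line `i` is itself the `- ` list-item line.
function stepRange(lines, i, keyIndent, isStepStart) {
  let start = i;
  while (!isStepStart && start > 0) {
    const prev = lines[start - 1];
    if (prev.trim() === '' || indentOf(prev) >= keyIndent) { start--; continue; }
    // The `- name: ...` line that opens this step belongs to it as well.
    if (indentOf(prev) === keyIndent - 2 && prev.trim().startsWith('- ')) start--;
    break;
  }
  let end = i + 1;
  while (end < lines.length && (lines[end].trim() === '' || indentOf(lines[end]) >= keyIndent)) end++;
  return [start, end];
}

// True when the step around line `i` sets `persist-credentials: false`.
function checkoutDisablesCredentials(lines, i, keyIndent, isStepStart) {
  const [start, end] = stepRange(lines, i, keyIndent, isStepStart);
  return lines.slice(start, end).some((l) => indentOf(l) > keyIndent && l.trim() === 'persist-credentials: false');
}

// Scans workflow text and returns findings as {line, rule, message} objects
// (1-based line numbers, rule ids borrowed from the zizmor output quoted above).
function checkWorkflow(text) {
  const lines = text.split('\n');
  const findings = [];
  const report = (i, rule, message) => findings.push({ line: i + 1, rule, message });

  lines.forEach((line, i) => {
    const trimmed = line.trim();
    const indent = indentOf(line);
    const isStepStart = trimmed.startsWith('- ');
    const keyIndent = isStepStart ? indent + 2 : indent;

    // Rule 1: a column-0 `permissions:` block applies to every job in the workflow.
    if (indent === 0 && trimmed === 'permissions:') {
      report(i, 'excessive-permissions', 'workflow-level permissions; scope them to the publishing job');
    }

    // Rule 2: `uses: owner/repo@ref` should reference a full commit SHA, not a tag.
    const uses = trimmed.match(/^(?:-\s+)?uses:\s*([^@\s]+)@([^\s#]+)/);
    if (!uses) return;
    const [, action, ref] = uses;
    if (!FULL_SHA.test(ref)) report(i, 'unpinned-uses', `${action}@${ref} is not pinned to a commit SHA`);

    // Rule 3: checkout steps should disable credential persistence.
    if (action === 'actions/checkout' && !checkoutDisablesCredentials(lines, i, keyIndent, isStepStart)) {
      report(i, 'artipacked', 'actions/checkout does not set persist-credentials: false');
    }
  });
  return findings;
}

// Constructed, abbreviated workflows (no `on:` trigger) modelled on the publish.yml
// fragments quoted in this review; neither is the repository's real file.
const WORKFLOW_BEFORE = `name: Publish
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6
      - name: Setup Node
        uses: actions/setup-node@v6
`;

const WORKFLOW_AFTER = `name: Publish
jobs:
  publish:
    runs-on: ubuntu-latest
    # OIDC npm publish needs id-token: write; contents: read is enough for checkout
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
`;

console.log('before:', checkWorkflow(WORKFLOW_BEFORE)); // 4 findings
console.log('after:', checkWorkflow(WORKFLOW_AFTER));   // []
```

The "before" fragment yields four findings (the workflow-level `permissions:`, two unpinned `uses:` lines, and the checkout step without `persist-credentials: false`); the "after" fragment yields none. A real linter such as zizmor parses the YAML properly and knows many more rules; this script only shows what the three findings on this PR are looking for.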
| @@ -1,5 +1,5 @@ | |||
|
|
|||
| export default class ModuleNotLoaded extends Error | |||
| export default class ModuleNotFound extends Error | |||
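Review bot: the rename from `ModuleNotLoaded` to `ModuleNotFound` is applied only in packages/build; packages/sourcing still defines and throws `ModuleNotLoaded` (see the search results further down), so either complete the rename there or document that the two packages intentionally use different names. Since the hunk header `@@ -1,5 +1,5 @@` shows only the class declaration changing, also confirm that callers which reference the class by name (MemberLocator imports it) and any `instanceof` checks were updated to the new name.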
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Search for any remaining references to the old ModuleNotLoaded class name
# Search for imports, type references, or usage of ModuleNotLoaded
rg -n --type=ts -C3 '\bModuleNotLoaded\b'
Repository: MaskingTechnology/jitar
Length of output: 3355
🏁 Script executed:
#!/bin/bash
# Check where ModuleNotFound is defined and used
rg -n --type=ts -C3 '\bModuleNotFound\b' .
# Check whether the build-side ModuleNotFound is imported from the sourcing-side
rg -n --type=ts -C3 "ModuleNotFound" packages/build packages/sourcing
Repository: MaskingTechnology/jitar
Length of output: 4524
🏁 Script executed:
#!/bin/bash
# Search for old name only within packages/build
rg -n --type=ts -C3 '\bModuleNotLoaded\b' packages/build
Repository: MaskingTechnology/jitar
Length of output: 49
Rename consistency is correct in packages/build, but not repo-wide.
packages/build has no remaining ModuleNotLoaded references, and MemberLocator now imports/throws ModuleNotFound from packages/build/src/source/segment/errors/ModuleNotFound.ts.
packages/sourcing still defines/exports and throws ModuleNotLoaded (e.g., packages/sourcing/src/modules/errors/ModuleNotLoaded.ts), so either scope this rename check to packages/build or complete the rename in packages/sourcing.
| }, | ||
| "devDependencies": { | ||
| "cpx2": "^8.0.0", | ||
| "cpx2": "^9.0.0", |
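Review bot: `cpx2` jumps a major version (^8 to ^9) with no published changelog for the 8.0.0 to 9.0.0 transition (per the web query below), and the first review notes that the new website devDependencies require Node 22+ while the root `engines.node` still admits `^20.19.0`; add the smoke test that runs `cpx -u "src/**/*.{svg,png,txt}" dist` and checks a few known assets under `dist`, and align the root `engines.node` with the website's requirement so a Node 20 install does not produce engine warnings or a broken website build.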
🧩 Analysis chain
🌐 Web query:
What are the breaking changes in cpx2 version 9.0.0 compared to 8.0.0?
💡 Result:
As of June 10, 2026, version 9.0.0 of the cpx2 package has been published to npm (published on May 19, 2026) [1][2]. However, there is no publicly documented list of breaking changes, release notes, or a changelog explicitly detailing the transitions between version 8.0.0 and 9.0.0 in the primary cpx2 repository or its associated documentation [3][2]. Users upgrading to version 9.0.0 should be aware that cpx2 acts as a maintained fork of the original cpx package, intended to be a drop-in replacement for CLI usage, while requiring users to update their Node.js imports from cpx to cpx2 [3][4]. Given the lack of formal documentation regarding the 9.0.0 release, it is recommended to review the package.json dependency differences or test the package in a development environment to identify any potential breaking behavior [1][2]. Other software products with similar names, such as "Abilis CPX 2000" [5] or various unrelated tools [6][7][8], should not be confused with the cpx2 npm package.
Citations:
- 1: https://registry.npmjs.org/cpx2
- 2: https://www.npmjs.com/package/cpx2
- 3: https://github.com/bcomnes/cpx2
- 4: https://github.com/es-tooling/module-replacements/blob/main/docs/modules/cpx.md
- 5: https://support.abilis.net/relnotes/cpx2k/R9.0.html
- 6: https://gml.noaa.gov/aero/software/aerosols/cpx2.html
- 7: https://ftp/aftp.cmdl.noaa.gov/data/aer/doc/software/Using_CPX2.pdf
- 8: https://www.10xgenomics.com/support/software/cell-ranger/9.0/release-notes/cr-release-notes
🏁 Script executed:
#!/bin/bash
# Description: Test the cpx2 command syntax used in website build scripts
echo "=== Current cpx2 usage in scripts ==="
jq -r '.scripts | to_entries[] | select(.value | contains("cpx")) | "\(.key): \(.value)"' website/package.json
echo -e "\n=== cpx2 version in lockfile ==="
jq -r '.packages["node_modules/cpx2"].version // "not found"' website/package-lock.json
echo -e "\n=== Files matched by cpx glob pattern ==="
fd -e svg -e png -e txt . website/src/ | head -10
Repository: MaskingTechnology/jitar
Length of output: 701
Relax the request: cpx2 v9.0.0 breaking changes aren’t documented; focus on a build/script smoke test.
website/package.json uses cpx -u "src/**/*.{svg,png,txt}" dist and the lockfile resolves cpx2 to 9.0.0, but there’s no publicly documented 8.0.0→9.0.0 breaking-change list specifying CLI flag/glob behavior. Keep the check as a practical verification (ensure -u and the {svg,png,txt} brace glob still work), not as a major compatibility concern based on known breaking changes.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/nodejsci.yml:
- Line 20: The YAMLlint brackets rule is violated for the node-version matrix
entry; update the node-version matrix list (the line containing "node-version: [
22.x, 24.x ]") to remove the extra spaces inside the brackets so it reads
"node-version: [22.x, 24.x]" (or convert it to a block sequence with "- 22.x"
and "- 24.x") to satisfy YAMLlint.
In @.github/workflows/publish.yml:
- Around line 16-17: The workflow uses actions/checkout@... without disabling
credential persistence; update the checkout step that uses actions/checkout to
include a with block setting persist-credentials: false (i.e., add "with:
persist-credentials: false" to the Checkout step) so the GITHUB_TOKEN is not
persisted to subsequent steps/artifacts; ensure every checkout step across
workflows uses this same change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 18c5af4a-1288-4f74-bf1b-a49319542fbb
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
- .github/workflows/codeql.yml
- .github/workflows/nodejsci.yml
- .github/workflows/publish.yml
- package.json
| strategy: | ||
| matrix: | ||
| node-version: [ 20.x, 22.x, 24.x ] | ||
| node-version: [ 22.x, 24.x ] |
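Review bot: dropping `20.x` from the matrix means CI no longer exercises a Node version the root `package.json` still declares supported (`^20.19.0 || ^22.9.0 || >=24`, as quoted in the first review); either tighten `engines.node` to `>=22` in the same change or keep 20.x in the matrix. Separately, the spaces inside the brackets trip YAMLlint's `brackets` rule, so write `node-version: [22.x, 24.x]`.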
Fix YAMLlint bracket spacing in the matrix list.
This line violates YAMLlint’s brackets rule.
🧹 Proposed fix
- node-version: [ 22.x, 24.x ]
+ node-version: [22.x, 24.x]
📝 Committable suggestion
| node-version: [ 22.x, 24.x ] | |
| node-version: [22.x, 24.x] |
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 20-20: too many spaces inside brackets
(brackets)
[error] 20-20: too many spaces inside brackets
(brackets)
Source: Linters/SAST tools
| - name: ⚙️ Checkout Repository | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
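Review bot: the SHA pin with the trailing `# v6.0.3` comment resolves the earlier `unpinned-uses` finding, but this step still lacks `with: persist-credentials: false` (zizmor `artipacked`, reported below); add it here and in the other workflows' checkout steps so the GITHUB_TOKEN is not persisted for later steps or artifacts. Since this PR also touches `.github/dependabot.yml`, check that it covers the `github-actions` ecosystem so the pinned SHA keeps receiving update PRs.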
Shared root cause: actions/checkout credential persistence is enabled in multiple workflows.
Both workflows should set with.persist-credentials: false on checkout to reduce token exposure across later steps/artifacts.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
Fixes #786
Changes proposed in this pull request:
- release environment to prevent unauthorized publications
- ModuleNotFound
- vite.config.ts to vitest.config.ts to indicate vitest specific config
@MaskingTechnology/jitar