Chore node24 build migration #231
No actionable comments were generated in the recent review. 🎉
Walkthrough
This PR modernizes the GitHub Pages deploy workflow (bumped actions, Node.js 24, pnpm caching, and dynamic repo-derived commit author) and adds pnpm workspace and packageManager configuration for the site.
Changes
Build and Deployment Infrastructure
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-docs.yml:
- Around line 14-17: The workflow uses floating action refs and leaves checkout
credentials and pnpm sourcing unpinned: replace actions/checkout@v6,
pnpm/action-setup@v6, and actions/setup-node@v4 with their corresponding full
commit SHAs, add with: persist-credentials: false to the actions/checkout step,
and configure the pnpm/action-setup step to include explicit with.version and
with.package_json_file pointing to site/package.json so pnpm reads the correct
packageManager pin; ensure the setup-node step is also referenced by SHA and any
node-version is explicitly provided (or pinned) instead of relying on defaults.
📒 Files selected for processing (3)
- .github/workflows/deploy-docs.yml
- site/package.json
- site/pnpm-workspace.yaml
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| - uses: pnpm/action-setup@v6 | ||
| - uses: actions/setup-node@v4 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate and display the workflow section around the reported lines
FILE=".github/workflows/deploy-docs.yml"
echo "=== File: $FILE ==="
nl -ba "$FILE" | sed -n '1,120p'
echo "=== End excerpt ==="
# Grep for uses lines and relevant inputs
echo "=== action uses (context) ==="
rg -n "uses:\s|persist-credentials|pnpm/action-setup|setup-node" "$FILE" -n || true
# Show any with: blocks under pnpm/action-setup / checkout / setup-node
echo "=== pnpm/action-setup block ==="
rg -n "pnpm/action-setup" -n "$FILE" || true
# Print a small window around pnpm/action-setup
line=$(rg -n "pnpm/action-setup" "$FILE" | head -n1 | cut -d: -f1 || true)
if [[ -n "${line:-}" ]]; then
start=$((line-8)); end=$((line+20))
nl -ba "$FILE" | sed -n "${start},${end}p"
fi
echo "=== checkout persist-credentials ==="
rg -n "actions/checkout" "$FILE" || true
rg -n "persist-credentials" "$FILE" || true
echo "=== checkout node setup context ==="
rg -n "actions/checkout@|actions/setup-node@|setup-node@|actions/checkout" "$FILE" || true
Repository: Rat-OS/RatOS
Length of output: 165
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/deploy-docs.yml"
echo "=== File exists? ==="
ls -la "$FILE"
echo "=== Full file (with line numbers via awk) ==="
awk '{print FNR ":" $0}' "$FILE" | sed -n '1,220p'
echo "=== Focus: lines 1-80 (for reported range sanity) ==="
awk '{print FNR ":" $0}' "$FILE" | sed -n '1,80p'
echo "=== Matches: uses/setup/checkout/pnpm/action-setup ==="
rg -n "uses:\s*|actions/checkout|actions/setup-node|pnpm/action-setup|persist-credentials|with:" "$FILE" || true
echo "=== Extract checkout block (around uses: actions/checkout) ==="
line=$(rg -n "uses:\s*actions/checkout" "$FILE" | head -n1 | cut -d: -f1 || true)
if [[ -n "${line:-}" ]]; then
start=$((line-6)); end=$((line+12))
awk -v s="$start" -v e="$end" '{if(FNR>=s && FNR<=e) print FNR ":" $0}' "$FILE"
fi
echo "=== Extract pnpm/action-setup block ==="
line=$(rg -n "uses:\s*pnpm/action-setup" "$FILE" | head -n1 | cut -d: -f1 || true)
if [[ -n "${line:-}" ]]; then
start=$((line-6)); end=$((line+18))
awk -v s="$start" -v e="$end" '{if(FNR>=s && FNR<=e) print FNR ":" $0}' "$FILE"
fi
echo "=== Extract actions/setup-node block ==="
line=$(rg -n "uses:\s*actions/setup-node" "$FILE" | head -n1 | cut -d: -f1 || true)
if [[ -n "${line:-}" ]]; then
start=$((line-6)); end=$((line+14))
awk -v s="$start" -v e="$end" '{if(FNR>=s && FNR<=e) print FNR ":" $0}' "$FILE"
fi
Repository: Rat-OS/RatOS
Length of output: 5408
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Files ==="
ls -la
echo "=== site/package.json ==="
if [[ -f site/package.json ]]; then
sed -n '1,120p' site/package.json
echo "=== packageManager field ==="
rg -n '"packageManager"\s*:' site/package.json || true
else
echo "site/package.json not found"
fi
echo "=== root package.json ==="
if [[ -f package.json ]]; then
sed -n '1,120p' package.json
echo "=== packageManager field ==="
rg -n '"packageManager"\s*:' package.json || true
else
echo "root package.json not found"
fi
echo "=== Check if deploy-docs.yml has any persist-credentials or pnpm/action-setup with: config ==="
rg -n "persist-credentials|package_json_file|packageManager|with:" .github/workflows/deploy-docs.yml || true
Repository: Rat-OS/RatOS
Length of output: 3982
🌐 Web query:
actions/checkout persist-credentials default value
💡 Result:
The actions/checkout input persist-credentials has the default value true (i.e., it persists the token/credentials by default). This is stated by GitHub’s checkout documentation as “Default: true” for persist-credentials, and the docs also describe that it can be opted out by setting persist-credentials: false.[1][2] Brief context: when persist-credentials is enabled, the auth token is persisted in the local git config so later steps can run authenticated git commands; the token is removed during post-job cleanup, and you can disable persistence with persist-credentials: false.[1][2]
Citations:
- 1: https://github.com/actions/checkout/?tab=readme-ov-file
- 2: https://github.com/actions/checkout/tree/v4
🌐 Web query:
pnpm/action-setup package_json_file default reads repository root package.json packageManager input
💡 Result:
Default behavior: pnpm/action-setup’s package_json_file input defaults to reading package.json from the repository root (path “package.json”). [1] The action documents that package_json_file is optional with default value package.json. That means if you don’t set package_json_file, it will look for packageManager in the root-level package.json and (when you omit the version input) use the pnpm version from that packageManager field. [1] If your repo doesn’t have a root package.json or you want to point at a different one (e.g., a monorepo subfolder), you must set package_json_file accordingly. [1] (Implementation detail) The action also treats package_json_file as a path input and normalizes/expands it before using it to read the packageManager configuration. [2]
Citations:
- 1: https://github.com/pnpm/action-setup?tab=readme-ov-file
- 2: https://deepwiki.com/pnpm/action-setup/3.2-input-processing-system
🌐 Web query:
pnpm/action-setup inputs version package_json_file packageManager inference behavior
💡 Result:
pnpm/action-setup: inputs + version/packageManager inference behavior
1) with: version
- Meaning: “Version of pnpm to install.” [1]
- Optionality/inference:
  - It is optional when your repo’s package.json contains a packageManager field. [1]
  - Otherwise it is required. [1]
- “Version” parsing/inference: the input supports npm-style versioning formats such as exact versions (e.g. 6.24.1), version ranges (e.g. 6, 6.x.x, 6.24.x), caret ranges (e.g. ^6.24.1), wildcards (*), and also latest. [1]
2) with: package_json_file
- Meaning: Optional file path (default package.json) to read “packageManager” configuration from. [1]
- Inference behavior tie-in:
  - When you omit with.version, the action will read the packageManager field from the file specified by package_json_file (defaulting to package.json) to determine which pnpm version to install. [1]
3) packageManager field (conceptually, in your package.json)
- This is not an action input; it’s a field in the project’s package.json that pnpm/action-setup reads (from package_json_file) to infer the pnpm version when with.version is omitted. [1]
Overall decision logic
- If packageManager exists in the specified package_json_file: you may omit with.version and pnpm/action-setup installs the pnpm version from that field. [1]
- If packageManager does not exist: with.version becomes required. [1]
(Implementation note: the action’s input processing expands package_json_file and retrieves version via its input processing layer.) [2]
Citations:
- 1: https://github.com/pnpm/action-setup?tab=readme-ov-file
- 2: https://deepwiki.com/pnpm/action-setup/3.2-input-processing-system
Pin deploy-docs workflow action refs to SHAs and harden checkout/pnpm version sourcing
In .github/workflows/deploy-docs.yml (lines 14-17), actions/checkout@v6, pnpm/action-setup@v6, and actions/setup-node@v4 use floating tags—pin them to full commit SHAs. actions/checkout also lacks with: persist-credentials: false, so it keeps credentials (default is true).
Additionally, pnpm/action-setup@v6 has no with.version and no with.package_json_file, so it defaults to reading package.json from the repo root; this repo has no root package.json, so it won’t reliably use site/package.json’s packageManager pin.
🔒 Suggested hardening
- - name: Checkout
- uses: actions/checkout@v6
+ - name: Checkout
+ uses: actions/checkout@<FULL_COMMIT_SHA>
+ with:
+ persist-credentials: false
- - uses: pnpm/action-setup@v6
+ - uses: pnpm/action-setup@<FULL_COMMIT_SHA>
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@<FULL_COMMIT_SHA>🧰 Tools
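Review bot: On the pnpm/action-setup line, the suggestion only swaps @v6 for @<FULL_COMMIT_SHA> and adds no with: block, so the root package.json default described in the finding above is left in place. Add package_json_file: site/package.json under that step (or an explicit version) so the pnpm pin is actually read. It would also help to keep the tag as a trailing comment after each SHA, so the pinned release stays readable when the workflow is reviewed later.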
🪛 zizmor (1.25.2)
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
acbb7a7 to
debd785
Updates the docs site to use node v24 and a specific version of pnpm. Use corepack enable to allow it to manage the pnpm version, and then run corepack install locally for it to install the correct version of pnpm specified in the package.json.

This also updates the committer information in the deploy action to use the repository name and the actions@github.lcom email address.
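
A small check for the two findings raised in the review above (floating action refs, and actions/checkout without persist-credentials: false), as an added example that is not part of this PR, CodeRabbit or zizmor. The function names, the sample workflow and the SHA in it are constructed for illustration; the rule labels are borrowed from the zizmor output quoted in the review.

```python
import re

# Constructed sample mirroring the steps quoted in the review (not the repo's file).
SAMPLE = """\
jobs:
  deploy:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - uses: pnpm/action-setup@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
        with:
          node-version: 24
"""

# owner/repo@ref; local ./path actions have no "@ref" and are skipped.
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#@]+)@([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def persist_disabled(lines, uses_idx):
    """True if the step holding lines[uses_idx] sets persist-credentials: false."""
    start = uses_idx
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1                      # walk back to the "- " that opens the step
    indent = len(lines[start]) - len(lines[start].lstrip())
    for line in lines[start + 1:]:
        text = line.strip()
        if text and len(line) - len(line.lstrip()) <= indent:
            break                       # next step, or end of the steps list
        if PERSIST_OFF.match(text):
            return True
    return False

def audit(workflow_text):
    """Return (line_no, rule, subject) findings for one workflow file's text."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not FULL_SHA.fullmatch(ref):  # tags and branches can be moved later
            findings.append((i + 1, "unpinned-uses", f"{action}@{ref}"))
        if action == "actions/checkout" and not persist_disabled(lines, i):
            findings.append((i + 1, "artipacked", action))
    return findings

if __name__ == "__main__":
    for line_no, rule, subject in audit(SAMPLE):
        print(f"line {line_no}: {rule}: {subject}")
```

The check is line-based and assumes conventional step indentation; it does not parse YAML, so flow-style or unusually indented steps need a real parser.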