chore: standardize repository maintenance#869
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
❌ Deploy failed
📋 Build log (last lines)🤖 Powered by surge-preview |
|||||||||
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
Walkthrough站点构建与发布配置改为 Changes文档站点与自动化更新
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the documentation configuration, migrates the build output directory to docs-dist, cleans up configuration files, and significantly rewrites the README. Additionally, it introduces a Vercel configuration and updates the package.json scripts. The review feedback suggests using cross-env in the gh-pages script to ensure cross-platform compatibility and recommends decoupling the documentation deployment from the postpublish script to prevent publishing pipeline issues.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| "docs:build": "dumi build", | ||
| "docs:deploy": "gh-pages -d .doc", | ||
| "docs:deploy": "gh-pages -d docs-dist", | ||
| "gh-pages": "GH_PAGES=1 npm run docs:build && npm run docs:deploy", |
There was a problem hiding this comment.
Setting environment variables directly like GH_PAGES=1 is not cross-platform and will fail on Windows environments (e.g., in default Command Prompt or PowerShell).
To ensure cross-platform compatibility for all contributors, consider using cross-env.
Note: Please remember to add cross-env to your devDependencies (e.g., npm install --save-dev cross-env).
| "gh-pages": "GH_PAGES=1 npm run docs:build && npm run docs:deploy", | |
| "gh-pages": "cross-env GH_PAGES=1 npm run docs:build && npm run docs:deploy", |
| "now-build": "npm run docs:build", | ||
| "prepublishOnly": "npm run compile && rc-np", | ||
| "postpublish": "tnpm sync @rc-component/menu", | ||
| "postpublish": "npm run gh-pages && tnpm sync @rc-component/menu", |
There was a problem hiding this comment.
Running documentation deployment (npm run gh-pages) inside the postpublish script can be problematic:
- It significantly slows down the publishing process for maintainers.
- It requires the publishing environment (or maintainer's local machine) to have write access to the repository's
gh-pagesbranch, which might fail in automated CI/CD release pipelines or for certain maintainers. - If the deployment fails, the
npm publishcommand will exit with a non-zero code even though the package has already been successfully published to the registry.
It is generally recommended to decouple documentation deployment from the package publishing lifecycle and instead automate it via a GitHub Actions workflow triggered on pushes/merges to the main branch.
| "postpublish": "npm run gh-pages && tnpm sync @rc-component/menu", | |
| "postpublish": "tnpm sync @rc-component/menu", |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #869 +/- ##
=======================================
Coverage 99.72% 99.72%
=======================================
Files 26 26
Lines 734 734
Branches 205 205
=======================================
Hits 732 732
Misses 2 2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/react-doctor.yml (1)
9-13: 🔒 Security & Privacy | 🔵 Trivial请移除
push场景下的不必要写权限,遵循最小权限原则。根据
millionco/react-doctor官方文档,该 Action 仅需contents: read即可运行。pull-requests: write、issues: write和statuses: write仅在需要在 PR 上发表评论或更新提交状态时必需。当工作流在push事件(如推送到主分支)触发时,这些写权限通常是不必要的。当前配置将写权限应用于所有push事件,扩大了GITHUB_TOKEN的攻击面。建议将权限配置拆分:仅针对
pull_request事件授予写权限,或为push事件定义仅包含contents: read的专用权限块。建议的权限配置示例
permissions: contents: read # 默认仅保留读权限 # 针对需要写权限的 PR 事件进行覆盖 on: pull_request: permissions: contents: read pull-requests: write issues: write statuses: write push: permissions: contents: read🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/react-doctor.yml around lines 9 - 13, The workflow permissions are too broad for push-triggered runs, so split the permissions in react-doctor.yml to keep only contents: read for push while reserving pull-requests: write, issues: write, and statuses: write for pull_request runs. Update the workflow-level permissions block and the on: pull_request / on: push configuration so the React Doctor action still has write access only when it needs to comment or update statuses, using the existing permissions and react-doctor job setup as the anchor points.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/react-component-ci.yml:
- Around line 6-8: Update the reusable workflow call in the test job to avoid
drift and overexposure of secrets: replace the current react-component/rc-test
workflow reference in the test job from the moving branch target to the pinned
SHA b8ebddc81ef706b50faff0242ab34ad8ecdd9a59, and remove secrets: inherit so
only the required CODECOV_TOKEN is passed explicitly via the test job’s secrets
block.
In `@README.md`:
- Line 112: Update the README prop table entry for overflowedIndicator so the
Default column matches the actual default used in Menu.tsx: change the generic
... to the string literal "..." and keep the description aligned with the
default value shown by the overflowedIndicator prop.
- Around line 130-153: `ItemType` 中 `type: 'submenu'` 的 `key` 限制为 string
需要补充原因说明,避免和 `type: 'item'` 允许 React.Key 的设计混淆。请在 `SubMenuType` 的 `key`
定义附近添加注释,明确这是为了匹配 `Menu` 组件的 `openKeys` / `defaultOpenKeys`(以及相关
`selectedKeys`)使用 string[] 的约束;同时保留 `MenuItemType` 使用 React.Key 的现状,并说明其在内部如
`onSelect` 处理时会统一转成 string。
In `@tsconfig.json`:
- Around line 16-17: TypeScript checking is pulling in the JavaScript config
file via the tsconfig.json include list, which will fail under tsc --noEmit
without allowJs. Update the tsconfig.json include configuration by removing
.fatherrc.js unless it must be type-checked, or alternatively enable allowJs in
compilerOptions if that file should stay included. Keep the fix localized to the
include/compilerOptions settings so the tsc check script stops hitting TS6504.
---
Nitpick comments:
In @.github/workflows/react-doctor.yml:
- Around line 9-13: The workflow permissions are too broad for push-triggered
runs, so split the permissions in react-doctor.yml to keep only contents: read
for push while reserving pull-requests: write, issues: write, and statuses:
write for pull_request runs. Update the workflow-level permissions block and the
on: pull_request / on: push configuration so the React Doctor action still has
write access only when it needs to comment or update statuses, using the
existing permissions and react-doctor job setup as the anchor points.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5d94616a-9097-4b0e-8dd8-ae31330ee3c7
📒 Files selected for processing (14)
.dumirc.ts.github/FUNDING.yml.github/workflows/cloudflare-pages-preview.yml.github/workflows/codeql.yml.github/workflows/main.yml.github/workflows/react-component-ci.yml.github/workflows/react-doctor.yml.github/workflows/surge-preview.yml.gitignoreREADME.mdnow.jsonpackage.jsontsconfig.jsonvercel.json
💤 Files with no reviewable changes (2)
- now.json
- .github/workflows/main.yml
| test: | ||
| uses: react-component/rc-test/.github/workflows/test-utoo.yml@main | ||
| secrets: inherit |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Resolved SHA for react-component/rc-test@main:"
gh api repos/react-component/rc-test/commits/main --jq '.sha'
echo
echo "Reusable workflow definition:"
gh api repos/react-component/rc-test/contents/.github/workflows/test-utoo.yml?ref=main --jq '.content' \
| base64 -d \
| sed -n '1,220p'Repository: react-component/menu
Length of output: 809
请固定复用工作流版本并收窄 secrets 暴露面。
当前配置引用 @main 分支且使用 secrets: inherit,存在上游代码漂移风险和敏感信息过度暴露风险。经核实,上游工作流实际需要 CODECOV_TOKEN,建议锁定提交版本并仅传递该必要密钥。
具体建议:
- 将
uses版本锁定为 SHA:b8ebddc81ef706b50faff0242ab34ad8ecdd9a59 - 移除
secrets: inherit,改为显式配置CODECOV_TOKEN
建议修改
test:
uses: react-component/rc-test/.github/workflows/test-utoo.yml@b8ebddc81ef706b50faff0242ab34ad8ecdd9a59
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}🧰 Tools
🪛 zizmor (1.26.1)
[error] 7-7: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 7-7: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow
(secrets-inherit)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/react-component-ci.yml around lines 6 - 8, Update the
reusable workflow call in the test job to avoid drift and overexposure of
secrets: replace the current react-component/rc-test workflow reference in the
test job from the moving branch target to the pinned SHA
b8ebddc81ef706b50faff0242ab34ad8ecdd9a59, and remove secrets: inherit so only
the required CODECOV_TOKEN is passed explicitly via the test job’s secrets
block.
Source: Linters/SAST tools
| "include": ["src", "docs", ".dumirc.ts", ".fatherrc.js"], | ||
| "exclude": ["node_modules", "lib", "es", "dist", "docs-dist", ".dumi"] |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major
🧩 Analysis chain
🌐 Web query:
Does TypeScript emit error TS6504 when a .js file is explicitly listed in tsconfig include without allowJs enabled?
💡 Result:
Yes, TypeScript will emit error TS6504 if a.js file is explicitly included in the project via the tsconfig.json files or include arrays while allowJs is disabled [1][2][3]. When allowJs is set to false (the default), the TypeScript compiler restricts valid input files to supported extensions—specifically.ts,.tsx, and.d.ts [4][5][2]. If a.js file is explicitly provided to the compiler, either via the configuration file or directly as a command-line argument, TypeScript identifies it as a JavaScript file and raises TS6504, suggesting that the allowJs option should be enabled to process such files [6][2][7]. It is important to note that TypeScript ignores the tsconfig.json file if you pass specific source files as arguments directly to the tsc command-line tool [7][8]. In such cases, the compiler defaults to its internal settings (where allowJs is false), which will also trigger this error even if your configuration file has allowJs set to true [5][8]. To ensure your configuration is respected, you should run tsc without specifying individual files, allowing it to pick up the configuration automatically [7][8].
Citations:
- 1: https://stackoverflow.com/questions/61164308/file-path-hello-js-is-a-javascript-file-did-you-mean-to-enable-the-allowjs
- 2: microsoft/TypeScript@9a3ec5f
- 3: https://stackoverflow.com/questions/72639233/why-does-my-vue-file-cause-a-ts6504-error-and-ask-me-if-i-meant-to-allowjs
- 4: https://www.typescriptlang.org/tsconfig/allowJs.html
- 5: https://stackoverflow.com/questions/48371964/tsconfig-json-doesnt-care-about-allowjs
- 6: https://typescript.tv/errors/ts6504
- 7: File is a Javascript file. Did you mean to enable the 'allowJs' option? gilamran/tsc-watch#106
- 8: https://stackoverflow.com/questions/60478889/running-tsc-command-does-nothing-ignores-tsconfig-file
include 中的 .fatherrc.js 将导致 tsc --noEmit 报错 TS6504
tsconfig.json 的 include 字段显式包含了 JavaScript 文件 .fatherrc.js,但 compilerOptions 未启用 allowJs。TypeScript 默认禁止直接编译或检查 .js 文件,这会触发 TS6504 错误(“Did you mean to enable the 'allowJs' option?”),导致新的 tsc 检查脚本失败。
建议方案(二选一):
- 移除 JS 文件(推荐):如果无需对
.fatherrc.js进行类型检查,将其从include中删除。 - 启用 JS 支持:在
compilerOptions中添加"allowJs": true(如需检查该 JS 文件)。
🔧 建议修改
- "include": ["src", "docs", ".dumirc.ts", ".fatherrc.js"],
+ "include": ["src", "docs", ".dumirc.ts"],📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "include": ["src", "docs", ".dumirc.ts", ".fatherrc.js"], | |
| "exclude": ["node_modules", "lib", "es", "dist", "docs-dist", ".dumi"] | |
| "include": ["src", "docs", ".dumirc.ts"], | |
| "exclude": ["node_modules", "lib", "es", "dist", "docs-dist", ".dumi"] |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tsconfig.json` around lines 16 - 17, TypeScript checking is pulling in the
JavaScript config file via the tsconfig.json include list, which will fail under
tsc --noEmit without allowJs. Update the tsconfig.json include configuration by
removing .fatherrc.js unless it must be type-checked, or alternatively enable
allowJs in compilerOptions if that file should stay included. Keep the fix
localized to the include/compilerOptions settings so the tsc check script stops
hitting TS6504.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Deployment failed with the following error: Learn More: https://vercel.com/afc163s-projects?upgradeToPro=build-rate-limit |
1 participant
Summary
docs-dist, replace legacynow.jsonwithvercel.json, and addtsc/ docs build scripts for local and preview validation.Test Plan
npm installnpx prettier --check README.md package.json .dumirc.ts tsconfig.json vercel.json .github/FUNDING.yml .github/workflows/*.ymlnpm run lintnpm run tscnpm test -- --runInBandnpm run compilenpm run buildnpx vercel build --yesSummary by CodeRabbit
Refs ant-design/ant-design#58514