feat: add CI/CD, security, and dev infrastructure (3→13/13)#28
feat: add CI/CD, security, and dev infrastructure (3→13/13)#28Clarence Etnel (c6zks4gssn-droid) wants to merge 1 commit into
Conversation
Added by Bonanza Labs using Fork Doctor v0.2.0 - GitHub Actions CI/CD (multi-node matrix) - CodeQL security scanning (weekly) - Dependabot configuration (npm + actions) - Pre-commit hooks (ESLint + standard) - Issue templates (bug + feature) - PR template - Dev Container config (TypeScript + Bun) - SBOM generation workflow (SPDX) - Performance benchmark workflow - BONANZA_IMPROVEMENTS.md Score: 3/13 → 13/13
Clarence Etnel (c6zks4gssn-droid)
requested a review
from Ryan Zhu (underthestars-zhy)
as a code owner
📝 WalkthroughWalkthroughThis pull request adds comprehensive development infrastructure and CI/CD configuration to the Spectrum project, including a TypeScript/Bun dev container, GitHub Actions workflows for continuous integration, security scanning, dependency management, pre-commit hooks, standardized issue and pull request templates, and supporting documentation. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (2)
.github/workflows/codeql.yml (1)
14-21: Add missingpermissionsand acategoryfor the analyze step.Minor hardening for the CodeQL job:
- Explicitly grant
contents: read(andactions: read, required for private repos and recommended generally) in addition tosecurity-events: write. Relying on default permissions is brittle if the repo default is ever tightened.- Pass
category: "/language:typescript"toanalyze@v3so results are properly namespaced — this matters once you add more languages or analysis variants.Proposed change
permissions: + contents: read + actions: read security-events: write steps: - uses: actions/checkout@v4 - uses: github/codeql-action/init@v3 with: languages: typescript - uses: github/codeql-action/analyze@v3 + with: + category: "/language:typescript"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/codeql.yml around lines 14 - 21, The workflow is missing explicit repository read permissions and a category for CodeQL analyze; update the permissions block to include contents: read and actions: read alongside security-events: write, and add category: "/language:typescript" to the github/codeql-action/analyze@v3 step so results are properly namespaced; locate and modify the existing permissions section and the analyze step (look for the permissions: security-events: write entry and the - uses: github/codeql-action/analyze@v3 step) to apply these changes..github/workflows/ci.yml (1)
12-14: Node 18 is EOL.Node.js 18 reached end-of-life in April 2025. Consider dropping 18 from the matrix and testing on 20/22 (and optionally 24) instead.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml around lines 12 - 14, Update the CI matrix under strategy.matrix.node-version to remove Node 18 (currently [18, 20, 22]) so it only tests supported LTS versions (e.g., [20, 22]); optionally add 24 if you want to include the next LTS. Locate the node-version entry in the workflow YAML (strategy.matrix.node-version) and replace the array to drop 18 (and add 24 if desired), keeping the rest of the matrix unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/benchmark.yml:
- Around line 16-19: The benchmark workflow currently runs npm ci and then
attempts npm run benchmark --if-present which silently does nothing because
there is no "benchmark" script; either add a real "benchmark" npm script in
package.json (e.g., "benchmark": "node ./bench/run.js" or a runner that outputs
JUnit/JSON) and wire a benchmarking action (such as
benchmark-action/github-action-benchmark) to persist/compare results, or
remove/disable the "Run benchmarks" step and the workflow until benchmarks exist
to avoid misleading successful runs; also ensure the workflow uses npm install
instead of npm ci if there is no committed package-lock.json (or commit
package-lock.json) to avoid npm ci failures.
In @.github/workflows/ci.yml:
- Line 20: CI currently runs "npm ci" which conflicts with package.json's
packageManager "bun@1.3.5" and will fail without lockfiles; replace each "npm
ci" invocation in the CI workflow (both occurrences of the string "npm ci") with
"bun install" so the workflow uses Bun as the package manager and installs
dependencies correctly.
- Around line 21-32: The CI workflow currently uses optional flags and calls to
scripts that don't exist (npm test, npm run lint) so quality gates are silently
skipped; update the workflow to call the actual scripts defined in package.json
(e.g., replace npm test and npm run lint with npm run check and any other
concrete scripts like npm run fix if desired) and remove --if-present from
required steps (for example remove --if-present from the build/check commands)
so missing scripts fail the job; change the job step commands in the lint and
build jobs (referencing the existing job names and the commands npm run build,
npm test, npm run lint, npm run check, and the --if-present flag) accordingly to
ensure CI fails loudly when scripts are absent.
In @.github/workflows/sbom.yml:
- Around line 13-17: The SBOM step currently scans the upstream image
(anchore/sbom-action with image: node:22) instead of this repo; update the SBOM
action config to scan the checked-out workspace (use the action's directory/path
input such as path: . or target: . instead of image: node:22) so it inventories
package.json/bun.lockb/package-lock.json and write to output-file:
sbom.spdx.json; also update the workflow triggers to run on push to main (or
release tags) in addition to the weekly cron so the SBOM reflects shipped code.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 12-14: Update the CI matrix under strategy.matrix.node-version to
remove Node 18 (currently [18, 20, 22]) so it only tests supported LTS versions
(e.g., [20, 22]); optionally add 24 if you want to include the next LTS. Locate
the node-version entry in the workflow YAML (strategy.matrix.node-version) and
replace the array to drop 18 (and add 24 if desired), keeping the rest of the
matrix unchanged.
In @.github/workflows/codeql.yml:
- Around line 14-21: The workflow is missing explicit repository read
permissions and a category for CodeQL analyze; update the permissions block to
include contents: read and actions: read alongside security-events: write, and
add category: "/language:typescript" to the github/codeql-action/analyze@v3 step
so results are properly namespaced; locate and modify the existing permissions
section and the analyze step (look for the permissions: security-events: write
entry and the - uses: github/codeql-action/analyze@v3 step) to apply these
changes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c94746cf-ac20-4b20-92e2-5b722d49cdf3
📒 Files selected for processing (11)
.devcontainer/devcontainer.json.github/ISSUE_TEMPLATE/bug_report.md.github/ISSUE_TEMPLATE/feature_request.md.github/PULL_REQUEST_TEMPLATE.md.github/dependabot.yml.github/workflows/benchmark.yml.github/workflows/ci.yml.github/workflows/codeql.yml.github/workflows/sbom.yml.pre-commit-config.yamlBONANZA_IMPROVEMENTS.md
📜 Review details
🔇 Additional comments (6)
.github/dependabot.yml (1)
1-11: LGTM!Dependabot configuration is valid and covers both npm and GitHub Actions on a sensible weekly cadence.
.github/ISSUE_TEMPLATE/bug_report.md (1)
1-23: LGTM!Front matter and sections are well-formed.
.github/ISSUE_TEMPLATE/feature_request.md (1)
1-18: LGTM!.devcontainer/devcontainer.json (1)
1-13: LGTM!Dev container config is minimal and correct;
postCreateCommand: bun installpairs well with the Bun feature..github/PULL_REQUEST_TEMPLATE.md (1)
14-14:CONTRIBUTING.mdexists in the repository, so the checklist reference is valid. No action needed.> Likely an incorrect or invalid review comment..pre-commit-config.yaml (1)
2-7: [rewritten review comment]
[classification tag]
| - run: npm ci | ||
| - run: npm run build --if-present | ||
| - name: Run benchmarks | ||
| run: npm run benchmark --if-present || echo "No benchmarks configured yet" |
There was a problem hiding this comment.
Benchmark job is effectively a no-op.
package.json does not define a benchmark script, so npm run benchmark --if-present will silently skip and the fallback echo will print on every push to main. Either add a real benchmark script (and persist/compare results, e.g., via benchmark-action/github-action-benchmark) or remove this workflow until benchmarks exist to avoid misleading "✅" signals.
Also, npm ci assumes a committed package-lock.json — see the corresponding comment on ci.yml.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/benchmark.yml around lines 16 - 19, The benchmark workflow
currently runs npm ci and then attempts npm run benchmark --if-present which
silently does nothing because there is no "benchmark" script; either add a real
"benchmark" npm script in package.json (e.g., "benchmark": "node ./bench/run.js"
or a runner that outputs JUnit/JSON) and wire a benchmarking action (such as
benchmark-action/github-action-benchmark) to persist/compare results, or
remove/disable the "Run benchmarks" step and the workflow until benchmarks exist
to avoid misleading successful runs; also ensure the workflow uses npm install
instead of npm ci if there is no committed package-lock.json (or commit
package-lock.json) to avoid npm ci failures.
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ matrix.node-version }} | ||
| - run: npm ci |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
fd -H -t f '^(package-lock\.json|bun\.lockb|pnpm-lock\.yaml|yarn\.lock)$' -d 2Repository: photon-hq/spectrum-ts
Length of output: 47
🏁 Script executed:
# Search for lock files at any depth in the entire repository
fd -H -t f '(package-lock\.json|bun\.lockb|pnpm-lock\.yaml|yarn\.lock)$'Repository: photon-hq/spectrum-ts
Length of output: 47
🏁 Script executed:
# Check if package.json exists and what package manager is specified
if [ -f package.json ]; then
echo "=== package.json exists ==="
head -30 package.json
fiRepository: photon-hq/spectrum-ts
Length of output: 495
🏁 Script executed:
# Check the CI workflow file to understand the full context
if [ -f .github/workflows/ci.yml ]; then
echo "=== CI Workflow ==="
cat -n .github/workflows/ci.yml | head -50
fiRepository: photon-hq/spectrum-ts
Length of output: 952
🏁 Script executed:
# Search for turbo configuration
fd -H -t f 'turbo\.json|\.turborc|\.turborc\.json'Repository: photon-hq/spectrum-ts
Length of output: 75
Replace npm ci with the correct package manager installation for Bun.
The repository declares "packageManager": "bun@1.3.5" in package.json but the CI workflow uses npm ci on lines 20 and 31. No lock files exist (package-lock.json, bun.lockb, pnpm-lock.yaml, or yarn.lock), so npm ci will fail immediately with every CI run. Use bun install instead to match the declared package manager.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/ci.yml at line 20, CI currently runs "npm ci" which
conflicts with package.json's packageManager "bun@1.3.5" and will fail without
lockfiles; replace each "npm ci" invocation in the CI workflow (both occurrences
of the string "npm ci") with "bun install" so the workflow uses Bun as the
package manager and installs dependencies correctly.
| - run: npm run build --if-present | ||
| - run: npm test --if-present | ||
|
|
||
| lint: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 22 | ||
| - run: npm ci | ||
| - run: npm run lint --if-present |
There was a problem hiding this comment.
CI silently skips quality gates — test/lint scripts don't exist.
package.json only defines build, dev, check, and fix scripts. Because every step uses --if-present, npm test and npm run lint will no-op, so this workflow provides no real lint or test coverage despite appearing green. Also, npm run build under turbo build will run but CI contributes nothing beyond that.
Consider invoking the scripts that actually exist (e.g., npm run check for linting via ultracite) and dropping --if-present on required steps so missing scripts fail loudly.
Proposed fix
- - run: npm ci
- - run: npm run build --if-present
- - run: npm test --if-present
+ - run: npm ci
+ - run: npm run build
+ - run: npm test --if-present
...
- - run: npm ci
- - run: npm run lint --if-present
+ - run: npm ci
+ - run: npm run check🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/ci.yml around lines 21 - 32, The CI workflow currently
uses optional flags and calls to scripts that don't exist (npm test, npm run
lint) so quality gates are silently skipped; update the workflow to call the
actual scripts defined in package.json (e.g., replace npm test and npm run lint
with npm run check and any other concrete scripts like npm run fix if desired)
and remove --if-present from required steps (for example remove --if-present
from the build/check commands) so missing scripts fail the job; change the job
step commands in the lint and build jobs (referencing the existing job names and
the commands npm run build, npm test, npm run lint, npm run check, and the
--if-present flag) accordingly to ensure CI fails loudly when scripts are
absent.
| - uses: anchore/sbom-action@v0 | ||
| with: | ||
| image: node:22 | ||
| format: spdx-json | ||
| output-file: sbom.spdx.json |
There was a problem hiding this comment.
SBOM scans the wrong target — it inventories node:22, not this project.
Using image: node:22 produces an SBOM of the upstream Node.js Docker image rather than Spectrum-TS's own source/dependencies. For a project SBOM that actually reflects this repo's supply chain, scan the checked-out workspace (which will pick up package.json/bun.lockb/package-lock.json).
Proposed change
- uses: actions/checkout@v4
- uses: anchore/sbom-action@v0
with:
- image: node:22
- format: spdx-json
+ path: .
+ format: spdx-json
output-file: sbom.spdx.jsonAlso worth considering: run this on push to main (or on release tags) in addition to the weekly cron, so the SBOM reflects the actual shipped code rather than whatever happened to be on main at 06:00 Monday.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: anchore/sbom-action@v0 | |
| with: | |
| image: node:22 | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| path: . | |
| format: spdx-json | |
| output-file: sbom.spdx.json |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/sbom.yml around lines 13 - 17, The SBOM step currently
scans the upstream image (anchore/sbom-action with image: node:22) instead of
this repo; update the SBOM action config to scan the checked-out workspace (use
the action's directory/path input such as path: . or target: . instead of image:
node:22) so it inventories package.json/bun.lockb/package-lock.json and write to
output-file: sbom.spdx.json; also update the workflow triggers to run on push to
main (or release tags) in addition to the weekly cron so the SBOM reflects
shipped code.
1 participant
Infrastructure Improvements
This PR adds 10 missing infrastructure checks to bring Spectrum-TS from 3/13 to 13/13.
Added (10 checks)
Score: 3/13 → 13/13 🏥
Built with Fork Doctor by Bonanza Labs
Summary by CodeRabbit
Documentation
Chores