feat(react): add react package and example #29
| @cursor review | 
✅ Bugbot reviewed your changes and found no bugs!
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
      Copilot Autofix
AI 17 days ago
To fix the problem, add a permissions: block either at the workflow root (to affect all jobs) or to the specific job that requires it (in this case, the build job). The permissions should follow the principle of least privilege. Since the workflow appears to build and publish a package via a third-party tool and does not (in the shown steps) directly create pull requests, modify issues, or push to repo contents, it’s likely that only contents: read is needed. However, if the publishing tool requires broader GitHub permissions (e.g., contents: write or packages: write), those should be added, ideally after testing. For now, insert the minimal block for safety.
Insert the following block just below the workflow name: and before on: (affecting all jobs), or inside the job as shown in the background—here we will add it at the workflow root for clarity.
| @@ -1,4 +1,6 @@ | ||
| name: Publish Preview Package (Next.js) | ||
| permissions: | ||
| contents: read | ||
| on: [push, pull_request] | ||
|  | ||
| jobs: | 
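Review bot: the new permissions: block is wedged between name: and on: with no blank lines, while the same block in publish-react.yaml sits after the trigger section with a blank line on each side. Place it after on: and set it off with blank lines here as well, so the three workflows read the same way.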
| name: Publish Preview Package (React.js) | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} | ||
| TURBO_TEAM: ${{ vars.TURBO_TEAM }} | ||
|  | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|  | ||
| - name: Enable Corepack | ||
| run: npm i -g corepack@latest && corepack enable | ||
|  | ||
| - name: Setup Node.js v22 LTS | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 22 | ||
| cache: "pnpm" | ||
|  | ||
| - name: Cache Turborepo build setup | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .turbo | ||
| key: ${{ runner.os }}-turbo-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-turbo- | ||
|  | ||
| - name: Install dependencies | ||
| run: pnpm install | ||
|  | ||
| - name: Build package | ||
| run: pnpm build --filter=@simpleanalytics/react | ||
|  | ||
| - name: Publish React preview package | ||
| run: pnpx pkg-pr-new publish './packages/react' | 
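Review bot: TURBO_TOKEN and TURBO_TEAM are set in the job-level env:, so every step inherits them, including the final pnpx pkg-pr-new publish step, which fetches and runs a package with no version pinned. Move the env: block onto the Build package step (pnpm build --filter=@simpleanalytics/react) and pin pkg-pr-new to a fixed version.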
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
      Copilot Autofix
AI 17 days ago
To resolve this issue, add an explicit permissions block to the workflow (just below the name or at the root, above on:) or specifically to the build job. Since the current workflow steps do not appear to require write access to repository contents or pull requests, the minimal safe permissions setting is contents: read. This restricts the automatic GITHUB_TOKEN to read-only access, significantly reducing risk. The edit should be made to the beginning of the .github/workflows/publish-preview-react.yaml file, either immediately after name: or within the build job definition.
| @@ -1,4 +1,6 @@ | ||
| name: Publish Preview Package (React.js) | ||
| permissions: | ||
| contents: read | ||
| on: [push, pull_request] | ||
|  | ||
| jobs: | 
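Review bot: with contents: read at the workflow root, every scope not listed is set to none for the GITHUB_TOKEN, and this workflow runs on pull_request and ends in pnpx pkg-pr-new publish. Confirm on a pull request run that the publish step still succeeds before merging, and add any further scope it turns out to need explicitly rather than dropping the block.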
| name: Release Package (React.js) | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} | ||
| TURBO_TEAM: ${{ vars.TURBO_TEAM }} | ||
|  | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|  | ||
| - name: Enable Corepack | ||
| run: npm i -g corepack@latest && corepack enable | ||
|  | ||
| - name: Setup Node.js v22 LTS | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 22 | ||
| cache: "pnpm" | ||
| registry-url: https://registry.npmjs.org | ||
|  | ||
| - name: Cache Turborepo build setup | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .turbo | ||
| key: ${{ runner.os }}-turbo-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-turbo- | ||
|  | ||
| - name: Install dependencies | ||
| run: pnpm install | ||
|  | ||
| - name: Build package | ||
| run: pnpm build --filter=@simpleanalytics/react | ||
|  | ||
| - name: Publish package | ||
| shell: bash | ||
| run: pnpm publish --filter=@simpleanalytics/react --access public --no-git-checks | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | 
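Review bot: the release job hands NODE_AUTH_TOKEN (secrets.NPM_TOKEN) to pnpm publish, yet everything it runs beforehand is referenced by a mutable tag: actions/checkout@v4, actions/setup-node@v4, actions/cache@v4 and npm i -g corepack@latest. Pin the actions to full commit SHAs and corepack to a fixed version, so that a retagged action or a new corepack release cannot change what gets built and published.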
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
      Copilot Autofix
AI 17 days ago
To fix the problem, you should add an explicit permissions block to the workflow, restricting the default token scope to the minimal required privileges. For this workflow, only read access to repository contents is necessary, since all publishing is handled with separate npm authentication and there are no steps that require write access to the repo, issues, or PRs. The best place to add this is right after the workflow name and on fields, before jobs, to apply it globally unless a job overrides it.
- Edit .github/workflows/publish-react.yaml.
- Insert the following lines:
      permissions:
        contents: read
  just after the on: section, before jobs:.
| @@ -7,6 +7,9 @@ | ||
|  | ||
| concurrency: ${{ github.workflow }}-${{ github.ref }} | ||
|  | ||
| permissions: | ||
| contents: read | ||
|  | ||
| jobs: | ||
| release: | ||
| name: Release Package (React.js) | 
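A local check for the finding discussed in the three Autofix comments above, as an added example that is not part of this pull request, CodeQL or Copilot Autofix: it reports the jobs in a workflow that have neither a root-level nor a job-level permissions: key. The sample workflow is constructed; its indentation is an assumption, since the page does not show it, and the job id build is taken from the Autofix text.

```python
import re

KEY = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")

def jobs_without_permissions(workflow_text):
    """Return ids of jobs with no explicit GITHUB_TOKEN scope: no root-level
    and no job-level `permissions:` key. Handles block-style YAML only."""
    root_perms, in_jobs = False, False
    job_indent = key_indent = current = None
    covered = {}                      # job id -> has job-level permissions
    for raw in workflow_text.splitlines():
        m = KEY.match(raw)
        if not m:                     # list items, scalars, comments, blanks
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:               # top-level key
            in_jobs = key == "jobs"
            root_perms = root_perms or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent   # first key under jobs: sets the level
            if indent == job_indent:  # a job id
                current, key_indent = key, None
                covered[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent
                if indent == key_indent and key == "permissions":
                    covered[current] = True
    return [] if root_perms else [j for j, ok in covered.items() if not ok]

# Constructed sample modelled on the workflow in this PR; the indentation is
# an assumption (the page does not show it).
BEFORE = """\
name: Publish Preview Package (React.js)
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Publish React preview package
        run: pnpx pkg-pr-new publish './packages/react'
"""
ROOT_FIX = BEFORE.replace("on: [", "permissions:\n  contents: read\non: [")
JOB_FIX = BEFORE.replace("    runs-on", "    permissions:\n      contents: read\n    runs-on")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("root", ROOT_FIX), ("job", JOB_FIX)):
        print(label, jobs_without_permissions(text))
```
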
| @adriaandotcom This one is ready. Are you fine with it being in the same repo as the Next.js plugin? | 
Note
Introduce @simpleanalytics/react library and a Vite React example app demonstrating its usage.
- @simpleanalytics/react: New React package exposing SimpleAnalytics component plus trackEvent and trackPageview; injects SA script with configurable data-* props; includes utilities, types, build (tsup) and publish setup.
- examples/reactjs: New Vite + React (TS) example app integrating @simpleanalytics/react with basic UI; includes Vite, ESLint, TypeScript configs.
- tsup), type declarations, and required project configs/deps for the new package and example.

Written by Cursor Bugbot for commit f5bd45b. This will update automatically on new commits.