ci: lint PR conventions and polish CI workflows

[Astro-Han]

Summary

• docs(ci): one-line comment at every setup-node usage documenting it is load-bearing ([Feature] Drop actions/setup-node from bun-only CI jobs #70) — bun install triggers trustedDependencies postinstalls (electron, node-pty, esbuild, tree-sitter) that call node explicitly. Comment anchors to trustedDependencies in package.json so the list stays grep-able.
• ci: new advisory pr-title-lint workflow using amannn/action-semantic-pull-request@v6.1.1 (SHA-pinned) to validate PR titles against Conventional Commits ([Feature] Enforce Conventional Commits on PR titles #68).
• ci: new advisory commit-lint workflow using wagoid/commitlint-github-action@v6.2.1 (SHA-pinned) with .commitlintrc.json extending @commitlint/config-conventional ([Feature] Enforce Conventional Commits on commit messages #69).
• ci: flip dependency-review's comment-summary-in-pr from always to never; drop the fork-skip guard and pull-requests: write permission (both only existed because of the always-on summary). Fork PRs now get advisory CVE/license coverage too.

Why

Issue #54 (the CI merge-gate hardening epic) left four loose ends. This PR closes #67, #68, #69, and #70 in a single batch since all four are small workflow-level changes with no logical dependencies. Also folds in a small dependency-review cleanup: the always-on PR summary was useful during the initial rollout on #55 to verify bun.lock parses correctly, but it has served its purpose and is noise on every PR now.

AGENTS.md convention was updated in a prior local edit: PR titles switched from the old [Feature]/[Bug] scheme to Conventional Commits; issue titles still use [Feature]/[Bug] via .github/ISSUE_TEMPLATE/*.yml.

Decisions declined during two rounds of crosscheck review: re-adding synchronize to pr-title-lint (title does not change on push); dropping fetch-depth: 0 on commit-lint (wagoid uses local git log, not the API); dropping wip: true (safe under merge-commit strategy); merging pr-title-lint and commit-lint into one file (mixed pull_request_target / pull_request security contexts); switching commit-lint to bunx commitlint inside ci.yml (real alternative but adds devDep; deferred).

Related Issue

Closes #67
Closes #68
Closes #69
Closes #70

How To Verify

# The PR itself is the smoke test:
# - pr-title-lint runs against this PR title (Conventional Commits -> pass)
# - commit-lint runs against the 4 commits on this branch (all Conventional -> pass)
# - dependency-review job runs green without posting a PR comment
# - ci / check, desktop-smoke / check, codeql / analyze-js-ts stay green
#   (no semantic change to their existing jobs)

test:ci exit-code audit for #67 is recorded as an issue comment on #67; bun test --reporter=junit was empirically verified to exit non-zero on a failing test.

Screenshots or Recordings

No UI changes.

Checklist

• I ran the relevant verification steps
• I tested visible changes manually when needed
• I am targeting the dev branch

Summary by CodeRabbit

• Chores
  • Configured Commitlint to enforce conventional commit message rules
  • Implemented PR title linting requiring conventional commit format (e.g., feat:, fix:, refactor:)
  • Adjusted dependency review workflow to reduce required permissions and reporting

[coderabbitai]

Warning

Rate limit exceeded

@Astro-Han has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 59 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 12 minutes and 59 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f9eb28a2-2928-474c-9e54-eaeb0e1fcbcd

📥 Commits

Reviewing files that changed from the base of the PR and between fd00a23 and 09dd83f.

📒 Files selected for processing (1)

• .commitlintrc.json

📝 Walkthrough

Walkthrough

This change introduces Conventional Commits enforcement for PR titles and commit messages through two new GitHub Actions workflows, adds a Commitlint configuration file, inserts explanatory comments across workflow files documenting bun install and Node dependencies, and modifies the dependency-review workflow to reduce permissions and change PR comment behavior.

Changes

Cohort / File(s)	Summary
Commitlint Configuration .commitlintrc.json	New file establishing Conventional Commits linting rules via @commitlint/config-conventional preset for commit message validation.
Commit Message Linting Workflow .github/workflows/commit-lint.yml	New workflow that lints commit messages in PRs against Conventional Commits conventions, runs on PR events targeting dev branch with full git history, and uses wagoid/commitlint-github-action with the .commitlintrc.json config.
PR Title Linting Workflow .github/workflows/pr-title-lint.yml	New workflow that enforces Conventional Commits style PR titles (e.g., feat:, fix:, refactor:), runs on PR events targeting dev branch, uses amannn/action-semantic-pull-request, supports WIP draft detection, and validates title format (3+ characters, non-space start).
Dependency Review Workflow .github/workflows/dependency-review.yml	Adjusted workflow permissions from write to read for pull-requests, removed fork-only execution conditional, changed PR comment behavior from always to never, and shifted to advisory-only advisory logging mode.
Workflow Documentation Comments .github/workflows/build.yml, .github/workflows/ci.yml, .github/workflows/desktop-smoke.yml, .github/workflows/e2e-artifacts.yml	Added inline comments before actions/setup-node steps documenting that bun install triggers trustedDependencies postinstall scripts that explicitly invoke node, cautioning against removal without patching scripts and referencing issue #70.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Commits now follow the righteous path,
With PR titles tamed by linting's wrath,
No more rogue messages left unadorned—
Conventional rules we've sworn!
Hop along, dear workflows, clean and bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: linting PR conventions (via pr-title-lint and commit-lint workflows) and polishing CI workflows (comments, dependency-review updates).
Description check	✅ Passed	The description comprehensively covers all template sections: detailed Summary of changes, clear Why rationale, Related Issues links, How To Verify steps, and completed Checklist.
Linked Issues check	✅ Passed	All four linked issues are addressed: #67 audit noted in comment, #68/#69 implemented via pr-title-lint and commit-lint workflows with SHA-pinning, #70 handled by setup-node comments explaining trustedDependencies necessity.
Out of Scope Changes check	✅ Passed	All changes are scoped to the four linked issues: workflow additions (pr-title-lint, commit-lint), documentation comments (setup-node), and dependency-review permission/config adjustments. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch worktree-ci-polish

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a .commitlintrc.json configuration file to enforce conventional commit standards using the @commitlint/config-conventional preset. Feedback suggests enhancing the configuration by adding a JSON schema for IDE autocompletion and disabling the subject-case rule to prevent linting errors when using acronyms like PR or CI in commit messages.