Conversation
8 issues found across 15 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name=".github/workflows/resources/sponsors.js">
<violation number="1" location=".github/workflows/resources/sponsors.js:2">
P0: Incorrect import path: `../index.js` resolves to `.github/workflows/index.js` which doesn't exist. The axios entry point is at the repository root. This will cause a module not found error at runtime.</violation>
<violation number="2" location=".github/workflows/resources/sponsors.js:3">
P0: Incorrect import path: `./repo.js` does not exist. The file is located at `bin/repo.js`. This will cause a module not found error at runtime.</violation>
<violation number="3" location=".github/workflows/resources/sponsors.js:4">
P0: Incorrect import path: `./helpers/colorize.js` does not exist. The file is located at `bin/helpers/colorize.js`. This will cause a module not found error at runtime.</violation>
</file>
<file name=".github/workflows/update-sponsor-block.yml">
<violation number="1" location=".github/workflows/update-sponsor-block.yml:43">
P2: The "Exit gracefully" step does not actually stop the workflow; it only exits that step. Subsequent steps still run even when `changed` is false, which can cause `cat ./temp/sponsors.md` to fail (or open a no-op PR). Gate the remaining steps with an `if: steps.sponsors-requires-update.outputs.changed == 'true'` condition (or move the condition to the job) so the workflow truly stops when no updates are needed.</violation>
</file>
<file name=".github/workflows/run-ci.yml">
<violation number="1" location=".github/workflows/run-ci.yml:25">
P2: This step has only a name and no `run` or `uses`, so the workflow fails validation. Combine the name and `uses` in a single step.</violation>
<violation number="2" location=".github/workflows/run-ci.yml:49">
P2: This step exits 0 but does not stop the job; without `if:` conditions on later steps, CI still runs even when only non-core files changed.</violation>
<violation number="3" location=".github/workflows/run-ci.yml:83">
P1: `matrix.language` is undefined because the matrix only contains `node-version`. CodeQL init will receive an empty language list and fail.</violation>
<violation number="4" location=".github/workflows/run-ci.yml:86">
P1: `uses` is indented too far and won’t be recognized as part of the step, which breaks the workflow YAML.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
.github/workflows/run-ci.yml
Outdated
| persist-credentials: true | ||
| - name: Check if core code files were modified | ||
| id: changed-core-code-files | ||
| uses: tj-actions/changed-files@v47 |
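Review bot: `tj-actions/changed-files@v47` is pinned to a mutable tag, which is what the CodeQL finding on this line reports; pin it to the full commit SHA of the release (keeping the version in a trailing comment) so the action's contents cannot change underneath the workflow. The `persist-credentials: true` on the preceding checkout also leaves the job token in `.git/config` for every later step, including this third-party action, so keep it only if a later step actually needs to push.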
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: git config | ||
| run: | | ||
| git config user.name "${GITHUB_ACTOR}" | ||
| git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" | ||
| - name: Setup node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 24.x | ||
| cache: npm | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| - name: Check if sponsors require updates | ||
| id: sponsors-requires-update | ||
| run: node ./resources/update-sponsors.js | ||
| - name: Exit gracefully if no sponsor updates are needed | ||
| run: | | ||
| if [ "${{ steps.sponsors-requires-update.outputs.changed }}" = "false" ]; then | ||
| echo "No sponsor updates needed. Skipping further steps." | ||
| echo "only_modified=false" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| else | ||
| echo "Sponsor updates needed. Continuing with the workflow." | ||
| echo "only_modified=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Read sponsors.md file content | ||
| run: | | ||
| echo 'CONTENT<<EOF' >> $GITHUB_ENV | ||
| cat ./temp/sponsors.md >> $GITHUB_ENV | ||
| echo 'EOF' >> $GITHUB_ENV | ||
| shell: bash | ||
| - name: Echo sponsors content | ||
| run: | | ||
| echo "$CONTENT" | ||
| - name: Create pull request | ||
| uses: peter-evans/create-pull-request@v7 | ||
| with: | ||
| branch: sponsors | ||
| delete-branch: true | ||
| commit-message: "chore(sponsor): update sponsor block" | ||
| title: "[Chore] Update sponsor block" | ||
| body: | | ||
| **New sponsor block update:** | ||
| ${{ env.CONTENT }} | ||
| labels: | | ||
| pr::docs | ||
| bot | ||
| automerge | ||
| signoff: false | ||
| draft: false |
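Review bot: the "Exit gracefully if no sponsor updates are needed" step does not stop the job (`exit 0` only ends that step), and its output is unusable as written: the step has no `id`, and both the `if` and the `else` branch write `only_modified=false`. Gate the later steps with `if: steps.sponsors-requires-update.outputs.changed == 'true'` instead, so `cat ./temp/sponsors.md` and the create-pull-request step never run when nothing changed. Separately, the `CONTENT<<EOF` block written to `$GITHUB_ENV` uses a fixed delimiter; a line reading `EOF` inside `./temp/sponsors.md` would end the value early and let the remaining lines define arbitrary environment variables for later steps, so generate a unique delimiter (for example with `openssl rand -hex 8`) as GitHub's documentation recommends for multiline values.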
Check warning (Code scanning / CodeQL): Workflow does not contain permissions
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly define a permissions block, either at the root of the workflow (applying to all jobs) or inside the sponsors job, granting only the minimal permissions that the workflow actually needs. This constrains the GITHUB_TOKEN instead of relying on potentially broad repository/organization defaults.
For this specific workflow, the Create pull request step uses peter-evans/create-pull-request@v7 to create a branch, push commits, and open a PR. That requires write access to repository contents and to pull requests. Other steps (checkout, reading/writing files locally, Node setup, running scripts) do not require additional token scopes. The minimal safe permissions block is therefore contents: write and pull-requests: write. The cleanest fix is to add a permissions block at the workflow root (after the on: block and before jobs:) so it applies to the sponsors job without further changes. No imports or external definitions are needed, only a YAML edit to .github/workflows/update-sponsor-block.yml.
Concretely: in .github/workflows/update-sponsor-block.yml, add:
```yaml
permissions:
  contents: write
  pull-requests: write
```
between the on: block (ending at line 9) and the jobs: block (starting at line 11). This preserves existing functionality while enforcing least privilege and satisfying CodeQL.
| @@ -8,6 +8,10 @@ | ||
| schedule: | ||
| - cron: "0 1 * * *" | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| sponsors: | ||
| runs-on: ubuntu-latest |
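Review bot: a root-level `permissions:` block grants `contents: write` and `pull-requests: write` to every job in the file, not only to `sponsors`. Since the Create pull request step is the only consumer of those scopes, put the same two lines under `jobs.sponsors.permissions` and leave the root at `permissions: {}` (or `contents: read`), so a job added to this workflow later does not inherit write access by default.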
| run: | | ||
| echo "$CONTENT" | ||
| - name: Create pull request | ||
| uses: peter-evans/create-pull-request@v7 |
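Review bot: `peter-evans/create-pull-request@v7` is the step that actually pushes the branch and opens the pull request with the token's write scopes, so the unpinned tag reported by CodeQL here matters more than on the read-only steps; pin it to the release's full commit SHA and let Dependabot keep the pin current.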
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
Pull request overview
This PR aims to consolidate and modernize GitHub Actions workflows for CI/CD, automate sponsor block updates, and clean up legacy configuration. However, the PR contains several critical issues that will break key functionality.
Changes:
- Added new CI workflow (run-ci.yml) that runs tests across Node 12-24 and includes CodeQL/dependency review
- Added automated sponsor block updater workflow with daily schedule
- Simplified publish workflow to trigger on version tags
- Added release branch creation workflow with version bumping
- Removed 9 legacy workflows and issue templates
- Added mise.toml for Node version management
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .github/workflows/run-ci.yml | New consolidated CI workflow replacing old ci.yml; runs tests, builds, and security scans across multiple Node versions |
| .github/workflows/update-sponsor-block.yml | New workflow to automate sponsor block updates on a schedule |
| .github/workflows/release-branch.yml | New workflow to create release branches with version bumping and testing |
| .github/workflows/publish.yml | Simplified NPM publish workflow, now triggers on tags instead of merged PRs |
| .github/workflows/ci.yml | Removed old CI workflow (replaced by run-ci.yml) |
| .github/workflows/sponsors.yml | Removed old sponsors workflow (replaced by update-sponsor-block.yml) |
| .github/workflows/pr.yml | Removed old release PR workflow (replaced by release-branch.yml) |
| .github/workflows/stale.yml | Removed stale issue/PR management workflow |
| .github/workflows/notify.yml | Removed notification workflow |
| .github/workflows/labeler.yml | Removed PR labeler workflow |
| .github/workflows/npm-tag.yml | Removed NPM tag management workflow |
| .github/workflows/depsreview.yaml | Removed standalone dependency review (now part of run-ci.yml) |
| .github/workflows/codeql-analysis.yml | Removed standalone CodeQL workflow (now part of run-ci.yml) |
| bin/sponsors.js | Deleted sponsors script that was supposed to be relocated but replacement is missing |
| .github/labeler.yml | Removed labeler configuration file |
| .github/ISSUE_TEMPLATE/*.yml | Removed all issue template files |
| .github/ISSUE_TEMPLATE/config.yml | Removed issue template configuration |
| .github/PULL_REQUEST_TEMPLATE.md | Updated PR template with clearer instructions and branch reference fix |
| .github/ISSUE_TEMPLATE.md | Updated issue template with branch reference fixes and formatting improvements |
| mise.toml | Added mise configuration to standardize on Node 22 locally |
Comments suppressed due to low confidence (1)
.github/workflows/ci.yml:1
- The PR description states "Moved legacy workflows to .github/workflows/old" but the workflows are actually being deleted, not moved. There is no `.github/workflows/old/` directory in the repository. This is a discrepancy between the PR description and the actual code changes. If the intention is to preserve these workflows for reference, they should be moved rather than deleted. If deletion is intentional, the PR description should be updated to reflect this.
1 issue found across 5 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name=".github/workflows/update-sponsor-block.yml">
<violation number="1" location=".github/workflows/update-sponsor-block.yml:36">
P1: The workflow references `./bin/update-sponsors.js`, but that file does not exist in the repository. This will cause the sponsor update job to fail at runtime. Point the workflow at the existing script (or add the missing file).</violation>
</file>
Summary by cubic
Reworked CI and release flows to stabilize builds across Node 12–24, simplify publishing, and automate sponsor updates. Also cleaned up old workflows and refreshed issue/PR templates.
Written for commit 458f942. Summary will update on new commits.