🚀 release: v1.0.4

[warengonzaga]

This pull request updates the build workflow and dependency management for the project. The most significant changes include replacing the manual Docker build and push steps in .github/workflows/build.yml with a streamlined custom GitHub Action, and updating dependencies for glob and js-yaml to newer versions across package.json and pnpm-lock.yaml. These changes improve CI/CD maintainability, add support for pull request builds, and ensure the project uses the latest supported packages.

Build workflow improvements:

• Replaced manual Docker build and push steps in .github/workflows/build.yml with the wgtechlabs/container-build-flow-action@v1.0.4, simplifying configuration and adding features like PR comment support, security provenance, SBOM generation, and build caching. Also enabled builds on both main and dev branches for pushes and pull requests.

Dependency updates:

• Updated glob from version 10.4.5 to 10.5.0 and js-yaml from 4.1.0/3.14.1 to 4.1.1 in package.json and pnpm-lock.yaml to address security, compatibility, and bug fixes. [1] [2] [3] [4] [5] [6] [7] [8] [9]

Version bump:

• Bumped the project version in package.json from 1.0.3 to 1.0.4 to reflect the new workflow and dependency changes.

Lockfile cleanup:

• Removed legacy/unused dependencies (argparse@1.0.10, esprima@4.0.1, js-yaml@3.14.1, sprintf-js@1.0.3) from pnpm-lock.yaml to keep the lockfile up-to-date and reduce bloat. [1] [2] [3] [4] [5] [6]

These changes collectively modernize the build pipeline and dependency management, making future maintenance and contributions easier.

Summary by CodeRabbit

• Chores
  • Bumped version to 1.0.4.
  • Updated transitive dependencies (glob, js-yaml).
  • Optimized CI/CD workflow for improved build and deployment processes.
  • Updated .gitignore configuration.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[github-actions]

🚀 Container Build Complete - Dev Build

Build Status: ✅ Success
Flow Type: dev
Description: Staging/pre-production validation

---

📦 Pull Image

Docker Hub: docker pull wgtechlabs/unthread-telegram-bot:dev-8f91a00

GHCR: docker pull ghcr.io/wgtechlabs/unthread-telegram-bot:dev-8f91a00

---

📋 Build Details

Property	Value
Flow Type	dev
Commit	d8a534b
Registry	Docker Hub + GHCR

🏷️ Image Tags

• wgtechlabs/unthread-telegram-bot:dev-8f91a00
• ghcr.io/wgtechlabs/unthread-telegram-bot:dev-8f91a00

---

🔍 Testing Your Changes

1. Pull the image using one of the commands above
2. Run the container with your test configuration
3. Verify the changes work as expected
4. Report any issues in this PR

---

🚀 Quick Start

# Pull and run the container
Docker Hub: docker pull wgtechlabs/unthread-telegram-bot:dev-8f91a00
docker run <your-options> <image>

---

_{🤖 Powered by Container Build Flow Action
💻 with ❤️ by Waren Gonzaga under WG Technology Labs, and Him 🙏}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request refactors the continuous integration workflow into a consolidated container build and push process, updates version dependencies in the project manifest, and extends the gitignore configuration. The CI workflow transitions from multi-step environment-specific builds to a unified action with centralized registry configuration.

Changes

Cohort / File(s)	Summary
CI/Workflow Consolidation .github/workflows/build.yml	Restructures the build pipeline from environment-specific steps to a single "Container Build & Push" job using container-build-flow-action. Adds event triggers for pull_request and push on main and dev branches. Enables build caching, SBOM generation, provenance attestation, and PR comments while simplifying image tagging and registry configuration.
Project Configuration .gitignore, package.json	Extends gitignore with a rule for .github/instructions/snyk_rules.instructions.md. Increments package version to 1.0.4 and adds transitive dependency resolutions for glob (10.5.0) and js-yaml (4.1.1).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Container Build & Push Action Configuration: Verify container-build-flow-action inputs (dockerfile, context, platforms) and registry settings are correctly configured for both Docker Hub and GitHub Container Registry
• Event Trigger Coverage: Confirm that pull_request and push events on main and dev branches align with intended CI/CD flow
• Provenance and Caching: Validate SBOM generation, provenance attestation, and caching behavior will function as intended
• Image Naming and Tagging: Ensure the simplified image-name approach covers all deployment scenarios previously handled by explicit per-environment tags

Suggested labels

release, maintainers only

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title is vague and generic, using only a version number without describing the substantive changes (workflow refactoring, dependency updates, security improvements).	Consider a more descriptive title such as 'Refactor CI workflow with container-build-flow-action and update dependencies' that conveys the actual changes made.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dev

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8caabfd and d8a534b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/build.yml (1 hunks)
• .gitignore (1 hunks)
• package.json (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-06-22T10:12:09.684Z

Learnt from: warengonzaga
Repo: wgtechlabs/unthread-telegram-bot PR: 24
File: docker-compose.yaml:29-29
Timestamp: 2025-06-22T10:12:09.684Z
Learning: The Unthread Telegram Bot project is currently in beta development phase (v1.0.0-beta.2) and does not yet have official versioned Docker builds available, making the use of :latest tags acceptable for development purposes in docker-compose.yaml.

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Container Build & Push

🔇 Additional comments (5)

.gitignore (1)

92-94: A most prudent addition to the artifact exclusions.

The inclusion of the Snyk AI Rules file in the gitignore proves quite sensible, preventing auto-generated security analysis artifacts from cluttering the repository. The placement and formatting align seamlessly with the existing organizational structure.

.github/workflows/build.yml (3)

3-8: Workflow triggers have been prudently expanded for enhanced validation.

The addition of pull_request events on both primary and development branches represents a sensible refinement. This ensures code is built and validated prior to merge, whilst maintaining the existing push-triggered builds. A most efficient approach to continuous validation.

---

13-16: Permission scope demonstrates appropriate granularity.

The permissions block reflects judicious allocation: read access to repository contents, write access to container registries, and pull request comment permissions. This aligns elegantly with the workflow's functional requirements.

---

22-51: The external action is legitimate and properly configured.

wgtechlabs/container-build-flow-action@v1.0.4 is a well-documented GitHub Action from WG Technology Labs with proper metadata and comprehensive input documentation. The action supports multi-architecture builds via the platforms input (which accepts comma-separated values like linux/amd64,linux/arm64).

The current workflow restricts builds to linux/amd64 by design. If multi-architecture support is needed for ARM64 or other platforms, update the platforms field to include them (e.g., linux/amd64,linux/arm64).

package.json (1)

3-3: Version bump and dependency pinning appropriately address security vulnerabilities.

The patch increment from 1.0.3 to 1.0.4 correctly reflects the security updates in the resolutions. The pinned versions are security patches: glob 10.5.0 fixes CVE-2025-64756 (high-severity command-injection in CLI affecting versions <10.5.0), and js-yaml 4.1.1 fixes CVE-2025-64718 (moderate prototype-pollution affecting versions <4.1.1). Both versions are the recommended secure releases with no known vulnerabilities.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}