ci: add PR title linting#957
Conversation
|
Warning Review limit reached
Next review available in: 51 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
📝 WalkthroughWalkthroughAdds commitlint rules and a local GitHub Action that validates pull request titles. A workflow runs the action when pull requests are opened or edited, using Node 24 and read-only repository permissions. ChangesPull request title linting
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant PullRequest
participant lint-title
participant commitlint.config.mjs
participant GitHubActions
PullRequest->>lint-title: provide title on opened or edited event
lint-title->>commitlint.config.mjs: load commitlint rules
lint-title->>GitHubActions: set success or failure result
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/actions/lint-pr-title/package.json (1)
8-14: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winConsider committing a
package-lock.jsonfile.Since this action is installed dynamically in your workflow without a lockfile, your dependencies will resolve to the latest allowed versions on every run. This can lead to non-deterministic behavior and sudden workflow failures if a dependency releases a breaking change. Consider generating and committing a
package-lock.jsonfile.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/actions/lint-pr-title/package.json around lines 8 - 14, Generate a package-lock.json for the lint-pr-title action using its package.json dependencies and commit it alongside the package manifest. Ensure the lockfile captures exact resolved versions so dynamic workflow installations remain deterministic..github/workflows/lint-pr-title.yml (2)
32-34: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winConsider using
npm ciinstead ofnpm install.Using
npm installcan cause unexpected workflow failures if dependencies release breaking changes. If you commit apackage-lock.jsonas previously recommended, you should update this step to usenpm cifor deterministic, faster, and reliable installations.📦 Proposed fix for deterministic installation
- name: Install action dependencies - run: npm install --ignore-scripts + run: npm ci --ignore-scripts working-directory: .github/actions/lint-pr-title🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lint-pr-title.yml around lines 32 - 34, Update the “Install action dependencies” step in the lint-pr-title workflow to use npm ci instead of npm install, preserving the existing --ignore-scripts option and working-directory so installations use the committed lockfile deterministically.
4-7: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winInclude
reopenedandsynchronizeevent types.Adding
reopenedensures the PR title is validated if a closed PR is revived. Addingsynchronizeensures that if a developer pushes a new commit that modifiescommitlint.config.mjs, the PR title is immediately re-validated against the new configuration.🚀 Proposed fix to trigger on relevant PR updates
pull_request: types: - opened - edited + - reopened + - synchronize🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lint-pr-title.yml around lines 4 - 7, Update the pull_request event types in the workflow to include reopened and synchronize alongside opened and edited, so title validation reruns when a closed PR is revived or new commits are pushed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/lint-pr-title.yml:
- Around line 24-25: Add persist-credentials: false to the actions/checkout step
in the lint-pr-title workflow, leaving the existing pinned checkout action
unchanged.
---
Nitpick comments:
In @.github/actions/lint-pr-title/package.json:
- Around line 8-14: Generate a package-lock.json for the lint-pr-title action
using its package.json dependencies and commit it alongside the package
manifest. Ensure the lockfile captures exact resolved versions so dynamic
workflow installations remain deterministic.
In @.github/workflows/lint-pr-title.yml:
- Around line 32-34: Update the “Install action dependencies” step in the
lint-pr-title workflow to use npm ci instead of npm install, preserving the
existing --ignore-scripts option and working-directory so installations use the
committed lockfile deterministically.
- Around line 4-7: Update the pull_request event types in the workflow to
include reopened and synchronize alongside opened and edited, so title
validation reruns when a closed PR is revived or new commits are pushed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 6416d518-da6f-4410-9415-4f684e38b7a7
📒 Files selected for processing (5)
.github/actions/lint-pr-title/action.yml.github/actions/lint-pr-title/package.json.github/actions/lint-pr-title/src/index.js.github/workflows/lint-pr-title.ymlcommitlint.config.mjs
| - name: Checkout code | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Disable credential persistence to improve security.
By default, actions/checkout persists the GitHub token in the local git configuration. Since this workflow only reads the repository and does not need to push changes, setting persist-credentials: false adheres to the principle of least privilege and prevents potential credential leakage.
🔒️ Proposed fix to disable credential persistence
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/lint-pr-title.yml around lines 24 - 25, Add
persist-credentials: false to the actions/checkout step in the lint-pr-title
workflow, leaving the existing pinned checkout action unchanged.
Source: Linters/SAST tools
e37c8be to
4e6076c
Compare
Summary
lint-pr-title) with commitlintcommitlint.config.mjsat the repo root with standard type rulesSummary by CodeRabbit