Skip to content

ci: add PR title linting#957

Open
yogeshchoudhary147 wants to merge 3 commits into
mainfrom
ci/lint-pr-title
Open

ci: add PR title linting#957
yogeshchoudhary147 wants to merge 3 commits into
mainfrom
ci/lint-pr-title

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a GitHub Actions workflow to lint PR titles against the Conventional Commits spec
  • Includes a local composite action (lint-pr-title) with commitlint
  • Adds commitlint.config.mjs at the repo root with standard type rules

Summary by CodeRabbit

  • New Features
    • Added automated pull request title validation using Conventional Commits rules.
    • Pull request titles are checked when opened or edited, with clear feedback for invalid formats.
    • Added standardized commit message rules, including allowed types, lowercase formatting, and subject requirements.

@yogeshchoudhary147
yogeshchoudhary147 requested a review from a team as a code owner July 18, 2026 02:35
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@yogeshchoudhary147, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 51 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 037ce6de-9957-4927-b4cd-b05cdd07b5fe

📥 Commits

Reviewing files that changed from the base of the PR and between 5448ad8 and 4e6076c.

⛔ Files ignored due to path filters (1)
  • .github/actions/lint-pr-title/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/actions/lint-pr-title/.npmrc
  • .github/actions/lint-pr-title/commitlint.config.mjs
  • .github/actions/lint-pr-title/src/index.js
  • .github/workflows/lint-pr-title.yml
📝 Walkthrough

Walkthrough

Adds commitlint rules and a local GitHub Action that validates pull request titles. A workflow runs the action when pull requests are opened or edited, using Node 24 and read-only repository permissions.

Changes

Pull request title linting

Layer / File(s) Summary
Commitlint rule contract
commitlint.config.mjs
Defines allowed commit types and formatting constraints for pull request titles.
Lint action implementation
.github/actions/lint-pr-title/package.json, .github/actions/lint-pr-title/action.yml, .github/actions/lint-pr-title/src/index.js
Packages a Node 24 action that loads the commitlint configuration, validates the title, and reports formatted errors.
Workflow execution wiring
.github/workflows/lint-pr-title.yml
Runs the local action for opened and edited pull requests after setting up Node and installing action dependencies.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PullRequest
  participant lint-title
  participant commitlint.config.mjs
  participant GitHubActions
  PullRequest->>lint-title: provide title on opened or edited event
  lint-title->>commitlint.config.mjs: load commitlint rules
  lint-title->>GitHubActions: set success or failure result
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding CI-based pull request title linting.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/lint-pr-title

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/actions/lint-pr-title/package.json (1)

8-14: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider committing a package-lock.json file.

Since this action is installed dynamically in your workflow without a lockfile, your dependencies will resolve to the latest allowed versions on every run. This can lead to non-deterministic behavior and sudden workflow failures if a dependency releases a breaking change. Consider generating and committing a package-lock.json file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/lint-pr-title/package.json around lines 8 - 14, Generate a
package-lock.json for the lint-pr-title action using its package.json
dependencies and commit it alongside the package manifest. Ensure the lockfile
captures exact resolved versions so dynamic workflow installations remain
deterministic.
.github/workflows/lint-pr-title.yml (2)

32-34: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider using npm ci instead of npm install.

Using npm install can cause unexpected workflow failures if dependencies release breaking changes. If you commit a package-lock.json as previously recommended, you should update this step to use npm ci for deterministic, faster, and reliable installations.

📦 Proposed fix for deterministic installation
       - name: Install action dependencies
-        run: npm install --ignore-scripts
+        run: npm ci --ignore-scripts
         working-directory: .github/actions/lint-pr-title
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint-pr-title.yml around lines 32 - 34, Update the
“Install action dependencies” step in the lint-pr-title workflow to use npm ci
instead of npm install, preserving the existing --ignore-scripts option and
working-directory so installations use the committed lockfile deterministically.

4-7: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Include reopened and synchronize event types.

Adding reopened ensures the PR title is validated if a closed PR is revived. Adding synchronize ensures that if a developer pushes a new commit that modifies commitlint.config.mjs, the PR title is immediately re-validated against the new configuration.

🚀 Proposed fix to trigger on relevant PR updates
   pull_request:
     types:
       - opened
       - edited
+      - reopened
+      - synchronize
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint-pr-title.yml around lines 4 - 7, Update the
pull_request event types in the workflow to include reopened and synchronize
alongside opened and edited, so title validation reruns when a closed PR is
revived or new commits are pushed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/lint-pr-title.yml:
- Around line 24-25: Add persist-credentials: false to the actions/checkout step
in the lint-pr-title workflow, leaving the existing pinned checkout action
unchanged.

---

Nitpick comments:
In @.github/actions/lint-pr-title/package.json:
- Around line 8-14: Generate a package-lock.json for the lint-pr-title action
using its package.json dependencies and commit it alongside the package
manifest. Ensure the lockfile captures exact resolved versions so dynamic
workflow installations remain deterministic.

In @.github/workflows/lint-pr-title.yml:
- Around line 32-34: Update the “Install action dependencies” step in the
lint-pr-title workflow to use npm ci instead of npm install, preserving the
existing --ignore-scripts option and working-directory so installations use the
committed lockfile deterministically.
- Around line 4-7: Update the pull_request event types in the workflow to
include reopened and synchronize alongside opened and edited, so title
validation reruns when a closed PR is revived or new commits are pushed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6416d518-da6f-4410-9415-4f684e38b7a7

📥 Commits

Reviewing files that changed from the base of the PR and between 4f7efb4 and 5448ad8.

📒 Files selected for processing (5)
  • .github/actions/lint-pr-title/action.yml
  • .github/actions/lint-pr-title/package.json
  • .github/actions/lint-pr-title/src/index.js
  • .github/workflows/lint-pr-title.yml
  • commitlint.config.mjs

Comment on lines +24 to +25
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Disable credential persistence to improve security.

By default, actions/checkout persists the GitHub token in the local git configuration. Since this workflow only reads the repository and does not need to push changes, setting persist-credentials: false adheres to the principle of least privilege and prevents potential credential leakage.

🔒️ Proposed fix to disable credential persistence
       - name: Checkout code
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint-pr-title.yml around lines 24 - 25, Add
persist-credentials: false to the actions/checkout step in the lint-pr-title
workflow, leaving the existing pinned checkout action unchanged.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant