Walkthrough

Adds a GitHub Actions workflow (Deploy Preview) for PRs to changeset-release/main that builds with Node 20, prepares a prerelease via Changesets, bumps version, extracts the version, and publishes dist artifacts to npm. Includes concurrency keyed by PR, fork-skip guard, and exposes outputs for deployment details and package version.
Sequence Diagram(s)

```mermaid
sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub
participant WF as Deploy Preview Workflow
participant Job as deploy_preview (ubuntu-latest)
participant NPM as npm Registry
Dev->>GH: Open/Reopen/Synchronize PR -> base: changeset-release/main
GH->>WF: Trigger workflow (if not from fork)
alt Forked PR
WF-->>Dev: Skipped (guard condition)
else Internal PR
WF->>Job: Start job (concurrency per PR)
Job->>Job: actions/checkout (fetch-depth: 0)
Job->>Job: Local setup action (.github/actions/setup)
Job->>Job: Setup Node 20.x (pnpm cache, registry)
Job->>Job: Build SDK
Job->>Job: Configure git user/email
Job->>Job: Create empty changeset
Job->>Job: Enter prerelease mode (PR-scoped)
Job->>Job: Version via Changesets
Job->>Job: Read package.json -> extract version
Job->>NPM: Publish dist (changeset publish --no-git-checks) using NPM_TOKEN
NPM-->>Job: Publish result
Job-->>WF: Set outputs (deployment_details, contracts_package_version)
WF-->>Dev: Workflow completed
end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
```yaml
    runs-on: ubuntu-latest
    concurrency:
      group: preview-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    if: ${{ !github.event.pull_request.head.repo.fork }}
    outputs:
      deployment_details: ${{ steps.export_addresses.outputs.deployment_details }}
      contracts_package_version: ${{ steps.get_version.outputs.package_version }}
    steps:
      - name: 'Checkout Code'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Necessary for changesets to work correctly

      - uses: './.github/setup'

      - name: 'Setup Node.js for npm'
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'pnpm'
          registry-url: 'https://registry.npmjs.org'

      - name: 'Build SDK'
        run: pnpm build

      - name: Setup git
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

      - name: Create empty changeset
        run: pnpm changeset add --empty

      - name: Enter prerelease mode
        run: pnpm changeset pre enter pr-${{ github.event.pull_request.number }}

      - name: Bump versions
        run: pnpm changeset version

      - name: Get package version
        id: get_version
        run: |
          VERSION=$(jq -r .version package.json)
          echo "package_version=$VERSION" >> $GITHUB_OUTPUT

      - name: 'Publish Preview to npm'
        run: cd ./dist && pnpm changeset publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI 4 months ago
The best way to fix this problem is to add a `permissions` key with the lowest necessary privileges. Given the steps shown, there is no evidence in the snippet that the workflow requires write access to the repository (no steps create or push commits, create issues, or open pull requests). Therefore, setting `permissions: contents: read` at the job level is a safe and minimal fix. This change should be inserted directly below either the workflow's root (after the `name` line) or within the affected job (`deploy_and_publish_contracts_preview`) definition. As there may be multiple jobs in other contexts and the flagged line is within the job, adding permissions at the job level (line 13) covers only this job. Insert the permissions block immediately after `runs-on: ubuntu-latest` (line 13) to minimize impact and follow least privilege.
| @@ -11,6 +11,8 @@ | ||
| jobs: | ||
| deploy_and_publish_contracts_preview: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| concurrency: | ||
| group: preview-${{ github.event.pull_request.number }} | ||
| cancel-in-progress: true |
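Review bot: `contents: read` is a sufficient floor for this job, since the only credential the publish step spends is `NPM_TOKEN` (not `GITHUB_TOKEN`) and no step shown pushes commits, creates a release, or comments on the PR; what this hunk leaves open is any job added to the same file later, which would still inherit the repository default scopes. Consider placing the `permissions:` block at the workflow root (above `jobs:`) and overriding per job only where a wider scope is actually needed; if a later step posts the preview version back to the PR, that job will need an explicit `pull-requests: write`.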
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/preview.yml (1)
7-62: Scope the GITHUB_TOKEN permissions

We’re relying on the default broad token scopes. Add an explicit `permissions` block (e.g., `contents: read`) and elevate only what this job truly needs (such as `packages: write` if required) to stay compliant with GitHub’s least-privilege guidance.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/preview.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/preview.yml
19-19: property "export_addresses" is not defined in object type {get_version: {conclusion: string; outcome: string; outputs: {string => string}}}
(expression)
🪛 GitHub Check: CodeQL
.github/workflows/preview.yml
[warning] 13-62: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}
```yaml
      deployment_details: ${{ steps.export_addresses.outputs.deployment_details }}
      contracts_package_version: ${{ steps.get_version.outputs.package_version }}
```
Define the `export_addresses` step or drop the job output

`steps.export_addresses` never exists, so `deployment_details` is always blank and anything consuming this output will silently get nothing. Either add the missing step (with `id: export_addresses`) that sets `deployment_details`, or remove the output until it’s implemented.
🧰 Tools
🪛 actionlint (1.7.7)
19-19: property "export_addresses" is not defined in object type {get_version: {conclusion: string; outcome: string; outputs: {string => string}}}
(expression)
🤖 Prompt for AI Agents
.github/workflows/preview.yml around lines 19-20: the job output references steps.export_addresses.outputs.deployment_details but no step with id: export_addresses exists, so deployment_details is always empty; either add a step in the job with id: export_addresses that sets the deployment_details output (using echo "::set-output name=deployment_details::value" or the newer GITHUB_OUTPUT method) before referencing it, or remove the deployment_details output line entirely until that step is implemented; make the change consistently across jobs that consume this output.
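As an added example (not code from this PR or the project), the findings on this page can be caught before the workflow ever runs: the missing `permissions` block flagged by CodeQL and CodeRabbit, the `steps.export_addresses` reference with no matching `id:` flagged by actionlint, and a third thing visible in the publish step, `NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}`, which reads a workflow environment variable that the shown snippet never defines (a workflow-level `env:` block not shown on the page would satisfy it; with no such block the token expands to an empty string and the publish is unauthenticated). The checker below is a small regex pass over the file text rather than a full YAML parser, so it finds exactly these three patterns and nothing else; the `name:`/`on:` header in the sample, the `Export deployment details` step and its `deployments.json` artifact are assumptions for illustration.

```python
import re

# Constructed sample: the job under review, trimmed to the lines the checks
# below inspect. The `name:`/`on:` header is assumed (the page shows only
# the job body); the rest is copied from the snippet.
BEFORE = """\
name: Deploy Preview
on:
  pull_request:
    branches: [changeset-release/main]
jobs:
  deploy_and_publish_contracts_preview:
    runs-on: ubuntu-latest
    if: ${{ !github.event.pull_request.head.repo.fork }}
    outputs:
      deployment_details: ${{ steps.export_addresses.outputs.deployment_details }}
      contracts_package_version: ${{ steps.get_version.outputs.package_version }}
    steps:
      - uses: actions/checkout@v4
      - name: Get package version
        id: get_version
        run: |
          VERSION=$(jq -r .version package.json)
          echo "package_version=$VERSION" >> $GITHUB_OUTPUT
      - name: Publish Preview to npm
        run: cd ./dist && pnpm changeset publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
"""

# Hypothetical fixed version (not the project's): least-privilege token scopes,
# the output wired to a step that exists, and the registry token read from
# `secrets`. `deployments.json` is an assumed artifact name; `jq -c` keeps the
# value on one line, which the key=value GITHUB_OUTPUT format requires.
AFTER = (
    BEFORE.replace(
        "    runs-on: ubuntu-latest\n",
        "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n",
    )
    .replace(
        "      - name: Publish Preview to npm\n",
        "      - name: Export deployment details\n"
        "        id: export_addresses\n"
        '        run: echo "deployment_details=$(jq -c . deployments.json)" >> "$GITHUB_OUTPUT"\n'
        "      - name: Publish Preview to npm\n",
    )
    .replace("${{ env.NPM_TOKEN }}", "${{ secrets.NPM_TOKEN }}")
)

CREDENTIAL_HINT = re.compile(r"TOKEN|SECRET|KEY|PASSWORD")


def check_permissions(text: str) -> list[str]:
    """Without a `permissions:` block, GITHUB_TOKEN gets the repository's default scopes."""
    if re.search(r"^\s*permissions:", text, re.M):
        return []
    return ["no permissions block: GITHUB_TOKEN gets the repository default scopes"]


def check_step_refs(text: str) -> list[str]:
    """Every `steps.<id>.outputs.*` reference must name a step that declares `id: <id>`."""
    ids = set(re.findall(r"^\s*id:\s*([\w-]+)\s*$", text, re.M))
    refs = set(re.findall(r"steps\.([\w-]+)\.outputs\.", text))
    return [f"steps.{r} referenced but no step has id: {r}" for r in sorted(refs - ids)]


def check_env_credentials(text: str) -> list[str]:
    """A credential-looking `${{ env.X }}` with no `X:` defined anywhere in this file
    expands to an empty string at runtime; it was almost certainly meant to be `secrets.X`."""
    defined = set(re.findall(r"^\s*([A-Z][A-Z0-9_]*):", text, re.M))
    findings = []
    for name in re.findall(r"\$\{\{\s*env\.([A-Z][A-Z0-9_]*)\s*\}\}", text):
        if name not in defined and CREDENTIAL_HINT.search(name):
            findings.append(f"env.{name} is not defined in this file; did you mean secrets.{name}?")
    return findings


def lint_workflow(text: str) -> list[str]:
    """Run all checks and return the findings in a fixed order (empty list means clean)."""
    return check_permissions(text) + check_step_refs(text) + check_env_credentials(text)


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint_workflow(doc) or 'clean'}")
```

Running it prints the three findings for the snippet as posted and `clean` for the fixed variant. The `env.` check is intentionally conservative: it only fires for names that look like credentials and are not defined as a key anywhere in the file, so a legitimate workflow-level `env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` passes.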
This should create a preview package each time the release PR is updated.