feat: upgrade deps, node, bump semantic-release to v25 #231
Walkthrough
Removed multiple internal .cursor rule docs, bumped Node.js to v24.13.0 (nvmrc, Dockerfile), extended the action manifest (new inputs/outputs), updated GitHub workflows, reworked package/dev tooling (ESLint, Vitest), stylistic tweaks in entrypoint.js, and large README/RELEASE_NOTES/AGENT documentation updates.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~22 minutes
Pre-merge checks: ✅ 3 passed
07c9dac to 0b2994f
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/release.yml (1)
54-55: ⚠️ Potential issue | 🔴 Critical
Bug: `SEMANTIC_OUTPUTS` references a non-existent step ID.
Line 55 references `steps.semantic-dry-run.outputs`, but the semantic-release step on Line 16 has `id: semantic`. This will always resolve to an empty string.
🐛 Proposed fix
- SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic-dry-run.outputs) }} + SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic.outputs) }}Dockerfile (1)
13-13: ⚠️ Potential issue | 🟡 Minor
Replace `--only=prod` with `--omit=dev` for npm 7+ compatibility.
`--only=prod` is deprecated in npm 7+; use `--omit=dev` instead. Node.js v22.18.0-slim (as specified in the coding guidelines) bundles npm 10.9.3, which fully supports this flag.
Proposed fix
-RUN npm ci --only=prod +RUN npm ci --omit=dev
🤖 Fix all issues with AI agents
In `@package.json`:
- Line 27: Remove the unused production dependency "@babel/runtime" from
package.json by deleting the "@babel/runtime": "^7.28.6" entry in the
dependencies object; after removal, update the lockfile by running your package
manager (npm install or yarn install) and rebuild the Docker image to ensure the
package is no longer included in the final image.
🧹 Nitpick comments (2)
entrypoint.js (1)
143-143: forEach callback should not return a value (Biome lint warning).
The `&&` short-circuit is used for side effects, causing the callback to implicitly return a value that `forEach` ignores. Use an explicit `if` block or a `for...of` loop instead.
Proposed fix
- Object.keys(options).forEach(key => (options[key] === undefined || options[key] === '') && delete options[key]); + Object.keys(options).forEach(key => { + if (options[key] === undefined || options[key] === '') delete options[key]; + });package.json (1)
21-23: Test script is a no-op despite adding Vitest as a dev dependency.
`vitest` is declared in `devDependencies` but the `test` script just echoes "No tests". Consider wiring it up or adding a TODO.
Suggested change
- "test": "echo 'No tests'" + "test": "vitest"
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/release.yml (1)
62-63: ⚠️ Potential issue | 🟠 Major
Bug: `SEMANTIC_OUTPUTS` references a non-existent step ID `semantic-dry-run`.
The semantic-release step has `id: semantic` (Line 16), but this line references `steps.semantic-dry-run.outputs`. This will always resolve to `null`.
Proposed fix
- SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic-dry-run.outputs) }} + SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic.outputs) }}Dockerfile (1)
13-13: ⚠️ Potential issue | 🟡 Minor
`--only=prod` is deprecated; use `--omit=dev` instead.
Node 24.13.0 ships with npm 11.6.2, where `--only=prod` has been deprecated since npm 7. The modern equivalent is `--omit=dev`.
Proposed fix
-RUN npm ci --only=prod +RUN npm ci --omit=dev
🤖 Fix all issues with AI agents
In `@README.md`:
- Line 27: Update the README line that currently reads "preferrably" to the
correct spelling "preferably" (the line referencing use of `@v5` and the
recommended docker digest or commit sha), ensuring the phrase now reads "...or
preferably the recommended docker digest or commit sha below".
- Line 379: Replace the incorrect GitHub Actions job key "run:
codfish/semantic-release-action@v5" in the README example with the correct
"uses: codfish/semantic-release-action@v5" so the recipe uses the action
invocation syntax; locate the example string in README.md and update that token
wherever the same pattern appears.
- Line 299: The example in README uses the wrong GitHub Actions key; replace the
incorrect "run: codfish/semantic-release-action@v5" example with the correct
"uses" form so the action is invoked rather than executed as a shell
command—locate the snippet containing "run: codfish/semantic-release-action@v5"
and change the key from run to uses while keeping the same action identifier.
🧹 Nitpick comments (2)
entrypoint.js (1)
143-143: `forEach` callback should not return a value (Biome lint).
The arrow function's expression body implicitly returns the result of the `&&`/`delete` chain. While harmless at runtime (forEach ignores return values), this triggers the `useIterableCallbackReturn` lint rule and hurts readability.
Proposed fix — use a block body
- Object.keys(options).forEach(key => (options[key] === undefined || options[key] === '') && delete options[key]); + Object.keys(options).forEach(key => { + if (options[key] === undefined || options[key] === '') delete options[key]; + });package.json (1)
21-23: `vitest` is listed as a devDependency but the test script is a no-op.
`vitest` (^4.0.18) is declared in `devDependencies` on Line 36, yet the `test` script just echoes "No tests". Either remove `vitest` from devDependencies until tests are actually added, or wire up the test script to use it (e.g., `"test": "vitest"`).
BREAKING CHANGE: @semantic-release/github no longer consumes the GitHub Search API in the plugin.

Upgraded to semantic-release v25 with breaking changes in the GitHub plugin. Any breaking changes from v25 apply to this github action version except for Node version requirements. Because this is a docker-based github action, the version of node in use is defined inside of the docker image, not by the consuming runner or your code.

- **@semantic-release/github v12**: The GitHub plugin no longer uses the GitHub Search API (`/search/issues` endpoint). It now uses GraphQL queries exclusively for issue retrieval. This architectural change may affect issue management in edge cases. See [github plugin v12 release notes](https://github.com/semantic-release/github/releases/tag/v12.0.0).
- **semantic-release v25**: Upgraded from v24.2.7 to v25.0.3
  - @semantic-release/npm upgraded to v13
  - @semantic-release/commit-analyzer and @semantic-release/release-notes-generator moved from beta to stable
  - Dependency updates (yargs v18, hosted-git-info v9)
  - See [semantic-release v25 release notes](https://github.com/semantic-release/semantic-release/releases/tag/v25.0.0)
- **npm OIDC Trusted Publishing Support**: The upgrade to @semantic-release/npm v13 enables support for npm's new OIDC-based trusted publishing. This allows publishing to npm without long-lived access tokens by using GitHub's OIDC token provider. This is more secure and eliminates the need to store `NPM_TOKEN` as a repository secret when publishing from GitHub Actions. See [npm documentation](https://docs.npmjs.com/generating-provenance-statements) for configuration details.
- **Node.js**: Upgraded to v24.13.0 (bundled in Docker, not a breaking change for users)
- **@actions/core**: Upgraded to v3.0.0 (internal implementation only)

1. Test in a separate branch first - the GitHub plugin's architectural change could affect issue management behavior
2. Review [semantic-release v25 changes](https://github.com/semantic-release/semantic-release/releases/tag/v25.0.0)
3. Review [@semantic-release/github v12 changes](https://github.com/semantic-release/github/releases/tag/v12.0.0)
4. Update your workflows to use `@v5`
5. **(Optional)** Migrate to npm OIDC Trusted Publishing:
   - Configure your package on [npmjs.com](https://www.npmjs.com/) to enable trusted publishing from GitHub Actions
   - Add `id-token: write` permission to your workflow job
   - Remove the `NPM_TOKEN` secret (you won't need it anymore!)
   - See [npm's trusted publishing guide](https://docs.npmjs.com/generating-provenance-statements)

- `v5` uses semantic-release v25 & node v24.13.0
- `v4` uses semantic-release v24 & node v22.18.0
- `v3` uses semantic-release v22 & node v20.9
- `v2` uses semantic-release v20 & node v18.7

**Compare**: v4.0.1...v5.0.0

* upgrade to semantic-release v25, @actions/core v3, Node v24.13.0, and update dev tooling

- semantic-release: v24.2.7 → v25.0.3
- @semantic-release/github: v11 → v12
- @semantic-release/npm: v12 → v13
- @actions/core: v1.11.1 → v3.0.0
- Node.js: v22.18.0 → v24.13.0
- Dev tooling: Migrated from cod-scripts to eslint + vitest

---

- **npm OIDC Trusted Publishing**: With @semantic-release/npm v13, you can now use npm's OIDC-based trusted publishing instead of long-lived `NPM_TOKEN` secrets. This provides better security by using GitHub's OIDC token provider to authenticate npm publishes directly from GitHub Actions. No more storing sensitive npm tokens in repository secrets!
- **Automated major version tag updates**: The release workflow now automatically updates the major version tag (v5) to point to the latest release. Users binding to `@v5` will automatically receive the latest stable v5.x.x release.

---

**Note**: This release follows the same versioning strategy as v4.0.0: breaking changes from semantic-release and its plugins (except Node version requirements) apply to this action. The GitHub Search API removal in @semantic-release/github v12 is a real architectural breaking change that justifies the v5.0.0 major version bump.
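An added example, not part of this PR or the project's code: a small Node.js check that audits workflow text for the points raised in the notes and reviews on this page, namely an action reference placed under `run:` instead of `uses:`, a `uses:` reference bound to a movable tag rather than a commit SHA or Docker digest, and a leftover `NPM_TOKEN` or missing `id-token: write` when moving to OIDC trusted publishing. The function name, rule names and sample workflow are constructed for illustration, and the check assumes the workflow publishes to npm.

```javascript
// Added example: audits workflow text for issues raised on this page.
// Line-based on purpose (no YAML dependency). Rule names are hypothetical.
const ACTION_REF = /^[\w.-]+\/[\w.-]+(\/[\w./-]+)?@\S+$/; // owner/repo[/path]@ref
const IMMUTABLE = /@(sha256:[0-9a-f]{64}|[0-9a-f]{40})$/; // image digest or commit SHA

function auditWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((raw, i) => {
    // Drop trailing comments and the list dash, then look at uses:/run: keys.
    const line = raw.replace(/\s+#.*$/, '').trim().replace(/^- /, '');
    const m = /^(uses|run):\s*(\S+)$/.exec(line);
    if (!m) return;
    const [, key, value] = m;
    const ref = value.replace(/^docker:\/\//, '');
    if (key === 'run' && ACTION_REF.test(ref)) {
      // An action reference under run: is executed as a shell command.
      findings.push({ line: i + 1, rule: 'action-under-run', value });
    }
    if (key === 'uses' && !value.startsWith('./') && !IMMUTABLE.test(ref)) {
      // Tags such as @v5 can be moved; a SHA or digest cannot.
      findings.push({ line: i + 1, rule: 'mutable-ref', value });
    }
  });
  // Assumption: the workflow publishes to npm, so one of the two applies.
  const usesNpmToken = /\bNPM_TOKEN\b/.test(text);
  const hasIdToken = /^\s*id-token:\s*write\s*$/m.test(text);
  if (usesNpmToken) findings.push({ line: 0, rule: 'long-lived-npm-token' });
  else if (!hasIdToken) findings.push({ line: 0, rule: 'missing-id-token-write' });
  return findings;
}

// Constructed sample; the SHA and digest are placeholder values.
const SAMPLE = `
permissions:
  contents: write
jobs:
  release:
    steps:
      - uses: actions/checkout@${'1'.repeat(40)} # constructed SHA
      - run: codfish/semantic-release-action@v5
      - uses: codfish/semantic-release-action@v5
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
      - uses: docker://ghcr.io/codfish/semantic-release-action@sha256:${'0'.repeat(64)}
`;

console.log(auditWorkflow(SAMPLE));
```

Findings with `line: 0` apply to the workflow as a whole rather than to one line.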
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/release.yml (1)
64-65: ⚠️ Potential issue | 🟠 Major
Bug: `semantic-dry-run` step ID does not exist — outputs will be empty.
Line 65 references `steps.semantic-dry-run.outputs`, but the semantic-release step has id `semantic` (line 18). This means `SEMANTIC_OUTPUTS` will always be empty in the dump step.
Proposed fix
- SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic-dry-run.outputs) }} + SEMANTIC_OUTPUTS: ${{ toJson(steps.semantic.outputs) }}Dockerfile (1)
13-13: ⚠️ Potential issue | 🔴 Critical
Replace `--only=prod` with `--omit=dev` and update Node.js base image to v22.18.0-slim.
The `--only=prod` flag is deprecated in npm 7+; use `--omit=dev` instead. Additionally, the Dockerfile uses `node:24.13.0-slim` but the coding guidelines require `node:22.18.0-slim`.
Proposed fix
-FROM node:24.13.0-slim +FROM node:22.18.0-slim-RUN npm ci --only=prod +RUN npm ci --omit=dev
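Review bot: the `FROM` line in this suggestion would move the base image from `node:24.13.0-slim` back to `node:22.18.0-slim`, which conflicts with the Node v24.13.0 upgrade described in this PR's walkthrough and release notes. Take only the `npm ci --omit=dev` change and leave the base image as it is, or update the coding guideline that still names v22.18.0.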
🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 21-22: The "format" npm script currently runs "eslint --fix" which
performs lint autofixes, not Prettier formatting, so update consistency between
package.json and AGENT.md: either change the "format" script to run Prettier
(e.g., a Prettier CLI command for the codebase) and keep AGENT.md as-is, or
rename the "format" script to something like "lint:fix" and update AGENT.md to
instruct using ESLint autofix instead; ensure you edit the "format" and/or
"lint" script entries in package.json and the corresponding wording in AGENT.md
so the script name and the documentation match.
- Line 23: Update the package.json test script to actually run Vitest or remove
the unused devDependency; specifically, replace the current "test" entry (echo
'No tests') with a command that invokes Vitest (e.g., "test": "vitest run" or
"test": "vitest") to match the declared devDependency "vitest" and AGENT.md
guidance, or if there are truly no tests, remove "vitest" from devDependencies
to avoid installing unused packages and update AGENT.md accordingly; ensure you
modify the "test" property in package.json and the "vitest" entry under
devDependencies.
In `@README.md`:
- Line 165: Update the Docker image digest string for the semantic-release
action to the v5 image digest: locate the two occurrences of the image reference
matching "uses: docker://ghcr.io/codfish/semantic-release-action@sha256:..."
(currently pointing to the v4.0.1 digest) and replace the sha256 digest with the
new v5 image digest produced by the release workflow so both references (the one
at line ~165 and the one at line ~204) point to the v5 multi-platform image.
In `@RELEASE_NOTES_V5.md`:
- Around line 5-9: Update the branding: replace the lowercase occurrences of
"github action" in the release notes with the correct capitalization "GitHub
Action" (and ensure any standalone "github" references are "GitHub") so the
sentence "Because this is a docker-based github action, the" becomes "Because
this is a docker-based GitHub Action, the". Locate the exact phrase "github
action" in the RELEASE_NOTES_V5.md content and apply the capitalization
consistently.
🧹 Nitpick comments (3)
entrypoint.js (1)
143-143: Static analysis: forEach callback should not return a value.
Biome flags this because the `&&` expression produces a return value from the callback, which `forEach` ignores. Use a block body to make the intent explicit.
Proposed fix
- Object.keys(options).forEach(key => (options[key] === undefined || options[key] === '') && delete options[key]); + Object.keys(options).forEach(key => { + if (options[key] === undefined || options[key] === '') delete options[key]; + });action.yml (1)
83-92: The `args` entries are not consumed by the entrypoint.
`entrypoint.js` reads inputs via `core.getInput()` (from `INPUT_*` env vars), not from `process.argv`. These positional args are effectively unused. While harmless and likely a pre-existing pattern, they add maintenance burden — any input rename requires updating both `inputs:` and `args:`.
.github/workflows/release.yml (1)
11-12: Consider adding `packages: write` permission for GHCR pushes.
The workflow pushes Docker images to `ghcr.io` (lines 77, 88–102). While `GCR_TOKEN` is used for auth, if you ever switch to `GITHUB_TOKEN` for GHCR, you'll need `packages: write`. Also verify that the `GCR_TOKEN` secret is a PAT with `write:packages` scope.
| "format": "eslint --fix", | ||
| "lint": "eslint", |
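Review bot: both `"lint": "eslint"` and `"format": "eslint --fix"` pass no file or directory argument, so what gets linted depends on the ESLint major version and its config defaults. Give both scripts an explicit target such as `eslint .` so they behave the same locally and in CI.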
"format": "eslint --fix" is misleading — AGENT.md says "Format code using Prettier".
The format script runs eslint --fix, which is linting with auto-fix, not Prettier formatting. Either rename this to better reflect what it does, or add a Prettier step. The AGENT.md guidance at line 23 says "Format code using Prettier" which doesn't match reality. One of the two should be updated for consistency.
🤖 Prompt for AI Agents
In `@package.json` around lines 21 - 22, The "format" npm script currently runs
"eslint --fix" which performs lint autofixes, not Prettier formatting, so update
consistency between package.json and AGENT.md: either change the "format" script
to run Prettier (e.g., a Prettier CLI command for the codebase) and keep
AGENT.md as-is, or rename the "format" script to something like "lint:fix" and
update AGENT.md to instruct using ESLint autofix instead; ensure you edit the
"format" and/or "lint" script entries in package.json and the corresponding
wording in AGENT.md so the script name and the documentation match.