⚙️ setup: add Biome linter, CodeQL, Dependabot, and consolidate CI workflows #20
warengonzaga wants to merge 6 commits into main from
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
📦 Package Build Flow — Monorepo Build
🔀 Pull Request Build — Pre-release package for testing PR changes
📥 Quick Install (changed packages)
npm i @tinyclaw/types@2.0.0-dev.5772a1f @tinyclaw/plugins@2.0.0-dev.5772a1f @tinyclaw/plugin-channel-discord@2.0.0-dev.5772a1f @tinyclaw/plugin-channel-friends@2.0.0-dev.5772a1f @tinyclaw/plugin-provider-openai@2.0.0-dev.5772a1f tinyclaw@2.0.0-dev.5772a1f
This package was built automatically by the Package Build Flow action.
Pull request overview
This PR introduces Biome for linting and formatting, consolidates CI workflows by merging commit linting into the main CI workflow, and adds CodeQL security scanning and Dependabot dependency management. The changes primarily consist of automated formatting fixes across the entire TypeScript/JavaScript codebase to ensure consistency.
Changes:
- Added Biome linter/formatter configuration and integrated it into the CI pipeline
- Consolidated commit message linting into the main CI workflow and removed the separate workflow file
- Added CodeQL workflow for automated security vulnerability scanning
- Added Dependabot configuration for automated dependency updates (npm, GitHub Actions, Docker)
- Applied consistent formatting across all TypeScript/JavaScript files (import ordering, semicolons, quote style, multi-line formatting)
Reviewed changes
Copilot reviewed 150 out of 151 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| biome.json | Biome linter/formatter configuration with recommended rules |
| .github/dependabot.yml | Dependabot config for npm, GitHub Actions, and Docker updates |
| .github/workflows/codeql.yml | CodeQL security scanning workflow |
| .github/workflows/ci.yml | Consolidated CI workflow including commit linting and Biome checks |
| .github/workflows/commit-lint.yml | Removed (consolidated into ci.yml) |
| package.json | Added Biome scripts (lint, lint:fix, format) |
| packages/**/*.ts | Formatting changes: imports, semicolons, quotes, multi-line |
| src/**/*.ts, src/**/*.js | Formatting changes across web, landing, and CLI |
| plugins/**/*.ts | Formatting changes in provider and channel plugins |
🛠️ Container Build Complete - Dev Build
Build Status: ✅ Success
📦 Pull Image
Docker Hub: docker pull warengonzaga/tinyclaw:dev-d9e0a41
GHCR: docker pull ghcr.io/warengonzaga/tinyclaw:dev-d9e0a41
📋 Build Details
🏷️ Image Tags
🔍 Testing Your Changes
🚀 Quick Start
# Pull and run the container
Docker Hub: docker pull warengonzaga/tinyclaw:dev-d9e0a41
docker run <your-options> <image>
🔒 Security Scan Results
📋 Pre-Build Security Checks
✅ Source Code Scan: 0 vulnerabilities found
🐳 Container Image Vulnerabilities
📊 Detailed Security Reports
View detailed vulnerability reports in the GitHub Security tab.
🤖 Powered by Container Build Flow Action v1.2.0
…eset (#22)
* Initial plan
* 🔧 update (release): use GH_PAT token in checkout to bypass branch ruleset
Co-authored-by: warengonzaga <15052701+warengonzaga@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: warengonzaga <15052701+warengonzaga@users.noreply.github.com>
📦 Package Build Flow — Monorepo Build
🔀 Pull Request Build — Pre-release package for testing PR changes
📥 Quick Install (changed packages)
npm i @tinyclaw/types@2.0.0-dev.c03f78a @tinyclaw/plugins@2.0.0-dev.c03f78a @tinyclaw/plugin-channel-discord@2.0.0-dev.c03f78a @tinyclaw/plugin-channel-friends@2.0.0-dev.c03f78a @tinyclaw/plugin-provider-openai@2.0.0-dev.c03f78a tinyclaw@2.0.0-dev.c03f78a
This package was built automatically by the Package Build Flow action.
This pull request introduces several improvements to the repository's infrastructure, code formatting, and code quality automation. The most significant changes include consolidating and enhancing CI workflows (especially commit linting and security scanning), introducing Biome for linting and formatting, and making code style more consistent across the compactor package. Below are the most important changes grouped by theme:
CI/CD and Automation Improvements
- .github/workflows/ci.yml) and removed the separate commit-lint.yml file, ensuring commit messages follow the Clean Commit convention as part of the standard CI process.
- dependabot.yml configuration to automate dependency update PRs for npm, GitHub Actions, and Docker, with grouping and labeling for better manageability.
Formatting and Linting Enhancements
- biome.json for configuration and updated package.json scripts to run linting and formatting via Biome.
Code Style and Consistency
- compactor package to use more consistent and readable styles, such as replacing / +/g with / {2,}/g, expanding multi-line function arguments into single lines where appropriate, and improving table parsing logic for Markdown and KV tables.
These changes collectively improve the project's maintainability, code quality, and security posture.
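A reviewer's check for the regex rewrite mentioned in the description, as an added example that is not part of the PR or the project's code: it runs `/ +/g` and `/ {2,}/g` through several string operations and lists the inputs where the results differ. The operation names and sample strings are assumptions constructed for illustration; the compactor's real call sites are not shown on this page.

```javascript
// Added example: differential check for a regex changed in a formatting-only PR.
// The two patterns are quoted from the PR description above.
const BEFORE = / +/g;   // one or more spaces
const AFTER = / {2,}/g; // two or more spaces

// Constructed inputs: no spaces, single spaces, runs, leading/trailing runs.
const SAMPLES = ['', 'a', 'a b', 'a  b', ' a   b ', 'key    value', '  lead', 'trail  '];

// Hypothetical call sites: ways a text compactor could use the pattern.
const OPERATIONS = {
  collapse: (re, s) => s.replace(re, ' '),
  strip: (re, s) => s.replace(re, ''),
  split: (re, s) => s.split(re),
  count: (re, s) => (s.match(re) || []).length,
};

// For each operation, return the sample inputs on which the two
// patterns produce different results. An empty list means the rewrite
// is behaviour-preserving for that operation on these samples.
function diverging(before, after, samples = SAMPLES) {
  const report = {};
  for (const [name, op] of Object.entries(OPERATIONS)) {
    report[name] = samples.filter(
      (s) => JSON.stringify(op(before, s)) !== JSON.stringify(op(after, s)),
    );
  }
  return report;
}

console.log(diverging(BEFORE, AFTER));
```

Collapsing runs to a single space gives the same output under both patterns, so a rewrite at such a call site is safe; any call site that strips, splits or counts on the pattern needs a closer look before the change is treated as formatting only.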