feat: add bun to controller #387

Open
sujitaw wants to merge 8 commits into main from feat/add_bun_for_controller

Conversation

Contributor

@sujitaw sujitaw commented May 19, 2026

What

  • Added the bun package manager for the credo controller.

Summary by CodeRabbit

  • Chores
    • Switched development, build, and validation tooling to an alternative runtime for improved performance and consistency.
    • Updated CI workflow to align with the new tooling and streamline install/lint/format/type-check steps.
    • Narrowed CI branch triggers to the primary release branch.
    • Added a top-level trusted dependency configuration to enhance build security and stability.


Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>
@sujitaw sujitaw self-assigned this May 19, 2026

coderabbitai Bot commented May 19, 2026

📝 Walkthrough


Update scripts and CI to use Bun (replacing Yarn commands) and add a top-level trustedDependencies array listing native-module-related packages and patch-package.

Changes

Package Manager and Dependency Configuration

Layer / File(s) / Summary

Build and script migration to bun
  File(s): package.json
  Summary: Script commands including format, check-format, build, prestart:dev, start:dev, prepublishOnly, and validate are changed to use bun.

Native dependency trust configuration
  File(s): package.json
  Summary: Adds a trustedDependencies array whitelisting patch-package and native-module packages (node-gyp-build, @2060.io/*, @hyperledger/indy-vdr-nodejs, @hyperledger/anoncreds-nodejs, @credo-ts/askar, @openwallet-foundation/askar-nodejs).

CI workflow migration to bun
  File(s): .github/workflows/continuous-integration.yml
  Summary: CI steps and branch filter switched from Yarn/develop to Bun/main; adds a Bun setup step (bun-version: 1.3.3) and replaces install/lint/format/typecheck commands with Bun equivalents (bun install, bun lint, bun check-format, bun check-types).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Bun in paws, scripts leap and run,
Yarn tiptoes off beneath the sun.
Native roots get a trustful nod,
Patch and builds now hop abroad. 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive
  Explanation: The title 'feat: add bun to controller' is vague and does not clearly convey the scope of changes. While 'bun' is mentioned, it's unclear whether this refers to adding bun as a package manager, updating scripts, or other modifications.
  Resolution: Consider a more descriptive title such as 'feat: migrate package manager from yarn to bun' or 'feat: switch build scripts and dependencies to bun' to better reflect the comprehensive changes across package.json and CI workflows.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 39: The validate script currently mixes package managers ("validate") by
calling bun lint && yarn check-types && yarn check-format; update it to use bun
consistently by invoking the other scripts via bun (e.g., replace the yarn calls
with bun run check-types and bun run check-format) and ensure the referenced
scripts check-types and check-format exist in package.json so all parts of
"validate" use bun only.
- Around line 26-39: Update CI/CD and project files to complete the yarn→bun
migration: modify the workflow referenced by continuous-integration.yml to
change cache: 'yarn' → 'bun' (or remove), replace `yarn install` with `bun
install`, and change `yarn lint`, `yarn check-format`, `yarn check-types` to
`bun lint`, `bun check-format`, `bun check-types`; update .github/dependabot.yml
to rename the 'yarn' label to 'bun'; remove yarn.lock and ensure bun.lockb is
generated and committed; and update developer setup docs/README to document
using bun so scripts like the package.json "validate" (which currently runs `bun
lint && yarn check-types && yarn check-format`) and other scripts
("format","check-format","lint","validate","dev","build") consistently use bun
commands.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d0b27ac-8d92-4340-bae5-468f17c4090d

📥 Commits

Reviewing files that changed from the base of the PR and between 3116c1a and ebc5f92.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json

Comment thread package.json Outdated
Comment thread package.json Outdated
Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/continuous-integration.yml (1)

22-29: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Add explicit Bun installation and fix cache configuration.

actions/setup-node does not install Bun—it only sets up Node.js. Line 29 will fail with bun: command not found. Additionally, cache: 'bun' is not supported by setup-node; it only supports npm, yarn, and pnpm.

Proposed fix
      - name: Setup node v20
        uses: actions/setup-node@v4
        with:
          node-version: 20
-         cache: 'bun'

+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Cache Bun dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lockb') }}
+          restore-keys: bun-${{ runner.os }}-
+
       - name: Install dependencies
         run: bun install
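Review bot: the cache key in this proposed fix hashes `bun.lockb`, but this PR's lockfile is `bun.lock` (it appears in the list of files ignored by the `!**/*.lock` filter), so `hashFiles('bun.lockb')` would evaluate to an empty string and every run would collapse to the constant key `bun-${{ runner.os }}-`, restoring a stale cache instead of one keyed to the current lockfile; use `hashFiles('bun.lock')` here. The added `uses: oven-sh/setup-bun@v2` is also a floating tag rather than a commit SHA, which the later review flags as a supply-chain risk, so pin it when the step is introduced rather than in a follow-up.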
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml around lines 22 - 29, The
workflow uses actions/setup-node with cache: 'bun' and then runs "bun install",
which fails because setup-node doesn't provide Bun and its cache option doesn't
support 'bun'; update the "Setup node v20" step to remove or change the
unsupported cache value (use supported values like 'npm'/'yarn'/'pnpm' or omit),
and add an explicit Bun installation step before the "Install dependencies" step
(either use an official setup action such as actions/setup-bun or run a short
install script to install Bun), ensuring the "Install dependencies" step still
runs "bun install" after Bun is available.
🧹 Nitpick comments (1)
.github/workflows/continuous-integration.yml (1)

29-29: ⚡ Quick win

Use a frozen lockfile in CI installs for deterministic builds.

On Line 29, prefer bun install --frozen-lockfile so CI fails on lockfile drift instead of silently changing dependency resolution.

Proposed fix
-      - name: Install dependencies
-        run: bun install
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml at line 29, Update the CI
install step that currently runs "bun install" to use a frozen lockfile by
changing the command to "bun install --frozen-lockfile" so the workflow fails on
lockfile drift instead of mutating dependencies; locate the run step that
executes bun install in the continuous integration workflow and replace the
command accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/continuous-integration.yml:
- Around line 22-29: The workflow uses actions/setup-node with cache: 'bun' and
then runs "bun install", which fails because setup-node doesn't provide Bun and
its cache option doesn't support 'bun'; update the "Setup node v20" step to
remove or change the unsupported cache value (use supported values like
'npm'/'yarn'/'pnpm' or omit), and add an explicit Bun installation step before
the "Install dependencies" step (either use an official setup action such as
actions/setup-bun or run a short install script to install Bun), ensuring the
"Install dependencies" step still runs "bun install" after Bun is available.

---

Nitpick comments:
In @.github/workflows/continuous-integration.yml:
- Line 29: Update the CI install step that currently runs "bun install" to use a
frozen lockfile by changing the command to "bun install --frozen-lockfile" so
the workflow fails on lockfile drift instead of mutating dependencies; locate
the run step that executes bun install in the continuous integration workflow
and replace the command accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8e6fcb5f-edd3-4578-8cfd-3757351446f4

📥 Commits

Reviewing files that changed from the base of the PR and between ebc5f92 and 840b1bf.

📒 Files selected for processing (2)
  • .github/workflows/continuous-integration.yml
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

…int issues

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/continuous-integration.yml (1)

29-30: ⚡ Quick win

Consider pinning the bun version for reproducibility.

The setup step doesn't specify a bun-version, which means CI will use the latest available version. This could lead to unexpected failures if a new bun release introduces breaking changes.

📌 Proposed fix to pin the bun version
 - name: Setup bun
   uses: oven-sh/setup-bun@v2
+  with:
+    bun-version: latest

Or pin to a specific version for maximum reproducibility:

 - name: Setup bun
   uses: oven-sh/setup-bun@v2
+  with:
+    bun-version: 1.1.0
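Review bot: the first variant, `bun-version: latest`, behaves the same as omitting the key (the comment itself notes that an unset version already resolves to the latest release), so it does not address the reproducibility point being made; only the second, explicit version pins anything. `1.1.0` there is illustrative, not a release this project has tested, so the value should be one the team has validated (the walkthrough records 1.3.3 as the version eventually set). Pairing the pinned version with `bun install --frozen-lockfile`, the nitpick from the previous review, is what makes the install reproducible end to end.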
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml around lines 29 - 30, The CI
step using the GitHub Action "Setup bun" (uses: oven-sh/setup-bun@v2) should pin
a specific bun version by adding the bun-version input (e.g., bun-version:
"1.5.0" or a tested semantic version) to the action configuration so the
workflow uses a fixed, reproducible bun release instead of the latest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/continuous-integration.yml:
- Line 33: Update the CI step that runs the package install so it uses a frozen
lockfile: change the run command that currently invokes "bun install" to include
the "--frozen-lockfile" flag (i.e., "bun install --frozen-lockfile") so the
workflow step invoking bun install will fail on lockfile drift and produce
reproducible builds.

---

Nitpick comments:
In @.github/workflows/continuous-integration.yml:
- Around line 29-30: The CI step using the GitHub Action "Setup bun" (uses:
oven-sh/setup-bun@v2) should pin a specific bun version by adding the
bun-version input (e.g., bun-version: "1.5.0" or a tested semantic version) to
the action configuration so the workflow uses a fixed, reproducible bun release
instead of the latest.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d639cef-821f-4292-b4b1-4ddb1b923664

📥 Commits

Reviewing files that changed from the base of the PR and between 840b1bf and 31aeb8d.

📒 Files selected for processing (1)
  • .github/workflows/continuous-integration.yml


- name: Install dependencies
run: yarn install
run: bun install


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use --frozen-lockfile flag for reproducible CI builds.

The bun install command should include the --frozen-lockfile flag in CI environments to ensure reproducible builds and catch any drift between package.json and the lockfile.

🔒 Proposed fix to add frozen lockfile flag
 - name: Install dependencies
-  run: bun install
+  run: bun install --frozen-lockfile
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml at line 33, Update the CI step
that runs the package install so it uses a frozen lockfile: change the run
command that currently invokes "bun install" to include the "--frozen-lockfile"
flag (i.e., "bun install --frozen-lockfile") so the workflow step invoking bun
install will fail on lockfile drift and produce reproducible builds.

KambleSahil3 and others added 5 commits May 19, 2026 16:29
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>
@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

69-69: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove duplicate dependency specification.

The pipeline warns that @types/ref-struct-di is specified twice: once in dependencies (line 69) and again in devDependencies (line 105). Type definitions should only be in devDependencies.

🔧 Proposed fix
     "`@types/node-fetch`": "^2.6.4",
-    "`@types/ref-struct-di`": "^1.1.12",
     "`@types/uuid`": "^10.0.0",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 69, Remove the duplicate "`@types/ref-struct-di`" entry
from the runtime dependencies block and keep it only under devDependencies; edit
package.json to delete the "`@types/ref-struct-di`" line from the "dependencies"
section (the one shown in the diff) so type definitions remain exclusively in
"devDependencies".
♻️ Duplicate comments (1)
.github/workflows/continuous-integration.yml (1)

35-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add --frozen-lockfile flag for reproducible builds.

The bun install command in CI should use --frozen-lockfile to ensure the lockfile is not modified and builds are reproducible. This also helps catch drift between package.json and the lockfile.

🔒 Proposed fix
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml at line 35, Update the CI step
that runs the package installation so it uses Bun's frozen lockfile check:
replace the current "run: bun install" invocation with a command that adds the
--frozen-lockfile flag (i.e., run the install step as "bun install
--frozen-lockfile") so the job fails if the lockfile would be modified, ensuring
reproducible builds and detecting drift between package files and the lockfile.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/continuous-integration.yml:
- Line 30: The workflow currently uses the unpinned action reference
oven-sh/setup-bun@v2 which is a supply-chain risk; update that reference to the
specific commit oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 so
the CI always uses the exact action version, replacing oven-sh/setup-bun@v2 with
the provided commit hash in the continuous-integration.yml step that references
the setup-bun action.

In `@package.json`:
- Line 139: There's a JSON syntax error from a trailing comma before a closing
array bracket in package.json; locate the array that ends with the lone "]" (the
property whose value is the array causing the trailing comma) and remove the
trailing comma immediately before that closing bracket so the array is valid
JSON (no code change beyond deleting the comma).

---

Outside diff comments:
In `@package.json`:
- Line 69: Remove the duplicate "`@types/ref-struct-di`" entry from the runtime
dependencies block and keep it only under devDependencies; edit package.json to
delete the "`@types/ref-struct-di`" line from the "dependencies" section (the one
shown in the diff) so type definitions remain exclusively in "devDependencies".

---

Duplicate comments:
In @.github/workflows/continuous-integration.yml:
- Line 35: Update the CI step that runs the package installation so it uses
Bun's frozen lockfile check: replace the current "run: bun install" invocation
with a command that adds the --frozen-lockfile flag (i.e., run the install step
as "bun install --frozen-lockfile") so the job fails if the lockfile would be
modified, ensuring reproducible builds and detecting drift between package files
and the lockfile.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9babfa39-67c0-426f-a4d7-5e1354a29e71

📥 Commits

Reviewing files that changed from the base of the PR and between 31aeb8d and 35c92f2.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/continuous-integration.yml
  • package.json

cache: 'yarn'

- name: Setup bun
uses: oven-sh/setup-bun@v2


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the commit hash for the v2 tag of oven-sh/setup-bun

gh api repos/oven-sh/setup-bun/git/ref/tags/v2 --jq '.object.sha' 2>/dev/null || \
gh api repos/oven-sh/setup-bun/commits?sha=v2 --jq '.[0].sha' 2>/dev/null || \
echo "Could not resolve v2 tag. Please check the repository manually."

Repository: credebl/agent-controller

Length of output: 109


Pin the action to a specific commit hash.

The oven-sh/setup-bun action is not pinned to a commit, creating a supply chain security risk. Replace oven-sh/setup-bun@v2 with oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 to ensure the exact version is always used, preventing potential tag manipulation or unintended updates.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/continuous-integration.yml at line 30, The workflow
currently uses the unpinned action reference oven-sh/setup-bun@v2 which is a
supply-chain risk; update that reference to the specific commit
oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 so the CI always uses
the exact action version, replacing oven-sh/setup-bun@v2 with the provided
commit hash in the continuous-integration.yml step that references the setup-bun
action.
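A policy scan covering the workflow issues raised across this review (unpinned action references, the unsupported `cache: 'bun'` on setup-node, a setup-bun step without `bun-version`, and `bun install` without `--frozen-lockfile`), as an added example that is not code from this PR or the credebl/agent-controller project. Both workflow snippets inside it are constructed; the all-zero checkout SHA is a placeholder, and the setup-bun SHA is the one quoted in the review above.

```python
"""Policy scan for a GitHub Actions workflow that installs with Bun.

Added example, not code from this PR or the credebl/agent-controller project.
Line-based (no YAML library); reproduces this review's workflow findings:
unpinned action references, setup-node with the unsupported cache: 'bun',
setup-bun without bun-version, and bun install without --frozen-lockfile.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
NEW_STEP = re.compile(r"^\s*-\s")                 # next list item under steps:
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.+?)\s*$")
CACHE_BUN = re.compile(r"^\s*cache:\s*['\"]?bun['\"]?\s*$")
BUN_VERSION = re.compile(r"^\s*bun-version:\s*['\"]?([^'\"\s]+)")


def check_workflow(text):
    """Return [(line_number, message)] for one workflow file's text."""
    findings = []
    action = None   # owner/name of the action used by the step being scanned
    pending = None  # line of a setup-bun step whose with: block has not set bun-version
    for no, line in enumerate(text.splitlines(), 1):
        if NEW_STEP.match(line):                  # a new step closes the previous one
            if pending is not None:
                findings.append((pending, "setup-bun without bun-version: CI floats to the latest Bun"))
            action = pending = None
        if m := USES.match(line):
            ref = m.group(1)
            action, _, version = ref.partition("@")
            if not SHA40.match(version):          # tags and branches can be moved; a SHA cannot
                findings.append((no, f"unpinned action reference {ref}: pin to a full commit SHA"))
            if action == "oven-sh/setup-bun":
                pending = no
        elif pending is not None and (m := BUN_VERSION.match(line)):
            if m.group(1) == "latest":
                findings.append((no, "bun-version: latest pins nothing; use a tested release"))
            pending = None
        elif action == "actions/setup-node" and CACHE_BUN.match(line):
            findings.append((no, "cache: 'bun' is not supported by setup-node (npm, yarn, pnpm only)"))
        elif (m := RUN.match(line)) and re.search(r"\bbun\s+install\b", m.group(1)):
            if "--frozen-lockfile" not in m.group(1):
                findings.append((no, "bun install without --frozen-lockfile: lockfile drift passes silently"))
    if pending is not None:
        findings.append((pending, "setup-bun without bun-version: CI floats to the latest Bun"))
    return findings


# Constructed: the shape of the steps as first submitted in this PR.
SUBMITTED_STEPS = """\
steps:
  - uses: actions/checkout@v4
  - name: Setup node v20
    uses: actions/setup-node@v4
    with:
      node-version: 20
      cache: 'bun'
  - name: Setup bun
    uses: oven-sh/setup-bun@v2
  - name: Install dependencies
    run: bun install
"""

# Constructed: every finding addressed. Checkout SHA is an all-zero placeholder;
# the setup-bun SHA is the commit quoted in this review.
HARDENED_STEPS = """\
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000
  - name: Setup bun
    uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
    with:
      bun-version: 1.3.3
  - name: Install dependencies
    run: bun install --frozen-lockfile
"""
```

Running `check_workflow(SUBMITTED_STEPS)` reports six findings (three unpinned actions, the cache value, the missing version, and the unfrozen install); the hardened steps report none.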

Comment thread package.json
"@credo-ts/askar",
"@openwallet-foundation/askar-nodejs",
"@hyperledger/anoncreds-nodejs",
]


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix JSON syntax error: remove trailing comma.

JSON does not allow trailing commas. This will cause parsing errors when tools read package.json.

🐛 Proposed fix
-    "`@hyperledger/anoncreds-nodejs`",
+    "`@hyperledger/anoncreds-nodejs`"
🧰 Tools
🪛 Biome (2.4.15)

[error] 139-139: Expected an array, an object, or a literal but instead found ']'.

(parse)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 139, There's a JSON syntax error from a trailing comma
before a closing array bracket in package.json; locate the array that ends with
the lone "]" (the property whose value is the array causing the trailing comma)
and remove the trailing comma immediately before that closing bracket so the
array is valid JSON (no code change beyond deleting the comma).
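The package.json findings from this review and the first one (the trailing comma, the duplicate `@types/ref-struct-di`, and a `validate` script still shelling out to yarn) as a pre-push check; this is an added example, not code from this PR or the credebl/agent-controller project. Both manifests are constructed, with `"*"` standing in for real version ranges.

```python
"""Pre-push checks for a Bun project's package.json.

Added example, not code from this PR or the credebl/agent-controller project.
Reproduces the package.json findings from this review as functions: a strict
JSON parse that names the line of a trailing comma, packages declared in more
than one dependency section, and scripts still calling yarn/npm (the first
review's "validate" finding). Versions in the constructed manifests are "*".
"""
import json
import re

SECTIONS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")


def parse_manifest(text):
    """Strict parse; returns (manifest, None) or (None, message naming the line)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        msg = f"line {exc.lineno}: {exc.msg}"
        if text[:exc.pos].rstrip().endswith(","):   # parser stopped right after a comma
            msg += " (trailing comma before a closing bracket; JSON does not allow one)"
        return None, msg


def duplicate_dependencies(manifest):
    """{package: [sections]} for packages listed in more than one section."""
    seen = {}
    for section in SECTIONS:
        for name in manifest.get(section, {}):
            seen.setdefault(name, []).append(section)
    return {name: secs for name, secs in seen.items() if len(secs) > 1}


def foreign_manager_scripts(manifest, managers=("yarn", "npm", "npx")):
    """{script: [managers]} for scripts whose commands still invoke another manager."""
    hits = {}
    for name, cmd in manifest.get("scripts", {}).items():
        # first word of each shell segment: "a && b || c; d" -> a, b, c, d
        heads = re.findall(r"(?:^|&&|\|\||;)\s*([\w.-]+)", cmd)
        found = sorted({h for h in heads if h in managers})
        if found:
            hits[name] = found
    return hits


def check_manifest(text):
    """All checks at once; a parse error short-circuits the structural checks."""
    manifest, err = parse_manifest(text)
    if err:
        return {"parse": err, "duplicates": {}, "foreign_scripts": {}}
    return {"parse": None, "duplicates": duplicate_dependencies(manifest),
            "foreign_scripts": foreign_manager_scripts(manifest)}


# Constructed: the shape of package.json that drew this review's findings.
SUBMITTED = """{
  "scripts": {"validate": "bun lint && yarn check-types && yarn check-format"},
  "dependencies": {"@credo-ts/askar": "*", "@types/ref-struct-di": "*"},
  "devDependencies": {"@types/ref-struct-di": "*"},
  "trustedDependencies": [
    "patch-package",
    "@credo-ts/askar",
  ]
}
"""

# Constructed: the same manifest with all three findings fixed.
FIXED = """{
  "scripts": {"validate": "bun lint && bun run check-types && bun run check-format"},
  "dependencies": {"@credo-ts/askar": "*"},
  "devDependencies": {"@types/ref-struct-di": "*"},
  "trustedDependencies": ["patch-package", "@credo-ts/askar"]
}
"""
```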
