Add comprehensive GitHub workflows and automation infrastructure #48
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>
Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>
Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR adds comprehensive GitHub automation workflows and improves existing CI/CD infrastructure for the Object UI repository. The changes establish automated processes for security scanning, dependency management, issue/PR lifecycle management, and enhanced continuous integration.
Changes:
- Added 8 new GitHub workflow files for automated processes (CodeQL security scanning, Dependabot auto-merge, stale issue management, PR auto-labeling, bundle size checks, secret scanning, and changelog generation)
- Enhanced existing CI workflow with improved pnpm caching and Codecov token support
- Added complete issue/PR template system with bug reports, feature requests, and PR guidelines
- Created comprehensive workflow documentation and configuration files
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| cliff.toml | Configuration for git-cliff changelog generation tool with conventional commit parsing |
| README.md | Added CI and CodeQL workflow status badges |
| CONTRIBUTING.md | Added detailed documentation about automated workflows and contributor tips |
| .github/workflows/stale.yml | Automated stale issue/PR management with configurable timeframes |
| .github/workflows/size-check.yml | Bundle size monitoring and PR comment reporting |
| .github/workflows/secret-scan.yml | Gitleaks integration for secret detection |
| .github/workflows/labeler.yml | Automatic PR labeling based on changed files |
| .github/workflows/dependabot-auto-merge.yml | Automated approval and merging of Dependabot updates |
| .github/workflows/codeql.yml | CodeQL security analysis for vulnerability detection |
| .github/workflows/ci.yml | Enhanced CI with pnpm store caching and Codecov token |
| .github/workflows/changelog.yml | Automated CHANGELOG.md generation on releases |
| .github/labeler.yml | Configuration mapping file paths to PR labels |
| .github/dependabot.yml | Dependabot configuration for npm and GitHub Actions updates |
| .github/WORKFLOWS.md | Comprehensive documentation of all workflow functionality |
| .github/PULL_REQUEST_TEMPLATE.md | Standardized PR template with checklist and metadata |
| .github/ISSUE_TEMPLATE/feature_request.md | Structured feature request template |
| .github/ISSUE_TEMPLATE/config.yml | Issue template configuration with external links |
| .github/ISSUE_TEMPLATE/bug_report.md | Structured bug report template |
.github/workflows/size-check.yml
Outdated
| # Calculate sizes for main bundle files | ||
| for file in "$pkg"/*.js; do | ||
| if [ -f "$file" ] && [ ! -f "${file}.map" ]; then | ||
| size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null || echo "0") |
There was a problem hiding this comment.
The stat command syntax varies between BSD (macOS) and GNU (Linux) systems. While the fallback chain is correct, this workflow runs on ubuntu-latest, so the BSD syntax -f%z will always fail first. Consider reordering to try the GNU syntax first for efficiency, or simply use the GNU syntax since the workflow explicitly targets Ubuntu.
| size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null || echo "0") | |
| size=$(stat -c%s "$file" 2>/dev/null || echo "0") |
|
|
||
| # Calculate sizes for main bundle files | ||
| for file in "$pkg"/*.js; do | ||
| if [ -f "$file" ] && [ ! -f "${file}.map" ]; then |
There was a problem hiding this comment.
The condition [ ! -f "${file}.map" ] checks for the non-existence of a .map file, but the constructed filename is incorrect. If $file is dist/bundle.js, this checks for dist/bundle.js.map, not dist/bundle.map. Use [ ! -f "${file%.js}.js.map" ] or adjust the logic to correctly identify source map files.
| if [ -f "$file" ] && [ ! -f "${file}.map" ]; then | |
| if [ -f "$file" ] && [ ! -f "${file%.js}.js.map" ]; then |
| split_commits = false | ||
| # regex for preprocessing the commit messages | ||
| commit_preprocessors = [ | ||
| { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](https://github.com/objectstack-ai/objectui/issues/${2}))"}, |
There was a problem hiding this comment.
The URL hardcodes the organization name as objectstack-ai, but the README and other files reference objectql/objectui. This inconsistency will cause broken issue links in the generated changelog. Verify the correct organization name and update accordingly.
| { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](https://github.com/objectstack-ai/objectui/issues/${2}))"}, | |
| { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](https://github.com/objectql/objectui/issues/${2}))"}, |
| url: https://www.objectui.org | ||
| about: Check our documentation for guides and API references | ||
| - name: 💡 Feature Request | ||
| url: https://github.com/objectstack-ai/objectui/discussions/categories/ideas |
There was a problem hiding this comment.
Similar to the cliff.toml issue, this URL references objectstack-ai organization, but other parts of the codebase suggest the repository might be under a different organization. Verify the correct GitHub organization and repository path.
| url: https://github.com/objectstack-ai/objectui/discussions/categories/ideas | |
| url: https://github.com/objectql/objectui/discussions/categories/ideas |
| [](https://github.com/objectstack-ai/objectui/actions/workflows/ci.yml) | ||
| [](https://github.com/objectstack-ai/objectui/actions/workflows/codeql.yml) |
There was a problem hiding this comment.
The badge URLs in the example use objectstack-ai as the organization, which may not match the actual repository organization. Ensure these example URLs reflect the correct GitHub organization path to avoid confusion when contributors copy them.
| [](https://github.com/objectstack-ai/objectui/actions/workflows/ci.yml) | |
| [](https://github.com/objectstack-ai/objectui/actions/workflows/codeql.yml) | |
| [](https://github.com/objectql/objectui/actions/workflows/ci.yml) | |
| [](https://github.com/objectql/objectui/actions/workflows/codeql.yml) |
| - name: Get pnpm store directory | ||
| shell: bash | ||
| run: | | ||
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | ||
|
|
||
| - name: Setup pnpm cache | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ env.STORE_PATH }} | ||
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pnpm-store- | ||
|
|
There was a problem hiding this comment.
This pattern of manually setting up pnpm cache is duplicated across three jobs (test, lint, build). Consider extracting this into a composite action or using a reusable workflow to reduce duplication and improve maintainability.
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store- |
github-actions
bot
added
documentation
…ce duplication Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>
|
✅ All checks passed!
|
|
✅ All checks passed!
|
|
✅ All checks passed!
|
|
✅ All checks passed!
|
1 similar comment
|
✅ All checks passed!
|
Implements complete CI/CD automation including security scanning, dependency management, and project maintenance workflows.
New Workflows
Security & Quality
Automation
Improvements
CI Pipeline
Developer Experience
.github/WORKFLOWS.md)Configuration
All workflows follow least-privilege permissions, use commit-pinned actions where security-critical, and include proper error handling.
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.