ci: format and auto-commit diffs instead of just checking

[devin-ai-integration]

Summary

Refactors the Format job in .github/workflows/code-quality.yml so it actually runs the formatter and pushes any resulting diff back to the PR branch, instead of failing CI when the working tree isn't already formatted.

Changes:

• Replaced bunx biome ci --formatter-enabled=true ... with bun run format (which runs biome check --write --linter-enabled=false --assist-enabled=true).
• Added an auto-commit step using stefanzweifel/git-auto-commit-action@v5 that commits any formatting diffs as github-actions[bot] with the message style: apply biome formatting.
• Job now only runs on pull_request events from same-repo branches and grants contents: write (least-privilege override of the workflow's top-level contents: read). Skipped on push to main (no pushing to main from CI) and on fork PRs (default GITHUB_TOKEN can't push to forks).
• Checkout step pins ref: ${{ github.head_ref }} so the actual PR branch (not the merge commit) is checked out for committing back.

The Lint and Knip jobs are untouched.

Note: the auto-pushed commit will not retrigger CI on the PR (GitHub safety behavior with default GITHUB_TOKEN); reviewers may need to push an empty commit or re-run workflows if they want CI to run on the auto-formatted state.

Review & Testing Checklist for Human

• Open a throwaway PR that introduces a clear formatting violation (e.g. odd indentation in a .ts file) and confirm the Format job runs bun run format and pushes a style: apply biome formatting commit back to the branch.
• Confirm a PR with no formatting issues runs through Format cleanly with no extra commit.
• Confirm Lint and Knip still run and behave the same on PRs.
• Verify branch protection on main still works as expected (this PR doesn't touch it, but the workflow's permissions changed).

Notes

• Auto-commit only runs for same-repo PRs because GITHUB_TOKEN cannot push to forks. If you want fork PRs handled too, that requires either a dedicated bot PAT or moving to pull_request_target (which has security implications).
• I deliberately did not add the auto-commit behavior to the push: [main] trigger — pushing automated commits back to main would conflict with branch protection and is risky. Format issues on main should be caught by the PR-side job before merge.

Link to Devin session: https://app.devin.ai/sessions/d2582a2e217f4687aa7f9ffd3c457026

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web	Ready	Preview, Comment	May 10, 2026 0:14am
web-juliett	Ready	Preview, Comment	May 10, 2026 0:14am

[cursor]

🔒 Agentic Security Review
Severity: MEDIUM
Using stefanzweifel/git-auto-commit-action@v5 (mutable tag) in a job with contents: write introduces a supply-chain trust risk: if that tag is retargeted or compromised upstream, this workflow can run attacker-controlled code with repository write permissions.
Impact: Unauthorized commits could be pushed to PR branches from CI.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 12056c91d9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Retain formatting check for forked pull requests

The new job-level condition restricts format to same-repo PRs only, so fork PRs now skip formatting entirely. In GitHub Actions, a skipped job is treated as successful for required checks, which means external contributions can merge without any formatter validation. If auto-commit is only intended for same-repo branches, keep the formatter step running for all PRs and gate only the commit step behind the same-repo condition.

Useful? React with 👍 / 👎.