ci: post sticky PR comment with fallow audit findings (#954)

jrusso1020 · web-flow · commit efc5f0584bb1 · 2026-05-18T21:28:41.000-07:00
* ci: run fallow audit in lefthook pre-commit

Mirrors the same `fallow audit --base ... --fail-on-issues` check that
runs in CI, but locally against HEAD so issues surface at commit time
instead of after the push round-trip.

Scoped to `packages/**` source files via the glob — non-code edits
(README, docs, top-level configs) skip the hook entirely.

Measured locally: ~5s in parallel with the existing lint/format/typecheck
checks. Doesn't extend wall-clock time because typecheck (~11s) is the
long pole, and lefthook runs commands in parallel.

The default `--gate new-only` means inherited findings don't block the
commit — same gate behavior as CI, so local pre-commit and PR audit
agree.

* refactor: delete orphan declarations flagged by fallow

After fallow's auto-fix de-exports unused symbols, oxlint surfaces them
as no-unused-vars. This PR deletes those orphan declarations outright.

Biggest cleanup: studio/src/icons/SystemIcons.tsx shrinks from 132 to 57
lines — 33 unused icon wrappers and their phosphor-icon imports deleted.

Other deletions across 14 more files covering paired getter/setters,
helper functions, dead env constants, internal components with no
callers, and cascading unused imports.

Cascade-causing files held back for follow-up PRs: renderOrchestrator
barrel of captureCost re-exports, telemetry/portUtils/remote barrels,
Button.tsx + ui/index.ts (would orphan whole file), studioMotion
type re-exports.

Test plan: typecheck clean across 8 packages, oxlint + oxfmt clean,
fallow audit exit 0 (remaining findings inherited), cli + studio
vitest suites pass.

* ci: post sticky PR comment with fallow audit findings

Reviewers shouldn't have to dig through CI logs to see what fallow
flagged. With this change, on every PR the fallow job posts (or
updates) a sticky comment containing the full audit report formatted
as a collapsible markdown table.

The comment uses fallow's built-in `pr-comment-github` format, which
already emits a `&lt;!-- fallow-id: fallow-results --&gt;` sentinel.
`marocchino/sticky-pull-request-comment@v2.9.1` matches that header so
each run replaces the previous comment instead of stacking new ones.

The job now runs in three steps:
1. Run `fallow audit ... --format pr-comment-github` with
   `continue-on-error: true` so the comment posts even when the audit
   fails. Exit code is captured.
2. Post (or update) the sticky comment with the captured output.
3. Re-emit the audit exit code so the job still fails-the-build on
   new findings.

Bumps the workflow's `pull-requests` permission from read to write,
needed for the sticky-comment poster to call the issues API.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -86,24 +86,74 @@ jobs:
   # the changed files. The default `--gate new-only` means existing legacy
   # findings don't fail the build — only NEW issues introduced by the PR do.
   # This stops bleeding while letting incremental cleanup land separately.
+  #
+  # On findings, the job posts (or updates) a sticky comment on the PR so
+  # reviewers see the full list inline instead of digging through CI logs.
   fallow:
     name: Fallow audit
     needs: changes
     if: needs.changes.outputs.code == 'true' && github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    # Scope write access to this single job — the rest of `ci.yml` keeps the
+    # workflow-level `pull-requests: read` default so build / lint / test
+    # tokens can't post or modify PR comments. Job-level permissions override
+    # the workflow block.
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # Full history so `--base origin/main` can diff against the merge
           # base on stacked PRs, not just the shallow tip.
           fetch-depth: 0
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
-      # Pinned version — bumps land via a deliberate PR. Keep in sync with
-      # the version that produced the current `.fallowrc.jsonc` config.
-      - run: npx -y fallow@2.75.0 audit --base origin/main --fail-on-issues
+      - run: bun install --frozen-lockfile
+      - name: Run fallow audit
+        id: audit
+        # `bun install` above made `bunx fallow` resolve from node_modules, so
+        # we don't re-download fallow each run. The script disables `errexit`
+        # so the audit's non-zero exit (on findings) doesn't abort before we
+        # write the exit code to the step output. The size check guards
+        # against fallow crashing before producing markdown (e.g. transient
+        # parse failure) — without it we'd post a blank sticky comment.
+        run: |
+          set +e
+          bunx fallow audit --base origin/main --fail-on-issues \
+            --format pr-comment-github \
+            > /tmp/fallow-comment.md
+          echo "exit_code=$?" >> "$GITHUB_OUTPUT"
+          if [ ! -s /tmp/fallow-comment.md ]; then
+            echo "fallow produced no output — see the job logs above." > /tmp/fallow-comment.md
+          fi
+      - name: Post sticky comment (findings)
+        if: steps.audit.outputs.exit_code != '0'
+        # Fork PRs run with a read-only GITHUB_TOKEN regardless of the
+        # workflow's `permissions:` block, so the comment post will fail on
+        # forks. Don't fail the whole job — the audit gate below still fires.
+        continue-on-error: true
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          # `header` matches fallow's built-in `<!-- fallow-id: fallow-results -->`
+          # sentinel so subsequent runs update the same comment.
+          header: fallow-results
+          path: /tmp/fallow-comment.md
+      - name: Remove stale sticky comment (clean run)
+        if: steps.audit.outputs.exit_code == '0'
+        continue-on-error: true
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          header: fallow-results
+          delete: true
+      - name: Fail if audit found issues
+        if: steps.audit.outputs.exit_code != '0'
+        run: |
+          echo "::error::Fallow audit found new issues — see the PR comment above for details."
+          exit 1
 
   format:
     name: Format
