build: add CI workflow with production build step #686
Add .github/workflows/ci.yml that runs on every push and PR:
- Type check (pnpm astro check)
- Format check (pnpm run format:check)
- Agent markdown audit (--strict)
- Production build (pnpm run build)
This catches build regressions before merge. Closes #644
Walkthrough: Added a GitHub Actions CI workflow file (
Changes: GitHub Actions CI Workflow
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 3-10: Add an explicit least-privilege permissions block for the
workflow by adding a top-level permissions mapping (noting the existing keys
'on', 'jobs', and job name 'check') that restricts the GITHUB_TOKEN scope—e.g.,
set permissions: contents: read (and packages: read or id-token: write only if
those specific actions require them), or scope down further per-job if needed;
place this top-level 'permissions' key alongside 'on' and 'jobs' to ensure
external actions like actions/checkout@v4, pnpm/action-setup@v4 and
actions/setup-node@v4 run with the minimal required privileges.
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**
⚙️ CodeRabbit configuration file
.github/workflows/**: This is a CI/CD workflow file. Apply these constraints:
- Do NOT suggest changing --force to --force-with-lease unless there is a concrete race condition with parallel trigger sources.
- Do NOT suggest adding concurrency groups unless the workflow has both scheduled and manual triggers on the same branch.
- Focus on: correct action versions, secret exposure, missing permissions blocks, and missing error handling on API calls.
- Use actionlint findings as the primary source; do not duplicate what actionlint already reports.
Files:
.github/workflows/ci.yml
🧠 Learnings (1)
📚 Learning: 2026-05-06T07:45:01.683Z
Learnt from: saif-at-scalekit
Repo: scalekit-inc/developer-docs PR: 631
File: .github/workflows/scheduled-deploy.yml:8-12
Timestamp: 2026-05-06T07:45:01.683Z
Learning: In the scalekit-inc/developer-docs repository, for GitHub Actions workflows under .github/workflows that do not use third-party actions, do not run untrusted code, and only perform read API calls plus a Netlify build trigger, it is acceptable to rely on GitHub's default workflow token permissions. Do not flag missing explicit permissions blocks for these minimal-risk workflows. If a workflow includes external actions, uses untrusted code, or requires write permissions beyond netlify hook invocation, require explicit permissions in the YAML and/or CI checks.
Applied to files:
.github/workflows/ci.yml
🔇 Additional comments (1)
.github/workflows/ci.yml (1)
21-34: LGTM!
on:
  push:
    branches: ['**']
  pull_request:

jobs:
  check:
    runs-on: ubuntu-latest
🧩 Analysis chain
🏁 Script executed: cat .github/workflows/ci.yml
Repository: scalekit-inc/developer-docs
Length of output: 709
Add explicit least-privilege workflow permissions.
The workflow uses external actions (actions/checkout@v4, pnpm/action-setup@v4, actions/setup-node@v4) and should define permissions to restrict GITHUB_TOKEN scope.
🔐 Minimal fix
on:
push:
branches: ['**']
pull_request:
+permissions:
+ contents: read
+
jobs:
check:
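Review bot: the context lines push:, branches: and pull_request: appear flush-left in this hunk, but in YAML they must stay nested under on: (as in the rendered file above), so apply only the three + lines and keep the file's existing indentation. A workflow-level permissions: contents: read is the right scope here: actions/checkout@v4 needs read access to the repository and neither pnpm/action-setup@v4 nor actions/setup-node@v4 needs any further grant, and the check job inherits the block, so no per-job permissions and no packages: read or id-token: write are needed in this workflow.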
Reverting — will re-approach each issue individually after discussion.
✅ Deploy Preview for scalekit-starlight ready!
Summary
Adds .github/workflows/ci.yml that runs on every push and PR, including the production build step that was missing from the original PR #635.
Steps in the workflow
- pnpm astro check
- pnpm run format:check
- node scripts/agent-markdown-audit.js --strict
- pnpm run build (the key addition from "CI: run production build in GitHub Actions (not only local checks)" #644)
Uses Node 20 with pnpm caching. The build command matches the documented local build: astro build && node scripts/generate-llms-index.js.
Why
PR #635 was closed without merge. This picks up that work and adds the build step so build regressions are caught before merge.
Closes #644
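A complete workflow that assembles the four steps listed in this description with the workflow-level least-privilege permissions block the review asked for. This is an added example, not the ci.yml from the PR; the install step, the pnpm cache setting on setup-node, and taking the pnpm version from package.json are assumptions.

```yaml
name: CI

on:
  push:
    branches: ['**']
  pull_request:

# Workflow-level token scope: every job inherits read-only repository
# access. None of the actions used below need more than contents: read.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed: pnpm version comes from the "packageManager" field in
      # package.json, so no version is pinned here.
      - uses: pnpm/action-setup@v4

      # Node 20 with pnpm caching, as described in the PR summary.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      # Assumed install step; --frozen-lockfile fails the job instead of
      # silently rewriting pnpm-lock.yaml when the lockfile is stale.
      - run: pnpm install --frozen-lockfile

      - name: Type check
        run: pnpm astro check

      - name: Format check
        run: pnpm run format:check

      - name: Agent markdown audit
        run: node scripts/agent-markdown-audit.js --strict

      # Production build; "pnpm run build" expands to
      # astro build && node scripts/generate-llms-index.js
      - name: Production build
        run: pnpm run build
```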