ci: add PR title linting#1166
Conversation
|
Warning Review limit reached
Next review available in: 33 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds Conventional Commits rules, a Node 24 local GitHub Action that validates pull request titles, and a workflow triggered when pull requests are opened, edited, or reopened. ChangesPR title linting
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant PullRequest
participant lint-pr-title.yml
participant lint-pr-title
participant commitlint.config.mjs
PullRequest->>lint-pr-title.yml: opened, edited, or reopened event
lint-pr-title.yml->>lint-pr-title: execute local action
lint-pr-title->>commitlint.config.mjs: load rules
commitlint.config.mjs-->>lint-pr-title: return rules
lint-pr-title-->>lint-pr-title.yml: pass or set failed
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/lint-pr-title.yml (1)
32-34: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winPrefer
npm ciovernpm installin CI environments.Using
npm installcan result in non-deterministic builds because it might update yourpackage-lock.jsonor install different dependency versions. For CI environments, it's highly recommended to commit thepackage-lock.jsonfile for the action and usenpm cito ensure reproducible dependency resolution.♻️ Proposed refactor
- name: Install action dependencies - run: npm install --ignore-scripts + run: npm ci --ignore-scripts working-directory: .github/actions/lint-pr-title🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lint-pr-title.yml around lines 32 - 34, Update the “Install action dependencies” step in the lint-pr-title workflow to use npm ci instead of npm install, while preserving the existing --ignore-scripts flag and working-directory.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/actions/lint-pr-title/src/index.js:
- Around line 30-33: Update the lint call in the action’s main flow to pass the
resolved parserOpts from load() into `@commitlint/lint` alongside config.rules,
defaultIgnores, and helpUrl. Reuse the parser options already returned or
resolved by load(), ensuring PR titles are parsed with the configured grammar.
In @.github/workflows/lint-pr-title.yml:
- Around line 24-25: Update the actions/checkout step in the PR-title lint
workflow to explicitly disable credential persistence using the checkout
action’s persist-credentials setting. Leave the existing pinned action version
and other checkout behavior unchanged.
---
Nitpick comments:
In @.github/workflows/lint-pr-title.yml:
- Around line 32-34: Update the “Install action dependencies” step in the
lint-pr-title workflow to use npm ci instead of npm install, while preserving
the existing --ignore-scripts flag and working-directory.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 7cc002a3-e11f-45c7-bc03-062555c82d9e
📒 Files selected for processing (5)
.github/actions/lint-pr-title/action.yml.github/actions/lint-pr-title/package.json.github/actions/lint-pr-title/src/index.js.github/workflows/lint-pr-title.ymlcommitlint.config.mjs
| - name: Checkout code | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Disable credential persistence in checkout.
The static analysis tool zizmor flagged a potential security risk: GitHub Actions artifacts could persist credentials if not explicitly disabled. Since this workflow only lints the PR title and doesn't need to push changes back to the repository, you should disable credential persistence for better security hygiene.
🛡️ Proposed fix
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/lint-pr-title.yml around lines 24 - 25, Update the
actions/checkout step in the PR-title lint workflow to explicitly disable
credential persistence using the checkout action’s persist-credentials setting.
Leave the existing pinned action version and other checkout behavior unchanged.
Source: Linters/SAST tools
| @@ -0,0 +1,24 @@ | |||
| export default { | |||
There was a problem hiding this comment.
It would be better if we keep this config file inside .github/actions/lint-pr-title/, since it's lint-pr-title action specific and not repo wide. keeping at root looks like a project-wide commit linting config.
| @@ -0,0 +1,15 @@ | |||
| { | |||
There was a problem hiding this comment.
Lock file
PR titles get edited frequently, especially early in review when people are adjusting scope or fixing typos.
Wouldn't it be better if we keep a lock file committed so that:
- First run - installs and caches node_modules
- Every subsequent edit - cache hit, skips install entirely, goes straight to linting
(Also consistent deps build)
The linting itself is near-instant, so with caching the action becomes essentially free after the first run. Without it, we are paying the install cost on every edit for the lifetime of every PR in the repo.
| pull_request: | ||
| types: | ||
| - opened | ||
| - edited |
There was a problem hiding this comment.
If a PR is closed and reopened with a non-compliant title, validation won't run.
Suggest adding reopened to the trigger list as well.
| import { default as load } from '@commitlint/load'; | ||
| import { default as lint } from '@commitlint/lint'; | ||
| import { default as format } from '@commitlint/format'; |
There was a problem hiding this comment.
| import { default as load } from '@commitlint/load'; | |
| import { default as lint } from '@commitlint/lint'; | |
| import { default as format } from '@commitlint/format'; | |
| import load from '@commitlint/load'; | |
| import lint from '@commitlint/lint'; | |
| import format from '@commitlint/format'; |
cef9df7 to
3c6fcfc
Compare
Summary
lint-pr-title) with commitlintcommitlint.config.mjsat the repo root with standard type rulesSummary by CodeRabbit