Walkthrough
Adds CODEOWNERS, multiple GitHub Actions workflows (build, docker, release, scorecard), Docker multi-arch build config and bake file, pnpm / Node 22 migration, TypeScript/biome config updates, dependency and package.json changes, workspace config, Dockerfile adjustments, and small source/test import and default-export edits.
Sequence Diagram(s)
sequenceDiagram
autonumber
actor Dev as Developer
participant GA as GitHub Actions
participant Runner as Runner (ubuntu-22.04)
participant Node as Node/pnpm
participant Tests as Test/integration
participant Codecov as Codecov
Dev->>GA: push / PR / schedule / dispatch
GA->>Runner: start job (build/integration/test/lint)
Runner->>Node: setup node (from package.json) + pnpm
Runner->>Node: pnpm install (frozen-lockfile)
par Parallel jobs
Runner->>Node: pnpm run build
Runner->>Tests: pnpm run test:ci (publish coverage to Codecov)
Runner->>Tests: pnpm run test:int:ci (with DEBUG env)
Runner->>Node: pnpm run lint
end
Tests-->>GA: status, artifacts, coverage
GA-->>Dev: workflow result
sequenceDiagram
autonumber
actor Dev as Developer
participant GA as GitHub Actions
participant Buildx as buildx/qemu
participant GHCR as ghcr.io
participant Anchore as Anchore Scan
Dev->>GA: push / release / PR
GA->>GA: hadolint Dockerfile
GA->>GHCR: docker/login-action
GA->>Buildx: setup-qemu + setup-buildx
GA->>GA: docker/metadata-action (tags)
GA->>GHCR: docker/bake (multi-arch, SBOM, provenance, cache)
alt non-PR events
GA->>Anchore: anchore/scan-action
Anchore-->>GA: SARIF
GA->>GHCR: upload SARIF (code scanning)
end
sequenceDiagram
autonumber
actor Dev as Developer
participant GA as GitHub Actions
participant GitHub as GitHub API
Dev->>GA: merge / push to main / merge_group
GA->>GitHub: create GitHub App token (secrets)
GA->>GitHub: checkout using App token
GA->>GA: setup pnpm & node, pnpm install
GA->>GitHub: pnpm run release (semantic-release using GH_TOKEN)
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Pre-merge checks and finishing touches: ❌ Failed checks (2 warnings), ✅ Passed checks (1 passed)
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Actionable comments posted: 5
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (2)
- package-lock.json is excluded by !**/package-lock.json
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (12)
- .github/CODEOWNERS (1 hunks)
- .github/workflows/build.yml (1 hunks)
- .github/workflows/docker.yml (1 hunks)
- .github/workflows/release.yml (1 hunks)
- .github/workflows/scorecard.yml (1 hunks)
- .nvmrc (1 hunks)
- .releaserc.json (1 hunks)
- biome.json (1 hunks)
- docker-compose.yml (1 hunks)
- package.json (2 hunks)
- pnpm-workspace.yaml (1 hunks)
- tsconfig.json (1 hunks)
🧰 Additional context used
🪛 GitHub Check: Scorecard
.github/workflows/build.yml
[failure] 1-1: Token-Permissions
score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
.github/workflows/docker.yml
[failure] 29-29: Token-Permissions
score is 0: jobLevel 'packages' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
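The two Token-Permissions findings above (no workflow-level permissions block in build.yml, a job-level packages: write in docker.yml) are mechanical checks, so here is an added example that reproduces both over constructed workflow snippets. It is not code from the PR, from CodeRabbit, or from Scorecard; it assumes space-indented YAML like the PR's own workflows, and the names scanWorkflowPermissions, summarize and the sample constants are this example's own.

```typescript
// Added example, not part of the PR: a dependency-free scan for the two
// Scorecard Token-Permissions conditions quoted in the review. It only looks
// at `permissions:` keys and assumes space-indented YAML.

export interface PermissionFinding {
  level: "top" | "job"; // indent 0 = workflow level, deeper = inside a job
  scope: string;        // e.g. "packages", or "*" for the write-all shorthand
  value: string;
  line: number;         // 1-based, the way Scorecard reports it
}

export interface PermissionReport {
  hasTopLevelBlock: boolean;
  findings: PermissionFinding[];
}

function indentOf(line: string): number {
  return line.length - line.trimStart().length;
}

export function scanWorkflowPermissions(yaml: string): PermissionReport {
  const lines = yaml.split("\n");
  const findings: PermissionFinding[] = [];
  let hasTopLevelBlock = false;

  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*)permissions:\s*(\S*)\s*$/.exec(lines[i] ?? "");
    if (!m) continue;
    const indent = (m[1] ?? "").length;
    const level: PermissionFinding["level"] = indent === 0 ? "top" : "job";
    if (level === "top") hasTopLevelBlock = true;

    // Scalar form: `permissions: write-all` / `read-all` / `{}`.
    const scalar = m[2] ?? "";
    if (scalar !== "") {
      if (scalar === "write-all") {
        findings.push({ level, scope: "*", value: "write-all", line: i + 1 });
      }
      continue;
    }

    // Mapping form: the children are the following lines indented deeper.
    for (let j = i + 1; j < lines.length; j++) {
      const child = lines[j] ?? "";
      if (child.trim() === "" || child.trimStart().startsWith("#")) continue;
      if (indentOf(child) <= indent) break;
      const cm = /^\s*([\w-]+):\s*([\w-]+)\s*$/.exec(child);
      if (cm && cm[2] === "write") {
        findings.push({ level, scope: cm[1] ?? "", value: "write", line: j + 1 });
      }
    }
  }
  return { hasTopLevelBlock, findings };
}

// Messages in the shape of the Scorecard output quoted in the review.
export function summarize(report: PermissionReport): string[] {
  const out: string[] = [];
  if (!report.hasTopLevelBlock) out.push("no topLevel permission defined");
  for (const f of report.findings) {
    const where = f.level === "top" ? "topLevel" : "jobLevel";
    out.push(`${where} '${f.scope}' permission set to '${f.value}' (line ${f.line})`);
  }
  return out;
}

// Constructed inputs (not the PR's real files), modelled on the review findings.
export const BUILD_WITHOUT_PERMISSIONS = [
  "on:", "  push:", "    branches: [ main ]",
  "jobs:", "  build:", "    runs-on: ubuntu-22.04",
  "    steps:", "      - uses: actions/checkout@v4",
].join("\n");

export const BUILD_LEAST_PRIVILEGE = [
  "on:", "  push:", "    branches: [ main ]",
  "permissions:", "  contents: read",
  "jobs:", "  build:", "    runs-on: ubuntu-22.04",
  "    steps:", "      - uses: actions/checkout@v4",
].join("\n");

// A docker publish job legitimately needs packages: write, but only that job,
// and only with the workflow-level default locked down to read.
export const DOCKER_PUSH_JOB = [
  "on:", "  push:", "    branches: [ main ]",
  "permissions:", "  contents: read",
  "jobs:", "  build:", "    runs-on: ubuntu-22.04",
  "    permissions:", "      contents: read", "      packages: write",
  "    steps:", "      - uses: docker/login-action@v3",
].join("\n");
```

The scan reports the docker job's packages: write exactly as Scorecard does; deciding that this one is a justified exception (the job pushes to ghcr.io) is still a human call, which is why the report lists scope, level and line rather than a pass/fail verdict.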
| build: | ||
| name: Build and publish | ||
| runs-on: ubuntu-24.04-arm | ||
| permissions: |
Use an available runner label
ubuntu-24.04-arm isn’t currently a GitHub-hosted runner label, so the job will fail to even queue. Switch to the supported ubuntu-22.04-arm64 (or ubuntu-latest) so the build can run.
- runs-on: ubuntu-24.04-arm
+ runs-on: ubuntu-22.04-arm64📝 Committable suggestion
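Review bot: check the replacement label against GitHub's current hosted-runner list before committing this hunk. `ubuntu-22.04-arm64` is not a label GitHub documents for its hosted runners, whereas `ubuntu-24.04-arm` is the documented label for its arm64 Linux runners (offered to public repositories), so the original line may already be correct and the suggested change would stop a working job from queueing. If the repository is private, use the arm64 larger-runner or self-hosted label the organisation actually has.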
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| build: | |
| name: Build and publish | |
| runs-on: ubuntu-24.04-arm | |
| permissions: | |
| build: | |
| name: Build and publish | |
| runs-on: ubuntu-22.04-arm64 | |
| permissions: |
🤖 Prompt for AI Agents
.github/workflows/docker.yml around lines 24 to 27: the job uses a non-existent
runner label `ubuntu-24.04-arm` so the workflow will never queue; change the
`runs-on` value to a supported runner such as `ubuntu-22.04-arm64` (or
`ubuntu-latest`) to allow the job to run, and update any other workflow jobs or
matrix entries that reference the invalid label to the same supported label for
consistency.
| on: | ||
| pull_request: | ||
| merge_group: | ||
| push: | ||
| branches: [ main ] |
Restrict the release workflow to push-only triggers.
This job depends on vars.RELEASE_APP_ID and secrets.RELEASE_APP_PRIVATE_KEY. On pull_request runs (especially from forks), those values are unavailable, so the job will fail before steps run—effectively blocking outside contributions. Release automation should fire only after code lands on the release branch. Please drop the PR/merge_group triggers (or gate the job with if: github.event_name == 'push') so we only run on trusted pushes to main.
-on:
- pull_request:
- merge_group:
- push:
- branches: [ main ]
+on:
+ push:
+ branches: [ main ]
+ workflow_dispatch:📝 Committable suggestion
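Review bot: the suggested hunk adds a `workflow_dispatch:` trigger that the comment above does not discuss. Manual dispatch can be started from any branch or tag, so a release could be cut from an unreviewed ref using the App credentials; if the trigger stays, guard the release job with `if: github.ref == 'refs/heads/main'` or bind it to a protected environment so the secrets are only exposed on the release branch.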
| on: | |
| pull_request: | |
| merge_group: | |
| push: | |
| branches: [ main ] | |
| on: | |
| push: | |
| branches: [ main ] | |
| workflow_dispatch: |
🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 3 to 7 the workflow is triggered
on pull_request and merge_group as well as push, which causes runs from forks to
attempt to access vars.RELEASE_APP_ID and secrets.RELEASE_APP_PRIVATE_KEY and
fail; fix by removing the pull_request and merge_group triggers so the workflow
only triggers on push to main, or alternatively keep triggers but add a
top-level job-level guard (if: github.event_name == 'push') so the release job
only executes on push events where the secrets are available.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
- .github/workflows/build.yml (1 hunks)
- Dockerfile (1 hunks)
- src/config.ts (1 hunks)
- tsconfig.json (1 hunks)
- tsconfig.test.json (1 hunks)
🧰 Additional context used
🪛 GitHub Check: Scorecard
Dockerfile
[warning] 1-1: Pinned-Dependencies
score is 8: containerImage not pinned by hash
Click Remediation section below to solve this issue
.github/workflows/build.yml
[failure] 1-1: Token-Permissions
score is 0: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
🔇 Additional comments (2)
tsconfig.json (1)
2-5: `extends` must be a string; the current array keeps `tsc` from running. TypeScript doesn’t (yet) support extending from multiple configs directly; this form errors out with TS5024. Please revert to a single `extends` target and layer the second config via an intermediate base file or by copying the needed options.
- "extends": [ - "@tsconfig/strictest/tsconfig.json", - "@tsconfig/node22/tsconfig.json" - ], + "extends": "@tsconfig/node22/tsconfig.json",
.github/workflows/build.yml (1)
3-10: Lock down the default `GITHUB_TOKEN` scope. Without an explicit `permissions` block this workflow inherits broad write rights, which Scorecard already flags. Declare the minimal scopes (read-only for contents is enough here) to satisfy least-privilege.
on: workflow_dispatch: pull_request: merge_group: push: branches: [ "main" ] +permissions: + contents: read + jobs:
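Review bot: one consequence of the top-level `contents: read` in this hunk is worth stating in the comment: a job-level `permissions:` block replaces the workflow-level one rather than extending it, so any job in this workflow that later needs more (for example the Codecov upload step, or a job mirroring docker.yml's `packages: write`) must re-declare `contents: read` alongside its extra scope, or it will lose it.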
| "extends": [ | ||
| "@tsconfig/strictest/tsconfig.json", | ||
| "@tsconfig/node22/tsconfig.json" | ||
| ], |
Restore single-string extends before TS build breaks.
TypeScript still requires extends to be a single string; passing an array triggers TS5024 and stops the compiler. Collapse this back to one entry (and if you need both configs, daisy-chain them via an intermediate base config or merge the extra options manually).
- "extends": [
- "@tsconfig/strictest/tsconfig.json",
- "@tsconfig/node22/tsconfig.json"
- ],
+ "extends": "@tsconfig/node22/tsconfig.json",📝 Committable suggestion
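Review bot: TypeScript 5.0 and later accept an array for `extends` (the entries are applied in order, later ones overriding earlier), so TS5024 is only raised by older compilers; confirm the TypeScript version pinned in package.json before collapsing this. Dropping `@tsconfig/strictest` as the hunk does would also silently relax the strict checks that preset turns on; if a single entry really is required, chain the two presets through an intermediate config rather than discarding one.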
| "extends": [ | |
| "@tsconfig/strictest/tsconfig.json", | |
| "@tsconfig/node22/tsconfig.json" | |
| ], | |
| "extends": "@tsconfig/node22/tsconfig.json", |
🤖 Prompt for AI Agents
In tsconfig.test.json around lines 2 to 5, the "extends" field is an array which
causes TS5024; replace the array with a single string entry (choose the primary
config you need) and if you need settings from both, create an intermediate base
tsconfig that extends one config and merges or re-exports the other (or copy the
required compilerOptions into tsconfig.test.json) so the final "extends" is a
single string pointing to that base or primary config.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
- docker-bake.hcl (1 hunks)
- package.json (1 hunks)
- src/router/health.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- package.json
🔇 Additional comments (1)
src/router/health.ts (1)
2-2: Router import upgrade looks good. Switching to `@koa/router` is the correct companion for Koa ≥3, and the existing prefix/route setup remains a drop-in. 👍
| platforms = [ | ||
| "linux/amd64", | ||
| "linux/arm/v6", | ||
| "linux/arm/v7", | ||
| "linux/arm64/v8", | ||
| "linux/s390x", |
Remove unsupported linux/arm/v6 platform.
The Dockerfile is based on the official Node 22 image, which does not publish linux/arm/v6 variants. Including this architecture causes docker buildx bake to fail during multi-arch builds. Please drop linux/arm/v6 (or switch to a base image that actually ships that architecture) so CI/CD stays green.
platforms = [
"linux/amd64",
- "linux/arm/v6",
"linux/arm/v7",
"linux/arm64/v8",
"linux/s390x",
]📝 Committable suggestion
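Review bot: whether `linux/arm/v6` builds depends on the base image tag rather than on Node 22 as such: the official node image's Alpine variants publish an arm/v6 manifest, the Debian-based variants do not. Before dropping the platform, run `docker buildx imagetools inspect` against the exact tag the Dockerfile uses and align this list with the architectures it reports; `linux/s390x` deserves the same check, since a missing manifest fails the whole bake.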
| platforms = [ | |
| "linux/amd64", | |
| "linux/arm/v6", | |
| "linux/arm/v7", | |
| "linux/arm64/v8", | |
| "linux/s390x", | |
| platforms = [ | |
| "linux/amd64", | |
| "linux/arm/v7", | |
| "linux/arm64/v8", | |
| "linux/s390x", | |
| ] |
🤖 Prompt for AI Agents
In docker-bake.hcl around lines 14 to 19, the platforms list includes
"linux/arm/v6" which is unsupported by the Node 22 base image and causes buildx
bake to fail; remove "linux/arm/v6" from the platforms array (or replace the
base image with one that actually publishes arm/v6) so multi-arch builds
complete successfully.
…cripts in package.json
Actionable comments posted: 3
🧹 Nitpick comments (2)
src/config.ts (1)
20-20: Optional: avoid overriding port 0 and handle NaN explicitly. Current `|| 3000` overrides valid `0` and masks invalid values implicitly. Consider:
const parsedPort = Number.parseInt(process.env.PORT ?? '', 10)
const port = Number.isFinite(parsedPort) ? parsedPort : 3000
const config: Config = {
  port,
  // ...
}
34-44: Move Biome to devDependencies (tooling, not optional runtime). Biome is a dev tool; placing it in devDependencies is conventional and avoids optional install variance.
Apply this diff:
"devDependencies": { + "@biomejs/biome": "2.2.4", "@tsconfig/node22": "22.0.2", "@tsconfig/strictest": "2.0.6", "@types/koa": "3.0.0", @@ "optionalDependencies": { - "@biomejs/biome": "2.2.4", "@vitest/coverage-v8": "3.2.4", "@vitest/ui": "3.2.4", "axios": "1.12.2",Also applies to: 47-58
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
- package.json (2 hunks)
- src/config.ts (2 hunks)
- src/middleware/helmet.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
src/middleware/helmet.ts (1)
src/middleware/index.ts (1)
helmet(6-6)
🪛 GitHub Actions: Build
package.json
[warning] 1-1: Syncpack: Dependency versions across workspace may be mismatched.
src/config.ts
[error] 14-16: lint/complexity/useLiteralKeys: The computed expression can be simplified without the use of a string literal. Use a literal key instead.
[error] 20-20: lint/complexity/useLiteralKeys: The computed expression can be simplified without the use of a string literal. Use a literal key instead.
[error] 22-22: lint/complexity/useLiteralKeys: The computed expression can be simplified without the use of a string literal. Use a literal key instead.
[error] 24-24: lint/complexity/useLiteralKeys: The computed expression can be simplified without the use of a string literal. Use a literal key instead.
[error] 26-26: lint/complexity/useLiteralKeys: The computed expression can be simplified without the use of a string literal. Use a literal key instead.
[error] 1-1: assist/source/organizeImports: The imports and exports are not sorted. Organize Imports (Biome).
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build and publish
🔇 Additional comments (2)
package.json (2)
24-31: All listed middleware are ESM-compatible with Koa 3
koa-bodyparser 4.4.x, koa-compress 5.1.x and koa-helmet 8.x all support ESM imports and match the Koa 3 middleware signature; no changes required.
63-64: Ignore Syncpack version mismatch warning
The workspace has no mismatched dependency versions; no alignment is required. Likely an incorrect or invalid review comment.
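The src/config.ts nitpick in the review above (port 0 is overridden by `|| 3000`, NaN is masked) is the kind of thing a short before/after makes concrete, so here is an added example that is not code from the PR or from CodeRabbit. It puts the objected-to form beside a stricter parser; the names `legacyPort`, `parsePort`, `loadConfig` and the one-field `Config` shape are assumptions of this example, and the stricter variant deliberately goes further than the review's suggestion by rejecting out-of-range and non-numeric values instead of falling back to 3000.

```typescript
// Added example, not part of the PR: PORT parsing, weak form beside strict form.

export interface Config {
  port: number; // assumed minimal config shape for this example
}

// The form the review objects to: `|| 3000` treats a valid PORT=0 and any
// garbage alike, silently replacing both with the default.
export function legacyPort(raw: string | undefined): number {
  return Number.parseInt(raw ?? "", 10) || 3000;
}

// Stricter variant: unset/blank falls back to the default; anything that is
// set must be a whole decimal number inside the TCP port range, otherwise
// startup fails loudly instead of the service binding somewhere unexpected.
export function parsePort(raw: string | undefined, fallback = 3000): number {
  if (raw === undefined || raw.trim() === "") return fallback;
  const text = raw.trim();
  // parseInt("80 bad") would happily return 80; require the whole string to be digits.
  if (!/^\d{1,5}$/.test(text)) {
    throw new RangeError(`PORT must be a decimal integer, got ${JSON.stringify(raw)}`);
  }
  const port = Number.parseInt(text, 10);
  if (port > 65535) {
    throw new RangeError(`PORT out of range 0-65535: ${port}`);
  }
  return port; // 0 is legitimate: the OS assigns an ephemeral port
}

// Pass process.env here in real code; the parameter keeps the example free of
// Node type dependencies and lets tests supply a constructed environment.
export function loadConfig(env: Record<string, string | undefined>): Config {
  return { port: parsePort(env.PORT) };
}
```

Throwing on a bad value rather than defaulting is a design choice: an operator who set PORT=70000 by mistake finds out at deploy time, whereas a silent 3000 fallback can leave the service listening on a port that firewall rules and health checks were never written for.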
| import helmet from 'koa-helmet' | ||
|
|
||
| export default helmet() | ||
| export default helmet.default() |
Fix helmet export: call the default export directly
koa-helmet exposes a default function; with ESM default import, call helmet(). Using .default() will throw at runtime.
Apply this diff:
-export default helmet.default()
+export default helmet()Based on learnings
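Review bot: since `tests/middleware/helmet.test.ts` is part of this PR, back this hunk with an assertion that the module's default export is a function and that a request routed through it carries a helmet-set header (for example `X-Content-Type-Options`); whichever interop shape koa-helmet exposes under the project's ESM settings, that test turns a wrong `.default()` call into a CI failure instead of a throw on the first request.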
🤖 Prompt for AI Agents
In src/middleware/helmet.ts around line 3, the code calls helmet.default() which
is incorrect for the ESM default export from koa-helmet; change the usage to
call the imported default function directly (i.e., replace the .default() call
with a direct helmet() invocation) and ensure the file imports the module as a
default import (import helmet from 'koa-helmet') so the runtime will not throw.
…e.js engine version
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.circleci/config.yml (1)
28-31: Fix the misspelled `environment` key. Line 30 currently uses `environemnt`, which CircleCI will reject as an unknown parameter, causing the job to fail before tests even run. Please correct the spelling so the `DEBUG` variable is passed through.
- run: command: npm run test:int:ci - environemnt: + environment: - DEBUG: testcontainers:compose
🧹 Nitpick comments (1)
biome.json (1)
2-2: Use a stable remote schema URL. Pointing `$schema` into `node_modules` works only after dependencies are installed; fresh clones, CI jobs fetching the file pre-install, or editors running in sandboxes won’t be able to resolve it. Switching back to the canonical hosted schema avoids spurious “schema not found” noise while still tracking the correct Biome version. Consider replacing the path with the public URL that matches the Biome release you’re pinned to (e.g. https://biomejs.dev/schemas/1.8.3/schema.json).
- "$schema": "./node_modules/@biomejs/biome/configuration_schema.json", + "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
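Review bot: the URL in this hunk pins schema 1.8.3, while package.json in this PR pins `@biomejs/biome` at 2.2.4; Biome validates the config against the schema version named, so a mismatched URL produces the same spurious warnings the comment wants to avoid. Either use the URL for the pinned release (https://biomejs.dev/schemas/2.2.4/schema.json) and keep the two in step when Renovate bumps Biome, or keep the node_modules path, which follows the installed version automatically.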
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (24)
- .circleci/config.yml (1 hunks)
- .github/workflows/build.yml (1 hunks)
- Dockerfile (1 hunks)
- biome.json (1 hunks)
- package.json (1 hunks)
- renovate.json (1 hunks)
- src/config.ts (2 hunks)
- src/middleware/postgraphile.ts (1 hunks)
- src/router/health.ts (1 hunks)
- tests/config.defaults.test.ts (1 hunks)
- tests/config.error.test.ts (1 hunks)
- tests/config.overwrite.test.ts (1 hunks)
- tests/database/postgres.test.ts (1 hunks)
- tests/index.test.ts (4 hunks)
- tests/middleware/bodyparser.test.ts (1 hunks)
- tests/middleware/compress.test.ts (1 hunks)
- tests/middleware/helmet.test.ts (1 hunks)
- tests/middleware/postgraphile.test.ts (1 hunks)
- tests/router/health.test.ts (1 hunks)
- testsInt/global-setup.ts (2 hunks)
- testsInt/graphql.test.ts (1 hunks)
- testsInt/health.test.ts (1 hunks)
- testsInt/ping.test.ts (1 hunks)
- tsconfig.json (1 hunks)
✅ Files skipped from review due to trivial changes (5)
- testsInt/graphql.test.ts
- tests/middleware/compress.test.ts
- testsInt/health.test.ts
- tests/config.defaults.test.ts
- tests/middleware/postgraphile.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/config.ts
🧰 Additional context used
🧬 Code graph analysis (1)
tests/middleware/helmet.test.ts (1)
src/middleware/index.ts (1)
helmet(6-6)
🪛 GitHub Actions: Build
testsInt/global-setup.ts
[error] 21-21: TypeError: Cannot read properties of undefined (reading 'down') during teardown
🔇 Additional comments (3)
src/middleware/postgraphile.ts (1)
2-3: Type-only import keeps runtime lean. Using the `type` modifier here strips the `PostGraphileOptions` import from runtime output while keeping the inference, which is exactly what we want.
tsconfig.json (1)
2-5: Restore single-string `extends` to keep `tsconfig` valid. TypeScript still rejects arrays here (TS5024: Compiler option 'extends' requires a value of type string), so `tsc` will bail out before compiling. Please switch back to a single base config (and, if you need to combine configs, layer them via an intermediate config or manual option merge).
- "extends": [ - "@tsconfig/strictest/tsconfig.json", - "@tsconfig/node22/tsconfig.json" - ], + "extends": "@tsconfig/node22/tsconfig.json",
.github/workflows/build.yml (1)
20-22: Fix setup-node version source. `actions/setup-node` can’t read a JSON `package.json` as a version file; it expects a plain-text spec (e.g. `.nvmrc`). Leaving this as-is will make every job fail before dependencies install. Please swap the parameter to an actual version string/file (and mirror the change in the other jobs).
- node-version-file: package.json + node-version: '22.20.0'
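Review bot: `actions/setup-node` does accept `node-version-file: package.json`; it reads the version from the `engines.node` field (or `volta.node`), so the original line is valid as long as package.json declares an engine, which this PR's "engine version" commit suggests it does. Replacing it with a hard-coded `node-version: '22.20.0'` creates a second source of truth to keep in sync with package.json and the `.nvmrc` this PR also adds; keep the file reference and pin the version in `engines` instead.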
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #227 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 11 11
Lines 94 97 +3
Branches 10 10
=========================================
+ Hits 94 97 +3
Flags with carried forward coverage won't be shown.
BREAKING CHANGE: Update project