
Conversation


@kansas1295 kansas1295 commented Sep 22, 2025

Fixes #????

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)


changeset-bot bot commented Sep 22, 2025

⚠️ No Changeset found

Latest commit: 6a007e0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

coderabbitai bot commented Sep 22, 2025

Walkthrough

Adds two GitHub Actions workflows. 1) .github/workflows/codacy.yml: “Codacy Security Scan” runs on push/PR to master and a weekly cron, checks out code, runs Codacy Analysis CLI to generate results.sarif with GitHub compatibility, and uploads via github/codeql-action/upload-sarif@v2. Sets permissions for contents (read) and security-events (write). 2) .github/workflows/npm-publish-github-packages.yml: on release created, runs a build job (Node.js 16, npm ci, npm test) and a publish job (needs build, Node.js 16 with npm.pkg.github.com, npm ci, npm publish using GITHUB_TOKEN). Permissions: contents read, packages write.

Pre-merge checks and finishing touches

❌ Failed checks (2 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The PR title "Erf test" is vague and does not describe the primary changes in this changeset, which add two GitHub Actions workflows (.github/workflows/codacy.yml and .github/workflows/npm-publish-github-packages.yml); it fails to communicate the main change or intent. Because the title does not meaningfully summarize the change, the check is inconclusive. Please replace the title with a concise, specific summary of the main change (for example, "Add Codacy security scan and GitHub Packages npm publish workflows") so reviewers can quickly understand the PR's purpose.
Description Check ❓ Inconclusive The PR description is a generic contributor template containing an empty "Fixes" placeholder and a checklist but it does not describe the actual file additions, reasons, or effects of the change, so it is very vague and does not provide meaningful context for reviewers. This makes the description inconclusive relative to the changeset. Ask the author to replace the template with a brief summary of what was changed (which workflow files were added, their purpose and triggers, any required secrets or side effects), reference any related issue number, and update the checklist items accordingly.
✅ Passed checks (1 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (8)
.github/workflows/npm-publish-github-packages.yml (3)

6-9: Trigger on “published”, not “created”, to avoid premature publishes.

Created fires for draft releases; published is safer for actual releases.

 on:
   release:
-    types: [created]
+    types: [published]
+  workflow_dispatch:
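Review bot: adding `workflow_dispatch:` to a publish workflow lets any collaborator with write access publish a package by hand with no release behind it, and in that case `github.ref` is a branch rather than a release tag. If the manual trigger is wanted, guard the publish step with `if: github.event_name == 'release'` or require an explicit input that names the tag; otherwise keep only the `types: [published]` change, which is the part that addresses premature publishes.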

10-13: Add concurrency to avoid duplicate publishes on retries.

 jobs:
+  # Cancel older runs for the same ref to avoid double-publish
+  concurrency:
+    group: npm-publish-${{ github.ref }}
+    cancel-in-progress: false
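Review bot: the `concurrency:` block is indented under `jobs:`, so GitHub Actions would read it as a job named `concurrency` whose keys `group` and `cancel-in-progress` are not valid job properties, and the workflow would be rejected. Move it to the top level (same indentation as `on:`) or inside the `publish` job. The comment also says older runs are cancelled, while `cancel-in-progress: false` queues them instead; `false` is the right setting for a publish job, so fix the comment rather than the value.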

33-34: Add a provenance-safe publish flag only if targeting npmjs; omit for GPR.

If you later target npmjs.com, prefer npm publish --provenance --access public. For GitHub Packages, keep plain npm publish.

.github/workflows/codacy.yml (5)

59-61: Upgrade upload action and pin by commit for supply‑chain safety.

Move from v2 to v3 and pin to a specific SHA.

-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@<pinned_v3_SHA>
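Review bot: `<pinned_v3_SHA>` is a placeholder and the workflow will fail to resolve the action until it is replaced with the full 40-character commit SHA of a v3 release. Keep the version as a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<full-sha> # v3`, so the pin stays readable and Dependabot or Renovate can still bump it; a SHA pin with no `github-actions` ecosystem entry in the dependency-update config silently goes stale.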

39-39: Pin checkout@v4 to a commit SHA.

Tags are mutable; pinning reduces risk.

-        uses: actions/checkout@v4
+        uses: actions/checkout@<pinned_v4_SHA>
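Review bot: as with the upload-sarif pin, `<pinned_v4_SHA>` has to become a full commit SHA before this can run. Since this job only reads the tree in order to scan it, also add `with: persist-credentials: false` to the checkout step: by default the action leaves the `GITHUB_TOKEN` in the local git config, where every later step in the job (here the Codacy CLI) can read it, and a read-only scan has no use for it.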

53-56: Reconsider forcing success via max-allowed-issues.

This suppresses CI failures even on severe findings. Prefer letting the step fail or gating by severity in repository rules.

Option A: remove the override.

-          gh-code-scanning-compat: true
-          # Force 0 exit code to allow SARIF file generation
-          # This will handover control about PR rejection to the GitHub side
-          max-allowed-issues: 2147483647
+          gh-code-scanning-compat: true
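Review bot: Option A as written stops findings from reaching code scanning. Without the `max-allowed-issues` override the Codacy step exits non-zero whenever it finds issues, the job is marked failed at that point, and the later `upload-sarif` step is skipped, which is exactly what the removed comment ("Force 0 exit code to allow SARIF file generation") was working around. If the override is removed, put `if: always()` on the upload step (or `continue-on-error: true` on the scan step) so the SARIF still lands and branch protection has alerts to gate on.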

Option B: keep but enforce blocking in branch protection using code‑scanning alerts.


35-36: Add a timeout to avoid hung scans.

     runs-on: ubuntu-latest
+    timeout-minutes: 30

16-24: Optional: add concurrency to avoid piling up weekly/PR scans.

 on:
   push:
     branches: [ "master" ]
   pull_request:
     branches: [ "master" ]
   schedule:
     - cron: '26 8 * * 0'
+
+concurrency:
+  group: codacy-${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
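Review bot: with `cancel-in-progress: true`, a push to master cancels a scan already running for master, and the scheduled run also resolves `github.ref` to `refs/heads/master`, so a push during the weekly scan cancels it; a cancelled run uploads no SARIF and the branch's alerts fall behind. Cancelling is only wanted for superseded PR runs, so use `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` and let pushes and cron runs queue. The `codacy-` prefix in the group is redundant since `github.workflow` is already part of the key, but harmless.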
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b9c7078 and 6a007e0.

📒 Files selected for processing (2)
  • .github/workflows/codacy.yml (1 hunks)
  • .github/workflows/npm-publish-github-packages.yml (1 hunks)
🧰 Additional context used
🪛 GitHub Check: lint
.github/workflows/npm-publish-github-packages.yml

[failure] 29-29:
the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue


[failure] 28-28:
the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue


[failure] 15-15:
the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue


[failure] 14-14:
the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

🪛 GitHub Actions: lint workflows
.github/workflows/npm-publish-github-packages.yml

[error] 14-14: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue [action]

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: tests
  • GitHub Check: coverage
  • GitHub Check: tests-upgradeable
  • GitHub Check: slither
  • GitHub Check: tests-foundry
  • GitHub Check: halmos

Comment on lines +14 to +19
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
- run: npm test


⚠️ Potential issue

Update deprecated actions and Node version (pipeline is failing).

  • actions/checkout@v3 and actions/setup-node@v3 are flagged as too old by the runner.
  • Node 16 is EOL; use an active LTS (20.x) or current (22.x).

Apply:

-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 20.x
+          cache: npm
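Review bot: the suggestion only updates the build job (lines 14-19), but the lint output above also flags `actions/checkout@v3` and `actions/setup-node@v3` on lines 28-29 in the publish job, so the pipeline stays red unless that job gets the same v4 bump. `cache: npm` also makes setup-node fail when no `package-lock.json` (or `npm-shrinkwrap.json`) is present in the repository root; `npm ci` already requires the lockfile, so confirm it is committed before adding the cache.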
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
- run: npm test
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- run: npm ci
- run: npm test
🧰 Tools
🪛 GitHub Check: lint

[failure] 15-15:
the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue


[failure] 14-14:
the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

🪛 GitHub Actions: lint workflows

[error] 14-14: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue [action]

🤖 Prompt for AI Agents
In .github/workflows/npm-publish-github-packages.yml around lines 14 to 19, the
workflow uses deprecated action versions and an EOL Node version; replace
actions/checkout@v3 with actions/checkout@v4 and actions/setup-node@v3 with
actions/setup-node@v4 (or latest stable tags), update the node-version from 16
to a currently supported LTS like 20 (or 22), and ensure the setup-node step
remains before npm ci and npm test so the correct Node is used during install
and test.

@Amxx Amxx closed this Sep 22, 2025
