Skip to content

Added check to fail if NPM commands are used#49

Merged
palisadoes merged 7 commits into
PalisadoesFoundation:mainfrom
palisadoes:NPM-1771788584
Feb 22, 2026
Merged

Added check to fail if NPM commands are used#49
palisadoes merged 7 commits into
PalisadoesFoundation:mainfrom
palisadoes:NPM-1771788584

Conversation

@palisadoes

@palisadoes palisadoes commented Feb 22, 2026

Copy link
Copy Markdown
Contributor

Added check to fail if NPM commands are used

Summary by CodeRabbit

  • Chores
    • Added a GitHub Actions workflow that automatically scans and prevents npm commands in CI/CD configurations, enforcing pnpm usage instead.

@github-actions

Copy link
Copy Markdown

Our Pull Request Approval Process

This PR will be reviewed according to our:

  1. Palisadoes Contributing Guidelines

  2. AI Usage Policy

Your PR may be automatically closed if:

  1. Our PR template isn't filled in correctly
  2. You haven't correctly linked your PR to an issue

👉 https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/linking-a-pull-request-to-an-issue

Thanks for contributing!

@coderabbitai

coderabbitai Bot commented Feb 22, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@palisadoes has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 7 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

A new GitHub Actions workflow file has been added that automatically detects npm command usage within other workflow files. When triggered, the workflow scans all YAML files in .github/workflows, emits an error if npm is found, and suggests using pnpm as the alternative.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/pull-request-no-npm.yml
New workflow that detects npm command usage across workflow files and enforces pnpm usage by failing the job if npm is found.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

🐰 A workflow so keen, with a vigilant eye,
Scans for npm commands that must say goodbye,
In pnpm we trust, as the rules now apply,
No npm shall pass, or the checks will deny! 📋✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Added check to fail if NPM commands are used' directly and clearly describes the main change—introducing a check that detects and fails on NPM command usage.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@palisadoes

Copy link
Copy Markdown
Contributor Author

@coderabbitai full review and reevaluate all your previous comments that may have been dismissed, ignored or resolved. Evaluate whether the goals of the issue linked in the first PR comment are met. If there are test cases, ensure that the updated or created tests won't be flaky, especially in a sharded testing environment where test cleanup is important and response times are highly variable. Post your conclusion as an easily readable comment that also includes your findings outside the diffs.

@coderabbitai

coderabbitai Bot commented Feb 22, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Fetch PR details including body to find linked issue
gh pr view 49 --json title,body,number,state,additions,deletions,changedFiles,files

# Fetch all review comments and conversations on the PR
gh pr view 49 --json comments,reviews --jq '.comments[] | "Comment by \(.author.login) at \(.createdAt):\n\(.body)\n---"'

# Get the list of files changed in the PR
gh pr view 49 --json files --jq '.files[] | .path'

Length of output: 5007


🏁 Script executed:

#!/bin/bash

# Read the workflow file
cat .github/workflows/pull-request-no-npm.yml

# Search for issues related to NPM in this repository
gh issue list --limit 50 --json number,title,body,state --jq '.[] | select(.title | test("npm|NPM"; "i")) | "Issue #\(.number) (\(.state)): \(.title)\nBody: \(.body)\n---"'

# Also search closed issues
gh issue list --state closed --limit 50 --json number,title,body,state --jq '.[] | select(.title | test("npm|NPM"; "i")) | "Issue #\(.number) (\(.state)): \(.title)\nBody: \(.body)\n---"'

# Check if there are any other workflow files related to npm or package management
fd -e yml -e yaml . .github/workflows/ --exec cat {}

Length of output: 55932


@palisadoes, I've completed a comprehensive review of PR #49. Here are my findings:

📋 Executive Summary

Goal Achievement: ⚠️ Partially Met

The PR adds a reusable workflow to detect npm commands, but has several implementation issues and is not integrated into any actual workflow, meaning it won't run automatically.


🔍 Detailed Findings

✅ What Works

  1. Clear Intent: The workflow has a well-defined purpose - prevent npm usage in favor of pnpm
  2. Helpful Feedback: Provides clear error messages directing users to pnpm
  3. Reusable Design: Uses workflow_call for potential reuse across workflows

❌ Critical Issues

1. Not Integrated - Won't Actually Run

The workflow uses workflow_call trigger only, but I don't see it being called by any other workflow in the repository. This means:

  • The check will never execute automatically
  • Developers can still commit npm commands without detection
  • Recommendation: Create a PR workflow that calls this, or add it to an existing workflow

2. Narrow Detection Pattern

The current pattern grep -rq "npm " "$WORKFLOW_DIRECTORY" only matches npm followed by a space, missing:

# These would NOT be detected:
npm install    # (has tab instead of space)
npm;           # (semicolon)
npm|grep       # (pipe)
run: npm       # (line ending)
npm\ninstall   # (newline)

Recommendation: Use a more robust pattern:

grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"

3. False Positives

Would incorrectly flag legitimate occurrences:

# This comment says: Don't use npm install
# ^ Would fail the check despite being helpful documentation

- name: Error handling
  run: echo "Error: npm command not found"
  # ^ Would fail despite being just an error message

Recommendation: Add context-aware detection or document acceptable patterns

4. Limited Scope

Only scans .github/workflows/ directory, missing:

  • Package.json scripts that might use npm
  • Shell scripts in other directories
  • Makefiles
  • Documentation that should use pnpm in examples

Recommendation: Either expand scope or clearly document limitations

5. No Tests

  • No test workflows to verify the detection works
  • Can't validate edge cases
  • No way to ensure it won't break with future changes

Recommendation: Add test cases with:

# Test files with npm commands (should fail)
# Test files without npm commands (should pass)
# Test files with "npm" in comments (expected behavior?)

📍 Missing Information

No Linked Issue: The PR body doesn't link to an issue. This makes it difficult to:

  • Understand the full context and requirements
  • Verify all acceptance criteria are met
  • Track the feature request history

🎯 Recommendations for Fix

  1. Immediate: Link this PR to the relevant issue
  2. High Priority: Integrate this workflow into an actual PR check
  3. High Priority: Improve the detection pattern to be more robust
  4. Medium Priority: Add test cases to verify functionality
  5. Low Priority: Consider expanding scope beyond workflows directory

💡 Suggested Implementation

Here's an improved detection script:

FORBIDDEN_COMMAND="npm"
WORKFLOW_DIRECTORY=".github/workflows"

# Use word boundaries to match npm as a command, not in words like "pnpm"
# Exclude comment lines and this workflow file itself
if grep -rE --exclude="$(basename "$0")" '^[^#]*\bnpm\b' "$WORKFLOW_DIRECTORY"; then
  echo "::error::Forbidden 'npm' command found in workflow files!"
  echo "Please use 'pnpm' instead."
  echo "Matches found:"
  grep -rnE --exclude="$(basename "$0")" '^[^#]*\bnpm\b' "$WORKFLOW_DIRECTORY"
  exit 1
else
  echo "✅ No forbidden 'npm' commands found."
fi

📊 Conclusion

While the PR introduces the mechanism for npm detection, it does not fully achieve the stated goal because:

  • The check won't run (not integrated)
  • Detection is too narrow (will miss violations)
  • No tests exist to verify functionality

Suggested Next Steps:

  1. Integrate this workflow into an existing PR check
  2. Fix the detection pattern
  3. Add test workflows
  4. Link to the relevant issue

Would you like me to help implement these improvements?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/pull-request-no-npm.yml (1)

15-17: Scan scope is limited to .github/workflows/.

npm commands can appear in shell scripts, Makefile targets, package.json scripts, CI configuration files in other directories, or documentation. Restricting the scan to .github/workflows/ misses all of those.

♻️ Broaden scan scope to the entire repository
-         WORKFLOW_DIRECTORY=".github/workflows"
+         SCAN_ROOT="."

-         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="$SELF_WORKFLOW"; then
+         if grep -rE '\bnpm\b' "$SCAN_ROOT" \
+              --include="*.yml" --include="*.yaml" \
+              --include="*.sh" --include="Makefile" \
+              --exclude-dir=".git" \
+              --exclude-dir="node_modules" \
+              --exclude="pull-request-no-npm.yml"; then

If the intent is strictly to police workflow files only, document that limitation explicitly so future maintainers understand it is a deliberate scope restriction rather than an oversight.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request-no-npm.yml around lines 15 - 17, The grep
scope is limited by the WORKFLOW_DIRECTORY variable and the conditional using
grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY", which misses npm occurrences
elsewhere; update the check so it scans the entire repository (e.g., run grep
recursively from the repo root instead of "$WORKFLOW_DIRECTORY" or include other
common locations like scripts/, Makefile, and package.json) or, if scanning only
workflows is intentional, add an explicit comment/variable (and documentation)
stating the deliberate limitation so maintainers understand the narrow scope;
modify the WORKFLOW_DIRECTORY usage and the grep invocation accordingly and
document the chosen scope.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull-request-no-npm.yml:
- Around line 3-4: The workflow currently uses workflow_call so it is never run
on PRs; either add a pull_request trigger to this file (replace or augment on:
workflow_call with on: pull_request) so the workflow runs automatically for pull
requests, or create a separate caller workflow that uses this reusable workflow
(invoking the file that contains workflow_call) and triggers on pull_request;
update the file to reference pull_request where appropriate or create a new
.github/workflows/* workflow that uses the reusable workflow.
- Around line 13-23: The self-scan currently fails because the grep line (grep
-rE '\bnpm\b' "$WORKFLOW_DIRECTORY") scans this workflow file itself; update the
check in the block that sets WORKFLOW_DIRECTORY and runs grep so it excludes the
current workflow file (use the GITHUB_WORKFLOW_REF env var or hardcode the
filename) — e.g., modify the grep/find invocation used in the detection step to
skip "$GITHUB_WORKFLOW_REF" (or ".github/workflows/pull-request-no-npm.yml") so
the workflow file is not scanned and the error/exit logic only triggers for
other workflow files.

---

Nitpick comments:
In @.github/workflows/pull-request-no-npm.yml:
- Around line 15-17: The grep scope is limited by the WORKFLOW_DIRECTORY
variable and the conditional using grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY",
which misses npm occurrences elsewhere; update the check so it scans the entire
repository (e.g., run grep recursively from the repo root instead of
"$WORKFLOW_DIRECTORY" or include other common locations like scripts/, Makefile,
and package.json) or, if scanning only workflows is intentional, add an explicit
comment/variable (and documentation) stating the deliberate limitation so
maintainers understand the narrow scope; modify the WORKFLOW_DIRECTORY usage and
the grep invocation accordingly and document the chosen scope.

Comment thread .github/workflows/pull-request-no-npm.yml
Comment on lines +13 to +23
- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"

if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Self-scan causes the workflow to always fail — the detection is broken.

grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" scans every file under .github/workflows/, which includes this workflow file itself. The file contains the word "npm" as a standalone token in at least three places (the name: fields on lines 1 and 13, and the error message on line 18), so the check immediately matches and exits with code 1 on every run regardless of actual violations.

The fix is to exclude the current workflow file from the scan. The cleanest approach uses GITHUB_WORKFLOW_REF:

🐛 Proposed fix — exclude the current workflow file from the scan
      - name: Scan workflow file for forbidden npm commands
        run: |
          WORKFLOW_DIRECTORY=".github/workflows"
+         SELF_WORKFLOW=$(basename "$GITHUB_WORKFLOW_REF" | cut -d'@' -f1)

-         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
+         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="$SELF_WORKFLOW"; then
            echo "::error::Forbidden 'npm' command found in one or more workflow files!"
            echo "Please use 'pnpm' instead."
            exit 1
          else
            echo "No forbidden 'npm' commands found. The job can proceed."
          fi

If you prefer a simpler, hardcoded exclusion (acceptable since the filename is stable):

-         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
+         if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="pull-request-no-npm.yml"; then
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"
if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi
- name: Scan workflow file for forbidden npm commands
run: |
WORKFLOW_DIRECTORY=".github/workflows"
SELF_WORKFLOW=$(basename "$GITHUB_WORKFLOW_REF" | cut -d'@' -f1)
if grep -rE '\bnpm\b' "$WORKFLOW_DIRECTORY" --exclude="$SELF_WORKFLOW"; then
echo "::error::Forbidden 'npm' command found in one or more workflow files!"
echo "Please use 'pnpm' instead."
exit 1
else
echo "No forbidden 'npm' commands found. The job can proceed."
fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request-no-npm.yml around lines 13 - 23, The
self-scan currently fails because the grep line (grep -rE '\bnpm\b'
"$WORKFLOW_DIRECTORY") scans this workflow file itself; update the check in the
block that sets WORKFLOW_DIRECTORY and runs grep so it excludes the current
workflow file (use the GITHUB_WORKFLOW_REF env var or hardcode the filename) —
e.g., modify the grep/find invocation used in the detection step to skip
"$GITHUB_WORKFLOW_REF" (or ".github/workflows/pull-request-no-npm.yml") so the
workflow file is not scanned and the error/exit logic only triggers for other
workflow files.

@palisadoes

Copy link
Copy Markdown
Contributor Author

@coderabbitai full review and reevaluate all your previous comments that may have been dismissed, ignored or resolved. Evaluate whether the goals of the issue linked in the first PR comment are met. If there are test cases, ensure that the updated or created tests won't be flaky, especially in a sharded testing environment where test cleanup is important and response times are highly variable. Post your conclusion as an easily readable comment that also includes your findings outside the diffs.

@coderabbitai

coderabbitai Bot commented Feb 22, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Get PR details including linked issues from body and comments
echo "=== PR DETAILS ==="
gh pr view 49 --json title,body,number,state,author,createdAt,additions,deletions,changedFiles

echo -e "\n=== CHECKING FOR LINKED ISSUES IN PR BODY AND COMMENTS ==="
gh pr view 49 --json body --jq '.body'
echo -e "\n--- First comment ---"
gh api "/repos/PalisadoesFoundation/.github/issues/49/comments" --jq '.[0] | "Comment by \(.user.login) at \(.created_at):\n\(.body)"'

echo -e "\n=== WORKFLOW FILE CONTENT ==="
cat .github/workflows/pull-request-no-npm.yml

echo -e "\n=== SEARCHING FOR WORKFLOWS THAT CALL THIS WORKFLOW ==="
# Search for any workflow files that reference pull-request-no-npm
rg -n "pull-request-no-npm" .github/workflows/ --type yaml

echo -e "\n=== LISTING ALL WORKFLOW FILES ==="
fd -e yml -e yaml . .github/workflows/ --exec echo {}

echo -e "\n=== SEARCHING FOR TEST FILES RELATED TO NPM CHECK ==="
# Look for any test workflows or test files
fd -e yml -e yaml . .github/workflows/ --exec grep -l "test" {} \;
rg -l "test.*npm|npm.*test" .github/ --type yaml

echo -e "\n=== CHECKING FOR ISSUES MENTIONING NPM ==="
gh issue list --limit 100 --search "npm in:title,body" --json number,title,state,body --jq '.[] | "Issue #\(.number) (\(.state)): \(.title)"'

Length of output: 3760


@palisadoes, I've completed a fresh comprehensive review of PR #49. Here's my analysis:

🔍 Critical Finding: No Linked Issue

Important: The PR body does not contain a link to any issue. You mentioned "the issue linked in the first PR comment," but no such issue exists. The first comment is an automated bot message about the PR approval process. Without a linked issue, I cannot evaluate whether the goals are met or verify acceptance criteria.


📊 Current State Analysis

✅ Improvements Made Since Previous Review

The workflow has been significantly improved:

  1. Better Detection Pattern:

    • ❌ Before: grep -rq "npm " (missed many cases)
    • ✅ Now: grep -rE '^[^#]*\bnpm\b' (uses word boundaries, excludes comments)
  2. Expanded Scope:

    • ❌ Before: Only .github/workflows
    • ✅ Now: .github/workflows docs/docs package.json (catches npm in docs and package.json)

These changes address 2 of the 5 critical issues from my previous review.


❌ Remaining Critical Issues

1. Workflow Not Integrated - Still Won't Run 🚨

The workflow still uses only workflow_call trigger and is not called by any other workflow. I searched all workflow files and found zero references to pull-request-no-npm.

Impact: The check will never execute automatically. Developers can still commit npm commands without detection.

Evidence:

# Search result: EMPTY
rg -n "pull-request-no-npm" .github/workflows/

Required Fix: Add this to an existing PR workflow or create a new one that calls it:

jobs:
  check-npm:
    uses: ./.github/workflows/pull-request-no-npm.yml

2. No Test Coverage 🚨

There are no test workflows or test cases to verify:

  • Detection works correctly
  • Edge cases are handled
  • Pattern doesn't break with future changes
  • False positives/negatives behavior

Flakiness Assessment: N/A - no tests exist to be flaky.


🎯 Findings Outside the Diffs

Repository-Wide Scan Results:

  1. 14 workflow files exist in .github/workflows/
  2. None of them reference or use the npm detection workflow
  3. No issues found in the repository related to npm enforcement
  4. No integration points identified where this workflow would be triggered

Current Workflow Behavior:

on:
  workflow_call:  # ⚠️ Only triggered when explicitly called

This means the workflow is dormant - it exists but doesn't protect against npm usage.


📋 Comprehensive Conclusion

Goal Achievement: ⚠️ Incomplete

Aspect Status Notes
Detection Logic ✅ Good Improved pattern handles most cases
Scope Coverage ✅ Good Covers workflows, docs, and package.json
Integration Missing Not called by any workflow
Automation Missing Won't run on PRs
Testing Missing No test coverage
Issue Goals Unknown No issue linked

What Works:

  • ✅ Detection pattern is robust (word boundaries, comment exclusion)
  • ✅ Multi-location scanning (workflows, docs, package.json)
  • ✅ Clear error messages

What's Broken:

  • 🚨 Will never run automatically - not integrated into PR checks
  • 🚨 No verification - untested functionality
  • 🚨 No traceability - missing issue link

🎯 Required Actions to Complete This PR

1. Link an Issue (High Priority)

Create or link an issue describing:

  • Why npm should be forbidden
  • What the acceptance criteria are
  • Where enforcement should apply

2. Integrate the Workflow (Critical - Blocks Goal)

Add to an existing PR workflow (e.g., pull-request-review.yml):

jobs:
  npm-check:
    uses: ./.github/workflows/pull-request-no-npm.yml

Or trigger it directly:

on:
  pull_request:
    branches: [main, develop]

3. Add Test Coverage (High Priority)

Create test scenarios:

  • ✅ Test file with npm install → should fail
  • ✅ Test file with pnpm install → should pass
  • ✅ Test file with comment # don't use npm → should pass
  • ✅ Test file with deployment (contains "npm") → should pass

🔧 Immediate Next Step

Please clarify:

  1. Is there an issue this PR should be linked to?
  2. Should I help integrate this workflow into your PR checks?
  3. Would you like me to generate test cases?

Without integration, this PR adds a workflow that exists but doesn't protect anything.

✅ Actions performed

Full review triggered.

@palisadoes

Copy link
Copy Markdown
Contributor Author

@coderabbitai full review and reevaluate all your previous comments that may have been dismissed, ignored or resolved. Evaluate whether the goals of the issue linked in the first PR comment are met. If there are test cases, ensure that the updated or created tests won't be flaky, especially in a sharded testing environment where test cleanup is important and response times are highly variable. Post your conclusion as an easily readable comment that also includes your findings outside the diffs.

@coderabbitai

coderabbitai Bot commented Feb 22, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

echo "=== FETCHING LATEST PR DETAILS ==="
gh pr view 49 --json title,body,number,state,author,createdAt,updatedAt,additions,deletions,changedFiles,files

echo -e "\n=== CHECKING ALL PR COMMENTS FOR LINKED ISSUES ==="
gh api "/repos/PalisadoesFoundation/.github/issues/49/comments" --jq '.[] | "Comment #\(.id) by \(.user.login) at \(.created_at):\n\(.body)\n---"'

echo -e "\n=== READING CURRENT WORKFLOW FILE ==="
cat .github/workflows/pull-request-no-npm.yml

echo -e "\n=== CHECKING IF WORKFLOW IS NOW CALLED BY OTHER WORKFLOWS ==="
rg -n "pull-request-no-npm" .github/workflows/ --type yaml || echo "No references found"

echo -e "\n=== LISTING ALL WORKFLOW FILES ==="
fd -e yml -e yaml . .github/workflows/

echo -e "\n=== CHECKING FOR NEW TEST FILES OR TEST WORKFLOWS ==="
fd -e yml -e yaml . .github/workflows/ --exec grep -l "test" {} \; || echo "No test workflows found"

echo -e "\n=== SEARCHING FOR ANY RECENT COMMITS TO THE PR ==="
gh pr view 49 --json commits --jq '.commits[] | "Commit: \(.oid[0:7]) by \(.authors[0].login) at \(.committedDate)\nMessage: \(.messageHeadline)"'

echo -e "\n=== CHECKING IF WORKFLOW HAS pull_request TRIGGER ==="
grep -A 5 "^on:" .github/workflows/pull-request-no-npm.yml

echo -e "\n=== SEARCHING ENTIRE REPO FOR NPM ISSUE REFERENCES ==="
rg -i "npm.*issue|issue.*npm" --type yaml --type md -g '!node_modules' | head -20 || echo "No issue references found"

Length of output: 28016


@palisadoes, I've completed another comprehensive review of PR #49. I found a CRITICAL new issue with the latest changes:

🚨 CRITICAL: Invalid Workflow Syntax

The workflow trigger syntax in the latest commit is incorrect and will prevent the workflow from running:

# ❌ CURRENT (INCORRECT):
on:
  workflow_call:
    pull_request:

This syntax is invalid because workflow_call doesn't accept nested triggers. The workflow will fail to parse.

Required Fix - Use one of these correct syntaxes:

# ✅ OPTION 1 (Recommended):
on:
  workflow_call:
  pull_request:
    branches: [main, develop]
# ✅ OPTION 2 (Simplified):
on: [workflow_call, pull_request]

📊 Complete Analysis

✅ Improvements Made (Since First Review)

  1. Better Detection Pattern: Now uses grep -rE '^[^#]*\bnpm\b' with word boundaries and comment exclusion
  2. Expanded Scope: Now scans .github/workflows docs/docs package.json (not just workflows)
  3. Attempted Trigger Addition: Tried to add pull_request trigger (but syntax is broken)

❌ Critical Issues

Issue Status Impact
Invalid YAML Syntax 🚨 NEW - BLOCKING Workflow won't run at all
No Linked Issue Still Missing Can't verify requirements
No Tests Still Missing No validation or flakiness concerns
Not Integrated ⚠️ Partially Addressed Attempted direct trigger but syntax broken

🎯 Findings Outside the Diffs

Recent Activity:

  • 5 commits pushed between 19:33 and 20:06 UTC
  • 14 workflow files in repository, none reference this workflow
  • No npm-related issues found in repository search
  • No test workflows exist for this checker

Current State:

The workflow attempts to trigger on pull_request events directly (good intent!) but the YAML syntax error means it won't work.


📋 Comprehensive Conclusion

Goal Achievement: ❌ Not Met - Broken

Aspect Status Grade
Syntax Validity BROKEN F
Detection Logic ✅ Good A
Scope Coverage ✅ Good A
Direct Trigger ⚠️ Attempted D
Testing ❌ Missing F
Issue Link ❌ Missing F
Overall Will Not Run F

🔧 Required Actions (Priority Order)

1. FIX SYNTAX (CRITICAL - Must Do First) 🚨

Change the trigger section to:

on:
  workflow_call:
  pull_request:
    branches:
      - main
      - develop

2. Link an Issue (High Priority)

The PR body states "Added check to fail if NPM commands are used" but doesn't link to an issue. Please add:

  • Why npm is forbidden
  • What the acceptance criteria are
  • Related context or discussion

3. Add Tests (Medium Priority)

Create test files to verify:

  • ✅ Files with npm install → detection works
  • ✅ Files with pnpm install → no false positives
  • ✅ Comments with "npm" → correctly ignored
  • ✅ Words like "deployment" → correctly ignored

💡 Complete Fixed VersionHere's the corrected workflow file:

name: Do not use the npm command

on:
  workflow_call:
  pull_request:
    branches:
      - main
      - develop

jobs:
  Detect-NPM:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Scan for forbidden npm commands
        run: |
          LOCATIONS=".github/workflows docs/docs package.json"

          if grep -rE '^[^#]*\bnpm\b' $LOCATIONS; then
            echo "::error::Forbidden 'npm' command found!"
            echo "Please use 'pnpm' instead."
            exit 1
          else
            echo "✅ No forbidden 'npm' commands found."
          fi

🎯 Summary

Current Status: The workflow is broken due to invalid YAML syntax and will not execute.

What Works:

  • ✅ Detection pattern is robust
  • ✅ Scope covers multiple locations
  • ✅ Good error messages

What's Broken:

  • 🚨 Invalid trigger syntax - prevents workflow from running
  • No linked issue - can't verify goals are met
  • No tests - can't assess flakiness

Next Step: Fix the syntax error in the on: section, then test that the workflow actually runs on PRs.

Would you like me to help create test cases or integrate this into your existing workflows once the syntax is fixed?

✅ Actions performed

Full review triggered.

@palisadoes

Copy link
Copy Markdown
Contributor Author

@coderabbitai

Is the current syntax correct and will the action only run on pull requests?

@coderabbitai

coderabbitai Bot commented Feb 22, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the current workflow file to check syntax
cat .github/workflows/pull-request-no-npm.yml

Length of output: 651


@palisadoes, yes! The current syntax is correct

on:
  workflow_call:
  pull_request:

This is valid YAML for GitHub Actions. However, to answer your second question: No, it will NOT run only on pull requests.

How It Works:

The workflow will trigger on TWO separate events:

  1. workflow_call - When explicitly called by another workflow
  2. pull_request - When PR events occur (opened, synchronized, reopened)

If You Want It to Run ONLY on Pull Requests:

Remove the workflow_call line:

on:
  pull_request:

Or be more specific about which PR events and branches:

on:
  pull_request:
    branches:
      - main
      - develop
    types: [opened, synchronize, reopened]

Current Behavior:

Will run automatically on all PRs to any branch
Can also be called by other workflows as a reusable workflow

Both triggers are active, so the workflow has two ways to execute. Is this the behavior you intended, or would you prefer it to only run on PRs?

@palisadoes palisadoes merged commit 30ebf2d into PalisadoesFoundation:main Feb 22, 2026
1 of 2 checks passed
@palisadoes palisadoes deleted the NPM-1771788584 branch February 22, 2026 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant