refactor: create actions/setup-dependencies/action

[alfetopito]

Summary

Refactor to simplify gh actions, creating a reusable workflow for setting up the repo.

Summary by CodeRabbit

• Chores
  • Added a reusable CI action to centralize dependency setup (Node/Yarn/npm auth), replacing repeated inline setup steps.
  • Updated multiple workflows to use the new centralized setup action, simplifying pipelines and reducing duplication.
  • Consolidated authentication handling for package installs via a single action input.

[coderabbitai]

Walkthrough

Adds a new GitHub Actions composite action at .github/actions/setup-dependencies/action.yml that consolidates npmrc/SDK install, Node.js setup, and Yarn install; several workflows were updated to replace inline setup steps with a single call to this local action.

Changes

Cohort / File(s)	Summary
New Composite Action \.github/actions/setup-dependencies/action\.yml	Added a composite GitHub Action that checks out the repo (configurable persist-credentials), runs the workspace install-sdk-preview.mjs via GitHub Script exposing PACKAGE_READ_AUTH_TOKEN, sets up Node.js (node-version: lts/*) with Yarn caching, and runs yarn install --frozen-lockfile.
CI & Token Workflows \.github/workflows/ci\.yml, \.github/workflows/cowFi-tokens\.yml	Replaced inline steps (set up npmrc / run SDK install script / set up Node.js / install dependencies) with a single ./.github/actions/setup-dependencies step that accepts authToken. Remaining steps (checkout, tests, validation, artifact/upload steps) retained.
Action Execution Workflow \.github/workflows/executeAction\.yml	Removed inline npmrc/SDK/node/install steps and replaced them with the new setup-dependencies action; the rest of the workflow remains unchanged.
List & Permit Workflows \.github/workflows/generateAuxLists\.yml, \.github/workflows/updatePermitInfo\.yml	Replaced repeated checkout/npmrc/node/yarn steps with the setup-dependencies action; subsequent generation, commit/push, and failure-handling steps unchanged.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant WF as Workflow
    participant ACTION as setup-dependencies (composite)
    participant CHECKOUT as actions/checkout
    participant SCRIPT as install-sdk-preview.mjs
    participant NODE as actions/setup-node
    participant YARN as yarn

    WF->>ACTION: call ./.github/actions/setup-dependencies (input: authToken)
    ACTION->>CHECKOUT: checkout repo (persist-credentials configurable)
    ACTION->>SCRIPT: run via github-script (env: PACKAGE_READ_AUTH_TOKEN)
    ACTION->>NODE: setup node (node-version: lts/*) + enable yarn cache
    ACTION->>YARN: yarn install --frozen-lockfile
    ACTION-->>WF: dependencies ready

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Check composite action schema, inputs, and indentation in action.yml.
• Verify github-script invocation correctly imports/runs install-sdk-preview.mjs from workspace and that PACKAGE_READ_AUTH_TOKEN is scoped safely.
• Confirm workflows pass authToken correctly and that persist-credentials behavior matches prior inline usage where required.
• Test at least one workflow (CI) to validate the combined action executes as expected.

Poem

I hopped through YAML fields with cheer,
One action bundles steps so near.
Tokens tucked and Node set right,
Yarn hums softly through the night.
A rabbit's nod — our CI takes flight. 🐰✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The PR title "refactor: create actions/setup-dependencies/action" accurately reflects the main change in the pull request. The changeset adds a new composite GitHub Action at .github/actions/setup-dependencies/action.yml that consolidates dependency setup logic (npmrc configuration, Node.js setup, and yarn installation), and updates five existing workflows to use this new action instead of inline setup steps. The title is concise, specific, and uses the "refactor:" prefix to indicate this is a refactoring effort. The title clearly communicates the primary artifact being delivered—the new setup-dependencies action.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/refactor-actions

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8cdaf2a and 63ba306.

📒 Files selected for processing (6)

• .github/actions/setup-dependencies/action.yml (1 hunks)
• .github/workflows/ci.yml (1 hunks)
• .github/workflows/cowFi-tokens.yml (1 hunks)
• .github/workflows/executeAction.yml (1 hunks)
• .github/workflows/generateAuxLists.yml (1 hunks)
• .github/workflows/updatePermitInfo.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• .github/workflows/executeAction.yml
• .github/actions/setup-dependencies/action.yml
• .github/workflows/ci.yml
• .github/workflows/cowFi-tokens.yml
• .github/workflows/updatePermitInfo.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Socket Security: Pull Request Alerts

🔇 Additional comments (1)

.github/workflows/generateAuxLists.yml (1)

19-22: Refactoring verified as correct.

The composite action properly implements all expected functionality:

• authToken is defined as a required input parameter
• authToken is correctly passed as PACKAGE_READ_AUTH_TOKEN environment variable to the install-sdk-preview.mjs script
• Environment variable is set at the step level where authentication is needed

The workflow refactoring is sound and follows GitHub Actions best practices.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/generateAuxLists.yml (1)

16-17: Consider explicitly passing persist_credentials for consistency.

This workflow omits the persist_credentials input, relying on the action's default (false). While this works correctly, other workflows explicitly pass this parameter. For consistency and clarity, consider adding it:

       - name: Setup dependencies
         uses: ./.github/actions/setup-dependencies
+        with:
+          persist_credentials: false

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82d9071 and bce60c4.

📒 Files selected for processing (6)

• .github/actions/setup-dependencies/action.yml (1 hunks)
• .github/workflows/ci.yml (1 hunks)
• .github/workflows/cowFi-tokens.yml (1 hunks)
• .github/workflows/executeAction.yml (1 hunks)
• .github/workflows/generateAuxLists.yml (1 hunks)
• .github/workflows/updatePermitInfo.yml (1 hunks)

🔇 Additional comments (6)

.github/actions/setup-dependencies/action.yml (2)

20-22: Verify YAML script formatting and indentation.

Lines 21-22 contain a multi-line JavaScript string with unusual indentation. Ensure this is valid YAML and the script parses correctly at runtime.

For clarity, consider formatting as a single line or using YAML block syntax:

       with:
-        script: const { installSdkPreview } = await import("${{github.workspace}}/src/scripts/install-sdk-preview.mjs");
-          installSdkPreview(context, core);
+        script: |
+          const { installSdkPreview } = await import("${{github.workspace}}/src/scripts/install-sdk-preview.mjs");
+          installSdkPreview(context, core);

---

1-34: Action consolidates setup steps effectively.

The new composite action successfully centralizes dependency setup (checkout, npm config, Node.js, yarn install) into a reusable unit. This eliminates duplication across five workflows and follows the DRY principle well.

.github/workflows/cowFi-tokens.yml (1)

18-21: Migration to composite action is correct.

The workflow cleanly delegates dependency setup to the new action, reducing code duplication while maintaining the persist_credentials: false requirement for this job.

.github/workflows/executeAction.yml (1)

27-30: Setup consolidated correctly.

The workflow now uses the composite action to handle dependency setup. The removal of PACKAGE_READ_AUTH_TOKEN environment variable is correct since it's now managed within the action.

.github/workflows/ci.yml (1)

17-20: Clean setup consolidation.

The CI workflow now delegates all setup tasks to the composite action, reducing boilerplate while maintaining the same security posture with persist_credentials: false.

.github/workflows/updatePermitInfo.yml (1)

22-25: Setup step correctly migrated for update-permit-info job.

The matrix-based job correctly uses the composite action for dependency setup. The separate commit-changes job retains its own standalone checkout (line 52), which is appropriate since it's a dependent job that downloads artifacts.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bce60c4 and 8cdaf2a.

📒 Files selected for processing (6)

• .github/actions/setup-dependencies/action.yml (1 hunks)
• .github/workflows/ci.yml (1 hunks)
• .github/workflows/cowFi-tokens.yml (1 hunks)
• .github/workflows/executeAction.yml (1 hunks)
• .github/workflows/generateAuxLists.yml (1 hunks)
• .github/workflows/updatePermitInfo.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/cowFi-tokens.yml
• .github/workflows/ci.yml
• .github/workflows/generateAuxLists.yml

🧰 Additional context used

🪛 GitHub Actions: CI

.github/actions/setup-dependencies/action.yml

[error] 13-13: Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.PACKAGE_READ_AUTH_TOKEN

🔇 Additional comments (4)

.github/workflows/updatePermitInfo.yml (1)

27-28: LGTM!

The consolidation of dependency setup into a single reusable action simplifies the workflow while maintaining clarity.

.github/actions/setup-dependencies/action.yml (2)

15-19: LGTM!

The Node.js setup is properly configured with LTS version and Yarn caching enabled.

---

21-23: LGTM!

The dependency installation with frozen lockfile ensures reproducible builds across workflows.

.github/workflows/executeAction.yml (1)

32-33: LGTM, pending upstream fix.

The Setup dependencies consolidation is correctly applied here. However, this workflow will fail due to the critical issue in the composite action (secrets context access). Once that is resolved, this change will work as intended.

[alfetopito]

Please post merge review