
Feat/GitHub pages website#72

Merged
oleg-koval merged 11 commits into
mainfrom
feat/github-pages-website
May 2, 2026

Conversation

@oleg-koval
Owner

@oleg-koval oleg-koval commented May 2, 2026

Summary by CodeRabbit

  • New Features

    • Launched project website with comprehensive documentation and resources
  • Documentation

    • Enhanced README with Quick Start section, badges, and improved structure
    • Added Contributing and Security policy documentation
  • Chores

    • Integrated OpenSSF Scorecard security scanning
    • Improved CI/CD pipeline with packaging validation and GitHub Pages deployment

@coderabbitai
Contributor

coderabbitai Bot commented May 2, 2026

Warning

Rate limit exceeded

@oleg-koval has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 28 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dcd7ffb9-abdc-43f6-9fdb-3a0216e10a92

📥 Commits

Reviewing files that changed from the base of the PR and between 397fff7 and 8904e17.

📒 Files selected for processing (1)
  • package.json
📝 Walkthrough


The PR adds a public-facing GitHub Pages site, improves the release process with validation and plugin filtering, implements OpenSSF Scorecard monitoring, excludes site changes from release triggers, and introduces contributor and security documentation alongside an updated README.

Changes

GitHub Pages Site Deployment

  • Site Configuration & Metadata (package.json): Added homepage field pointing to the deployed site URL.
  • Site Assets (site/index.html, site/styles.css): HTML document with SEO/social metadata, masthead, install/usage examples, release semantics table, and maintainer links; accompanying stylesheet defining theme variables, layouts (masthead/boxes/two-column grid), responsive breakpoints, and typography.
  • Site Infrastructure (site/robots.txt, site/sitemap.xml): Robot exclusion and sitemap files to support search engine indexing and crawling.
  • Pages Deployment Workflow (.github/workflows/pages.yml): New workflow that builds and deploys the ./site directory to GitHub Pages on main branch pushes affecting site/**, with configurable Pages permissions and artifact upload/deployment steps.
  • Release Workflow Filtering (.github/workflows/release.yml): Added paths-ignore to prevent the release workflow from running on site-only or Pages workflow file changes.

Release Process & Build Validation

  • Release Configuration (release.repo.config.js): Plugins array now explicitly filters sharedConfig.plugins to exclude @semantic-release/changelog and @semantic-release/git, ensuring the repo-only configuration is compatible with a protected main branch.
  • Release Execution Script (scripts/release-main.mjs): New ESM script that loads the release config, invokes semantic-release with ci: true and dryRun: false, and logs when no release is generated.
  • NPM Scripts & Validation (package.json): Changed the semantic-release script to invoke node ./scripts/release-main.mjs instead of the direct CLI; added a pack:check script for packaging validation.
  • CI Validation & Permissions (.github/workflows/ci.yml): Added an npm run pack:check validation step in the validate job; changed permissions.contents from read to write in the semantic-release-dry-run job to enable dry-run write operations.
  • Release Configuration Tests (test/release-config.test.js): New test case verifies that repoReleaseConfig.plugins contains only the four expected plugins (commit-analyzer, release-notes-generator, npm, github).

Project Documentation & Security

  • Security Policy (SECURITY.md): Documents supported versions (latest npm + active main branch), private vulnerability reporting via GitHub security advisories, and guidance on what information to include in reports.
  • Contribution Guide (CONTRIBUTING.md): Outlines development setup (Node version from package.json), required npm commands (install/test/config/doc checks and packaging), branch-based release behavior (stable from main, beta from beta), and PR expectations (focus, tests/docs updates, no secrets/artifacts, Conventional Commits).
  • OpenSSF Scorecard (.github/workflows/scorecard.yml): New security monitoring workflow that runs on schedule, manual dispatch, and pushes to main; executes OSSF Scorecard analysis and uploads SARIF results via the CodeQL action.
  • README Reorganization (readme.md): Restructured with centered icon, OpenSSF Scorecard and license badges, new "Quick Start" section, and reorganized content flow (System Requirements, Documentation, Project Status, Security Notes, Support sections added/moved); removed outdated migration notice.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

The PR spans multiple independent domains (site deployment, release mechanics, documentation, security workflows) with heterogeneous changes including new configuration logic (plugin filtering), scripting (release-main.mjs), markup (site files), and documentation. While each cohort follows a clear pattern, the diversity of file types and purposes—from CSS styling to workflow YAML to npm scripts—requires separate reasoning for each component.

Poem

🐰 A site now stands with gleaming pages bright,
Release config filtered, plugins set just right,
Security badges glow, scorecard keeps watch,
Contributors welcome, secrets in the notch—
From humble README to indexed domain,
The project grows more official again! ✨

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: ✅ Passed (check skipped; CodeRabbit's high-level summary is enabled).
  • Title check: ✅ Passed. The title 'Feat/GitHub pages website' clearly summarizes the main change: adding a GitHub Pages website to the project, which is substantiated by the addition of site/ files, the pages.yml workflow, and related documentation.
  • Docstring Coverage: ✅ Passed (no functions found in the changed files to evaluate docstring coverage; check skipped).
  • Linked Issues check: ✅ Passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: ✅ Passed (check skipped because no linked issues were found for this pull request).

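Added example, not the project's own release.repo.config.js (which is not shown on this page), of the plugin-filtering approach the walkthrough describes: a shared semantic-release config, constructed here, is narrowed to a repo-only plugin list by dropping @semantic-release/changelog and @semantic-release/git, the two plugins that commit back to the branch and therefore fail against a protected main. The guard at the end mirrors the four-plugin check the new test is said to make. The names sharedConfig, buildRepoReleaseConfig and the plugin options are assumptions for the example.

```javascript
// Added example (not the project's release.repo.config.js): derive a repo-only
// semantic-release plugin list from a shared config by removing the plugins
// that push commits to the release branch. The shared config is constructed
// for this example; its plugin options are illustrative.
const sharedConfig = {
  branches: ['main', { name: 'beta', prerelease: true }],
  plugins: [
    '@semantic-release/commit-analyzer',
    ['@semantic-release/release-notes-generator', { preset: 'conventionalcommits' }],
    ['@semantic-release/changelog', { changelogFile: 'CHANGELOG.md' }],
    ['@semantic-release/npm', { npmPublish: true }],
    '@semantic-release/github',
    ['@semantic-release/git', { assets: ['CHANGELOG.md', 'package.json'] }],
  ],
};

// Plugins that write to the repository; branch protection on main rejects them.
const REPO_WRITING_PLUGINS = new Set([
  '@semantic-release/changelog',
  '@semantic-release/git',
]);

// A semantic-release plugin entry is either a bare name or a [name, options] tuple.
function pluginName(entry) {
  return Array.isArray(entry) ? entry[0] : entry;
}

// Keep every entry (with its options intact) whose name is not excluded.
function filterRepoPlugins(plugins, excluded = REPO_WRITING_PLUGINS) {
  return plugins.filter((entry) => !excluded.has(pluginName(entry)));
}

// Repo-only config: same branches, plugins minus the repo-writing ones.
function buildRepoReleaseConfig(config) {
  return { ...config, plugins: filterRepoPlugins(config.plugins) };
}

// Guard mirroring the test described in the PR: exactly these four plugins
// survive, in their original order. Returns the plugin names on success.
const EXPECTED = [
  '@semantic-release/commit-analyzer',
  '@semantic-release/release-notes-generator',
  '@semantic-release/npm',
  '@semantic-release/github',
];

function assertRepoConfigPlugins(config) {
  const names = config.plugins.map(pluginName);
  if (names.length !== EXPECTED.length || names.some((n, i) => n !== EXPECTED[i])) {
    throw new Error(`unexpected repo plugin set: ${JSON.stringify(names)}`);
  }
  return names;
}

const repoReleaseConfig = buildRepoReleaseConfig(sharedConfig);
console.log(assertRepoConfigPlugins(repoReleaseConfig));
```

Filtering by name rather than by index keeps the shared config the single source of truth: adding a plugin to sharedConfig shows up in the repo-only config automatically, while the guard fails loudly if a repo-writing plugin ever slips through.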

@qodo-code-review

Review Summary by Qodo

Add GitHub Pages site, improve release config, and enhance documentation

✨ Enhancement 📝 Documentation


Walkthroughs

Description
• Add GitHub Pages landing site with SEO metadata and styling
• Filter changelog and git plugins from repo-only release config
• Add GitHub Pages and OpenSSF Scorecard deployment workflows
• Restructure README with improved organization and features section
• Add CONTRIBUTING.md and SECURITY.md documentation files
• Update release workflow to skip site changes and add package check
Diagram
flowchart LR
  A["Release Config"] -- "filter plugins" --> B["Repo Release Config"]
  C["Site Files"] -- "deploy via workflow" --> D["GitHub Pages"]
  E["CI Workflow"] -- "skip site changes" --> F["Release Workflow"]
  G["Documentation"] -- "add guides" --> H["Contributing & Security"]
  I["Package"] -- "add homepage" --> J["npm Registry"]


File Changes

  1. site/index.html (📝 Documentation, +177/-0): Create GitHub Pages landing site with SEO
  2. site/styles.css (✨ Enhancement, +210/-0): Add responsive styling for landing page
  3. site/robots.txt (📝 Documentation, +4/-0): Add robots.txt for search engine crawling
  4. site/sitemap.xml (📝 Documentation, +8/-0): Add XML sitemap for SEO indexing
  5. release.repo.config.js (🐞 Bug fix, +10/-0): Filter changelog and git plugins from repo config
  6. test/release-config.test.js (🧪 Tests, +12/-0): Add test for protected main branch compatibility
  7. .github/workflows/pages.yml (✨ Enhancement, +41/-0): Add GitHub Pages deployment workflow
  8. .github/workflows/scorecard.yml (✨ Enhancement, +37/-0): Add OpenSSF Scorecard security analysis workflow
  9. .github/workflows/ci.yml (✨ Enhancement, +4/-1): Add package check and update dry-run permissions
  10. .github/workflows/release.yml (✨ Enhancement, +3/-0): Exclude site changes from release workflow trigger
  11. package.json (⚙️ Configuration changes, +3/-1): Add homepage URL and pack check script
  12. scripts/release-main.mjs (✨ Enhancement, +24/-0): Create release script using repo config
  13. readme.md (📝 Documentation, +94/-56): Restructure README with features and documentation links
  14. CONTRIBUTING.md (📝 Documentation, +29/-0): Add contribution guidelines and development setup
  15. SECURITY.md (📝 Documentation, +23/-0): Add security policy and vulnerability reporting

@qodo-code-review

qodo-code-review Bot commented May 2, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0)

Action required

1. Broken npm README image 🐞 Bug ≡ Correctness
Description
readme.md embeds ./site/assets/icon.svg, but package.json’s files allowlist excludes
site/**, so the image will be missing from the published package and render broken on npmjs.com
and in node_modules.
Code

readme.md[R25-27]

+<p align="center">
+  <img src="./site/assets/icon.svg" width="120" height="120" alt="semantic-release-npm-github-publish icon">
+</p>
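Review bot: the relative `./site/assets/icon.svg` on the second added line resolves on github.com but not in the published tarball, because the `files` allowlist cited in the Evidence section leaves `site/**` out, so npmjs.com and anyone reading the README from node_modules get a broken image. Point the `src` at an absolute URL for the committed SVG rather than widening `files`; adding `site/assets/icon.svg` to the allowlist works too but ties the package contents to the website's asset layout.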
Evidence
The README references an icon under site/, but the package is published using an explicit files
allowlist that does not include site/**, so the icon won’t be in the tarball that npm uses to
render the README.

readme.md[25-27]
package.json[27-33]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`readme.md` references `./site/assets/icon.svg`, but `site/**` is not included in the npm package allowlist (`package.json.files`). This causes a broken image on npmjs.com and for users viewing the packaged README.

### Issue Context
npm includes the README by default, but it will not include arbitrary referenced assets unless they’re part of the packed files.

### Fix Focus Areas
- readme.md[25-27]
- package.json[27-33]

### Suggested fix options
1) Change the README image URL to an absolute URL (recommended), e.g. to `raw.githubusercontent.com` (or to the GitHub Pages URL).
2) Alternatively, include the needed asset(s) in the npm package by adding `site/assets/icon.svg` (or `site/assets/**`) to `files` (avoid shipping the whole `site/` unless intentional).

Remediation recommended

2. Unneeded contents write permission 🐞 Bug ⛨ Security
Description
The semantic-release-dry-run CI job grants contents: write and checks out with default persisted
credentials even though it runs an auth-free dry-run config, increasing the blast radius of any
compromised dependency/script during CI.
Code

.github/workflows/ci.yml[R54-60]

    needs: validate
    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
-      contents: read
+      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
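Review bot: the change from `contents: read` to `contents: write` on the permissions block is wider than this job needs; as the Evidence section notes, the dry-run config runs only commit-analyzer and release-notes-generator with `dryRun: true`, and neither pushes anything. Keep `contents: read`, and add `persist-credentials: false` under `with:` on the `actions/checkout@v4` step so the GITHUB_TOKEN is not left in `.git/config` for every later step, including the npm scripts the job runs. The same `if:` guard that admits same-repo pull requests also means this job runs on PR branches, which is one more reason to keep its token read-only. Separately, `actions/checkout@v4` is resolved by tag here, the same point raised against scorecard.yml in finding 3.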
Evidence
The CI workflow shows the dry-run job explicitly uses contents: write, while the dry-run
semantic-release config only uses @semantic-release/commit-analyzer and
@semantic-release/release-notes-generator and runs with dryRun: true, so it doesn’t need repo
write access. With default checkout behavior (no persist-credentials: false), the write-scoped
token is also persisted into the git config for that workspace.

.github/workflows/ci.yml[51-74]
release.dry-run.config.js[1-9]
scripts/release-dry-run.mjs[1-20]
.github/workflows/scorecard.yml[22-26]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The `semantic-release-dry-run` job in CI uses `permissions: contents: write` and performs a checkout with default persisted credentials, but the dry-run configuration uses auth-free plugins and runs with `dryRun: true`. This unnecessarily grants write capability to the job.

### Issue Context
The job runs `npm run release:dry-run`, which loads `release.dry-run.config.js` (commit-analyzer + release-notes-generator only) via `scripts/release-dry-run.mjs`.

### Fix Focus Areas
- .github/workflows/ci.yml[51-74]
- release.dry-run.config.js[1-9]
- scripts/release-dry-run.mjs[1-20]

### Proposed changes
- Change the job permissions back to `contents: read`.
- Add `persist-credentials: false` to the `actions/checkout` step in that job (mirroring the scorecard workflow) to avoid leaving a token configured in git.

Advisory comments

3. Action not SHA pinned 🐞 Bug ⛨ Security
Description
scorecard.yml uses ossf/scorecard-action@v2.4.0 by tag instead of pinning to a commit SHA, which
is weaker supply-chain hardening for CI workflows.
Code

.github/workflows/scorecard.yml[R27-33]

+      - name: Run OpenSSF Scorecard
+        uses: ossf/scorecard-action@v2.4.0
+        with:
+          results_file: scorecard.sarif
+          results_format: sarif
+          publish_results: true
+
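Review bot: `ossf/scorecard-action@v2.4.0` on the second added line is resolved by a mutable tag; pin the full commit SHA and keep the version in a trailing comment, as the Evidence section recommends (Scorecard's own Pinned-Dependencies check will otherwise flag this workflow). Also, `publish_results: true` requires the job to hold `id-token: write`, because v2 of the action authenticates to the Scorecard API over OIDC; that permissions block is outside this hunk, so check it grants `id-token: write` alongside `security-events: write`, or the publish step fails.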
Evidence
The workflow references the Scorecard action by a version tag rather than a commit digest, which is
a common CI hardening recommendation for third-party actions.

.github/workflows/scorecard.yml[27-33]
Best Practice: GitHub Actions security hardening

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The Scorecard workflow uses a third-party action by tag (`ossf/scorecard-action@v2.4.0`). Pinning actions to a commit SHA is a stronger supply-chain hardening practice.

### Issue Context
This workflow runs on a schedule/push and has `security-events: write` permissions, so it’s worth hardening.

### Fix Focus Areas
- .github/workflows/scorecard.yml[27-33]

### Proposed change
- Replace `ossf/scorecard-action@v2.4.0` with `ossf/scorecard-action@<full_commit_sha>` (optionally keep the version in a comment for readability).

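Added example, not tooling from the project or from Qodo, that turns review findings 2 and 3 into a repeatable check: a line-oriented scan of a workflow file for actions referenced by tag instead of a 40-character commit SHA, for actions/checkout steps that do not set persist-credentials: false, and for jobs whose own permissions block grants contents: write. The workflow text is constructed for the example (the SHA on the pinned checkout is a placeholder, not a real commit), and the scan assumes conventional two-space YAML layout rather than using a full YAML parser.

```javascript
// Added example (not the project's own tooling): line-oriented checks for the
// CI-hardening points raised in the review, run over a constructed workflow.
// Assumes conventional two-space YAML layout; it is not a full YAML parser.

// Constructed sample workflow. The 40-hex SHA on the pinned checkout is a
// placeholder, not a real commit.
const SAMPLE_WORKFLOW = `jobs:
  semantic-release-dry-run:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run OpenSSF Scorecard
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: scorecard.sarif
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Upload
        uses: ./.github/actions/local-thing`;

const SHA_RE = /^[0-9a-f]{40}$/;
const indentOf = (line) => line.length - line.trimStart().length;

// Third-party actions referenced by a mutable tag or branch instead of a commit SHA.
function findUnpinnedActions(text) {
  const out = [];
  text.split('\n').forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) return; // local or image refs
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!SHA_RE.test(version)) out.push({ line: i + 1, uses: ref });
  });
  return out;
}

// actions/checkout steps that keep the job token in .git/config because the
// step's `with:` block does not set persist-credentials: false.
function findCheckoutsPersistingCredentials(text) {
  const ls = text.split('\n');
  const out = [];
  ls.forEach((line, i) => {
    if (!/^\s*-?\s*uses:\s*actions\/checkout@/.test(line)) return;
    const keyIndent = line.indexOf('uses:');
    let persisted = true;
    // Walk the remaining keys of this step; stop at the next step or a parent key.
    for (let j = i + 1; j < ls.length; j++) {
      const l = ls[j];
      if (l.trim() === '') continue;
      if (indentOf(l) < keyIndent || (/^\s*-\s/.test(l) && indentOf(l) <= keyIndent)) break;
      if (/^\s*persist-credentials:\s*false\b/.test(l)) persisted = false;
    }
    if (persisted) out.push(i + 1);
  });
  return out;
}

// Jobs whose own permissions block grants contents: write (job-level only;
// a workflow-level permissions block is not inspected here).
function findJobsWithContentsWrite(text) {
  const out = [];
  let inJobs = false;
  let job = null;
  text.split('\n').forEach((line) => {
    if (/^jobs:\s*$/.test(line)) { inJobs = true; return; }
    if (inJobs && indentOf(line) === 2 && /^\s*[\w-]+:\s*$/.test(line)) { job = line.trim().slice(0, -1); return; }
    if (job && /^\s*contents:\s*write\b/.test(line) && !out.includes(job)) out.push(job);
  });
  return out;
}

function auditWorkflow(text) {
  return {
    unpinned: findUnpinnedActions(text),
    checkoutsPersistingCredentials: findCheckoutsPersistingCredentials(text),
    jobsWithContentsWrite: findJobsWithContentsWrite(text),
  };
}

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Run against the sample it reports both tag-pinned actions (lines 8 and 10), the checkout on line 8 that persists its token, and the semantic-release-dry-run job as the one with contents: write; the scorecard job, which pins by SHA and sets persist-credentials: false, is clean. A reviewer can feed a real workflow in with `fs.readFileSync` in place of the constructed string.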

…site

# Conflicts:
#	readme.md
#	site/index.html
#	site/styles.css
Comment thread readme.md
Comment on lines +25 to +27
<p align="center">
<img src="./site/assets/icon.svg" width="120" height="120" alt="semantic-release-npm-github-publish icon">
</p>

Action required

1. Broken npm readme image 🐞 Bug ≡ Correctness

readme.md embeds ./site/assets/icon.svg, but package.json’s files allowlist excludes
site/**, so the image will be missing from the published package and render broken on npmjs.com
and in node_modules.

@oleg-koval oleg-koval merged commit 6480cca into main May 2, 2026
10 checks passed
@oleg-koval oleg-koval deleted the feat/github-pages-website branch May 2, 2026 07:27
@github-actions

github-actions Bot commented May 2, 2026

🎉 This PR is included in version 1.7.6 🎉

The release is available on:

Your semantic-release bot 📦🚀
