Skip to content

chore(scorecard): version bump to v1.51.2#3284

Open
Eswaraiahsapram wants to merge 9 commits into
redhat-developer:mainfrom
Eswaraiahsapram:scorecard-bump-1.51.0
Open

chore(scorecard): version bump to v1.51.2#3284
Eswaraiahsapram wants to merge 9 commits into
redhat-developer:mainfrom
Eswaraiahsapram:scorecard-bump-1.51.0

Conversation

@Eswaraiahsapram

@Eswaraiahsapram Eswaraiahsapram commented Jun 3, 2026

Copy link
Copy Markdown
Member

Hey, I just made a Pull Request!

Scorecard version bump

Fix - https://redhat.atlassian.net/browse/RHIDP-13795

Screen.Recording.2026-06-03.at.8.55.19.PM.mov

E2E Test Fixes (Playwright)

Problem: All e2e tests were failing at the guest login step after the Backstage 1.51.2 version bump. The error was:

"You cannot sign in as a guest, you must either enable the legacy guest token or configure the auth backend to support guest sign in."

Root Cause: In @backstage/core-components 0.18.11, the guest sign-in flow now requires the backend's /api/auth/guest/refresh endpoint to be ready before sign-in can succeed. The previous playwright.config.ts only waited for the frontend (port 3000) to be available, but the backend (port 7007) takes longer to start. Tests would begin before the backend was ready, causing guest auth to fail.

Changes (aligned with workspaces/adoption-insights e2e setup):

  1. playwright.config.ts — Restructured to follow the same pattern as adoption-insights:
  • Per-locale webServer array: starts an isolated server instance per locale with separate ports
  • Waits for the backend readiness endpoint (/.backstage/health/v1/readiness) instead of just a frontend port, ensuring the auth backend is fully initialized before tests run
  • Per-project baseURL for locale isolation
  • reuseExistingServer: false for CI reliability
  1. e2e-tests/test_yamls/app-config-e2e-{locale}.yaml (6 files) — Same structure as adoption-insights/e2e-tests/test_yamls/. Per-locale config overrides that assign unique frontend/backend ports so each locale runs in isolation:

How to test

  1. Configure the GitHub integration in app-config.yaml
integrations:
  github:
    - host: github.com
      token: GITHUB_TOKEN
  1. Configure the Jira integration in app-config.yaml
jira:
  baseUrl: https://redhat.atlassian.net
  token: JIRA_TOKEN
  product: cloud
  1. Configure proxy in app-config.yaml
proxy:
  '/jira/api':
    target: https://redhat.atlassian.net
    headers:
      Authorization: <JIRA_PAT>
      Accept: 'application/json'
      Content-Type: 'application/json'
      X-Atlassian-Token: 'nocheck'
      User-Agent: 'MY-UA-STRING'
  1. Already, we have a few example entities in the examples folder to test.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-gh-app

rhdh-gh-app Bot commented Jun 3, 2026

Copy link
Copy Markdown

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

Package Name Package Path Changeset Bump Current Version
app-legacy workspaces/scorecard/packages/app-legacy none v0.0.0
app workspaces/scorecard/packages/app none v0.0.0
backend workspaces/scorecard/packages/backend none v0.0.0
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot workspaces/scorecard/plugins/scorecard-backend-module-dependabot minor v0.2.13
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-filecheck workspaces/scorecard/plugins/scorecard-backend-module-filecheck minor v0.1.11
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-github workspaces/scorecard/plugins/scorecard-backend-module-github minor v2.7.9
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-jira workspaces/scorecard/plugins/scorecard-backend-module-jira minor v2.7.9
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-openssf workspaces/scorecard/plugins/scorecard-backend-module-openssf minor v0.2.13
@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube workspaces/scorecard/plugins/scorecard-backend-module-sonarqube minor v0.1.8
@red-hat-developer-hub/backstage-plugin-scorecard-backend workspaces/scorecard/plugins/scorecard-backend minor v2.7.9
@red-hat-developer-hub/backstage-plugin-scorecard-common workspaces/scorecard/plugins/scorecard-common minor v2.7.9
@red-hat-developer-hub/backstage-plugin-scorecard-node workspaces/scorecard/plugins/scorecard-node minor v2.7.9
@red-hat-developer-hub/backstage-plugin-scorecard workspaces/scorecard/plugins/scorecard minor v2.7.9

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 3, 2026

Copy link
Copy Markdown

Review

Findings

Medium

  • [dependency-compatibility] workspaces/scorecard/plugins/scorecard/package.json:58 — The published package @red-hat-developer-hub/backstage-plugin-scorecard bumps @backstage/plugin-catalog-react from ^2.1.1 to ^3.0.0 (major version), @backstage/frontend-plugin-api from ^0.15.1 to ^0.17.1 (breaking under 0.x semver), and @backstage/plugin-permission-react from ^0.4.41 to ^0.5.1 (breaking under 0.x semver). Consumers must upgrade their Backstage framework to a compatible version (v1.51.2+) when adopting this plugin version.
    Remediation: Document the minimum required Backstage version (1.51.2) in the changelog or release notes so consumers know which framework version to target.

Low

  • [test-integrity] workspaces/scorecard/plugins/scorecard/src/alpha/blueprints/ScorecardLayoutBlueprint.test.tsx:60 — The inline snapshot for configSchema.schema changed from a full JSON schema object to [Function], reflecting an upstream change in how @backstage/frontend-plugin-api represents config schemas (lazy getter). The snapshot accurately captures the new runtime behavior.
  • [scope-creep] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx — The Sidebar.tsx refactoring hardcodes Home, Catalog, and Settings items rather than rendering them dynamically from the items array. This is a necessary adaptation for the Backstage v1.51.2 new frontend system: the PR also explicitly registers catalogPlugin and userSettingsPlugin in App.tsx, which causes their nav items to appear in the dynamic items list. The refactoring filters out duplicates to prevent double-rendering.
  • [naming-convention] workspaces/scorecard/packages/app-legacy/src/components/Root/Root.tsx:89 — The Home SidebarItem changed from to="" to to="/". Other sibling items still use relative paths (to="catalog", to="api-docs"), creating a mixed convention.
  • [edge-case] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:39 — Auto-accepting all dialogs via page.on('dialog') could mask real bugs. If an unexpected dialog appears, it will be silently accepted rather than causing a visible test failure.
  • [unused-variable] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:70splitNavItems still computes and returns footerItems but no caller uses it after the refactoring. Dead code.
Previous run

Review

Findings

High

  • [logic-error] workspaces/scorecard/playwright.config.ts:76 — The per-project baseURL (http://localhost:${FRONTEND_PORT_BASE + i}) is unconditionally set, which overrides the global baseURL that respects process.env.PLAYWRIGHT_URL. In Playwright, project-level use fields override global use fields, so the global baseURL: process.env.PLAYWRIGHT_URL ?? 'http://localhost:3000' on line 63 becomes dead code for all projects. When PLAYWRIGHT_URL is provided (e.g., CI environments pointing to an external server), each project will still attempt to connect to localhost:300x instead of the provided URL, while no webServer is started (the webServer array is empty when PLAYWRIGHT_URL is set).
    Remediation: Make the per-project baseURL conditional: baseURL: process.env.PLAYWRIGHT_URL ?? \http://localhost:${FRONTEND_PORT_BASE + i}``

Medium

  • [test-weakened] workspaces/scorecard/plugins/scorecard/src/alpha/blueprints/ScorecardLayoutBlueprint.test.tsx:46 — The inline snapshot assertion for configSchema.schema is weakened from a full JSON Schema object (32 lines of structural validation including property types, required fields, and additionalProperties constraints) to "schema": [Function]. This removes validation that the config schema defines the expected groups property with correct types and required fields. While this likely reflects an upstream API change in Backstage (lazy schema getter), the loss of structural coverage means regressions in the config schema definition would go undetected by this test.
    Remediation: Add a separate assertion that calls the schema function and validates the returned schema object, e.g., expect(result.configSchema.schema()).toMatchObject({ properties: { groups: { type: 'object' } } })
Previous run (2)

Review

Reason: stale-head

The review agent reviewed commit 449fe63444de1b82a2a715ac58b353dbaffe3c75 but the PR HEAD is now 11f73ac9d51f02032cc2d00dd7fc8f0f74632999. This review was discarded to avoid approving unreviewed code.

Previous run (3)

Looks good to me

Review

Findings

Low

  • [type-cast idiom] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast is a broad type-suppression pattern not used anywhere else in this codebase, introduced to work around a Recharts Tooltip type incompatibility. The behavioral change (conditionally rendering the Tooltip vs always rendering with a no-op) is safe, but the cast defeats compile-time type checking for this prop.
    Remediation: Prefer a more precise cast or adjust the tooltipContent prop type to align with Recharts' expected Tooltip.content type.

  • [auth configuration] workspaces/scorecard/app-config.yaml:182 — The guest auth provider config changes from explicit userEntityRef: user:development/guest to guest: {} with environment: development added. The RBAC admin config still references user:development/guest. Verify the default guest provider identity in Backstage v1.51.2 resolves to the same entity ref.
    Remediation: Confirm that the default guest provider identity matches user:development/guest so RBAC admin permissions are preserved.

  • [scope creep] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx — The PR includes a substantial refactoring of Sidebar.tsx (hardcoding Home/Catalog items, removing conditional footer rendering, dropping Fragment-based rendering). This is likely necessitated by the @backstage/plugin-catalog-react v2→v3 major bump and @backstage/frontend-plugin-api 0.15→0.17 changes, but the PR body does not explain the motivation.
    Remediation: Update the PR description to note which upstream breaking changes required the sidebar refactoring.

  • [scope creep] workspaces/scorecard/packages/app/src/App.tsx — Two new plugin imports (catalogPlugin, userSettingsPlugin) added to the features array. Likely required by the Backstage version upgrade but undocumented.
    Remediation: Add a note in the PR body explaining the explicit plugin registration requirement.

  • [unused code] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx — The splitNavItems function still computes and returns footerItems, but the caller no longer destructures it. This is dead code after the refactoring.
    Remediation: Remove the footerItems computation from splitNavItems or remove the function if no longer needed.

Previous run (4)

Looks good to me

Review

Findings

Low

  • [type-safety] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast on the Tooltip content prop silences a type mismatch between tooltipContent and the recharts Tooltip.content prop type. While this works at runtime, it permanently disables type checking on this prop. Consider using a properly narrowed type assertion (e.g., as ContentType<string, string> from recharts) or a thin wrapper function.

  • [sidebar-settings-visibility-regression] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:135 — The Settings sidebar group changes from conditional (shown only when footerItems has items) to always rendered. The addition of userSettingsPlugin to App.tsx features should register the /settings route, but worth verifying.

  • [missing-feature-registration] workspaces/scorecard/packages/app/src/App.tsx:36catalogPlugin and userSettingsPlugin are imported from alpha packages and added to the features array. Verify no auto-discovery mechanism already registers these plugins, which could cause duplicate extension conflicts.

  • [e2e-test-fragility] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — The switchToLocale method changes from click-based navigation to goto() calls, which is more reliable. The Root.tsx path change from "" to "/" should resolve to the same route.

  • [behavioral-change] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — Tooltip is now conditionally mounted/unmounted rather than always rendered with a no-op content function. Low risk as recharts handles optional children gracefully.

Previous run (5)

Review

Findings

Medium

  • [dead-code] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:70 — The splitNavItems function still computes and returns footerItems, but the component now destructures only { headerItems, mainItems }. The footerItems computation becomes dead code. Additionally, splitNavItems filters out items whose to includes /settings from mainItems (moving them to footerItems), but since footerItems is no longer consumed and the footer Settings group is now hardcoded, any dynamically-registered settings-related nav items are silently dropped from the sidebar.
    Remediation: Clean up splitNavItems to remove the footerItems computation, or stop filtering /settings items from mainItems since the footer is now hardcoded.

  • [architectural-inconsistency] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:82 — The Sidebar uses the legacy NavContentBlueprint API with ({ items }) and manual array sorting/filtering (68 lines of helper code). Several other workspaces in the repo have migrated to the newer ({ navItems }) API with .withComponent(), .take(), and .rest() methods, which achieves the same result more declaratively. Not all workspaces have migrated yet (adoption-insights, bulk-import also use the old API), so this is not blocking, but the version bump would be a natural opportunity to align.
    Remediation: Consider migrating to the ({ navItems }) API to reduce code complexity and align with the repo's migration trajectory. See workspaces/app-defaults/packages/app/src/modules/nav/Sidebar.tsx for an example.

Low

  • [auth-config] workspaces/scorecard/app-config.yaml:185 — The guest provider config changes from guest: { userEntityRef: user:development/guest } to guest: {}. Backstage defaults to user:default/guest when no userEntityRef is specified, but the RBAC admin config at line 225 still references user:development/guest. The guest user will authenticate as user:default/guest but the RBAC admin entry expects user:development/guest, causing the dev guest user to lose admin privileges. This only affects the local development environment.
    Remediation: Update the RBAC admin entry at line 225 to user:default/guest, or retain userEntityRef: user:development/guest in the guest provider config.

  • [type-safety] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast on the Tooltip content prop suppresses the type mismatch between tooltipContent and recharts' expected prop type. The behavioral change (conditional rendering instead of passing a no-op function) is correct, but as never is an aggressive escape hatch that will hide future type incompatibilities if recharts' API changes.
    Remediation: Consider a more targeted type assertion (e.g., adjusting PieTooltipContentProps to extend recharts' TooltipProps) rather than as never.

  • [edge-case] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:77 — Pre-existing: if a locale is not in LOCALE_DISPLAY_NAMES, getLocaleDisplayName returns the raw locale string, which likely won't match any dropdown option, causing a test timeout rather than a clear failure message.

  • [scope-creep] workspaces/scorecard/app-config.yaml:181 — The auth config restructuring (adding environment: development, simplifying guest provider) is a behavioral change. While likely required for v1.51.2 compatibility, it changes how the guest user is identified at runtime and should be called out explicitly in the PR description.

  • [scope-creep] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:39 — The e2e test page object contains non-trivial behavioral changes (dialog handler, page.goto()-based navigation). These are likely necessary adaptations for v1.51.2 UI changes but would benefit from a brief explanation in the PR description.

  • [api-shape] workspaces/scorecard/packages/app/src/App.tsx:36 — The PR adds explicit catalogPlugin and userSettingsPlugin imports from alpha packages, which matches the pattern in some NFS-style apps (orchestrator, app-defaults). Other NFS apps (extensions, quickstart) do not include these. This is a reasonable adaptation but not universally required.

Previous run (6)

Review

Findings

Medium

  • [behavioral change] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:80 — The refactored Sidebar hardcodes Home, Catalog, and MyGroups items and filters them from the dynamic items list. The new filter uses item.to.includes('/catalog') which would incorrectly filter out any dynamic nav item whose path contains /catalog as a substring (e.g., /catalog-something). The pre-existing code had the same substring issue for catalog icon replacement but the consequence was wrong icon; now the consequence is item hidden entirely.
    Remediation: Use a more precise path match, e.g., item.to === '/catalog' || item.to.startsWith('/catalog?') || item.to.startsWith('/catalog/') instead of item.to.includes('/catalog').

  • [scope creep] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:103 — The Sidebar component has been substantially refactored: Home and Catalog items are now hardcoded instead of derived from nav items, footer conditional removed, Fragment pattern replaced. This is a behavioral change to navigation logic bundled with a version bump. If necessitated by breaking changes in plugin-catalog-react v3 or frontend-plugin-api v0.17, the PR description should say so.
    Remediation: Either split the Sidebar refactoring into a separate PR or explicitly document why the version bump necessitated these navigation changes.

  • [scope creep] workspaces/scorecard/packages/app/src/App.tsx:18 — Two new plugin imports (catalogPlugin and userSettingsPlugin from alpha entry points) were added. Adding new plugin registrations changes runtime behavior and is not a mechanical version bump.
    Remediation: Document in the PR description why these new imports are required by the version bump. If not required, move to a separate PR.

Low

  • [authentication] workspaces/scorecard/app-config.yaml:185 — The guest provider config changed from explicit userEntityRef: user:development/guest to guest: {}, making the guest identity resolution implicit. The RBAC admin config still references user:development/guest, so a future upstream default change could silently break the admin grant.

  • [dead code / unused return value] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:70 — The splitNavItems function still computes and returns footerItems, but after this change the caller destructures only { headerItems, mainItems }. The footerItems filtering logic and return become dead code.

  • [type-safety / suppression pattern] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The change introduces as never to cast tooltipContent, which is a blanket type suppression. This is likely needed because the local PieTooltipContentProps interface drifted from Recharts' expected Tooltip content prop type after the version bump. Consider aligning the local interface instead.

  • [path convention inconsistency] workspaces/scorecard/packages/app-legacy/src/components/Root/Root.tsx:89 — The diff changes Home SidebarItem path from "" to "/" but leaves other items using relative paths without leading slash (e.g., catalog, api-docs). Mixed convention within Root.tsx.

  • [scope creep] workspaces/scorecard/app-config.yaml:182 — Auth configuration changed from explicit guest provider config to minimal guest: {} and added environment: development. If required by the Backstage version upgrade, note it in the PR description.

  • [scope creep] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:96 — E2E tests modified with new dialog handling, navigation strategy changes. If these fix breakage caused by the Backstage version bump, document it.

  • [changeset accuracy] workspaces/scorecard/.changeset/icy-poets-run.md:1 — All 10 packages are marked as minor bump. While minor may be appropriate given the major dependency version jumps (plugin-catalog-react ^2→^3, plugin-scaffolder-backend ^3→^4), the changeset description only says "Backstage version bump to v1.51.2" without mentioning the code changes.

Previous run (7)

Review

Findings

Medium

  • [api-contract] workspaces/scorecard/app-config.yaml:225 — The diff changes the guest auth provider from guest: { userEntityRef: user:development/guest } to guest: {}, which causes Backstage to default the guest user entity ref to user:default/guest. However, the RBAC admin config at line 225 still references user:development/guest, the catalog entity in examples/orgs/guest.yaml defines the user in namespace development, and component ownership in examples/components/all-scorecards.yaml uses owner: user:development/guest. After this change, the guest user will log in as user:default/guest but RBAC admin privileges are granted to user:development/guest — so the dev guest user will lose admin permissions for scorecard, catalog, permission, and scaffolder plugins.
    Remediation: Either keep userEntityRef: user:development/guest in the guest provider config, or update the RBAC admin config (line 225), the catalog entity (examples/orgs/guest.yaml), and component ownership references to use user:default/guest instead.

Low

  • [type-safety] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast on tooltipContent suppresses the type checker entirely. While the behavioral change (conditionally rendering Tooltip instead of passing a no-op) is correct, the as never cast means any type mismatch between tooltipContent and recharts' expected Tooltip.content prop type will be silently ignored in future upgrades.
    Remediation: Use a more precise cast or fix the type of tooltipContent to match recharts' expected type directly.
Previous run (8)

Review

Findings

Low

  • [edge-case] workspaces/scorecard/packages/app/src/modules/nav/Sidebar.tsx:109 — The filter .filter(item => !item.to.includes('/catalog') && item.to !== '/' && item.to !== '/home') uses includes('/catalog') which would match paths containing '/catalog' as a substring (e.g., '/catalog-import'), hiding them from the sidebar. This is a pre-existing pattern already used in the same file at MAIN_NAV_ORDER and the icon selection logic, so it is not a regression introduced by this PR, but the new filter raises the consequence from icon-swap to complete omission.

  • [type-safety] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never type cast on tooltipContent silences all type checking on the content prop of the recharts Tooltip component. The component defines its own PieTooltipContentProps interface that may not exactly match recharts' expected type, which is likely why the cast exists. A more targeted cast would preserve partial type safety.

Previous run (9)

Review

Reason: stale-head

The review agent reviewed commit 5dbd4785ef6516f641ffe81d5687a247550b9ed3 but the PR HEAD is now 79c12a098e0fc8bcb1a3ee5da6bdaadd352d45fd. This review was discarded to avoid approving unreviewed code.

Previous run (10)

Review

Findings

Medium

  • [type safety / suppressed type error] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast on tooltipContent is a type-safety escape hatch that silences any type mismatch between the component's PieTooltipContentProps interface and what recharts 3.x expects for Tooltip.content. Since PieTooltipContentProps uses conventional recharts tooltip fields (active, coordinate, payload, label), a runtime failure is unlikely in practice, but the cast will hide any future compile-time breakage if recharts changes the content prop contract.
    Remediation: Import the recharts 3.x tooltip content type and either align PieTooltipContentProps to extend it, or write a thin adapter wrapper so the cast is unnecessary.

Low

  • [behavioral change in disabled tooltip path] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The falsy branch changed from () => null (a render function that returns nothing, suppressing the tooltip) to undefined (no custom content, so recharts renders its default tooltip). When tooltipContent is not provided, the <Tooltip> element is still rendered (it is not conditionally omitted), so recharts will show its built-in default tooltip on hover instead of showing nothing.
    Remediation: If the intent is to suppress tooltips entirely when tooltipContent is not provided, restore () => null or conditionally omit the <Tooltip> component when isTooltipEnabled is false.

Labels: PR is a dependency version bump for the scorecard workspace

Previous run (11)

Review

Findings

Medium

  • [logic-error] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — Changing the disabled-tooltip fallback from () => null to undefined alters runtime behavior. When tooltipContent is not provided (as in AverageCardComponent), isTooltipEnabled is false and content receives undefined. In recharts v3 (recharts@^3.3.0), passing content={undefined} to <Tooltip> causes recharts to render its built-in default tooltip on hover, whereas the old content={() => null} rendered nothing. This will produce an unwanted default tooltip on the AverageCard pie chart.
    Remediation: Keep the falsy branch as a function that returns null: content={isTooltipEnabled ? (tooltipContent as never) : () => null}, or conditionally render the <Tooltip> component only when isTooltipEnabled is true.

Low

  • [edge-case] workspaces/scorecard/plugins/scorecard/src/components/ScorecardHomepageSection/ResponsivePieChart.tsx:137 — The as never cast on tooltipContent silences any type incompatibility between the component's PieTooltipContentProps signature and recharts v3's expected Tooltip.content prop type. This hides potential mismatches rather than properly aligning the types.

  • [test-weakened] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — The switchToLocale method changed from clicking the 'Settings' link and 'Home' link to using direct page.goto() calls. This means switchToLocale no longer verifies that the Settings link and Home link are present and clickable in the UI, reducing coverage of the navigation flow.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailability on deployment. This PR is a mechanical version bump that would have triggered the early-exit criteria, so impact is negligible.
Previous run (12)

Review

Findings

Critical

  • [stale-reference] workspaces/scorecard/packages/backend/src/index.ts:95 — The PR removes @backstage/plugin-mcp-actions-backend from packages/backend/package.json dependencies, but packages/backend/src/index.ts line 95 still contains backend.add(import('@backstage/plugin-mcp-actions-backend'));. This stale import will cause a build failure or runtime crash when the backend starts, since the package will no longer be installed.
    Remediation: Either (a) remove line 95 from packages/backend/src/index.ts to match the dependency removal, or (b) keep @backstage/plugin-mcp-actions-backend in package.json with an updated version compatible with Backstage 1.51.2.

Low

  • [unused-dependency] workspaces/scorecard/plugins/scorecard-node/package.json — The uuid package (^9.0.1) is added as a new dependency but no source file under plugins/scorecard-node/src/ imports or references it. This is likely an artifact of the Backstage version bump tooling. Consider removing it if not needed, or verify whether it is now required as a peer dependency of an upstream package.
Previous run (13)

Review

Findings

Critical

  • [stale-reference] workspaces/scorecard/packages/backend/src/index.ts:95 — The PR removes @backstage/plugin-mcp-actions-backend from packages/backend/package.json but does not remove the corresponding backend.add(import('@backstage/plugin-mcp-actions-backend')) on line 95 of packages/backend/src/index.ts. At build or startup time, the backend will fail because the module is no longer installed as a dependency.
    Remediation: Either remove line 95 from packages/backend/src/index.ts, or keep the dependency in package.json and update its version as part of the bump.

Medium

  • [unused-dependency] workspaces/scorecard/plugins/scorecard-node/package.json — The PR adds uuid (^9.0.1) as a new dependency to scorecard-node/package.json, but there are zero imports or references to uuid anywhere in the scorecard-node/src directory. This appears to be an unnecessary dependency addition that increases bundle size and supply-chain surface.
    Remediation: Verify whether uuid is actually needed. If not, remove it from this PR.

Low

  • [incomplete-test-update] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:46 — The PR changes switchToLocale to use page.goto() instead of clicking sidebar links, but loginAndSetLocale at line 46 still uses getByRole('link', { name: 'Home' }) for a visibility assertion. While this is less likely to break than click interactions, it is worth verifying the assertion still passes with Backstage v1.51.2.

  • [stale-reference] workspaces/scorecard/plugins/scorecard-backend/README.md:343 — The README references @backstage/plugin-mcp-actions-backend in installation instructions (lines 343-355). If this dependency is intentionally removed from the example backend, the documentation should be updated or clarified as optional.

Info

  • [sub-agent-failure] The style-conventions sub-agent did not return findings: model not available in deployment. This does not affect the review outcome for a version-bump PR.
Previous run (14)

Review

Findings

Medium

  • [unused dependency] workspaces/scorecard/plugins/scorecard-node/package.json:51 — The diff adds uuid: ^9.0.1 as a new runtime dependency to scorecard-node, but there are zero imports or references to uuid anywhere in the scorecard-node/src/ source tree. This is either a premature addition (code that uses it is missing from this PR) or an accidental inclusion. Shipping an unused dependency increases bundle size and attack surface for no benefit.
    Remediation: Remove the uuid dependency from scorecard-node/package.json unless there is companion code in this PR that was accidentally omitted. If uuid usage is planned for a follow-up PR, add the dependency in that PR instead.

Low

  • [test behavior change] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — The switchToLocale method changes from SPA-style navigation (clicking sidebar links) to full-page navigations via page.goto('/settings') and page.goto('/'). While page.goto() is generally more reliable in e2e tests, it no longer exercises the sidebar navigation path. This is minor given the version bump context where old selectors may no longer match the updated Backstage UI.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment. Style review was skipped for this run.

  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment. Intent/scope review was skipped for this run.

Previous run (15)

Review

Findings

Low

  • [unused dependency] workspaces/scorecard/plugins/scorecard-node/package.json — The uuid package (^9.0.1) is added as a new production dependency, but no source file in scorecard-node/src imports or references uuid. This may have been added by backstage-cli versions:bump to satisfy a transitive dependency requirement, which is a common pattern in Backstage version bumps, but the necessity should be confirmed.
    Remediation: Verify whether uuid is actually needed (e.g., check if a newer version of @backstage/backend-plugin-api or @backstage/plugin-catalog-node requires it as a peer dependency). If not needed, remove it from dependencies.

  • [test behavior change] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — The switchToLocale method changes from clicking the Settings link (SPA navigation) to page.goto('/settings') (full page navigation), and similarly from clicking a Home link to page.goto('/'). Using page.goto() triggers a full browser navigation rather than a client-side route transition, which reduces the fidelity of the E2E test — if the Settings or Home links break in the sidebar, this test would not catch it.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model not available on deployment. This is a non-critical dimension for a mechanical version-bump PR.

  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model not available on deployment. This is a non-critical dimension for a mechanical version-bump PR.

Previous run (16)

Review

Findings

Medium

  • [Incomplete fix / consistency] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/HomePage.ts:42 — The PR changes CatalogPage.switchToLocale to use page.goto() instead of clicking sidebar links for navigation (both the Settings link and the Home link). However, HomePage.navigateToHome() at line 42 still uses this.page.getByRole('link', { name: 'Home' }).first().click() for navigation. This method is called in scorecard.test.ts at lines 455 and 733, and in homepageWidgetUtils.ts at lines 34 and 42. If the sidebar structure changed in v1.51.2 requiring the CatalogPage fix, navigateToHome() is likely affected too.
    Remediation: Update HomePage.navigateToHome() to use await this.page.goto('/') for consistency with the CatalogPage fix, or verify that the Home link selector still works in v1.51.2 and document why the two cases differ.

Low

  • [Metadata inconsistency] workspaces/scorecard/.changeset/icy-poets-run.md — The PR title says "version bump to v1.51.0" but the changeset and backstage.json both target v1.51.2. No runtime impact — code is internally consistent at v1.51.2.

Info

  • [Auto-generated output] workspaces/scorecard/plugins/scorecard/report-alpha.api.md — The property reordering in configInput (path and title swapped) is consistent with auto-generated API Extractor output. No functional change.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model not available. This dimension was not evaluated; however, a dependency version bump PR has minimal style surface area.

Previous run (17)

Review

Reason: stale-head

The review agent reviewed commit 6548a291ce4348892532517d0631e8e5cd5da6ca but the PR HEAD is now a801f336cce6ebafb4bfb6ccbb9d212aeb0d5721. This review was discarded to avoid approving unreviewed code.

Previous run (18)

Review

Findings

Low

  • [test-weakened] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72switchToLocale switches from role-based link clicking (getByRole('link', { name: 'Settings' })) to direct URL navigation (page.goto('/settings')). This bypasses UI element verification for the settings and home navigation links. However, this pattern is consistent with existing page.goto() usage in loginAndSetLocale() and openCatalog() in the same file, and the method's core purpose (locale switching) remains fully tested. Likely a necessary adaptation to Backstage v1.51.0 sidebar changes.

  • [pattern-violation] workspaces/scorecard/plugins/scorecard/report-alpha.api.md:57 — The configInput property ordering changed from {title, path} to {path, title}. This is a cosmetic reordering in the auto-generated API report, likely caused by a change in API Extractor's output ordering in the new Backstage version. No semantic impact.

Info

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json — Several major version bumps included: @backstage/plugin-catalog-react ^2.x → ^3.0.0, @backstage/plugin-scaffolder-backend ^3.x → ^4.0.0, @backstage/frontend-plugin-api ^0.15.x → ^0.17.0. No source code changes accompany these bumps, suggesting the consumed API surface was not affected. CI build and test results should confirm compatibility.

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: the sonnet model was unavailable on this deployment. This is a sonnet-tier dimension and does not block the review.

Previous run (19)

Review

Findings

Low

  • [api-contract] workspaces/scorecard/.changeset/icy-poets-run.md — Changeset marks all scorecard packages as minor despite consuming major dependency version bumps (@backstage/plugin-catalog-react v2→v3, @backstage/plugin-scaffolder-backend v3→v4). The generated API report (report-alpha.api.md) shows only a cosmetic property reorder, confirming no breaking type changes propagated to the scorecard plugins' public API. This appears consistent with standard Backstage version bump practice, but worth verifying that no breaking changes affect downstream consumers.

  • [test-inadequate] workspaces/scorecard/packages/app-legacy/e2e-tests/pages/CatalogPage.ts:72 — E2E test replaced UI-element-based navigation (getByRole('link', { name: 'Settings' }) and locator('a').filter({ hasText: 'Home' })) with direct page.goto() calls. This is reasonable for a version bump (the UI elements may have changed), but slightly reduces coverage of navigation link presence/functionality. The affected code is test setup, not the behavior under test.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md — Typo in changeset description: "Backsatge" should be "Backstage".

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on deployment. Style review was not performed for this PR.
Previous run (20)

Review

Findings

Medium

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json:59@backstage/plugin-catalog-react is bumped from ^2.1.1 to ^3.0.0 (major version). The scorecard plugin imports EntityContentBlueprint, useEntity, catalogApiRef, entityRouteRef, EntityRefLink, and EntityRefLinks from this package across 8 source files. A major version bump may include breaking API changes. No source code changes accompany this bump, so if any of these imports changed shape in v3, the build will fail silently after merge.
    Remediation: Confirm CI build and test suite pass. Verify all imports from @backstage/plugin-catalog-react are still valid in v3.0.0.

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json:56@backstage/frontend-plugin-api is bumped from ^0.15.1 to ^0.17.0 (two minor versions on a 0.x package, which per semver may include breaking changes). The scorecard plugin imports createFrontendPlugin, createFrontendModule, PageBlueprint, createApiFactory, and ApiBlueprint from this package. The report-alpha.api.md shows a property reorder in configInput, confirming the API extractor ran against the new version and the generated surface shifted.
    Remediation: Confirm CI passes. For 0.x packages, even minor bumps can be breaking per semver.

Low

  • [api-contract] workspaces/scorecard/packages/backend/package.json:38@backstage/plugin-scaffolder-backend is bumped from ^3.2.0 to ^4.0.0 (major version). No scorecard source code directly imports from this package (it is a backend app dependency only), so the risk is limited to runtime module registration changes.

  • [api-contract] workspaces/scorecard/packages/app-legacy/package.json:41@backstage/plugin-permission-react is bumped from ^0.4.41 to ^0.5.1 (minor on 0.x). The app-legacy package uses RequirePermission from this package — verify it still works with 0.5.x.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md:14 — Typo in changeset description: "Backsatge" should be "Backstage".

Info

  • [test-adequacy] This PR bumps multiple dependencies with major version changes but modifies zero source or test files. Ensure the CI build, type-checking, and test suite have been validated against the new dependency versions.

  • [sub-agent-failure] The style-conventions, intent-coherence, and cross-repo-contracts sub-agents could not be dispatched (model unavailable). These are sonnet-tier dimensions; findings from these dimensions were not evaluated for this review.

Previous run (21)

Review

Findings

High

  • [api-contract] workspaces/scorecard/plugins/scorecard/package.json — Several dependencies have major version bumps (plugin-catalog-react v2→v3, plugin-scaffolder-backend v3→v4, frontend-plugin-api v0.15→v0.17, plugin-permission-react v0.4→v0.5, ui v0.13→v0.15) but no source code (.ts/.tsx) files are modified in this PR. CI confirms a problem: both "Workspace scorecard, CI step for node 22" and "node 24" are failing, while the Verify step passes. The source code imports from these packages (e.g., entityRouteRef, useEntity, useEntityPresentation from plugin-catalog-react; RequirePermission from plugin-permission-react; PageBlueprint, createFrontendModule from frontend-plugin-api). Major version bumps can introduce breaking changes to APIs, type signatures, or runtime behavior.
    Remediation: Investigate the CI failures in the scorecard workspace CI step. Review the Backstage upgrade changelogs for plugin-catalog-react v3, plugin-scaffolder-backend v4, frontend-plugin-api v0.16/v0.17, and plugin-permission-react v0.5 for migration steps. Apply any required source code changes to fix the build/tests.

Low

  • [api-contract] workspaces/scorecard/packages/backend/package.jsonplugin-scaffolder-backend is bumped from ^3.2.0 to ^4.0.0 (major version) and plugin-auth-backend from ^0.27.3 to ^0.29.0 (skipping v0.28). While packages/backend only wires these as backend modules, major version bumps in backend plugins can change module registration APIs, configuration schemas, or database migration behavior.
    Remediation: Review Backstage changelogs for plugin-scaffolder-backend v4.0.0 and plugin-auth-backend v0.29.0 to confirm no migration steps are needed.

  • [naming-convention] workspaces/scorecard/.changeset/icy-poets-run.md:14 — Typo in changeset description: "Backsatge version bump to v1.51.0" should be "Backstage version bump to v1.51.0". This text will appear in the published changelog.
    Remediation: Fix the typo: BacksatgeBackstage.

Info

  • [sub-agent-failure] N/A — The style-conventions and intent-coherence sub-agents did not return findings: model not available on deployment. These are sonnet-tier dimensions and do not block the review.
Previous run (22)

Review

Reason: stale-head

The review agent reviewed commit 19a59bb9d4d30ad380ca3fce1805f8aa5094d171 but the PR HEAD is now 4b5264d23fdd75f36b2d332b25183ec129b9a9a3. This review was discarded to avoid approving unreviewed code.

Previous run (23)

Review

Reason: stale-head

The review agent reviewed commit 3b9be5228239f6d27e2bed351bd41ad3074da819 but the PR HEAD is now 19a59bb9d4d30ad380ca3fce1805f8aa5094d171. This review was discarded to avoid approving unreviewed code.

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

'@red-hat-developer-hub/backstage-plugin-scorecard': minor
---

Backsatge version bump to v1.51.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] naming-convention

Typo in changeset description: 'Backsatge version bump to v1.51.0' should be 'Backstage version bump to v1.51.0'. This text will appear in the published changelog.

Suggested fix: Fix the typo: Backsatge → Backstage.

@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 4b5264d to 1cd6c9b Compare June 3, 2026 16:11
@codecov

codecov Bot commented Jun 3, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.21%. Comparing base (b9f42ce) to head (2162b7c).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3284      +/-   ##
==========================================
- Coverage   54.21%   54.21%   -0.01%     
==========================================
  Files        2312     2312              
  Lines       88532    88534       +2     
  Branches    24621    24631      +10     
==========================================
  Hits        48001    48001              
- Misses      40229    40231       +2     
  Partials      302      302              
Flag Coverage Δ *Carryforward flag
adoption-insights 83.70% <ø> (ø) Carriedforward from b9f42ce
ai-integrations 67.95% <ø> (ø) Carriedforward from b9f42ce
app-defaults 69.79% <ø> (ø) Carriedforward from b9f42ce
augment 46.39% <ø> (ø) Carriedforward from b9f42ce
boost 74.35% <ø> (ø) Carriedforward from b9f42ce
bulk-import 72.46% <ø> (ø) Carriedforward from b9f42ce
cost-management 14.10% <ø> (ø) Carriedforward from b9f42ce
dcm 61.79% <ø> (ø) Carriedforward from b9f42ce
extensions 61.53% <ø> (ø) Carriedforward from b9f42ce
global-floating-action-button 71.18% <ø> (ø) Carriedforward from b9f42ce
global-header 59.71% <ø> (ø) Carriedforward from b9f42ce
homepage 49.92% <ø> (ø) Carriedforward from b9f42ce
install-dynamic-plugins 56.77% <ø> (ø) Carriedforward from b9f42ce
konflux 91.49% <ø> (ø) Carriedforward from b9f42ce
lightspeed 68.54% <ø> (ø) Carriedforward from b9f42ce
mcp-integrations 85.46% <ø> (ø) Carriedforward from b9f42ce
orchestrator 38.30% <ø> (ø) Carriedforward from b9f42ce
quickstart 63.76% <ø> (ø) Carriedforward from b9f42ce
sandbox 79.56% <ø> (ø) Carriedforward from b9f42ce
scorecard 82.62% <0.00%> (-0.05%) ⬇️
theme 61.26% <ø> (ø) Carriedforward from b9f42ce
translations 7.25% <ø> (ø) Carriedforward from b9f42ce
x2a 78.68% <ø> (ø) Carriedforward from b9f42ce

*This pull request uses carry forward flags. Click here to find out more.


Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b9f42ce...2162b7c. Read the comment docs.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jun 3, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 1cd6c9b to 6b6556b Compare June 4, 2026 04:03

const displayName = getLocaleDisplayName(locale);
await this.page.getByRole('link', { name: 'Settings' }).click();
await this.page.goto('/settings');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] test-inadequate

E2E test replaced UI-element-based navigation with direct page.goto() calls, slightly reducing coverage of navigation link presence/functionality. The affected code is test setup, not the behavior under test.

Comment thread workspaces/scorecard/.changeset/icy-poets-run.md Outdated
@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed requires-manual-review Review requires human judgment labels Jun 4, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 6b6556b to aad1405 Compare June 4, 2026 04:18

const displayName = getLocaleDisplayName(locale);
await this.page.getByRole('link', { name: 'Settings' }).click();
await this.page.goto('/settings');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] test-weakened

switchToLocale switches from role-based link clicking to direct URL navigation (page.goto), bypassing UI element verification. However, this is consistent with existing page.goto() usage in loginAndSetLocale() and openCatalog() in the same file, and the method's core purpose (locale switching) remains fully tested.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jun 4, 2026
@dzemanov

dzemanov commented Jun 9, 2026

Copy link
Copy Markdown
Member

I think we can get in these PRs before this bump, to avoid rebasing:

@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from aad1405 to 6548a29 Compare June 16, 2026 06:25
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:27 AM UTC · Completed 6:36 AM UTC
Commit: e24f46f · View workflow run →

@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from ce408c2 to a801f33 Compare June 16, 2026 06:31
@fullsend-ai-review

Copy link
Copy Markdown

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:38 AM UTC · Completed 6:46 AM UTC
Commit: e24f46f · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed ready-for-merge All reviewers approved — ready to merge labels Jun 16, 2026
@Eswaraiahsapram Eswaraiahsapram changed the title chore(scorecard): version bump to v1.51.0 chore(scorecard): version bump to v1.51.2 Jun 16, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 1ae277c to 2946aae Compare June 25, 2026 12:07
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

🤖 Review · ❌ Terminated · Started 12:08 PM UTC · Ended 12:22 PM UTC
Commit: 381f36a · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 12:08 PM UTC · Completed 12:22 PM UTC
Commit: 381f36a · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 25, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:25 PM UTC · Completed 1:01 PM UTC
Commit: 381f36a · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jun 25, 2026
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 2946aae to 33910a0 Compare June 26, 2026 04:46
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 4:49 AM UTC · Completed 5:00 AM UTC
Commit: d196266 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 5:15 AM UTC · Completed 5:25 AM UTC
Commit: d196266 · View workflow run →

) : null}

<Tooltip content={isTooltipEnabled ? tooltipContent : () => null} />
{isTooltipEnabled && <Tooltip content={tooltipContent as never} />}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] type-cast idiom

The as never cast is a broad type-suppression pattern not used anywhere else in this codebase, introduced to work around a Recharts Tooltip type incompatibility. The behavioral change is safe, but the cast defeats compile-time type checking.

Suggested fix: Prefer a more precise cast or adjust the tooltipContent prop type to align with Recharts' expected Tooltip.content type.

type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.

auth:
environment: development

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] auth configuration

The guest auth provider config changes from explicit userEntityRef to guest: {} with environment: development. The RBAC admin config still references user:development/guest. Verify the default guest provider identity in Backstage v1.51.2 matches.

Suggested fix: Confirm that the default guest provider identity resolves to user:development/guest so RBAC admin permissions are preserved.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed requires-manual-review Review requires human judgment labels Jun 26, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 11:51 AM UTC · Completed 12:22 PM UTC
Commit: d196266 · View workflow run →

@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 09711b9 to 449fe63 Compare June 26, 2026 12:06
@fullsend-ai-review

Copy link
Copy Markdown

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:25 PM UTC · Completed 12:34 PM UTC
Commit: 71cfae4 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

use: {
channel: 'chrome' as const,
locale,
baseURL: `http://localhost:${FRONTEND_PORT_BASE + i}`,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] logic-error

The per-project baseURL (http://localhost:${FRONTEND_PORT_BASE + i}) is unconditionally set, which overrides the global baseURL that respects process.env.PLAYWRIGHT_URL. In Playwright, project-level use fields override global use fields, so the global baseURL: process.env.PLAYWRIGHT_URL on line 63 becomes dead code for all projects. When PLAYWRIGHT_URL is provided (e.g., CI environments pointing to an external server), each project will still attempt to connect to localhost:300x instead of the provided URL, while no webServer is started (the webServer array is empty when PLAYWRIGHT_URL is set). This is a regression from the previous config where no per-project baseURL was set, allowing the global PLAYWRIGHT_URL to take effect.

Suggested fix: Make the per-project baseURL conditional: baseURL: process.env.PLAYWRIGHT_URL ?? http://localhost:${FRONTEND_PORT_BASE + i}

},
"type": "object",
},
"schema": [Function],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] test-weakened

The inline snapshot assertion for configSchema.schema is weakened from a full JSON Schema object (32 lines of structural validation including property types, required fields, and additionalProperties constraints) to schema: [Function]. This removes validation that the config schema defines the expected groups property with correct types and required fields. While this likely reflects an upstream API change in Backstage (lazy schema getter), the loss of structural coverage means regressions in the config schema definition would go undetected by this test.

Suggested fix: Add a separate assertion that calls the schema function and validates the returned schema object, e.g., expect(result.configSchema.schema()).toMatchObject({ properties: { groups: { type: object } } })

@fullsend-ai-review fullsend-ai-review Bot removed the ready-for-merge All reviewers approved — ready to merge label Jun 26, 2026
- Add proper cleanup of dialog event listener to prevent memory leaks
- Use try-finally pattern to ensure cleanup happens
- Fixes Node 24 E2E test failures while maintaining Node 22 compatibility
@Eswaraiahsapram Eswaraiahsapram force-pushed the scorecard-bump-1.51.0 branch from 11f73ac to 2162b7c Compare June 27, 2026 02:49
@sonarqubecloud

Copy link
Copy Markdown

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 2:53 AM UTC · Completed 3:07 AM UTC
Commit: b9f42ce · View workflow run →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file workspace/scorecard

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants