ci: enable autofix.ci and pkg-pr-new workflows

[JounQin]

NPM_CONFIG_PROVENANCE env is enabled for releasing

---

Important

Add new GitHub workflows for autofix and commit publishing, update existing workflows, and modify package.json maintainers field.

• Workflows:
  • Add autofix.yml for automatic code formatting on pull requests.
  • Add pkg-pr-new.yml for publishing any commit on push or pull request.
  • Update ci.yml to include named steps for better clarity.
  • Update release.yml to include concurrency settings and permissions, and set NPM_CONFIG_PROVENANCE to true.
• Package.json:
  • Change contributors field to maintainers.

^{This description was created by for a54d7fe. You can customize this summary. It will automatically update as commits are pushed.}

Summary by CodeRabbit

• Chores
  • Added new GitHub Actions workflows for automated code formatting and publishing.
  • Improved CI and release workflows with clearer step names, enhanced concurrency controls, and updated permissions.
  • Enabled npm package provenance metadata in the release process.
  • Updated package metadata to use a "maintainers" field instead of "contributors".
  • Added documentation for a patch update to a development dependency.

[changeset-bot]

🦋 Changeset detected

Latest commit: a62bdd4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
eslint-plugin-prettier	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

This update introduces several improvements and additions to the project's GitHub Actions workflows and package metadata. New workflow files are added for automated code formatting and publishing on any commit, while existing workflows are enhanced with clearer step names, explicit concurrency controls, and updated permissions. The release workflow now includes provenance metadata for npm packages. Additionally, the package.json file is updated to use a "maintainers" field instead of "contributors." A new changeset documents these updates, specifically noting the provenance configuration.

Changes

File(s)	Change Summary
.github/workflows/autofix.yml	Added new workflow for automated code formatting using autofix.ci on pull requests.
.github/workflows/pkg-pr-new.yml	Added new workflow to publish any commit on push or pull request events.
.github/workflows/ci.yml	Updated workflow: added explicit step names and version comments for clarity; no logic changes.
.github/workflows/release.yml	Enhanced workflow: added concurrency controls, explicit permissions, step renaming, and npm provenance metadata.
package.json	Replaced "contributors" field with "maintainers" field, reformatted entry.
.changeset/wise-houses-build.md	Added changeset documenting npm provenance configuration for CI and patch update to eslint-plugin-prettier.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub
    participant Workflow (autofix.ci)
    participant Runner
    participant autofix.ci Action

    GitHub->>Workflow (autofix.ci): Trigger on PR opened/reopened/synchronized
    Workflow (autofix.ci)->>Runner: Checkout repo, setup pnpm, setup Node.js, install deps
    Runner->>Runner: Run code formatting script
    Runner->>autofix.ci Action: Apply autofix.ci with fail-fast disabled

Loading

sequenceDiagram
    participant GitHub
    participant Workflow (pkg-pr-new)
    participant Runner

    GitHub->>Workflow (pkg-pr-new): Trigger on push or PR
    Workflow (pkg-pr-new)->>Runner: Checkout repo, setup pnpm, setup Node.js, install deps
    Runner->>Runner: Run pnpm dlx pkg-pr-new publish --compact

Loading

sequenceDiagram
    participant GitHub
    participant Workflow (release)
    participant Runner
    participant npm

    GitHub->>Workflow (release): Trigger release workflow
    Workflow (release)->>Runner: Checkout repo, setup pnpm, setup Node.js
    Runner->>Runner: Run release script with NPM_CONFIG_PROVENANCE=true
    Runner->>npm: Publish package with provenance metadata

Loading

Poem

🐇
A hop, a skip, new workflows bloom,
With provenance and order, they chase the gloom.
Maintainers now lead, contributors rest,
Automated fixes keep our code at its best.
With each commit and publish, CI runs anew—
This bunny’s quite proud of what the team can do!
✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR enhances the CI/CD pipelines by adding concurrency controls, new workflows, and environment configuration for releases. It includes:

• Updated release workflow with concurrency and additional permissions, plus enabling NPM_CONFIG_PROVENANCE for releasing.
• Addition of a new pkg-pr-new workflow to publish any commit.
• Update of the autofix.ci workflow with appropriate naming and standardized steps.

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

File	Description
.github/workflows/release.yml	Added concurrency, permissions, and environment variables for release
.github/workflows/pkg-pr-new.yml	New workflow for publishing any commit with similar concurrency settings
.github/workflows/ci.yml	Synchronized checkout, pnpm, and Node.js setup actions
.github/workflows/autofix.yml	New autofix workflow with checks and formatting steps

Files not reviewed (1)

• package.json: Language not supported

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/eslint-plugin-prettier@734

commit: a62bdd4

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to a54d7fe in 53 seconds. Click for details.

• Reviewed 160 lines of code in 5 files
• Skipped 0 files when reviewing.
• Skipped posting 7 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. .github/workflows/ci.yml:49

• Draft comment:
  Step name 'Install ESLint ${{ matrix.node }}' is misleading since it installs ESLint based on matrix.eslint. Consider renaming to include the ESLint version.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

2. package.json:8

• Draft comment:
  Verify that the format for 'maintainers' is compliant with npm standards; typically an object with 'name' and 'email' may be preferred.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the PR author to verify compliance with npm standards, which is against the rules. It doesn't provide a specific suggestion or point out a clear issue with the code.

3. .github/workflows/autofix.yml:1

• Draft comment:
  Good: Workflow is correctly named 'autofix.ci' per security requirements.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

4. .github/workflows/ci.yml:34

• Draft comment:
  Excellent use of pinned commit hashes (e.g., checkout@11bd71901bbe5b1630ceea73d27597364c9af683) for enhanced security. Ensure you update them periodically.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

5. .github/workflows/pkg-pr-new.yml:1

• Draft comment:
  Review trigger events: The workflow triggers on both push and pull_request. Confirm that publishing on PR events is intentional to avoid accidental publishes from forks.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 30% <= threshold 50% The comment is asking the author to confirm their intention regarding the workflow triggers. It suggests that publishing on PR events might lead to accidental publishes from forks, which is a valid concern. However, it violates the rule of not asking the PR author to confirm their intention. The comment could be rephrased to suggest a specific action or change instead of asking for confirmation.

6. .github/workflows/release.yml:46

• Draft comment:
  NPM_CONFIG_PROVENANCE is enabled in the release workflow. Ensure its string 'true' is correctly interpreted and that its use is limited to release operations as intended.
• Reason this comment was not posted:
  Confidence changes required: 33% <= threshold 50% None

7. package.json:8

• Draft comment:
  Switching from 'contributors' to 'maintainers' changes the project metadata. Verify this change meets your publication and attribution requirements.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the author to verify if the change meets certain requirements, which is against the rules. It doesn't provide a specific suggestion or point out a clear issue with the code.

Workflow ID: wflow_GeUyj2VKqbdWs9Xj

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[JounQin]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/release.yml (2)

8-10: Consider using github.ref_name for clearer concurrency grouping
The workflow correctly cancels in-progress runs, preventing duplicate releases. For improved readability (dropping the refs/heads/ prefix), you might switch the group to ${{ github.workflow }}-${{ github.ref_name }}.

---

12-15: Principle of least privilege: Review unnecessary permissions
Explicit permissions are great for security. It appears the id-token permission isn’t leveraged by this job. Please verify its necessity and remove it if not required.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3247172 and a62bdd4.

📒 Files selected for processing (6)

• .changeset/wise-houses-build.md (1 hunks)
• .github/workflows/autofix.yml (1 hunks)
• .github/workflows/ci.yml (1 hunks)
• .github/workflows/pkg-pr-new.yml (1 hunks)
• .github/workflows/release.yml (2 hunks)
• package.json (1 hunks)

🔇 Additional comments (24)

package.json (1)

8-10: Field update looks correct
The contributors field was properly replaced with maintainers, and the new entry format aligns with npm’s expected syntax.

.changeset/wise-houses-build.md (1)

1-6: Changeset front-matter is valid
The YAML header correctly specifies a patch for eslint-plugin-prettier, and the summary clearly describes enabling NPM_CONFIG_PROVENANCE.

.github/workflows/ci.yml (1)

34-41: Pinned actions and explicit step names improve reproducibility
The checkout, pnpm setup, and Node.js setup steps are now explicitly named and pinned to specific commit SHAs, which enhances clarity and ensures consistent CI behavior.

.github/workflows/autofix.yml (9)

1-1: Workflow name meets security requirement
Naming the workflow autofix.ci satisfies the security constraint for the autofix.ci action.

---

3-9: Trigger configuration looks correct
The workflow triggers on pull request opened, reopened, and synchronize events as intended.

---

10-13: Concurrency group prevents overlapping runs
Grouping by ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true ensures only the latest run per branch is active.

---

18-19: Checkout step is correctly pinned
Using actions/checkout at a specific SHA maintains reproducibility.

---

21-22: pnpm setup step is consistent
The pnpm setup action is pinned and named, aligning with other workflows.

---

24-28: Node.js LTS setup is clear and cached
Using lts/* with pnpm cache ensures tests run on the latest LTS release with dependency caching.

---

30-31: Install step uses frozen lockfile
pnpm install --prefer-frozen-lockfile enforces lockfile integrity.

---

33-34: Format step aligns with project scripts
Running pnpm format ensures code style is applied before autofix.

---

36-39: Autofix action is properly configured
The autofix-ci/action pin and fail-fast: false option are set correctly for non-blocking autofixes.

.github/workflows/pkg-pr-new.yml (8)

1-1: Workflow name clearly describes purpose
Publish Any Commit accurately reflects the intent to run the pkg-pr-new publish command on every commit.

---

2-5: Event triggers cover both push and PR
Listening on both push and pull_request ensures the publishing step runs in relevant contexts.

---

6-8: Concurrency safeguards are in place
The same concurrency pattern as other workflows prevents redundant runs for the same branch.

---

15-17: Pinned checkout action
Consistent use of the same checkout SHA across workflows maintains CI stability.

---

18-20: pnpm setup is uniform
The pnpm action pin matches other workflows, reducing configuration drift.

---

21-25: Node.js setup follows established pattern
Using lts/* and cache reflects best practices for GitHub Actions speed and reliability.

---

27-28: Dependency installation is reliable
pnpm install --prefer-frozen-lockfile prevents unexpected lockfile changes.

---

30-31: Publish step invokes pkg-pr-new correctly
The pnpm dlx pkg-pr-new publish --compact command is properly configured to produce concise output.

.github/workflows/release.yml (4)

22-23: Good practice: Pinning the checkout action by SHA
Locking actions/checkout to a specific commit enhances reproducibility and security.

---

25-26: Pinned pnpm setup action ensures stability
Using the SHA for pnpm/action-setup (v4.1.0) guarantees consistent behavior across runs.

---

28-29: Pin Node.js setup action for consistency
Locking actions/setup-node to a known SHA (v4.4.0) is a solid practice to avoid unexpected changes.

---

46-46: Enable npm provenance metadata
Setting NPM_CONFIG_PROVENANCE: true aligns with best practices to record package provenance.