
0xthrpw (Member) commented Sep 6, 2025

Summary by CodeRabbit

  • New Features

    • Enabled an AI On‑Demand Assistant to respond to issues and PR comments with auto-labeling and escalation.
    • Enabled automated AI Code Review on pull requests with actionable review summaries.
  • Chores

    • Replaced legacy AI workflows with reusable external workflow integrations and updated permissions/secrets mapping for improved reliability.

coderabbitai bot commented Sep 6, 2025

Walkthrough

Replaces two custom GitHub Actions workflows with reusable workflows. Deletes .github/workflows/ai-on-demand.yaml and ai-review.yaml. Adds .github/workflows/ai-on-demand.yml and ai-review.yml referencing ethereumfollowprotocol/workflow-automation@v1.0.9, configuring triggers, permissions, inputs, and secrets for AI on-demand responses and AI PR reviews.

Changes

Cohort / File(s): AI On-Demand Workflow replacement
  .github/workflows/ai-on-demand.yaml, .github/workflows/ai-on-demand.yml
Summary of Changes: Removed custom AI on-demand workflow; added reusable workflow integration (issue/PR comments and issues events). Configures permissions (contents: read, issues/pull-requests: write, actions: read), inputs (config-profile: "default", bot-mention: "@efp-dev-ops", enable-auto-labeling: true, enable-escalation: true), and secrets mapping (CLAUDE_CODE_OAUTH_TOKEN, APP_ID, PRIVATE_KEY, ALLOWED_USER_LIST).

Cohort / File(s): AI Code Review Workflow replacement
  .github/workflows/ai-review.yaml, .github/workflows/ai-review.yml
Summary of Changes: Removed custom AI code review workflow; added reusable PR review workflow triggered on PR opened/synchronize/reopened. Sets permissions (contents: read, pull-requests: write, issues: write, actions: read), input config-profile: "default", and maps required secrets (CLAUDE_CODE_OAUTH_TOKEN, APP_ID, PRIVATE_KEY, ALLOWED_USER_LIST).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as User/Reviewer
  participant GH as GitHub Events
  participant AOD as ai-on-demand.yml
  participant Reuse as Reusable WF (issue-response@v1.0.9)
  participant Cmt as GitHub Comment

  User->>GH: Create comment / review / issue
  GH->>AOD: Trigger (created/submitted/opened)
  AOD->>Reuse: Invoke with inputs, permissions, secrets
  Note right of Reuse #a3d5ff: Processes bot mention, labeling, escalation
  Reuse-->>Cmt: Post AI response
sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub PR Events
  participant ACR as ai-review.yml
  participant Reuse as Reusable WF (pr-review@v1.0.9)
  participant PR as Pull Request

  Dev->>GH: Open/Synchronize/Reopen PR
  GH->>ACR: Trigger workflow
  ACR->>Reuse: Invoke with security/quality/doc review enabled
  Note right of Reuse #a3d5ff: Runs code review and generates summary/comments
  Reuse-->>PR: Post review summary/comments

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • automation #55 — Similar migration of AI on-demand and AI code-review workflows to reusable automation using the same external workflow refs and settings.

Poem

A rabbit taps keys with a flick of an ear,
Old scripts hop out, new flows appear.
Reusable trails through Actions we tread,
Labels and reviews neatly spread.
With tokens in pocket and mentions to hear—
“@efp-dev-ops,” I’m all ears! 🐇✨


cloudflare-workers-and-pages bot commented Sep 6, 2025

Deploying docs with Cloudflare Pages

Latest commit: 214aa81
Status: ✅  Deploy successful!
Preview URL: https://bd24965c.docs-2vz.pages.dev
Branch Preview URL: https://workflow.docs-2vz.pages.dev


coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (9)
.github/workflows/ai-review.yml (4)

6-10: Tighten permissions (drop actions: read if not required).

If the called workflow doesn’t need Actions API, remove this permission.

 permissions:
   contents: read
   pull-requests: write
   issues: write
-  actions: read

2-4: Consider handling “ready_for_review” trigger.

Covers draft-to-ready transitions.

 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, ready_for_review]

12-13: Add concurrency to avoid duplicate runs on rapid pushes.

 name: AI Code Review
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
 permissions:
   contents: read
   pull-requests: write
   issues: write
   actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true

24-24: Add newline at EOF.

Fixes YAML lint error.

-      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
\ No newline at end of file
+      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
+
.github/workflows/ai-on-demand.yml (5)

1-1: Remove trailing spaces after workflow name.

Fixes YAML lint warning.

-name: AI On-Demand Assistant  
+name: AI On-Demand Assistant

12-16: Minimize permissions (drop actions: read if unnecessary).

 permissions:
   contents: read
   issues: write
   pull-requests: write
-  actions: read

2-10: Consider reacting to edited comments that add a bot mention.

Helps when users add “@efp-dev-ops” via edit.

 on:
   issue_comment:
-    types: [created]
+    types: [created, edited]
   pull_request_review_comment:
     types: [created]
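Review bot: adding `edited` to `issue_comment` means every later edit of a comment that already contains the `@efp-dev-ops` mention re-triggers the assistant, so without the concurrency group proposed in the next nitpick a single comment can produce several replies; the `ALLOWED_USER_LIST` check also has to be evaluated for the editing user on the edited event, not only for the original commenter.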

18-19: Add concurrency to avoid duplicate replies on bursts.

 name: AI On-Demand Assistant
 on:
   issue_comment:
     types: [created, edited]
   pull_request_review_comment:
     types: [created]
   pull_request_review:
     types: [submitted]
   issues:
     types: [opened]
 
 permissions:
   contents: read
   issues: write
   pull-requests: write
   actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
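Review bot: `cancel-in-progress: true` keyed on the issue number means a second mention on the same issue cancels the in-flight reply to the first one, so two distinct questions posted in quick succession yield a single answer; if that is not acceptable for the on-demand assistant, keep the `group` for deduplication but drop `cancel-in-progress`, and reserve cancellation for cases where the newer event supersedes the older, as it does for PR pushes.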

18-30: Guard against self-trigger loops (optional).

If the reusable workflow doesn’t already, skip when the bot triggers the event.

 jobs:
   ai-response:
+    if: ${{ github.actor != 'efp-dev-ops[bot]' }}
     # Pin to exact commit for supply-chain safety (v1.0.9)
-    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/issue-response.yml@v1.0.9
+    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/issue-response.yml@<commit-sha>
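Review bot: `<commit-sha>` on the `uses:` line is a placeholder, so this hunk is not committable as shown; the `github.actor` loop guard can be applied on its own, and the pin should only land once the 40-character commit that v1.0.9 points to has been resolved, with `v1.0.9` kept in the trailing comment so the version stays readable.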
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 3c6ef6e and 4f57d0d.

📒 Files selected for processing (4)
  • .github/workflows/ai-on-demand.yaml (0 hunks)
  • .github/workflows/ai-on-demand.yml (1 hunks)
  • .github/workflows/ai-review.yaml (0 hunks)
  • .github/workflows/ai-review.yml (1 hunks)
💤 Files with no reviewable changes (2)
  • .github/workflows/ai-on-demand.yaml
  • .github/workflows/ai-review.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/ai-on-demand.yml

[error] 1-1: trailing spaces

(trailing-spaces)

.github/workflows/ai-review.yml

[error] 24-24: no new line character at the end of file

(new-line-at-end-of-file)


jobs:
  ai-response:
    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/issue-response.yml@v1.0.9

🛠️ Refactor suggestion

Pin reusable workflow to a commit SHA to prevent tag hijack.

-    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/issue-response.yml@v1.0.9
+    # Pin to exact commit for supply-chain safety (v1.0.9)
+    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/issue-response.yml@<commit-sha>
🤖 Prompt for AI Agents
.github/workflows/ai-on-demand.yml line 20: the reusable workflow reference
currently uses a tag (@v1.0.9) which can be hijacked; replace the tag with the
exact commit SHA for ethereumfollowprotocol/workflow-automation that corresponds
to v1.0.9 (find the tag’s commit SHA in that repo and update the line to use
@<COMMIT_SHA>), commit the change, and verify the workflow runs successfully.


jobs:
  ai-review:
    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@v1.0.9


🛠️ Refactor suggestion

Pin reusable workflow to a commit SHA to prevent tag hijack.

Pin to the exact commit for v1.0.9 to reduce supply-chain risk.

-    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@v1.0.9
+    # Pin to exact commit for supply-chain safety (v1.0.9)
+    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@<commit-sha>
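Review bot: when resolving `<commit-sha>` with `git ls-remote --tags` as the prompt suggests, an annotated tag lists two entries, `refs/tags/v1.0.9` (the tag object) and `refs/tags/v1.0.9^{}` (the commit it points to); the `uses:` line needs the peeled commit SHA from the `^{}` entry, since a tag object's SHA will not resolve as a workflow ref.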
🤖 Prompt for AI Agents
.github/workflows/ai-review.yml around line 14: the reusable workflow reference
currently uses a tag (v1.0.9), which is susceptible to tag hijacking; update the
uses line to reference the exact commit SHA for
ethereumfollowprotocol/workflow-automation (e.g., @<full-commit-sha>) instead of
the tag. Retrieve the correct commit SHA from the workflow-automation repo
(GitHub UI or git ls-remote) for the v1.0.9 release and replace the tag with
that SHA so the uses line pins to the exact commit.

efp-dev-ops bot (Contributor) commented Sep 6, 2025

Claude finished @0xthrpw's task


TypeScript Code Quality Review

Comprehensive TypeScript analysis completed for the Ethereum Follow Protocol Documentation repository.

TypeScript Quality Assessment

Type Safety Rating: 9/10

  • Excellent strict TypeScript configuration with "extends": "astro/tsconfigs/strict"
  • All files properly typed with no any usage found
  • Proper environment variable typing with well-defined interfaces
  • Use of @total-typescript/ts-reset for enhanced type safety

Architecture Rating: 8/10

  • Clean module organization and clear separation of concerns
  • Appropriate use of interfaces for environment variables
  • Good import/export patterns throughout
  • Consistent TypeScript configuration across all files

Modern Features Usage: 8/10

  • Uses import assertions (with { type: 'json' }) in update-dependencies.ts:7
  • Proper async/await patterns throughout
  • Well-structured type definitions and utility types
  • Modern module syntax with ESM

Overall TypeScript Quality: 8.5/10

Detailed Analysis by File

tsconfig.json - Excellent Configuration

  • Strengths:
    • Extends Astro's strict configuration
    • Enables checkJs and allowJs for comprehensive checking
    • Uses verbatimModuleSyntax for better module handling
    • Proper path mapping and plugin integration
  • Score: 10/10

astro.config.ts - Strong Configuration File

  • Strengths:
    • Proper type imports and structured configuration
    • Good use of TypeScript with Astro integrations
    • Type-safe environment variable access
  • Minor Areas for Improvement:
    • Line 296: Number(process.env.PORT || 4321) could use more robust type validation
  • Score: 8/10

tailwind.config.ts - Well-Typed Configuration

  • Strengths:
    • Proper use of satisfies Config for type safety
    • Complex typography configuration with proper typing
    • Good interface definition for theme function parameter
  • Score: 9/10

src/env.d.ts - Excellent Type Definitions

  • Strengths:
    • Comprehensive environment variable typing
    • Proper module augmentation patterns
    • Multi-platform environment support (Node.js, Vite, Cloudflare)
  • Score: 10/10

scripts/update-dependencies.ts - Good Build Tooling

  • Strengths:
    • Modern import syntax with JSON assertion
    • Proper async/await usage
    • Good error handling patterns
  • Minor Improvements:
    • Line 95-97: Could add better error handling for fetch failures
    • Large amount of commented code should be cleaned up
  • Score: 7/10

src/content/config.ts - Simple but Effective

  • Strengths:
    • Clean collection definitions using Starlight schemas
    • Proper schema typing
  • Score: 8/10

TypeScript Best Practices Compliance

Excellent:

  • Strict TypeScript configuration enabled
  • No usage of any type found
  • Proper null/undefined checking via strict mode
  • Interface/type definitions are clear and complete
  • Module imports/exports are clean
  • Modern TypeScript features used appropriately

Good:

  • Type assertions used appropriately (minimal usage)
  • Proper async/await typing
  • Effective use of utility types and modern syntax

Recommendations

High Priority

  1. Environment Variable Validation (astro.config.ts:296):
    // Consider more robust port validation
    const port = process.env.PORT ? parseInt(process.env.PORT, 10) : 4321;
    if (isNaN(port)) throw new Error('Invalid PORT environment variable');

Medium Priority

  1. Error Handling Enhancement (scripts/update-dependencies.ts):

    async function fetchPackageLatestVersion(name: string) {
      try {
        const response = await fetch(`https://registry.npmjs.org/${name}/latest`)
        if (!response.ok) throw new Error(`Failed to fetch ${name}: ${response.status}`)
        const { version } = await response.json() as { version: string }
        return version
      } catch (error) {
        console.error(`Error fetching version for ${name}:`, error)
        throw error
      }
    }
  2. Code Cleanup: Remove commented code blocks in update-dependencies.ts (lines 36-53)

Low Priority

  1. Consider adding JSDoc comments for complex functions
  2. The codebase could benefit from more explicit return type annotations for public APIs

Security & Performance Notes

  • ✅ No security anti-patterns detected
  • ✅ No performance issues in TypeScript usage
  • ✅ Proper module resolution and import patterns
  • ✅ No circular dependencies detected

Final Assessment

This is a well-architected TypeScript codebase with excellent type safety practices. The strict configuration, modern feature usage, and clean architecture demonstrate professional TypeScript development standards. The minor improvements suggested would further enhance robustness but the current implementation is production-ready.

Recommended Action: The TypeScript code quality is excellent and requires only minor enhancements.


coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/ai-review.yml (1)

14-14: Pin reusable workflow to an exact commit SHA (supply-chain hardening).

Tags can be retagged; pin to the v1.0.9 commit SHA.

-    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@v1.0.9
+    # Pin to exact commit for v1.0.9
+    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@<commit-sha>
🧹 Nitpick comments (3)
.github/workflows/ai-review.yml (3)

6-10: Tighten/confirm permissions (principle of least privilege).

Validate if issues: write and actions: read are truly needed; add checks: write if the workflow posts Check Runs.

Option 1 — minimal:

 permissions:
   contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+  pull-requests: write
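Review bot: in Option 1 the `pull-requests: write` line is removed and re-added unchanged, so the net change is only dropping `issues: write` and `actions: read`; showing just those two `-` lines would make that clearer. Since the walkthrough says the called workflow posts review comments on the PR, confirm pr-review.yml does not rely on `issues: write` for that before removing it, because a caller's `permissions` block is the upper bound the reusable workflow can use.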

Option 2 — if using Checks API:

 permissions:
   contents: read
   pull-requests: write
+  checks: write

12-13: Add concurrency to auto-cancel superseded runs per PR.

Reduces duplicate runs on rapid pushes.

Top-level:

 permissions:
   contents: read
   pull-requests: write
   issues: write
   actions: read

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true

21-21: Add trailing newline (yamllint).

Fixes: no new line at end of file.

-      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
+      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
+
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 4f57d0d and 214aa81.

📒 Files selected for processing (1)
  • .github/workflows/ai-review.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/ai-review.yml

[error] 21-21: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: ai-review / quality-review
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (1)
.github/workflows/ai-review.yml (1)

16-21: Confirm inputs and secret names match the reusable workflow’s workflow_call schema.

Ensure these exact names are declared as required secrets/inputs in pr-review.yml.

If names differ, map to the called workflow’s expected keys:

     with:
-      config-profile: "default"
+      config-profile: "default"
     secrets:
-      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.DEV_OPS_BOT_CLAUDE_CODE_OAUTH_TOKEN }}
-      APP_ID: ${{ secrets.DEV_OPS_BOT_APP_ID }}
-      PRIVATE_KEY: ${{ secrets.DEV_OPS_BOT_PRIVATE_KEY }}
-      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
+      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.DEV_OPS_BOT_CLAUDE_CODE_OAUTH_TOKEN }}
+      APP_ID: ${{ secrets.DEV_OPS_BOT_APP_ID }}
+      PRIVATE_KEY: ${{ secrets.DEV_OPS_BOT_PRIVATE_KEY }}
+      ALLOWED_USER_LIST: ${{ secrets.DEV_OPS_BOT_ALLOWED_USER_LIST }}
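Review bot: every removed line here is re-added byte-for-byte, so the hunk is a no-op; the actionable step is the one stated in the prose, comparing `config-profile` and these four secret names against the `workflow_call` inputs and secrets declared in pr-review.yml, since a name the called workflow does not declare is rejected when the caller is validated.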

Comment on lines +2 to +5

on:
  pull_request:
    types: [opened, synchronize, reopened]


💡 Verification agent

🧩 Analysis chain

PRs from forks won’t have access to secrets; guard or switch event.

Either gate the job to skip forks, or carefully switch to pull_request_target (with safe checkout in the called workflow).

Option A — gate forks:

 jobs:
   ai-review:
+    if: ${{ github.event.pull_request.head.repo.fork == false }}

Option B — use pull_request_target:

-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]

Confirm the reusable workflow safely checks out the base ref to avoid running untrusted code.


🏁 Script executed:

#!/bin/bash
set -e

file=".github/workflows/ai-review.yml"
if [ -f "$file" ]; then
  echo "=== First 200 lines of $file ==="
  sed -n '1,200p' "$file"
  echo
  echo "=== Secret usage in $file ==="
  grep -n "secrets\." "$file" || echo "No secrets usage found"
else
  echo "File not found: $file"
  exit 1
fi

Length of output: 1314


Gate forks or switch to pull_request_target for secret access
This job uses repository secrets (e.g. DEV_OPS_BOT_CLAUDE_CODE_OAUTH_TOKEN), which aren’t available to pull_request events from forks. Either restrict it to non-forks:

 jobs:
   ai-review:
+    if: ${{ github.event.pull_request.head.repo.fork == false }}

or switch the trigger to pull_request_target (and ensure the reusable workflow’s checkout step uses the base ref):

-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
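Review bot: Option B changes the trust model rather than only restoring secret access: `pull_request_target` runs in the base repository's context with secrets for fork PRs as well, so if pr-review.yml checks out or executes anything from the PR head, untrusted contributor code runs with those secrets. Prefer Option A unless the called workflow is confirmed to check out only the base ref, as the preceding sentence requires.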
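The two hardening points raised across this review, pinning reusable workflows to a commit SHA instead of a tag and keeping secrets away from fork-triggered runs, can be checked mechanically. The following is an added example written for this page; it is not code from this PR or from the workflow-automation project. It scans workflow YAML as plain text with regular expressions (no PyYAML needed), flags `uses:` refs that are not a full 40-hex SHA, flags `pull_request` jobs that read `secrets.*` without the `head.repo.fork` guard from Option A, and flags `pull_request_target` combined with a checkout of the PR head. The sample workflows and `FAKE_SHA` are constructed for the example; `FAKE_SHA` is a placeholder, not the real commit behind v1.0.9.

```python
"""Audit GitHub Actions workflow text for mutable `uses:` refs and for secret
exposure around pull_request / pull_request_target. Pure regex, no dependencies."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only a full 40-hex commit SHA is immutable; a tag or branch can be moved to other code.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Job-level `uses:` (reusable workflow call) and step-level `- uses:` (action).
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*(\S+)", re.MULTILINE)
PR_TRIGGER_RE = re.compile(r"^[ \t]*pull_request[ \t]*:", re.MULTILINE)
PRT_TRIGGER_RE = re.compile(r"^[ \t]*pull_request_target[ \t]*:", re.MULTILINE)
SECRET_USE_RE = re.compile(r"secrets\.[A-Za-z_][A-Za-z0-9_]*")
FORK_GUARD_RE = re.compile(r"github\.event\.pull_request\.head\.repo\.fork")
# Checking out the PR head under pull_request_target runs untrusted code with base-repo secrets.
HEAD_CHECKOUT_RE = re.compile(
    r"ref:[ \t]*\$\{\{[ \t]*github\.event\.pull_request\.head\.(?:sha|ref)[ \t]*\}\}")


@dataclass(frozen=True)
class Finding:
    kind: str    # mutable-ref | unpinned | fork-secrets | prt-head-checkout | prt-review-needed
    detail: str


def parse_uses(value: str):
    """Split a `uses:` value into (target, ref); local paths and docker images carry no git ref."""
    value = value.strip("'\"")
    if value.startswith(("./", "docker://")):
        return value, None
    target, _, ref = value.partition("@")
    return target, (ref or None)


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for match in USES_RE.finditer(text):
        target, ref = parse_uses(match.group(1))
        if target.startswith(("./", "docker://")):
            continue  # same-repo file or container image: not a tag-pinning question
        if ref is None:
            findings.append(Finding("unpinned", f"{target}: no @ref, floats with the default branch"))
        elif not FULL_SHA_RE.match(ref):
            findings.append(Finding("mutable-ref", f"{target}@{ref}"))
    # Fork PRs on the pull_request event receive no secrets, so a job that reads them needs a fork guard.
    if PR_TRIGGER_RE.search(text) and SECRET_USE_RE.search(text) and not FORK_GUARD_RE.search(text):
        findings.append(Finding("fork-secrets", "pull_request job reads secrets without a head.repo.fork guard"))
    if PRT_TRIGGER_RE.search(text):
        if HEAD_CHECKOUT_RE.search(text):
            findings.append(Finding("prt-head-checkout", "pull_request_target checks out the PR head with secrets available"))
        else:
            findings.append(Finding("prt-review-needed", "pull_request_target present: confirm checkout stays on the base ref"))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite `uses: target@tag` to `uses: target@<sha>  # tag` so the version stays readable."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    match = USES_RE.match(line)
    if match is None:
        raise ValueError("not a uses: line")
    target, ref = parse_uses(match.group(1))
    if ref is None:
        raise ValueError("uses: value has no @ref to replace")
    return f"{line[:match.start(1)]}{target}@{sha}  # {ref}"


# Constructed sample mirroring the ai-review.yml described in this PR; not the repository's own file.
TAG_PINNED = """\
name: AI Code Review
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: write
jobs:
  ai-review:
    uses: ethereumfollowprotocol/workflow-automation/.github/workflows/pr-review.yml@v1.0.9
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.DEV_OPS_BOT_CLAUDE_CODE_OAUTH_TOKEN }}
"""
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder, not the real v1.0.9 commit
# The same sample with both fixes from the review applied: SHA pin plus the Option A fork guard.
HARDENED = TAG_PINNED.replace("@v1.0.9", f"@{FAKE_SHA}  # v1.0.9").replace(
    "  ai-review:\n", "  ai-review:\n    if: ${{ github.event.pull_request.head.repo.fork == false }}\n")
# Constructed example of the risky combination the review warns about under Option B.
PRT_RISKY = """\
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    for label, text in (("tag-pinned", TAG_PINNED), ("hardened", HARDENED), ("prt-risky", PRT_RISKY)):
        print(label, [f"{f.kind}: {f.detail}" for f in audit_workflow(text)] or ["clean"])
```

Running it reports `mutable-ref` and `fork-secrets` for the tag-pinned sample, nothing for the hardened one, and `prt-head-checkout` for the `pull_request_target` sample. The regex approach deliberately reads the file as text so it also catches `uses:` lines in templated or partially valid YAML; a real CI gate would run `audit_workflow` over every file under `.github/workflows/` and fail on any `mutable-ref`, `fork-secrets` or `prt-head-checkout` finding.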

@0xthrpw 0xthrpw merged commit 46d3b1c into main Sep 6, 2025
33 of 34 checks passed
@0xthrpw 0xthrpw deleted the workflow branch September 6, 2025 02:27