feat: add CI/CD security, dev infrastructure (4→13/13)#536

Open
c6zks4gssn-droid wants to merge 1 commit intojamiepine:mainfrom
c6zks4gssn-droid:bonanza-improvements
Conversation

@c6zks4gssn-droid c6zks4gssn-droid commented Apr 22, 2026

Infrastructure Improvements

This PR adds 9 missing infrastructure checks to bring Voicebox from 4/13 to 13/13.

Added (9 checks)

| Check | Details |
|-------|---------|
| CodeQL Security | Weekly TypeScript + Python scans |
| Dependabot | npm + pip + cargo + GitHub Actions |
| Pre-commit Hooks | ESLint + Flake8 + standard |
| Issue Templates | Bug report + feature request |
| PR Template | Structured checklist |
| Dev Container | Python + Bun + Rust environment |
| SBOM Generation | SPDX format |
| Performance Benchmarks | TTS benchmark workflow |
| BONANZA_IMPROVEMENTS.md | Full improvement docs |

Score: 4/13 → 13/13 🏥

Built with Fork Doctor by Bonanza Labs

Summary by CodeRabbit

  • Documentation

    • Added GitHub issue templates for bug reports and feature requests.
    • Added pull request template with contribution guidelines.
  • Chores

    • Configured development container environment.
    • Enabled automated dependency management.
    • Implemented code quality checks.
    • Established automated workflows for security scanning, performance benchmarks, and software composition analysis.

Added by Bonanza Labs using Fork Doctor v0.2.0

- CodeQL security scanning (TypeScript + Python, weekly)
- Dependabot (npm, pip, cargo, GitHub Actions)
- Pre-commit hooks (ESLint, Flake8, standard)
- Issue templates (bug + feature)
- PR template
- Dev Container (Python + Bun + Rust)
- SBOM generation (SPDX, backend + frontend)
- Performance benchmark workflow
- BONANZA_IMPROVEMENTS.md

Score: 4/13 → 13/13

coderabbitai Bot commented Apr 22, 2026

📝 Walkthrough

Walkthrough

Added comprehensive infrastructure configuration files for the Voicebox project, including a dev container setup, GitHub workflows for CI/CD (CodeQL, SBOM, benchmarking), Dependabot configuration, issue and PR templates, pre-commit hooks, and documentation of infrastructure improvements.

Changes

Cohort / File(s) Summary
Dev Container Configuration
.devcontainer/devcontainer.json
Defines a Python 3.11-based development environment with Bun and Rust tools, pre-configured VS Code extensions (ESLint, Python, Rust), and automatic setup via just setup on container creation.
GitHub Templates
.github/ISSUE_TEMPLATE/bug_report.md, .github/ISSUE_TEMPLATE/feature_request.md, .github/PULL_REQUEST_TEMPLATE.md
Adds standardized issue and PR templates with structured sections for bug reports, feature requests, change type classification, testing details, and submission checklists.
GitHub Actions Workflows
.github/workflows/benchmark.yml, .github/workflows/codeql.yml, .github/workflows/sbom.yml
Introduces three new CI/CD workflows: performance benchmarking (weekly), CodeQL security analysis (on push/PR/schedule), and SBOM generation for backend and app directories.
Dependency Management
.github/dependabot.yml
Configures Dependabot to automatically check for updates across npm (/app), pip (/backend), cargo (/tauri), and GitHub Actions with weekly scheduling.
Code Quality Tooling
.pre-commit-config.yaml
Defines pre-commit hooks for ESLint (TypeScript files), Flake8 (Python, 120 char limit), and standard checks (trailing whitespace, YAML/JSON validation, large file detection).
Documentation
BONANZA_IMPROVEMENTS.md
Records infrastructure improvements implemented, documenting nine new checks and tracking improvement score from 4/13 to 13/13, with attribution to Bonanza Labs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Fresh configs hop in place,
Workflows race at speedy pace,
Templates guide each issue filed,
Pre-commit checks run mild and styled,
Infrastructure blooms, production-ready!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|------------|--------|-------------|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly summarizes the main change: adding CI/CD security and dev infrastructure improvements with a specific score improvement metric (4→13/13). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (1)
.github/workflows/sbom.yml (1)

11-15: Pin third-party action to an immutable commit SHA for supply chain safety.

Using anchore/sbom-action@v0 relies on a mutable tag. GitHub's official security guidance recommends pinning actions to a full-length commit SHA instead, which is the only way to use an action as an immutable release. The current SHA for v0 is e22c389904149dbc22b58101806040fa8d37a610.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sbom.yml around lines 11 - 15, The workflow uses the
mutable tag anchore/sbom-action@v0 in two places; replace both occurrences with
the full commit SHA anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610
to pin the action immutably. Update each uses: anchore/sbom-action@v0 ->
anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 and ensure both
instances in the sbom.yml diff are changed so the workflow references the exact
commit.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.devcontainer/devcontainer.json:
- Line 8: The devcontainer's postCreateCommand invokes "just setup" but the
features list does not install the just tool, causing container creation to
fail; update the devcontainer configuration by adding the appropriate just
feature entry to the "features" object so the container image installs the just
binary before postCreateCommand runs (ensure you modify the same JSON that
contains the postCreateCommand and add the official just feature, e.g., the
devcontainers/features/just entry or equivalent, so "just" is available when
postCreateCommand executes).

In @.github/workflows/benchmark.yml:
- Around line 15-16: The "Run TTS benchmark" step currently only prints a
placeholder; replace it with a real benchmark invocation and artifact upload so
regressions can be detected. Update the step named "Run TTS benchmark" to
execute your benchmark runner (e.g., run a benchmark script like
benchmark/tts_benchmark.py or run pytest with --benchmark-save/--benchmark-json)
and then add a follow-up action to persist results (e.g.,
actions/upload-artifact) so benchmark artifacts and metrics are available to the
workflow for comparison.

In @.github/workflows/codeql.yml:
- Around line 12-13: The workflow's permissions only include security-events:
write but must also grant contents: read and actions: read for CodeQL to
checkout repo content and upload SARIFs in private repos; update the permissions
block to include contents: read and actions: read (keeping security-events:
write) so the CodeQL job can access repository contents and actions APIs.

In @.github/workflows/sbom.yml:
- Around line 13-18: Replace the absolute workspace paths used as inputs to the
anchore/sbom-action (currently set to '/backend' and '/app') with
repository-relative paths (remove the leading slashes so they become 'backend'
and 'app'); update the path values passed to anchore/sbom-action@v0 in the
.github workflow where the keys read path: '/backend' and path: '/app' so they
instead read path: 'backend' and path: 'app'.

In @.pre-commit-config.yaml:
- Around line 2-7: The pre-commit hook currently references the ESLint mirror
(repo: https://github.com/pre-commit/mirrors-eslint, rev: v9.0.0, id: eslint,
files: \.(ts|tsx)$) but this repo uses Biome for linting; remove or replace that
ESLint hook and add a pre-commit hook that runs Biome instead (e.g., a local
hook with entry "biome check" or "biome lint" scoped to the app/ TypeScript
files), ensuring the hook targets the same file patterns (or narrows to app/ if
desired) so pre-commit invokes Biome rather than ESLint.

In `@BONANZA_IMPROVEMENTS.md`:
- Around line 5-17: The "9/9 new checks" header is inconsistent with the table
because "README badges" is marked "(already present)"; update
BONANZA_IMPROVEMENTS.md to either remove the "README badges" row from the
new-checks table or change the header and table to indicate "8/9 new checks" (or
move badges to a "pre-existing" subsection). Edit the header text "9/9 new
checks" and/or the table row for "README badges" so the count and items
accurately reflect only newly added infrastructure items, ensuring the header
and table match.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f2d17315-e80b-49a3-b434-f4b0144d96f3

📥 Commits

Reviewing files that changed from the base of the PR and between ed2eec5 and c83c3dc.

📒 Files selected for processing (10)
  • .devcontainer/devcontainer.json
  • .github/ISSUE_TEMPLATE/bug_report.md
  • .github/ISSUE_TEMPLATE/feature_request.md
  • .github/PULL_REQUEST_TEMPLATE.md
  • .github/dependabot.yml
  • .github/workflows/benchmark.yml
  • .github/workflows/codeql.yml
  • .github/workflows/sbom.yml
  • .pre-commit-config.yaml
  • BONANZA_IMPROVEMENTS.md

"ghcr.io/devcontainers-extra/features/bun:1": {},
"ghcr.io/devcontainers/features/rust:1": {}
},
"postCreateCommand": "just setup",
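Review bot: the `features` block pulls `ghcr.io/devcontainers-extra/features/bun:1` and `ghcr.io/devcontainers/features/rust:1` by a mutable `:1` tag, so every container build resolves whatever that tag points at on that day; this is the same class of problem the nitpick raises for `anchore/sbom-action@v0`, and dev container features are OCI artifacts that can be referenced by `@sha256:` digest if a reproducible environment is the goal. `postCreateCommand: "just setup"` additionally runs the checked-out justfile's `setup` recipe as the image's sudo-capable `vscode` user, so any branch can change what executes on container creation; that deserves a mention in the PR template checklist for changes touching `justfile` or `.devcontainer/`.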

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check devcontainer post-create command:"
sed -n '1,120p' .devcontainer/devcontainer.json | nl -ba | sed -n '1,80p'

echo
echo "Check whether repository provisions 'just' anywhere:"
rg -n --hidden -S '\bjust\b|cargo install just|apt(-get)? install just|brew install just|go install .*just' \
  .devcontainer justfile .github || true

echo
echo "Check that the called target exists:"
rg -n --hidden -S '^setup:' justfile || true

Repository: jamiepine/voicebox

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check devcontainer.json content ==="
cat .devcontainer/devcontainer.json | head -40

echo
echo "=== Search for 'just' in features configuration ==="
grep -i "just" .devcontainer/devcontainer.json || echo "(not found)"

echo
echo "=== Check if setup target exists in justfile ==="
grep -n "^setup:" justfile || echo "(not found)"

echo
echo "=== Full devcontainer.json ==="
cat .devcontainer/devcontainer.json

Repository: jamiepine/voicebox

Length of output: 1101


🌐 Web query:

mcr.microsoft.com/devcontainers/python:3.11 just command included

💡 Result:

The mcr.microsoft.com/devcontainers/python:3.11 Docker image is a pre-built development container image based on the official python:3.11 Debian image (likely trixie variant by default). It includes: - Python 3.11 - git - zsh with Oh My Zsh! - Non-root 'vscode' user with sudo access - nvm (Node Version Manager) for optional Node.js installation - A number of Python development tools installed via pipx (specific tools not explicitly listed in sources, but designed for isolated environments; examples include utilities like black, flake8, etc., as per standard devcontainer practice) - Common development dependencies - Security patches: upgraded setuptools to 78.1.1, gitpython to 3.1.41, and Subversion to 1.14.5 - imagemagick removed for security The Dockerfile starts from python:${VARIANT} where VARIANT=3.11 for this tag, runs apt updates/purges, pip upgrades, and a custom svn upgrade script. Full details in the .devcontainer folder of https://github.com/devcontainers/images/tree/main/src/python. No ENTRYPOINT or CMD is set in the base Dockerfile (inherits from python image, which has no CMD). It is designed for use as a VS Code devcontainer base image, not for running a specific command by default. When used in devcontainer.json, VS Code sets up the environment accordingly. Last pushed around March 2026 per MCR tags.

🌐 Web query:

ghcr.io/devcontainers-extra/features/just devcontainer feature

💡 Result:

ghcr.io/devcontainers-extra/features/just is a Dev Container feature from the devcontainers-extra/features repository that installs the "just" command runner tool in development containers for VS Code and GitHub Codespaces. This repository provides extra community-maintained features beyond the official devcontainers/features set, with the project actively maintained as of March 2026 (last push 2026-03-22). The repo lists "Just" in its languages (Shell 100.0%, Just), indicating a feature for installing the just build tool (https://just.systems/), a modern alternative to Makefiles. To use it in devcontainer.json: { "image": "mcr.microsoft.com/devcontainers/base:bookworm", "features": { "ghcr.io/devcontainers-extra/features/just": {} } } Check the specific feature's README in the repo's src/just directory for options and details. The project is a continuation of devcontainers-contrib/features due to original inactivity, not officially endorsed by the Dev Containers project but widely used and CLI-redirected from contrib namespace. Other community "just" features exist (e.g., ghcr.io/guiyomh/features/just:0), but this matches the queried path exactly.

Add just feature to devcontainer configuration.

The postCreateCommand calls just setup, but the features section does not include the just tool. The base image does not provide just, so container creation will fail.

Suggested fix
 {
   "name": "Voicebox Development",
   "image": "mcr.microsoft.com/devcontainers/python:3.11",
   "features": {
+    "ghcr.io/devcontainers-extra/features/just:1": {},
     "ghcr.io/devcontainers-extra/features/bun:1": {},
     "ghcr.io/devcontainers/features/rust:1": {}
   },
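Review bot: the added line pins the feature as `ghcr.io/devcontainers-extra/features/just:1`, but the web query result above only confirms the untagged `ghcr.io/devcontainers-extra/features/just` path and describes that repository as community-maintained rather than official, while the agent prompt for this comment points at a `devcontainers/features/just` entry and calls it official; before committing, confirm which tag actually exists for the `just` feature and correct the prompt so the two do not disagree about which feature is meant.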

Comment on lines +15 to +16
- name: Run TTS benchmark
run: python -c "print('Benchmark placeholder - add real benchmarks')"
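Review bot: the `run:` on line 16 is a `print` that cannot fail, so this workflow goes green on every weekly run while measuring nothing, and a scheduled job that always passes reads as coverage that does not exist. Either wire in the real benchmark now, with its results uploaded as an artifact so consecutive runs can be compared for regressions, or name the job explicitly as a placeholder until a benchmark exists.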

⚠️ Potential issue | 🟠 Major

This is not a real benchmark yet.

Line 16 only prints a message, so the workflow cannot detect regressions or produce benchmark artifacts. This misses the stated benchmark objective.

Suggested direction
-      - name: Run TTS benchmark
-        run: python -c "print('Benchmark placeholder - add real benchmarks')" 
+      - name: Run TTS benchmark
+        run: |
+          python backend/scripts/benchmark_tts.py --output benchmark-results.json
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark-results
+          path: benchmark-results.json
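Review bot: the suggested `actions/upload-artifact@v4` is itself a mutable tag, the same problem the nitpick flags on `anchore/sbom-action@v0`, so the fix should pin it to a commit SHA as well. `backend/scripts/benchmark_tts.py` here and `benchmark/tts_benchmark.py` in the agent prompt are two different example paths, so neither is confirmed to exist in the repository; point the step at the script that is actually present before committing this.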

Comment on lines +12 to +13
permissions:
security-events: write
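Review bot: once a `permissions:` block lists any scope, every scope it does not list is set to none for `GITHUB_TOKEN`, so this job's token has `security-events: write` and nothing else, including no `contents: read` for `actions/checkout` and no `actions: read` for the SARIF upload. Add `contents: read` and `actions: read` next to `security-events: write`, and keep the block at job level so the write scope is confined to the analysis job rather than granted workflow-wide.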

⚠️ Potential issue | 🟠 Major

Add required permissions for CodeQL.

The workflow only grants security-events: write, but CodeQL typically requires additional permissions. Missing contents: read may cause the checkout to fail in certain repository configurations, and missing actions: read can affect sarif upload in private repositories.

🔒 Proposed fix to add missing permissions
     permissions:
+      contents: read
+      actions: read
       security-events: write

Comment on lines +13 to +18
path: /backend
format: spdx-json
- uses: anchore/sbom-action@v0
with:
path: /app
format: spdx-json
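Review bot: two `anchore/sbom-action@v0` steps in one job both leave `artifact-name` and `output-file` at their defaults, so check that the second SBOM does not overwrite or collide with the first, and give each step a distinct `artifact-name` (for example `backend.spdx.json` and `app.spdx.json`). The same PR's Dependabot config tracks cargo under `/tauri`, yet no SBOM step covers that directory, so the Rust/Tauri dependencies are missing from the inventory this workflow is meant to produce.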

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Verify expected repo directories exist relative to workspace:"
fd -t d '^(backend|app)$' . || true

echo
echo "Show workflow path inputs:"
sed -n '1,120p' .github/workflows/sbom.yml | nl -ba | sed -n '1,120p'

Repository: jamiepine/voicebox

Length of output: 260


🏁 Script executed:

cat -n .github/workflows/sbom.yml

Repository: jamiepine/voicebox

Length of output: 558


🌐 Web query:

anchore/sbom-action path parameter absolute vs relative paths GitHub Actions

💡 Result:

The path parameter in anchore/sbom-action accepts relative paths to the repository root (e.g., ./build/), as explicitly stated in the official README. There is no mention of support for absolute paths in the documentation. In GitHub Actions, relative paths are standard and resolved from the workspace (checked out repository root after actions/checkout), making them portable across runners. Absolute paths (e.g., /home/runner/work/repo/build) may work technically since the filesystem is accessible, but they are not recommended or documented, as they reduce portability (runner workspaces vary). Use relative paths for best practice.

Use workspace-relative paths; current absolute paths violate documented best practices.

Lines 13 and 17 use /backend and /app (absolute filesystem paths). The anchore/sbom-action expects relative paths to the repository root (e.g., backend and app), as documented in the official README. Absolute paths reduce portability across runners.

Suggested fix
       - uses: anchore/sbom-action@v0
         with:
-          path: /backend
+          path: backend
           format: spdx-json
       - uses: anchore/sbom-action@v0
         with:
-          path: /app
+          path: app
           format: spdx-json
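The nitpick above (pin `anchore/sbom-action` to a commit SHA), the `codeql.yml` permissions comment and this `sbom.yml` path comment are all mechanical properties of the workflow text, so they can be caught before review. The checker below is an added example written for this page; it is not code from the Voicebox repository, CodeRabbit or Bonanza Labs. It is deliberately regex-based so it runs with the standard library alone (it is not a general YAML parser), and the two sample workflows are constructed from the hunks quoted in this thread; the 40-hex `0123…` SHA in the second sample is a placeholder, not a real commit.

```python
"""Lint GitHub Actions workflow text for three supply-chain / least-privilege issues:
  1. `uses:` references not pinned to a full 40-hex commit SHA (mutable tags)
  2. a `permissions:` block that omits `contents: read` while the job checks out code
  3. absolute `path:` inputs handed to anchore/sbom-action
Regex-based on purpose so it needs no PyYAML; adequate for ordinary
two-space-indented workflow files, not a full YAML parser."""
import re
import sys

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")
SCOPE_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")
ABS_PATH_RE = re.compile(r"""^\s*path:\s*['"]?(/[^'"\s]*)""")


def indent_of(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def check_workflow(text: str) -> list:
    """Return human-readable findings for one workflow file; [] means clean."""
    lines = text.splitlines()
    findings = []
    scopes = {}            # GITHUB_TOKEN scopes the file grants explicitly
    saw_permissions = False
    uses_checkout = False
    in_sbom_step = False   # True between an sbom-action `uses:` and the next `uses:`

    for idx, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            name, _, version = ref.partition("@")
            in_sbom_step = name.startswith("anchore/sbom-action")
            uses_checkout = uses_checkout or name.startswith("actions/checkout")
            # Local (./x) and docker:// actions are not addressed by a git ref at all
            if not name.startswith(("./", "docker://")) and not SHA_RE.match(version):
                findings.append(f"line {idx}: {ref} is not pinned to a 40-hex commit SHA")
            continue

        m = PERM_RE.match(line)
        if m:
            saw_permissions = True
            inline = m.group(1)
            if inline == "read-all":
                scopes["contents"] = "read"
            elif inline == "write-all":
                scopes["contents"] = "write"
                findings.append(f"line {idx}: permissions: write-all grants every scope")
            # Nested scopes sit on the following, more-indented, non-blank lines
            base = indent_of(line)
            for nxt in lines[idx:]:
                if nxt.strip() == "" or indent_of(nxt) <= base:
                    break
                sm = SCOPE_RE.match(nxt)
                if sm:
                    scopes[sm.group(1)] = sm.group(2)
            continue

        if in_sbom_step:
            pm = ABS_PATH_RE.match(line)
            if pm:
                findings.append(
                    f"line {idx}: sbom-action path {pm.group(1)!r} is absolute; "
                    f"use a repository-relative path such as {pm.group(1).lstrip('/')!r}")

    # Listing any scope sets all unlisted scopes to none, so checkout needs contents: read
    if saw_permissions and uses_checkout and scopes.get("contents") not in ("read", "write"):
        findings.append("permissions block omits contents: read, so actions/checkout "
                        "runs with a GITHUB_TOKEN that cannot read the repository")
    return findings


# Constructed samples modelled on the hunks quoted in this review (not the repo's files).
SAMPLE_CODEQL = """\
name: CodeQL
on:
  push:
  schedule:
    - cron: '0 3 * * 1'
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript, python
      - uses: github/codeql-action/analyze@v3
"""

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit
SAMPLE_SBOM = f"""\
name: SBOM
on: [push]
permissions:
  contents: read
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: anchore/sbom-action@v0
        with:
          path: /backend
          format: spdx-json
"""

if __name__ == "__main__":
    # With file arguments, lint those; otherwise lint the two constructed samples.
    targets = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or \
              [("codeql.yml (sample)", SAMPLE_CODEQL), ("sbom.yml (sample)", SAMPLE_SBOM)]
    for label, text in targets:
        print(f"== {label}")
        for finding in check_workflow(text) or ["clean"]:
            print("   ", finding)
```

Run it with no arguments to see the two samples flagged (three unpinned actions plus the missing `contents: read` in the CodeQL sample; one unpinned action plus the absolute path in the SBOM sample), or pass `.github/workflows/*.yml` to lint real files. The SHA check is a syntactic test only: a 40-hex ref proves the reference is immutable, not that the commit was reviewed, so the pin still has to be paired with Dependabot's `github-actions` ecosystem, which this PR does enable, to keep it current.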

Comment thread .pre-commit-config.yaml
Comment on lines +2 to +7
- repo: https://github.com/pre-commit/mirrors-eslint
rev: v9.0.0
hooks:
- id: eslint
types: [file]
files: \.(ts|tsx)$
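Review bot: apart from the ESLint/Biome mismatch, `mirrors-eslint` at `rev: v9.0.0` installs plain ESLint 9, which looks for a flat `eslint.config.*` file and needs a TypeScript parser supplied through `additional_dependencies` before it can lint `.ts`/`.tsx`; the search above found neither in the repository, so this hook would fail on the first TypeScript commit even if ESLint were the intended linter.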

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check lint tooling in app/package.json:"
sed -n '1,120p' app/package.json | nl -ba | sed -n '1,80p'

echo
echo "Check Biome configuration:"
sed -n '1,140p' biome.json | nl -ba | sed -n '1,120p'

echo
echo "Search for ESLint config/dependency in repository:"
rg -n --hidden -S 'eslintConfig|@typescript-eslint|eslint' package.json app/package.json .eslintrc* eslint.config.* || true

Repository: jamiepine/voicebox

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Content of app/package.json (first 150 lines) ==="
head -150 app/package.json

echo
echo "=== Content of biome.json ==="
cat biome.json 2>/dev/null || echo "biome.json not found"

echo
echo "=== Full .pre-commit-config.yaml ==="
cat .pre-commit-config.yaml 2>/dev/null || echo ".pre-commit-config.yaml not found"

echo
echo "=== Search for ESLint configurations ==="
rg -n 'eslintConfig|@typescript-eslint|eslint' --type yaml --type json || echo "No ESLint configs found"

echo
echo "=== Check for ESLint dependencies ==="
rg -n 'eslint' package.json app/package.json || echo "No ESLint dependencies found"

Repository: jamiepine/voicebox

Length of output: 4879


Pre-commit is configured to use ESLint, but the app is set up with Biome for linting.

The app/ directory has no ESLint dependencies and all lint scripts point to Biome (biome lint, biome check). The pre-commit hook at lines 2–7 runs ESLint on all .ts|tsx files repo-wide, creating a tooling mismatch that will cause pre-commit failures or conflicting rule enforcement between local development and CI/CD.

Suggested fix
 repos:
-  - repo: https://github.com/pre-commit/mirrors-eslint
-    rev: v9.0.0
+  - repo: local
     hooks:
-      - id: eslint
-        types: [file]
-        files: \.(ts|tsx)$
+      - id: biome-check
+        name: biome check
+        entry: bunx biome check
+        language: system
+        files: \.(ts|tsx|js|jsx|json)$
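Review bot: `language: system` with `entry: bunx biome check` runs whatever Biome `bunx` resolves on each developer's machine rather than the version pinned in `app/package.json`, and pre-commit invokes the hook from the repository root, so confirm that it actually picks up `app/node_modules`; pin the version explicitly (`bunx @biomejs/biome@<version> check`) or call the app's own lint script so local hooks and CI enforce the same ruleset.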

Comment thread BONANZA_IMPROVEMENTS.md
Comment on lines +5 to +17
## Added Infrastructure (9/9 new checks)

| Check | Details |
|-------|---------|
| CodeQL Security | Weekly TypeScript + Python scans |
| Dependabot | npm + pip + cargo + GitHub Actions |
| Pre-commit Hooks | ESLint + Flake8 + standard hooks |
| Issue Templates | Bug report + feature request |
| PR Template | Structured checklist |
| Dev Container | Python + Bun + Rust environment |
| SBOM Generation | SPDX format for backend + frontend |
| Performance Benchmarks | TTS benchmark workflow |
| README badges | (already present) |
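Review bot: the `Pre-commit Hooks` row records `ESLint + Flake8 + standard hooks` while the `.pre-commit-config.yaml` thread establishes that the app lints with Biome; however that hook is resolved, this row has to change with it or the document misdescribes what the hooks run. Make that edit together with the count fix requested below so the table and its header are corrected once.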

⚠️ Potential issue | 🟡 Minor

Inconsistent count of new checks.

The header claims "9/9 new checks," but the table includes "README badges" marked as "(already present)." If badges already existed, they shouldn't be counted as new infrastructure additions. This creates confusion about what was actually added in this PR.

Either remove the badges row from the table, or clarify that 8 checks are new and 1 was pre-existing.

📝 Proposed fix to clarify the count

Option 1: Remove pre-existing item from new checks

-## Added Infrastructure (9/9 new checks)
+## Added Infrastructure (8 new checks)

 | Check | Details |
 |-------|---------|
 | CodeQL Security | Weekly TypeScript + Python scans |
 | Dependabot | npm + pip + cargo + GitHub Actions |
 | Pre-commit Hooks | ESLint + Flake8 + standard hooks |
 | Issue Templates | Bug report + feature request |
 | PR Template | Structured checklist |
 | Dev Container | Python + Bun + Rust environment |
 | SBOM Generation | SPDX format for backend + frontend |
 | Performance Benchmarks | TTS benchmark workflow |
-| README badges | (already present) |

Option 2: Clarify with separate sections

-## Added Infrastructure (9/9 new checks)
+## Added Infrastructure (8 new checks)

 | Check | Details |
 |-------|---------|
 | CodeQL Security | Weekly TypeScript + Python scans |
 | Dependabot | npm + pip + cargo + GitHub Actions |
 | Pre-commit Hooks | ESLint + Flake8 + standard hooks |
 | Issue Templates | Bug report + feature request |
 | PR Template | Structured checklist |
 | Dev Container | Python + Bun + Rust environment |
 | SBOM Generation | SPDX format for backend + frontend |
 | Performance Benchmarks | TTS benchmark workflow |
+
+## Pre-existing Infrastructure (1 check)
+
+| Check | Details |
+|-------|---------|
 | README badges | (already present) |
