chore: standardize repository tooling#785
Conversation
|
@QDyanbing is attempting to deploy a commit to the React Component Team on Vercel. A member of the Team first needs to authorize it. |
Walkthrough此 PR 将包名与示例导入统一切换到 Changes包名与站点迁移
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
.dumirc.tsESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox. docs/examples/dynaymicCSS.tsxESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox. docs/examples/focus.tsxESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request migrates the repository to the scoped package @rc-component/util, updating the README, documentation, and configuration files accordingly. It also refactors package scripts, updates TypeScript paths, and adds a Vercel configuration. Feedback is provided regarding a mismatch in the README where useMobile is documented as an exported hook but is not exported in src/index.ts.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #785 +/- ##
=======================================
Coverage 86.42% 86.42%
=======================================
Files 39 39
Lines 1068 1068
Branches 388 373 -15
=======================================
Hits 923 923
Misses 143 143
Partials 2 2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/cloudflare-pages-preview.yml (1)
31-31: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value预览构建建议使用
npm ci以保证可复现性。预览部署使用
npm install会按package.json解析最新满足范围的版本,构建结果不可复现。若仓库存在package-lock.json,建议改用npm ci。🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cloudflare-pages-preview.yml at line 31, The Cloudflare Pages preview workflow is using npm install, which can produce non-reproducible builds. Update the workflow step in cloudflare-pages-preview to use npm ci instead, keeping the install behavior locked to package-lock.json for consistent preview deployments.package.json (1)
28-34: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win把
docs和根级 TS 配置也纳入lint。这次迁移同时改了
docs/examples/*.tsx,而tsconfig.json也把docs、.dumirc.ts、.fatherrc.ts视为受支持的 TS 输入;现在的lint只扫src/和tests/,这些文件里的导入或 JSX/TS 语法问题会直接失去 ESLint 覆盖。建议改法
- "lint": "eslint src/ tests/ --ext .tsx,.ts", + "lint": "eslint src/ tests/ docs/ .dumirc.ts .fatherrc.ts --ext .tsx,.ts",🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` around lines 28 - 34, Update the package.json lint script so ESLint also checks the docs directory and the root TypeScript config files that are part of the supported TS inputs. The current lint command only covers src/ and tests/, so adjust the lint target list in the package.json scripts entry to include docs, .dumirc.ts, and .fatherrc.ts alongside the existing paths. Use the lint script as the place to make this change so docs/examples/*.tsx and root TS files continue to receive ESLint coverage.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cloudflare-pages-preview.yml:
- Line 41: The Cloudflare Pages deploy command is directly interpolating
github.head_ref into wrangler-action’s command string, which creates a
shell-injection risk from user-controlled branch names. Update the workflow to
stop concatenating the branch name in the command and instead pass it through an
environment variable or equivalent safe input, then reference that variable from
the deploy step so the branch value is not parsed as shell syntax. Use the
existing deploy step in cloudflare-pages-preview and the command field as the
location to apply the fix.
In @.github/workflows/react-component-ci.yml:
- Line 5: The reusable workflow reference in react-component-ci.yml is too
loosely pinned and the current secret forwarding is broader than necessary.
Update the workflow invocation that uses test-utoo.yml to reference a specific
commit SHA instead of `@main`, and replace secrets: inherit with an explicit
CODECOV_TOKEN mapping so only the required secret is passed through.
---
Nitpick comments:
In @.github/workflows/cloudflare-pages-preview.yml:
- Line 31: The Cloudflare Pages preview workflow is using npm install, which can
produce non-reproducible builds. Update the workflow step in
cloudflare-pages-preview to use npm ci instead, keeping the install behavior
locked to package-lock.json for consistent preview deployments.
In `@package.json`:
- Around line 28-34: Update the package.json lint script so ESLint also checks
the docs directory and the root TypeScript config files that are part of the
supported TS inputs. The current lint command only covers src/ and tests/, so
adjust the lint target list in the package.json scripts entry to include docs,
.dumirc.ts, and .fatherrc.ts alongside the existing paths. Use the lint script
as the place to make this change so docs/examples/*.tsx and root TS files
continue to receive ESLint coverage.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b2658724-fa8c-4104-b238-dc60346f9716
📒 Files selected for processing (19)
.dumirc.ts.github/FUNDING.yml.github/workflows/cloudflare-pages-preview.yml.github/workflows/codeql.yml.github/workflows/react-component-ci.yml.github/workflows/react-doctor.yml.github/workflows/site-deploy.yml.github/workflows/surge-preview.ymlREADME.mddocs/examples/dynaymicCSS.tsxdocs/examples/focus.tsxdocs/examples/getScrollBarSize.tsxdocs/examples/portal.tsxdocs/examples/styleChecker.tsxdocs/examples/toArray.tsxdocs/index.mdpackage.jsontsconfig.jsonvercel.json
| with: | ||
| apiToken: ${{ env.CLOUDFLARE_API_TOKEN }} | ||
| accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }} | ||
| command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
避免将 github.head_ref 直接插值到 command 中(模板注入隐患)。
command 会被 wrangler-action 作为 shell 命令执行,而 github.head_ref 是用户可控的分支名。Git 引用名允许包含 $、反引号、; 等 shell 元字符,攻击者可构造特制分支名注入命令。虽然此处密钥仅对同仓库 PR 可用(fork PR 因密钥为空被跳过)从而限制了暴露面,但仍建议通过环境变量间接引用,避免在表达式中直接拼接。
🛡️ 建议改为通过 env 传递分支名
- name: Deploy preview
if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }}
uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0
+ env:
+ HEAD_REF: ${{ github.head_ref }}
with:
apiToken: ${{ env.CLOUDFLARE_API_TOKEN }}
accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }}
- command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }}
+ command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch="$HEAD_REF"
gitHubToken: ${{ secrets.GITHUB_TOKEN }}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch=${{ github.head_ref }} | |
| - name: Deploy preview | |
| if: ${{ env.CLOUDFLARE_API_TOKEN != '' && env.CLOUDFLARE_ACCOUNT_ID != '' && env.CLOUDFLARE_PAGES_PROJECT != '' }} | |
| uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 | |
| env: | |
| HEAD_REF: ${{ github.head_ref }} | |
| with: | |
| apiToken: ${{ env.CLOUDFLARE_API_TOKEN }} | |
| accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }} | |
| command: pages deploy .doc --project-name=${{ env.CLOUDFLARE_PAGES_PROJECT }} --branch="$HEAD_REF" | |
| gitHubToken: ${{ secrets.GITHUB_TOKEN }} |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/cloudflare-pages-preview.yml at line 41, The Cloudflare
Pages deploy command is directly interpolating github.head_ref into
wrangler-action’s command string, which creates a shell-injection risk from
user-controlled branch names. Update the workflow to stop concatenating the
branch name in the command and instead pass it through an environment variable
or equivalent safe input, then reference that variable from the deploy step so
the branch value is not parsed as shell syntax. Use the existing deploy step in
cloudflare-pages-preview and the command field as the location to apply the fix.
| jobs: | ||
| test: | ||
| uses: react-component/rc-test/.github/workflows/test-npm.yml@main | ||
| uses: react-component/rc-test/.github/workflows/test-utoo.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# 验证目标可复用工作流是否存在及其声明的 inputs/secrets
gh api repos/react-component/rc-test/contents/.github/workflows/test-utoo.yml \
--jq '.content' 2>/dev/null | base64 -d || \
echo "未能获取 test-utoo.yml,请确认该工作流在 react-component/rc-test 的 main 分支存在"Repository: react-component/util
Length of output: 690
确认 test-utoo.yml 存在,建议固定引用版本以增强安全性。
已验证 react-component/rc-test 仓库的 main 分支包含 test-utoo.yml 工作流,其通过 workflow_call 触发且无需自定义输入,依赖 secrets.CODECOV_TOKEN。当前 secrets: inherit 的配置在逻辑上合规,但存在以下风险:
- 未锁定版本:引用
@main使 CI 易受上游非预期变更影响。建议固定为具体 Commit SHA。 - 密钥传递:
secrets: inherit会无条件传递所有继承密钥。若上游仓库不完全可信,建议仅显式传递CODECOV_TOKEN。
# 建议修改示例
uses: react-component/rc-test/.github/workflows/test-utoo.yml@<commit-sha>
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}🧰 Tools
🪛 zizmor (1.26.1)
[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow
(secrets-inherit)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/react-component-ci.yml at line 5, The reusable workflow
reference in react-component-ci.yml is too loosely pinned and the current secret
forwarding is broader than necessary. Update the workflow invocation that uses
test-utoo.yml to reference a specific commit SHA instead of `@main`, and replace
secrets: inherit with an explicit CODECOV_TOKEN mapping so only the required
secret is passed through.
Source: Linters/SAST tools
|
直接 codex 里一个 /goal 平推了~~ |
哈哈发现就close了,这种就很适合直接平推;互相参考几乎不会出问题; |
变更
@rc-component/util标题、scoped npm 徽章、Ant Design 生态说明、Highlights、Install、Usage、Examples、API、Development、Release 和 License 结构。rc-utilAPI 文档。tsc和prettier,修正lint为单条 eslint 命令,更新 lint-staged 的 Prettier 写法。react-component/rc-test/.github/workflows/test-utoo.yml@main。@rc-component/utilpath,更新 docs 首页标题。兼容性
.doc。验证
npx prettier --write --ignore-unknown README.md package.json tsconfig.json docs/index.md vercel.json .github/FUNDING.yml .github/workflows/*.ymlnpm run tscnpm run lintnpm test -- --runInBandnpm run compilenpm run buildgit diff --check说明:
npm run lint和npm run compile仍有两个既有 warning(findDOMNode.ts的 type import、Portal.tsx的{}类型),没有新增 error。Summary by CodeRabbit
New Features
Documentation
Chores