Switch to ESM, switch to Rolldown, bump deps, switch dev tools#56

Merged: MrSquaare merged 7 commits into main from build/bundler-and-deps, Mar 6, 2026

Owner

@MrSquaare MrSquaare commented Mar 6, 2026

Pull Request

Related issue(s)

  • N/A

Description

Summary by CodeRabbit

Release Notes

  • Chores

    • Version bumped to 3.1.2 and package metadata updated.
    • Updated core dependencies and package manager to pnpm 10.30.3.
    • Introduced new build tooling and bundler configuration.
    • Added formatting and linting configs for OxFMT and Oxlint.
  • New Features

    • Added a reusable CI setup step and streamlined workflow for builds and checks.
  • Style

    • Formatting and minor documentation whitespace/indentation adjustments.

Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
@MrSquaare MrSquaare self-assigned this Mar 6, 2026
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>

coderabbitai Bot commented Mar 6, 2026

Walkthrough

Updates build and CI tooling, adds OxFMT/Oxlint configs, introduces Rolldown build config, migrates cleanup to ESM, removes ESLint config, bumps package metadata/dependencies, and replaces workflow steps with a new setup-env composite action and streamlined GitHub Actions workflow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Linting & Formatting Configs: .codacy.yml, .oxlintrc.json, .oxfmtrc.json | Normalized YAML quoting in Codacy; added Oxlint and OxFMT config files with schema refs and ignore patterns (.github, .pnpm-store, lib/**). |
| Build Configuration & Tooling: rolldown.config.ts, package.json, eslint.config.mjs | Added a two-entry Rolldown config mapping src/*.ts → lib/*.js; updated package.json (version bump to 3.1.2, metadata, scripts, devDependencies, packageManager); removed content/export from eslint.config.mjs. |
| Source → Lib Migration: src/cleanup.ts, lib/cleanup.js, src/index.ts | Converted cleanup module toward ESM (import syntax, explicit export {}), wrapped SSH-agent stop in try/catch with formatted logging; minor formatting changes in src/index.ts and src/cleanup.ts without behavior changes. |
| CI / Actions: .github/actions/setup-env/action.yml, .github/workflows/pull-request.yml | Added setup-env composite action to install pnpm and Node; rewrote pull-request workflow to use scheduled/pull_request/workflow_dispatch triggers, use setup-env, streamline build/test jobs and update checkout/actions versions. |
| Docs & Misc: README.md, CONTRIBUTING.md | Whitespace and YAML code-block indentation adjustments and a blank-line insertion; no functional changes. |

Sequence Diagram(s)

sequenceDiagram
  participant PR as Pull Request / Trigger
  participant Runner as GitHub Actions Runner
  participant Checkout as actions/checkout
  participant SetupEnv as .github/actions/setup-env
  participant PNPM as pnpm (installer)
  participant Node as Node.js setup
  participant Scripts as repo scripts (build/test)

  PR->>Runner: workflow triggered
  Runner->>Checkout: checkout repository
  Runner->>SetupEnv: run composite setup action
  SetupEnv->>PNPM: install pnpm (pnpm/action-setup)
  SetupEnv->>Node: setup Node 20 (actions/setup-node)
  SetupEnv->>Runner: dependencies installed (pnpm install)
  Runner->>Scripts: run lint/build/test scripts (via pnpm)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

build, chore

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately captures the main changes: switching to ESM and Rolldown, bumping dependencies, and switching dev tools. |
| Description check | ✅ Passed | The description follows the template structure and provides concrete details about the changes, though it lacks information about specific related issues or GitHub issue references. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
rolldown.config.ts (1)

3-21: Deduplicate the repeated bundle config.

Both entries only differ by input and output.file. Pulling the shared options into a small helper will make future build changes less error-prone.

Refactor sketch
 import { defineConfig } from "rolldown";
 
+const createBundle = (input: string, file: string) => ({
+  input,
+  output: {
+    file,
+    format: "esm",
+    comments: false,
+  },
+  platform: "node" as const,
+});
+
 export default defineConfig([
-  {
-    input: "src/index.ts",
-    output: {
-      file: "lib/index.js",
-      format: "esm",
-      comments: false,
-    },
-    platform: "node",
-  },
-  {
-    input: "src/cleanup.ts",
-    output: {
-      file: "lib/cleanup.js",
-      format: "esm",
-      comments: false,
-    },
-    platform: "node",
-  },
+  createBundle("src/index.ts", "lib/index.js"),
+  createBundle("src/cleanup.ts", "lib/cleanup.js"),
 ]);
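Review bot: In `createBundle`, `platform` is narrowed with `as const` but `format: "esm"` is not, so inside this unannotated helper `format` is inferred as `string` rather than the literal `"esm"`. If the options type accepted by `defineConfig` expects a literal union for `output.format`, the `createBundle(...)` results will fail type-checking. Narrow both the same way (`format: "esm" as const`) or give the helper an explicit return type taken from rolldown's exported option types, so the literals are checked where they are written.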
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rolldown.config.ts` around lines 3 - 21, The two config objects passed into
defineConfig are duplicated except for input and output.file; extract the shared
settings into a small factory helper (e.g., makeConfig or createBundleConfig)
that accepts inputPath and outputFile and returns an object with the common
output (format: "esm", comments: false) and platform: "node", then replace the
two inline objects with calls to that helper (referencing defineConfig, input,
output.file, output.format, comments, and platform to locate where to change).
package.json (1)

33-33: Consider pinning to stable Rolldown once available.

Using a release candidate (1.0.0-rc.7) for build tooling is acceptable, but be aware that RC versions may introduce breaking changes between releases. Consider upgrading to a stable version once Rolldown reaches 1.0.0.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 33, The package.json currently pins the build tool
dependency "rolldown" to the release candidate "1.0.0-rc.7"; update the version
field for "rolldown" to the stable 1.0.0 (or the first stable semver you adopt)
once it is released and consider using a stable pin (e.g., "1.0.0" or a caret
range like "^1.0.0" per your project's dependency policy) to avoid tracking RC
releases in the future.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/cleanup.ts`:
- Around line 8-11: Remove the duplicate warning by logging only once: inside
the block that checks "error instanceof Error" (the cleanup code that stops the
SSH agent), replace the two console.warn calls with a single console.warn that
conditionally includes error.message/details when the error is an Error and
otherwise logs a generic message; ensure the code path that handles Error
instances does not fall through to the generic console.warn so you don't emit
two warnings.

---

Nitpick comments:
In `@package.json`:
- Line 33: The package.json currently pins the build tool dependency "rolldown"
to the release candidate "1.0.0-rc.7"; update the version field for "rolldown"
to the stable 1.0.0 (or the first stable semver you adopt) once it is released
and consider using a stable pin (e.g., "1.0.0" or a caret range like "^1.0.0"
per your project's dependency policy) to avoid tracking RC releases in the
future.

In `@rolldown.config.ts`:
- Around line 3-21: The two config objects passed into defineConfig are
duplicated except for input and output.file; extract the shared settings into a
small factory helper (e.g., makeConfig or createBundleConfig) that accepts
inputPath and outputFile and returns an object with the common output (format:
"esm", comments: false) and platform: "node", then replace the two inline
objects with calls to that helper (referencing defineConfig, input, output.file,
output.format, comments, and platform to locate where to change).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f6643f79-1fb6-4b09-9165-243cacb207c7

📥 Commits

Reviewing files that changed from the base of the PR and between 7c2bf61 and e4e36d9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (12)
  • .codacy.yml
  • .oxfmtrc.json
  • .oxlintrc.json
  • CONTRIBUTING.md
  • README.md
  • eslint.config.mjs
  • lib/cleanup.js
  • lib/index.js
  • package.json
  • rolldown.config.ts
  • src/cleanup.ts
  • src/index.ts
💤 Files with no reviewable changes (1)
  • eslint.config.mjs

Comment thread src/cleanup.ts
Signed-off-by: Guillaume Bonnet <mrsquaare@mrsquaare.fr>
@MrSquaare MrSquaare changed the title Switch to Rolldown, bump deps, switch to oxlint + oxfmt Switch to ESM, switch to Rolldown, bump deps, switch dev tools Mar 6, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (3)
.github/actions/setup-env/action.yml (1)

8-14: Pin these action references to full commit SHAs.

pnpm/action-setup@v4 and actions/setup-node@v6 are mutable tags. Since this helper is reused across CI jobs, pin them to full-length SHAs and keep the human-readable version in a comment. GitHub’s hardening guidance calls a full commit SHA the only immutable way to consume an action. (docs.github.com)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/setup-env/action.yml around lines 8 - 14, Replace the
mutable action references `pnpm/action-setup@v4` and `actions/setup-node@v6`
with their corresponding full commit SHAs (e.g. `pnpm/action-setup@<full-sha>`
and `actions/setup-node@<full-sha>`), keeping the human-readable tag (v4 / v6)
as a comment for clarity; update the `uses:` entries where those two strings
appear and verify the SHAs point to the intended commits on each action's
repository per GitHub hardening guidance.
.github/workflows/pull-request.yml (2)

14-14: Pin actions/checkout here as well.

All three jobs reference actions/checkout through the mutable v6 tag. In the test job, that step runs before local action code and shell steps that later consume SSH private keys, so a full commit SHA is the safer default. GitHub documents full-length SHAs as the only immutable action reference. (docs.github.com)

Also applies to: 33-33, 52-52

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request.yml at line 14, Replace the mutable
actions/checkout@v6 references with an immutable full commit SHA in every job
that uses it (the three occurrences of actions/checkout in the workflow) so the
checkout action is pinned; locate the steps referencing actions/checkout@v6 and
update them to actions/checkout@<full-commit-sha> (use the corresponding
full-length commit SHA for the version you want to pin) to ensure reproducible,
immutable action resolution.

3-7: Declare least-privilege workflow permissions.

This workflow does not set permissions, so every job inherits the repository default GITHUB_TOKEN scope. These jobs only appear to need read access to repository contents, so it is safer to lock that in at the workflow level and only widen a job if it later needs more. GitHub recommends granting the minimum required access because actions can read github.token even when it is not passed explicitly. (docs.github.com)

🔒 Suggested hardening
 name: Pull Request
 
 on:
   pull_request:
     branches:
       - main
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
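Review bot: The top-level `permissions:` block added before `jobs:` sets every scope it does not list to `none` for all jobs, so confirm that no job in this workflow needs more than `contents: read` (for example, to write checks or pull-request comments). If one does, widen it with a job-level `permissions:` entry on that job rather than loosening this workflow-wide default.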
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request.yml around lines 3 - 7, Add a top-level
least-privilege permissions block to the workflow so the GITHUB_TOKEN is limited
to read-only repo contents; specifically, add a permissions section (e.g.,
permissions: contents: read) alongside the existing on: pull_request /
workflow_dispatch settings so jobs inherit only read access and can be widened
per-job if needed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/actions/setup-env/action.yml:
- Around line 8-14: Replace the mutable action references `pnpm/action-setup@v4`
and `actions/setup-node@v6` with their corresponding full commit SHAs (e.g.
`pnpm/action-setup@<full-sha>` and `actions/setup-node@<full-sha>`), keeping the
human-readable tag (v4 / v6) as a comment for clarity; update the `uses:`
entries where those two strings appear and verify the SHAs point to the intended
commits on each action's repository per GitHub hardening guidance.

In @.github/workflows/pull-request.yml:
- Line 14: Replace the mutable actions/checkout@v6 references with an immutable
full commit SHA in every job that uses it (the three occurrences of
actions/checkout in the workflow) so the checkout action is pinned; locate the
steps referencing actions/checkout@v6 and update them to
actions/checkout@<full-commit-sha> (use the corresponding full-length commit SHA
for the version you want to pin) to ensure reproducible, immutable action
resolution.
- Around line 3-7: Add a top-level least-privilege permissions block to the
workflow so the GITHUB_TOKEN is limited to read-only repo contents;
specifically, add a permissions section (e.g., permissions: contents: read)
alongside the existing on: pull_request / workflow_dispatch settings so jobs
inherit only read access and can be widened per-job if needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b7ac0ec-d003-45ba-9bba-8e8bf3273d26

📥 Commits

Reviewing files that changed from the base of the PR and between e4e36d9 and cc11af7.

📒 Files selected for processing (4)
  • .github/actions/setup-env/action.yml
  • .github/workflows/pull-request.yml
  • .oxfmtrc.json
  • .oxlintrc.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • .oxfmtrc.json
  • .oxlintrc.json

@MrSquaare MrSquaare merged commit 6601d39 into main Mar 6, 2026
7 checks passed
@MrSquaare MrSquaare deleted the build/bundler-and-deps branch March 6, 2026 16:07
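
Added example (not part of the PR or of CodeRabbit's review): a dependency-free Node.js check for the two workflow findings raised in the second review, mutable `uses:` references and a missing top-level `permissions` block. The function name `auditWorkflow`, the sample workflow text and the 40-character SHA are constructed for illustration; the SHA is a placeholder, not a real commit.

```javascript
// Added example: line-based audit of a GitHub Actions file (no YAML dependency).
const FULL_SHA = /^[0-9a-f]{40}$/;

function auditWorkflow(text) {
  const findings = [];
  let isWorkflow = false;
  let hasTopLevelPermissions = false;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ""); // drop trailing comments such as "# v6"
    if (/^jobs\s*:/.test(line)) isWorkflow = true;
    if (/^permissions\s*:/.test(line)) hasTopLevelPermissions = true;
    const m = line.match(/^\s*(?:-\s*)?uses\s*:\s*["']?([^"'\s]+)["']?\s*$/);
    if (!m) return;
    const target = m[1];
    // Local actions (./path) live in the repo itself; docker:// images are out of scope here.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? "" : target.slice(at + 1);
    if (!FULL_SHA.test(ref)) {
      findings.push({ line: i + 1, rule: "unpinned-action", detail: target });
    }
  });
  // Composite actions (no top-level "jobs:") cannot declare permissions, so only workflows are checked.
  if (isWorkflow && !hasTopLevelPermissions) {
    findings.push({ line: 0, rule: "missing-permissions", detail: "no top-level permissions block" });
  }
  return findings;
}

// Constructed sample input, modelled on the workflow discussed in the review.
const BEFORE = `name: Pull Request
on:
  pull_request:
    branches:
      - main
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/setup-env
`;
// Constructed placeholder SHA, not a real commit of actions/checkout.
const PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567";
const AFTER = BEFORE
  .replace("jobs:", "permissions:\n  contents: read\njobs:")
  .replace("checkout@v6", `checkout@${PLACEHOLDER_SHA} # v6`);
console.log(auditWorkflow(BEFORE), auditWorkflow(AFTER));
```

The check is line-based, so it does not follow YAML anchors or reusable-workflow calls; treat a clean result as a first pass, not proof.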