Integrate review feedback for Renovate + CI lockfile installs

[Mehdi-Bl]

Summary

• track package-lock.json and stop ignoring it so npm ci is reproducible
• switch SonarCloud workflow dependency install to npm ci
• prevent release asset overwrite by downloading artifacts into per-OS directories
• make Renovate config explicit with limits and package grouping

Why

PR #19 review feedback highlighted reproducibility and workflow reliability gaps. This change applies the valid recommendations without altering release signing behavior.

Validation

• npm install --package-lock-only --ignore-scripts
• npm ci --ignore-scripts
• node -e "JSON.parse(require('fs').readFileSync('renovate.json','utf8'));"

Summary by Sourcery

Improve dependency management reproducibility and CI workflows while refining release artifact handling and Renovate configuration.

Bug Fixes:

• Avoid overwriting release assets by downloading build artifacts into OS-specific subdirectories during the release workflow.

Enhancements:

• Track and commit package-lock.json to ensure reproducible npm installs.
• Update the SonarCloud workflow to install dependencies using npm ci for deterministic installs.
• Clarify and tighten Renovate configuration, including explicit limits and package grouping.

CI:

• Adjust CI workflows to rely on npm ci and segregated artifact download paths for more reliable pipeline runs.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Makes CI dependency installs reproducible with npm ci and a tracked package-lock.json, prevents release artifacts from overwriting each other by using per-OS directories, and tightens Renovate configuration with explicit limits and package grouping.

Flow diagram for per-OS artifact download paths in release workflow

flowchart TD
  A[Start release job] --> B[Download windows-artifacts]
  B -->|path artifacts/windows| C[Windows files stored]

  C --> D[Download linux-artifacts]
  D -->|path artifacts/linux| E[Linux files stored]

  E --> F[Download macos-artifacts]
  F -->|path artifacts/macos| G[macOS files stored]

  G --> H[Create GitHub Release using artifacts/windows, artifacts/linux, artifacts/macos]
  H --> I[End release job]

Loading

File-Level Changes

Change	Details	Files
Ensure release artifacts from different OS jobs do not overwrite each other when downloaded for GitHub Releases.	Change artifact download path for Windows artifacts to a Windows-specific subdirectory under artifacts Change artifact download path for Linux artifacts to a Linux-specific subdirectory under artifacts Change artifact download path for macOS artifacts to a macOS-specific subdirectory under artifacts	.github/workflows/release.yml
Make SonarCloud workflow dependency installation reproducible by using the lockfile.	Switch dependency installation command in the SonarCloud workflow from npm install to npm ci to respect the lockfile and speed up CI	.github/workflows/sonarcloud.yml
Track npm lockfile in the repo and stop ignoring it so CI can rely on it.	Remove package-lock.json from .gitignore so it is committed to the repository Add a generated package-lock.json file to version control to lock dependency graph for reproducible installs	.gitignore package-lock.json
Make Renovate configuration more explicit and controlled.	Update renovate.json to explicitly configure update limits and package grouping to better control automated dependency PRs	renovate.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Rate limit exceeded

@Mehdi-Bl has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 19 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/integrate-review-feedback

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's dependency management and CI/CD reliability. It ensures build reproducibility by tracking package-lock.json and standardizing npm ci for dependency installations in workflows. Additionally, the Renovate bot configuration has been made more robust with explicit limits and intelligent package grouping, streamlining dependency updates and improving overall project maintainability.

Highlights

• Dependency Tracking: The package-lock.json file is no longer ignored, ensuring it is tracked in version control for reproducible npm ci builds.
• Renovate Configuration: The Renovate bot configuration has been significantly expanded to include recommended settings, enable npm and github-actions managers, set PR limits, separate major/minor updates, and define explicit package grouping rules for better update management.
• CI Workflow Enhancement: The SonarCloud workflow will now utilize npm ci for dependency installation, which improves build reliability and reproducibility.
• Release Asset Management: Release artifacts will be downloaded into per-OS directories to prevent overwriting existing assets, enhancing the release process.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .gitignore
  • Removed package-lock.json from the ignore list to ensure it is tracked in version control.
• renovate.json
  • Introduced config:recommended preset for Renovate.
  • Enabled npm and github-actions package managers.
  • Activated dependencyDashboard for better overview of updates.
  • Set prHourlyLimit to 2 and prConcurrentLimit to 8 to manage pull request volume.
  • Configured separateMajorMinor to true for distinct major and minor update pull requests.
  • Added packageRules to group updates for github-actions, react ecosystem, test tooling, and build tooling.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/release.yml
  • .github/workflows/sonarcloud.yml

Activity

• This pull request directly addresses and implements feedback received from a review of a previous pull request (PR Configure Renovate #19), focusing on improving reproducibility and workflow reliability.
• No further human activity (comments, reviews) has been recorded on this specific pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Integrate review feedback for Renovate and CI lockfile installs

✨ Enhancement

Walkthroughs

Description

• Organize release artifacts into per-OS directories to prevent overwrites
• Switch SonarCloud workflow to use npm ci for reproducible installs
• Expand Renovate configuration with explicit limits and package grouping
• Enable recommended Renovate settings with manager and dashboard controls

Diagram

flowchart LR
  A["Release Workflow"] -->|"Separate artifact paths"| B["artifacts/windows<br/>artifacts/linux<br/>artifacts/macos"]
  C["SonarCloud Workflow"] -->|"Use npm ci"| D["Reproducible installs"]
  E["Renovate Config"] -->|"Add rules & limits"| F["Organized dependency updates"]

Loading

File Changes

1. .github/workflows/release.yml ⚙️ Configuration changes +3/-3

Separate release artifacts by operating system

• Changed artifact download paths from shared artifacts to OS-specific directories
 (artifacts/windows, artifacts/linux, artifacts/macos)
• Prevents accidental overwriting of release assets from different operating systems

.github/workflows/release.yml

---

2. .github/workflows/sonarcloud.yml ✨ Enhancement +1/-1

Switch to npm ci for reproducible installs

• Replaced npm install with npm ci for dependency installation
• Ensures reproducible and locked dependency versions in CI environment

.github/workflows/sonarcloud.yml

---

3. renovate.json ⚙️ Configuration changes +25/-1

Expand Renovate with explicit limits and grouping

• Added extends: ["config:recommended"] for recommended Renovate defaults
• Configured manager enablement for npm and github-actions only
• Set rate limits with prHourlyLimit: 2 and prConcurrentLimit: 8
• Added package grouping rules for react ecosystem, test tooling, build tooling, and github actions
• Enabled dependency dashboard for visibility

renovate.json

---

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Now that package-lock.json is committed and npm ci is used in CI, consider pinning a specific Node/npm version in the workflows to avoid lockfile format mismatches across environments.
• Given that artifact downloads now go into OS-specific subdirectories, double-check any later steps in the release workflow that read from artifacts/ to ensure they traverse the new structure rather than assuming a flat directory.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Now that `package-lock.json` is committed and `npm ci` is used in CI, consider pinning a specific Node/npm version in the workflows to avoid lockfile format mismatches across environments.
- Given that artifact downloads now go into OS-specific subdirectories, double-check any later steps in the release workflow that read from `artifacts/` to ensure they traverse the new structure rather than assuming a flat directory.

## Individual Comments

### Comment 1
<location> `.github/workflows/sonarcloud.yml:28` </location>
<code_context>
           package-manager-cache: false

       - name: Install dependencies
-        run: npm install
+        run: npm ci

       - name: Run tests with coverage
</code_context>

<issue_to_address>
**suggestion (performance):** You might want to enable the built-in dependency cache now that `npm ci` is being used.

Given this job now uses `npm ci` with `setup-node` configured for `package-manager: npm`, consider setting `package-manager-cache: npm` instead of `false` to speed up repeat SonarCloud runs while retaining deterministic installs.

```suggestion
          package-manager-cache: npm
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (performance): You might want to enable the built-in dependency cache now that npm ci is being used.

Given this job now uses npm ci with setup-node configured for package-manager: npm, consider setting package-manager-cache: npm instead of false to speed up repeat SonarCloud runs while retaining deterministic installs.

Suggested change

	package-manager-cache: false
	package-manager-cache: npm

[gemini-code-assist]

Code Review

This pull request implements feedback from a previous review, focusing on improving dependency management and CI workflows. The changes to track package-lock.json by removing it from .gitignore are a great step towards reproducible builds. The new renovate.json configuration is much more explicit and provides better control over dependency updates. I have one suggestion to make the package grouping for build tooling even more comprehensive.

[gemini-code-assist]

The current package pattern for build tooling misses @babel/* packages. To ensure all babel-related build dependencies are grouped together, you should add a pattern for @babel/.

Suggested change

	"matchPackagePatterns": ["^webpack", "^babel", "^eslint", "^prettier"],
	"matchPackagePatterns": ["^webpack", "^@babel/", "^babel", "^eslint", "^prettier"],

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

ⓘ The new review experience is currently in Beta. Learn more

[github-actions]

Dependency Review Summary

The full dependency review summary is too large to display here. Please download the artifact named "dependency-review-summary" to view the complete report.

View full job summary

[Mehdi-Bl]

Follow-up review triage completed:

• Addressed valid suggestion by adding ^@babel/ to Renovate build-tooling grouping in PR chore(renovate): include @babel scope in build tooling group #21 (now merged).
• Kept package-manager-cache: false intentionally to stay aligned with workflow hardening/cache-poisoning policy and prior zizmor constraints.

All required checks for PR #21 passed before merge.