Upgrade dependencies and add release workflow#44
Conversation
- Bump React, Tailwind CSS, TypeScript, Vite to latest major versions - Add GitHub Actions release workflow (.github/workflows/release.yml)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📝 WalkthroughWalkthroughThis PR adds a scheduled/manual GitHub Actions release workflow, bumps the package version, upgrades dependencies, migrates Tailwind/PostCSS configuration to v4 syntax, regenerates the TanStack Router route tree, removes tsconfig baseUrl settings, swaps a Lucide icon, and adds an ESLint suppression comment. ChangesRelease Automation
Tailwind v4 and Dependency Migration
Route Tree Regeneration and Minor Fixes
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
package.json (1)
24-24: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
bunlisted as a runtime dependency is unusual.
bun(and@types/bun) is the runtime/toolchain rather than an app dependency; pinning it underdependenciesdoesn't install a usable Bun binary and can be confusing. Consider relying on the CI/.tool-versions/engines to pin Bun instead, unless this is intentional for a specific reason.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` at line 24, The package.json dependency list includes bun as an app runtime dependency, which is unusual and can be misleading. Update the package metadata around the bun entry so Bun is pinned via the project’s runtime/tooling configuration instead of dependencies, unless there is a deliberate reason to keep it there; use the package.json dependency block and any related Bun/runtime settings as the location to adjust.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 27-30: The checkout step in the release workflow is persisting the
GITHUB_TOKEN in git config unnecessarily. Update the existing
actions/checkout@v4 configuration to disable credential persistence by setting
persist-credentials to false while keeping the full-history/tag fetch settings
unchanged.
In `@package.json`:
- Line 53: Remove the stray install dependency from package.json and update the
lockfile accordingly. The dependency is unused, so delete the install entry from
the dependencies section and regenerate or edit the lockfile so it no longer
references it, keeping the change consistent with the package manifest.
In `@src/index.css`:
- Around line 1-5: Stylelint is flagging Tailwind v4 directives as unknown
at-rules in the stylesheet; update the stylelint configuration to allowlist the
Tailwind-specific directives used in src/index.css. Adjust the rule that powers
scss/at-rule-no-unknown so it ignores `@config` and `@custom-variant` (and any other
Tailwind v4 at-rules already present in the stylesheet), keeping the change in
the stylelint config rather than the CSS itself.
---
Nitpick comments:
In `@package.json`:
- Line 24: The package.json dependency list includes bun as an app runtime
dependency, which is unusual and can be misleading. Update the package metadata
around the bun entry so Bun is pinned via the project’s runtime/tooling
configuration instead of dependencies, unless there is a deliberate reason to
keep it there; use the package.json dependency block and any related Bun/runtime
settings as the location to adjust.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 0fcbc1e3-84e2-4be1-b02a-aca94aca1a5d
⛔ Files ignored due to path filters (1)
bun.lockis excluded by!**/*.lock
📒 Files selected for processing (12)
.github/workflows/release.ymlpackage.jsonpostcss.config.jssrc/components/ProfileDropdown.tsxsrc/index.csssrc/routeTree.gen.tssrc/views/Page.tsxtailwind.config.tstsconfig.app.jsontsconfig.app.tsbuildinfotsconfig.jsontsconfig.node.tsbuildinfo
💤 Files with no reviewable changes (2)
- tsconfig.json
- tsconfig.app.json
| - name: Checkout (full history + tags) | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Set persist-credentials: false on checkout.
actions/checkout persists the GITHUB_TOKEN in .git/config by default. This workflow never pushes via git (the release is created through action-gh-release using the token directly), so the persisted credential is unnecessary and leaves a credential exposed to any later step.
🔒️ Proposed hardening
- name: Checkout (full history + tags)
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout (full history + tags) | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout (full history + tags) | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 27-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml around lines 27 - 30, The checkout step in the
release workflow is persisting the GITHUB_TOKEN in git config unnecessarily.
Update the existing actions/checkout@v4 configuration to disable credential
persistence by setting persist-credentials to false while keeping the
full-history/tag fetch settings unchanged.
Source: Linters/SAST tools
| "eslint-plugin-react-hooks": "^7.1.1", | ||
| "eslint-plugin-react-refresh": "^0.5.3", | ||
| "globals": "^17.7.0", | ||
| "install": "^0.13.0", |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Confirm nothing references the `install` package.
rg -nP "require\(['\"]install['\"]\)|from ['\"]install['\"]" .Repository: macintushar/draw
Length of output: 154
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- package.json excerpt ---'
cat -n package.json | sed -n '40,65p'
echo
echo '--- plain-text references to "install" (filtered to likely relevant paths) ---'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/.git/**' --glob '!package-lock.json' --glob '!pnpm-lock.yaml' --glob '!yarn.lock' '\binstall\b' .
echo
echo '--- package.json dependency entries ---'
python3 - <<'PY'
import json
from pathlib import Path
pkg = json.loads(Path('package.json').read_text())
for section in ('dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'):
deps = pkg.get(section, {})
if 'install' in deps:
print(section, deps['install'])
PYRepository: macintushar/draw
Length of output: 2141
Remove the stray install dependency. install doesn’t appear to be used anywhere; remove it from package.json and the lockfile to avoid unnecessary supply-chain surface.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 53, Remove the stray install dependency from
package.json and update the lockfile accordingly. The dependency is unused, so
delete the install entry from the dependencies section and regenerate or edit
the lockfile so it no longer references it, keeping the change consistent with
the package manifest.
| @import "tailwindcss"; | ||
| @import "tw-animate-css"; | ||
| @config "../tailwind.config.ts"; | ||
|
|
||
| @custom-variant dark (&:is(.dark *)); |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Update stylelint to recognize Tailwind v4 at-rules.
Stylelint flags @config (Line 3) and @custom-variant (Line 5) as unknown at-rules via scss/at-rule-no-unknown. These are valid Tailwind v4 directives, so this will produce persistent CI/editor lint noise (and may fail lint gates) unless the stylelint config allowlists them.
🔧 Suggested stylelint config update
rules: {
"scss/at-rule-no-unknown": [
true,
{
- ignoreAtRules: [/* existing entries */],
+ ignoreAtRules: [
+ "tailwind",
+ "apply",
+ "layer",
+ "config",
+ "custom-variant",
+ "theme",
+ "utility",
+ "source",
+ /* existing entries */
+ ],
},
],
},🧰 Tools
🪛 Stylelint (17.14.0)
[error] 3-3: Unexpected unknown at-rule "@config" (scss/at-rule-no-unknown)
(scss/at-rule-no-unknown)
[error] 5-5: Unexpected unknown at-rule "@custom-variant" (scss/at-rule-no-unknown)
(scss/at-rule-no-unknown)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/index.css` around lines 1 - 5, Stylelint is flagging Tailwind v4
directives as unknown at-rules in the stylesheet; update the stylelint
configuration to allowlist the Tailwind-specific directives used in
src/index.css. Adjust the rule that powers scss/at-rule-no-unknown so it ignores
`@config` and `@custom-variant` (and any other Tailwind v4 at-rules already present
in the stylesheet), keeping the change in the stylelint config rather than the
CSS itself.
Source: Linters/SAST tools
Summary
package.jsonandbun.locktailwindcss-animate, addtw-animate-css).github/workflows/release.ymlwith cron (weekly Friday) and manual triggerspostcss.config.jslingering v3 config and update import paths (src/index.css,tailwind.config.ts)routeTree.gen.tsand rebuildtsconfig.app.tsbuildinfo/tsconfig.node.tsbuildinfoTesting
npm run build)npm run dev)import Reacterrors)npm run lint)Summary by CodeRabbit
0.1.0release.