Skip to content

feat/uis-package-bump-automation#5

Merged
ThomasRalee merged 2 commits into
masterfrom
feat/uis-package-bump-automation
Jul 16, 2026
Merged

feat/uis-package-bump-automation#5
ThomasRalee merged 2 commits into
masterfrom
feat/uis-package-bump-automation

Conversation

@Frederick-88

@Frederick-88 Frederick-88 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

goal: injective-ts package publishes >> trigger package bump on this repo >> make PR branched out from dev

related PRs = InjectiveLabs/injective-ts#695

this new file is referencing current working package bump action file + add necessary changes for injective-uis, changelog:

image image

Summary by CodeRabbit

  • New Features
    • Added an automated workflow action for creating or updating pull requests after npm package bumps.
    • Supports configurable repositories, branches, pull request details, commit messages, installation folders, propagation delays, and post-install commands.
    • Automatically installs dependencies, prepares Nuxt projects when applicable, commits changes, and avoids duplicate open pull requests.

@Frederick-88 Frederick-88 changed the title feat: injective-uis package bump automation feat/uis-package-bump-automation Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a composite GitHub Action that checks out a repository, installs dependencies, optionally prepares a project, and creates or updates a package-bump pull request.

Changes

Package bump pull request automation

Layer / File(s) Summary
Action contract and runtime setup
actions/package-bump-make-pr/action.yml
Defines configurable inputs, composite execution, propagation delay, repository checkout, Node.js, and pnpm setup.
Dependency installation and project preparation
actions/package-bump-make-pr/action.yml
Installs dependencies in an optional folder, runs an optional post-install command, and conditionally executes Nuxt preparation.
Branch push and pull request handling
actions/package-bump-make-pr/action.yml
Commits and force-pushes changes, detects an existing open pull request, and creates one when needed.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: thomasralee, 0xa1337

Sequence Diagram(s)

sequenceDiagram
  participant PackageBumpAction
  participant TargetRepository
  participant Pnpm
  participant GitHubCLI
  PackageBumpAction->>TargetRepository: checkout target branch
  PackageBumpAction->>Pnpm: install dependencies and run preparation
  PackageBumpAction->>TargetRepository: commit and push package-bump branch
  PackageBumpAction->>GitHubCLI: check for an existing open pull request
  GitHubCLI-->>PackageBumpAction: return pull request status
  PackageBumpAction->>GitHubCLI: create pull request when none exists
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: automation for the injective-uis package bump.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/uis-package-bump-automation

Comment @coderabbitai help to get the list of available commands.

@Frederick-88
Frederick-88 marked this pull request as ready for review July 16, 2026 15:35

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
actions/package-bump-make-pr/action.yml (2)

72-108: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Repeated cd boilerplate across three steps.

The same "cd into tmp/${{ inputs.folder_path }} or tmp" logic is duplicated in "Install dependencies", "Run post-install command", and "Prepare Nuxt". Since composite-action steps don't share a working directory, consider computing the target directory once (e.g., an initial step writing to $GITHUB_OUTPUT) and using working-directory: on each subsequent step instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@actions/package-bump-make-pr/action.yml` around lines 72 - 108, Eliminate the
duplicated directory-selection logic across the “Install dependencies”, “Run
post-install command”, and “Prepare Nuxt” steps. Add an initial step that
computes the target directory from inputs.folder_path and exposes it via
GITHUB_OUTPUT, then apply that output with working-directory on each subsequent
step while preserving their existing commands and conditions.

72-108: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Inputs interpolated directly into shell instead of via env:.

inputs.folder_path (Lines 75-79, 86-90, 96-100) and github.actor (Lines 122-123) are spliced directly into the run: script text, while the later "Create or update pull request" step correctly routes its templated values through env:. Direct ${{ }} interpolation into run: bodies is a known GitHub Actions injection surface — composite-action inputs are not exempt even when the immediate caller is presumed trusted, since callers may themselves be passing along less-trusted values (e.g., a workflow_dispatch input). Recommend consistently using env: + $VAR for all of these, matching the pattern already used later in the file.

♻️ Example fix for one occurrence
     - name: Install dependencies
       shell: bash
+      env:
+        FOLDER_PATH: ${{ inputs.folder_path }}
       run: |
-        if [ -n "${{ inputs.folder_path }}" ]; then
-          cd "tmp/${{ inputs.folder_path }}"
+        if [ -n "$FOLDER_PATH" ]; then
+          cd "tmp/$FOLDER_PATH"
         else
           cd tmp
         fi
         pnpm install

Also applies to: 122-123

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@actions/package-bump-make-pr/action.yml` around lines 72 - 108, Route all
templated values used by the shell scripts through step-level env variables
instead of interpolating them directly in run bodies. Update the Install
dependencies, Run post-install command, and Prepare Nuxt steps to use an
env-backed folder path, and update the github.actor usage in the relevant step
similarly; preserve the existing directory-selection and command behavior while
referencing the shell variables.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@actions/package-bump-make-pr/action.yml`:
- Around line 11-13: Update the repository_url input definition in the action
metadata so its description explicitly requires the owner/repo repository
specification rather than a full URL; preserve the existing input name unless
the action’s callers are also updated consistently.

---

Nitpick comments:
In `@actions/package-bump-make-pr/action.yml`:
- Around line 72-108: Eliminate the duplicated directory-selection logic across
the “Install dependencies”, “Run post-install command”, and “Prepare Nuxt”
steps. Add an initial step that computes the target directory from
inputs.folder_path and exposes it via GITHUB_OUTPUT, then apply that output with
working-directory on each subsequent step while preserving their existing
commands and conditions.
- Around line 72-108: Route all templated values used by the shell scripts
through step-level env variables instead of interpolating them directly in run
bodies. Update the Install dependencies, Run post-install command, and Prepare
Nuxt steps to use an env-backed folder path, and update the github.actor usage
in the relevant step similarly; preserve the existing directory-selection and
command behavior while referencing the shell variables.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 38f02f16-6451-437d-9d13-9dda9beecca7

📥 Commits

Reviewing files that changed from the base of the PR and between ccb3457 and b1f7d64.

📒 Files selected for processing (1)
  • actions/package-bump-make-pr/action.yml

Comment thread actions/package-bump-make-pr/action.yml
@ThomasRalee
ThomasRalee merged commit d75ac50 into master Jul 16, 2026
4 checks passed
@ThomasRalee
ThomasRalee deleted the feat/uis-package-bump-automation branch July 16, 2026 18:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants