feat: add build github ci #1
Conversation
📝 Walkthrough
Adds a GitHub Actions workflow that detects changes under
Changes
Conditional Monorepo Build Pipeline
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant PF as Paths Filter (dorny/paths-filter)
    participant FE as Frontend Job (pnpm)
    participant BE as Backend Job (Maven)
    participant DC as Docker Job
    GH->>PF: on push/pr to main -> run changes job
    PF-->>GH: outputs frontend=true/false, backend=true/false
    alt frontend=true
        GH->>FE: trigger frontend job
        FE-->>GH: build success/failure
    end
    alt backend=true
        GH->>BE: trigger backend job
        BE-->>GH: build success/failure
    end
    GH->>DC: if jobs not cancelled/failed and >=1 success -> run docker job
    DC-->>GH: docker compose build
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-services.yml:
- Around line 3-8: Add an explicit least-privilege permissions block to the
GitHub Actions workflow by defining a top-level permissions field (e.g.,
permissions: contents: read, id-token: write if needed) so the GITHUB_TOKEN only
has read-only access by default; update the workflow that defines the "on:"
triggers (push/pull_request) to include this permissions block and adjust any
job-specific permissions only where broader rights are strictly required.
- Around line 17-61: Replace mutable action tags with pinned commit SHAs: update
each uses entry shown (actions/checkout@v4, pnpm/action-setup@v4,
actions/setup-node@v4, actions/setup-java@v4) to reference the corresponding
full-length commit SHA for the action repository; for each uses line in the
workflow, look up the action's repository (e.g., actions/checkout,
pnpm/action-setup, actions/setup-node, actions/setup-java) and replace the `@v4`
tag with the full commit SHA string, ensuring all occurrences in the file are
updated and tested by re-running the workflow.
- Around line 19-22: The workflow step using pnpm/action-setup@v4 currently sets
version: latest which makes CI non-reproducible; update this by pinning an
explicit pnpm version (replace version: latest with a specific semver, e.g.,
"version: 7.18.1") or alternatively add a packageManager field to package.json
(e.g., packageManager: "pnpm@<version>") so pnpm is fixed; locate the
pnpm/action-setup step in the workflow and make one of these changes to ensure
consistent CI builds.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 3a0a99cc-68a3-4fab-b829-149bd2ec8d59
📒 Files selected for processing (1)
.github/workflows/build-services.yml
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-services.yml:
- Around line 80-95: The docker build job ("docker") currently runs when both
frontend and backend are skipped because the if condition only excludes
failure/cancelled; update the if expression to also require that at least one
upstream job succeeded (i.e., ensure a real service change). Replace the
existing if block with a compound expression that keeps the existing checks and
adds (contains(needs.frontend.result, 'success') ||
contains(needs.backend.result, 'success')) so the docker job only runs when
either frontend or backend actually ran and succeeded.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: e110ee6a-52ec-436a-9e30-51dd0d54b1fb
📒 Files selected for processing (1)
.github/workflows/build-services.yml
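The gate described in the review above is easy to get subtly wrong, so the following added example (not part of the PR or of CodeRabbit's output) models the two `if` expressions in Python and enumerates every combination of upstream results. The exact original expression is not shown on this page; `OLD_IF` is an assumed shape that matches the review's description (excludes only `failure` and `cancelled`), and `NEW_IF` appends the success requirement the review proposes. Note that this models only the expression itself: on the real runner a job whose `needs` were all skipped is itself skipped unless its `if` uses a status-check function such as `always()` or `!cancelled()`, which is what lets the docker job fire in the first place.

```python
"""Truth table for the docker job gate (added example; expressions are assumed shapes)."""
import itertools

# Possible values of needs.<job>.result in GitHub Actions.
RESULTS = ("success", "failure", "cancelled", "skipped")

# Assumed shape of the original gate, per the review: it only rules out failure/cancelled.
OLD_IF = ("!contains(needs.*.result, 'failure') && "
          "!contains(needs.*.result, 'cancelled')")
# The review's proposed gate: additionally require at least one upstream success.
NEW_IF = (OLD_IF + " && (contains(needs.frontend.result, 'success') || "
          "contains(needs.backend.result, 'success'))")


def old_gate(frontend, backend):
    """Model of OLD_IF: True unless some upstream job failed or was cancelled."""
    return not any(r in ("failure", "cancelled") for r in (frontend, backend))


def new_gate(frontend, backend):
    """Model of NEW_IF: old gate plus 'at least one upstream job actually succeeded'."""
    return old_gate(frontend, backend) and any(r == "success" for r in (frontend, backend))


def truth_table(gate):
    """Map every (frontend, backend) result pair to whether the docker job would run."""
    return {(f, b): gate(f, b) for f, b in itertools.product(RESULTS, repeat=2)}


def regressions():
    """Result pairs where the old gate built images but the new gate does not."""
    old, new = truth_table(old_gate), truth_table(new_gate)
    return sorted(k for k in old if old[k] and not new[k])


if __name__ == "__main__":
    print("old gate:", OLD_IF)
    print("new gate:", NEW_IF)
    print(f"{'frontend':>10} {'backend':>10}  old  new")
    for (f, b), run_old in truth_table(old_gate).items():
        print(f"{f:>10} {b:>10}  {str(run_old):<5}{new_gate(f, b)}")
    print("pairs where only the old gate runs docker:", regressions())
```

The only pair on which the two gates disagree is `(skipped, skipped)`, i.e. a push that touched neither service: the old gate still spends a runner on `docker compose build` from unchanged sources, the new one does not. Every pair that involves a `failure` or `cancelled` result is rejected by both.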
♻️ Duplicate comments (1)
.github/workflows/build-services.yml (1)
20-21: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin `uses:` actions to full commit SHAs (mutable tags still in use).
`@v4`/`@v3` refs are mutable and weaken CI supply-chain guarantees. This was raised earlier and is still present on Line 20, Line 21, Line 39, Line 41, Line 45, Line 66, Line 68, and Line 90.
Suggested patch pattern
```diff
- - uses: actions/checkout@v4
+ - uses: actions/checkout@<full_40_char_commit_sha>
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@<full_40_char_commit_sha>
...
- - uses: pnpm/action-setup@v4
+ - uses: pnpm/action-setup@<full_40_char_commit_sha>
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@<full_40_char_commit_sha>
...
- - uses: actions/setup-java@v4
+ - uses: actions/setup-java@<full_40_char_commit_sha>
```
Verification script:
```bash
#!/bin/bash
set -euo pipefail
file=".github/workflows/build-services.yml"
echo "All uses entries:"
rg -n '^\s*-\s+uses:\s+' "$file"
echo
echo "Non-SHA-pinned uses entries (should be empty):"
python - <<'PY'
import re
p = re.compile(r'^\s*-\s+uses:\s+([^@\s]+)@([^\s]+)\s*$')
sha = re.compile(r'^[0-9a-f]{40}$')
bad = []
with open(".github/workflows/build-services.yml", "r", encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = p.match(line.rstrip("\n"))
        if m and not sha.match(m.group(2)):
            bad.append((i, m.group(1), m.group(2)))
if not bad:
    print("OK: all actions are SHA pinned")
else:
    for i, repo, ref in bad:
        print(f"Line {i}: {repo}@{ref}")
PY
```
Also applies to: 39-42, 45-45, 66-68, 90-90
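Review bot: the suggested replacement lines drop the release tag entirely; keep it as a trailing comment on the pinned line, e.g. `- uses: actions/checkout@<full_40_char_commit_sha> # v4`, so a reviewer can still tell which release each SHA stands for when it is bumped. The verification script needs a matching tweak: its pattern `p` ends in `\s*$` right after the ref, so a `uses:` line that carries such a comment does not match at all and is silently skipped rather than reported; allow an optional trailing comment (`\s*(#.*)?$`) so every `uses:` line is inspected.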
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-services.yml around lines 20 - 21, Replace mutable action tags with immutable commit SHAs: locate each "uses:" entry for actions/checkout@v4, dorny/paths-filter@v3 and the other workflow actions referenced (the entries flagged around the same block) and update their ref (the '@...' suffix) to the full 40-character commit SHA for that action's repo. Edit the .github workflow file to swap the tag/major ref to the corresponding SHA, verify the SHA is correct by checking the action repo's tags/commits, and commit the change so all "uses:" lines are pinned to exact SHAs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: c20a9e99-23c2-4d5d-8ff7-41fddc9b8e95
📒 Files selected for processing (1)
.github/workflows/build-services.yml