All listed plugins (Waku RSC, Lingui) are required framework plugins that cannot be optimized. Disable the diagnostic to reduce build noise.
- Add .claude/rules/git-workflow.md defining branch strategy
- Add sync-dev.yml workflow to auto-sync dev after main merge
- Update CLAUDE.md rules table
Stable releases now compare against the last stable tag (skipping alpha/beta/rc), so release notes include all changes since the previous production release.
chore: add git workflow rules and dev sync automation
docs: clarify branch deletion steps in git workflow rules
- Merge release flow and branch strategy into github-workflow.md
- Remove redundant .claude/rules/git-workflow.md
- Add workflow reference to CLAUDE.md
chore: unify workflow rules into issue-driven development
GitHub only auto-closes issues on merge to default branch (main). This workflow parses Closes/Fixes/Resolves from PR bodies and closes referenced issues when PRs merge to dev.
chore: auto-close issues when PRs merge to dev
- Pin all GitHub Actions to commit SHAs (third-party + official)
- Pin Bun to 1.3.14 and Node to 24 (was: latest/20)
- Add bun install --frozen-lockfile to all install steps
- Default workflow GITHUB_TOKEN to contents: read; opt-in to write per job
- Add Dependency Review action to PR checks (fails on high severity)
- Add Dependabot config for github-actions and npm (root + 3 packages)
Mitigates: tj-actions/changed-files style tag-rewrite attacks, shai-hulud-style malicious dep injection via lockfile drift, over-privileged tokens leaking via compromised actions.
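
A check for two of the controls in the commit message above (SHA-pinned `uses:` references and a read-only default token), as an added example that is not the repository's own code. The workflow text, the `example-org/*` action names and the 40-character SHA are constructed, and the line-based YAML scan assumes conventionally formatted workflow files.

```javascript
// Added example, not the repository's code. Sample workflow text is constructed.
const SHA40 = /^[0-9a-f]{40}$/;

// Classify one `uses:` value: "local", "pinned" (immutable ref) or "mutable".
function classifyUses(ref) {
  if (ref.startsWith("./")) return "local";
  if (ref.startsWith("docker://")) return /@sha256:[0-9a-f]{64}$/.test(ref) ? "pinned" : "mutable";
  const at = ref.lastIndexOf("@");
  if (at === -1) return "mutable";
  return SHA40.test(ref.slice(at + 1)) ? "pinned" : "mutable";
}

// Report every action or reusable-workflow reference that a tag or branch move could change.
function findMutableRefs(file, yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (m && classifyUses(m[1]) === "mutable") findings.push({ file, line: i + 1, ref: m[1] });
  });
  return findings;
}

// True only when a top-level `permissions:` block grants nothing above read.
function defaultTokenIsReadOnly(yamlText) {
  const lines = yamlText.split("\n");
  const start = lines.findIndex((l) => /^permissions:/.test(l));
  if (start === -1) return false; // no block: the repository default applies
  const inline = lines[start].slice("permissions:".length).trim();
  if (inline) return inline === "read-all" || inline === "{}";
  const scopes = [];
  for (const l of lines.slice(start + 1)) {
    if (!/^\s+\S/.test(l)) break; // dedent or blank line ends the block
    scopes.push(l.trim());
  }
  return scopes.length > 0 && scopes.every((s) => /^[\w-]+:\s*(read|none)$/.test(s));
}

const PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"; // constructed, not a real commit
const SAMPLE_WORKFLOW = [
  "on: [pull_request]",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  test:",
  "    steps:",
  `      - uses: actions/checkout@${PINNED_SHA} # version comment`,
  "      - uses: example-org/some-action@v1",
  "      - uses: ./.github/actions/setup",
  "      - uses: example-org/other-action@main",
].join("\n");

console.log(findMutableRefs("ci.yml", SAMPLE_WORKFLOW), defaultTokenIsReadOnly(SAMPLE_WORKFLOW));
```
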
- waku: ^1.0.0-alpha.6 → ^1.0.0-beta.0 (semver range bump, registry latest)
- Apply all in-range minor/patch updates across root + 3 packages
Backend:
- @aws-sdk/client-s3 3.1025 → 3.1045 (patch)
- better-sqlite3 12.8 → 12.10 (minor)
- bullmq 5.73 → 5.76 (minor)
- hono 4.12.12 → 4.12.18 (patch)
- mysql2 3.20 → 3.22 (minor)
- zod 4.3.6 → 4.4.3 (minor)
- bun-types 1.3.11 → 1.3.14, vitest 4.1.3 → 4.1.6
Frontend:
- jotai 2.19 → 2.20 (minor)
- lucide-react 1.7 → 1.14 (minor)
- react/react-dom/react-server-dom-webpack 19.2.4 → 19.2.6 (patch)
- react-aria-components 1.16 → 1.17 (minor)
- react-hook-form 7.72 → 7.75 (minor)
- vite 8.0.7 → 8.0.12 (patch)
- @rolldown/plugin-babel 0.2.2 → 0.2.3
- @tailwindcss/vite, tailwindcss 4.2.2 → 4.3.0 (minor)
- @storybook/* 10.3.4 → 10.3.6 (patch)
Root: @playwright/test, playwright 1.59 → 1.60 (minor), typedoc patch, vite-plus 0.1.15 → 0.1.21, bun-types/types/bun patch.
Shared: vite-plus and bun-types patches.
Verification:
- bun run typecheck (backend + frontend) — pass
- bun run lint — 0 warnings, 0 errors (577 files)
- bun test src/tests/unit/ — 1012 pass, 0 fail
- bun run build (backend + frontend) — succeeds
Note on axios: this repo has no direct nor transitive axios dependency (verified in source, package.json, and bun.lock).
Skipped (require dedicated PRs due to breaking changes):
- typescript 5.9 → 6.0
- @lingui/* 5 → 6
- @hono/zod-validator 0.7 → 0.8
- mfm-js 0.25 → 0.26
- rollup-plugin-visualizer 6 → 7
Address CodeRabbit nitpick: hoist Bun version to env.BUN_VERSION in docs.yml for consistency with ci.yml. Skipped: trailing-newline nitpick on dependabot.yml — file already ends with LF (verified via wc -l / tail -c).
…rdening chore: harden CI/CD against supply-chain attacks
…a-and-deps chore: bump Waku to 1.0.0-beta.0 and audit dependencies
Eliminates the C++ native module `better-sqlite3` in favor of Bun's
built-in `bun:sqlite`, removing the need for Node.js in CI and
simplifying the toolchain.
Driver swap (db/index.ts):
- drizzle-orm/better-sqlite3 → drizzle-orm/bun-sqlite
- better-sqlite3 → bun:sqlite (built-in)
- sqlite.pragma("journal_mode = WAL") → sqlite.exec("PRAGMA ...")
- Export SqliteDatabase type for shared use
Type renames across 22 repositories:
- BetterSQLite3Database → BunSQLiteDatabase
Tests consolidated to Bun test runner:
- Removed src/tests/node/sqlite-repositories.test.ts (vitest)
- Migrated full coverage into src/tests/integration/sqlite-repositories.test.ts
using bun:test + bun:sqlite
- 28 SQLite integration tests pass under bun test
Dependencies removed:
- better-sqlite3 (native module)
- @types/better-sqlite3
- vitest (only used for the SQLite tests above)
CI simplification:
- Drop actions/setup-node step from sqlite-tests job
- bunx vitest → bun test
Verification (local):
- bun run typecheck (backend + frontend) — pass
- bun run lint — 0 warnings, 0 errors
- bun test src/tests/unit/ — 1012 pass / 0 fail
- bun test src/tests/integration/ — 70 pass / 0 fail
- bun run build (backend) — succeeds
- node_modules/better-sqlite3 — not installed (optional peer only)
…ation chore: replace better-sqlite3 with bun:sqlite
Adds SBOM generation and build provenance attestation to release workflows. Users can now audit dependency trees and verify that release artifacts originate from this repository at a specific commit.
Workflows:
- auto-tag.yml, release.yml: generate SPDX-JSON SBOM via Syft (anchore/sbom-action), attest provenance via Sigstore (actions/attest-build-provenance), attach SBOM to GitHub Release
- Permissions: opt-in id-token: write, attestations: write per job
Pinned to SHA:
- anchore/sbom-action@e22c389 (v0.24.0)
- actions/attest-build-provenance@a2bbfa2 (v4.1.0)
Side fix:
- .gitignore: add .playwright-mcp/ to prevent Playwright MCP snapshot/screenshot artifacts from being tracked
…ase2 chore: phase 2 supply-chain hardening (SBOM + provenance)
chore: bump version to 2026.5.0
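📝 Walkthrough
The SQLite driver
Changes
SQLite driver migration and repository type updates
CI/workflow automation setup
Documentation and version management
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~60 minutes
Several heterogeneous changes are included: type updates across 24 SQLite repositories (a repeated pattern, but the types need to be traced), complex workflow configuration (permissions, SBOM, tag logic), a large test rewrite (+825 lines), a version bump, and added documentation. These depend on one another, so overall consistency needs to be checked.
Possibly related issues
Possibly related PRs
Poem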
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/backend/src/db/index.ts (1)
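143-147: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
The public D1 type does not match the implementing driver
`createD1Database` at lines 143-147 uses the `drizzle-orm/d1` driver, but `D1DatabaseInstance` at line 183 is defined as `BunSQLiteDatabase`, so the type contract is out of sync. On the D1 path this lets through code that assumes the wrong method signatures, with a risk of losing type safety.
Suggested fix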
-export function createD1Database(d1Binding: D1Database): D1DatabaseInstance { +export function createD1Database(d1Binding: D1Database) { // Dynamic import to avoid loading d1 driver in non-Workers environment // eslint-disable-next-line `@typescript-eslint/no-require-imports` const { drizzle: drizzleD1 } = require("drizzle-orm/d1"); return drizzleD1(d1Binding, { schema: sqliteSchema }); } -export type D1DatabaseInstance = BunSQLiteDatabase<typeof sqliteSchema>; +export type D1DatabaseInstance = ReturnType<typeof createD1Database>;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/backend/src/db/index.ts` around lines 143 - 147, The createD1Database function uses the drizzle-orm/d1 driver but the declared return type D1DatabaseInstance is currently defined as BunSQLiteDatabase, causing a type mismatch; update the types so the function signature matches the actual driver return: either change D1DatabaseInstance to the correct drizzle D1 database type (import the proper type from "drizzle-orm/d1" or declare a union/adapter type that encompasses both BunSQLiteDatabase and the drizzle D1 instance), or adjust createD1Database to return the declared BunSQLiteDatabase wrapper by adding a small adapter that conforms to D1DatabaseInstance; update references to D1DatabaseInstance, createD1Database, and any uses of sqliteSchema accordingly so the exported type matches the real implementation.
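Review bot: In the suggested `createD1Database`, `drizzleD1` is destructured from a bare `require("drizzle-orm/d1")`, which the usual Node/Bun typings type as `any`, so once the explicit return type is dropped the function is inferred to return `any` and `export type D1DatabaseInstance = ReturnType<typeof createD1Database>` resolves to `any` too. That makes the mismatch disappear by turning type checking off on the D1 path rather than by describing the D1 driver. Keep an explicit annotation instead, built from a type-only import of the driver's database type (for example `DrizzleD1Database<typeof sqliteSchema>` from `drizzle-orm/d1`); `import type` is erased at compile time, so the lazy `require` still keeps the driver out of non-Workers environments.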
🧹 Nitpick comments (2)
.github/workflows/sync-dev.yml (1)
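1-27: ⚡ Quick win
Add `concurrency` to avoid races between concurrent runs.
With consecutive pushes to `main`, an older job can end up finishing last and either winning or losing, and `git push origin dev` may fail unnecessarily.
♻️ Suggested diff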
name: Sync dev with main on: push: branches: - main +concurrency: + group: sync-dev-with-main + cancel-in-progress: true + permissions: contents: write🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sync-dev.yml around lines 1 - 27, Add a concurrency block to the workflow to avoid race conditions when multiple pushes to main trigger overlapping runs; inside the top-level (or the "jobs: sync" scope) add a concurrency configuration with a stable group key (e.g., "sync-dev-${{ github.ref }}" or a fixed "sync-dev") and cancel-in-progress: true so older runs are cancelled before a new run performs git merge/push; update the workflow where the job is defined (the "name: Sync dev with main" / job "sync") to include this concurrency stanza.
.claude/workflows/github-workflow.md (1)
96-96: 💤 Low value
Minor Markdown formatting issue
A static analysis tool detected that blank lines are required before and after the table.
📝 Suggested fix
## 自動化 + | イベント | ワークフロー | |---------|------------| | mainへのpush時にタグ + リリース作成 | `auto-tag.yml` | | mainマージ後にdevを同期 | `sync-dev.yml` | | PR/push時のCI実行 | `ci.yml` | +🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.claude/workflows/github-workflow.md at line 96, The markdown table line "| イベント | ワークフロー |" is missing surrounding blank lines; add a single empty line immediately before the table and another empty line immediately after it (i.e., ensure there is a blank line separating the table from surrounding paragraphs or headings) so the static checker accepts the table formatting.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/close-issues.yml:
- Around line 32-40: The loop currently calls github.rest.issues.update for
every issueNumber and may close PRs; before calling github.rest.issues.update,
call github.rest.issues.get for the same owner/repo/issue_number (using the
issueNumber variable) and inspect response.data.pull_request — if that field is
present, skip/continue to avoid closing PRs; only call github.rest.issues.update
when response.data.pull_request is undefined. Keep the existing try/catch and
logging behavior while adding this pre-check to safely filter out pull requests.
In `@packages/backend/src/tests/integration/sqlite-repositories.test.ts`:
- Around line 392-395: The beforeEach cleanup currently calls sqlite.exec with a
DELETE that excludes testUserId, leaving test fixtures behind; update the
beforeEach (the sqlite.exec call) in the sqlite-repositories.test.ts test suite
so it deletes all rows from the notes table (e.g., use a plain "DELETE FROM
notes" statement or equivalent) to ensure no test data (including records with
testUserId) persists between tests.
⛔ Files ignored due to path filters (1)
- bun.lock is excluded by !**/*.lock
📒 Files selected for processing (41)
- .claude/workflows/github-workflow.md
- .github/dependabot.yml
- .github/workflows/auto-tag.yml
- .github/workflows/ci.yml
- .github/workflows/close-issues.yml
- .github/workflows/docs.yml
- .github/workflows/release.yml
- .github/workflows/sync-dev.yml
- .gitignore
- CLAUDE.md
- package.json
- packages/backend/package.json
- packages/backend/src/db/index.ts
- packages/backend/src/db/schema/sqlite.ts
- packages/backend/src/repositories/sqlite/SqliteCustomEmojiRepository.ts
- packages/backend/src/repositories/sqlite/SqliteDriveFileRepository.ts
- packages/backend/src/repositories/sqlite/SqliteDriveFolderRepository.ts
- packages/backend/src/repositories/sqlite/SqliteFollowRepository.ts
- packages/backend/src/repositories/sqlite/SqliteInstanceBlockRepository.ts
- packages/backend/src/repositories/sqlite/SqliteInstanceSettingsRepository.ts
- packages/backend/src/repositories/sqlite/SqliteInvitationCodeRepository.ts
- packages/backend/src/repositories/sqlite/SqliteModerationAuditLogRepository.ts
- packages/backend/src/repositories/sqlite/SqliteNoteRepository.ts
- packages/backend/src/repositories/sqlite/SqliteNotificationRepository.ts
- packages/backend/src/repositories/sqlite/SqliteOAuthAccountRepository.ts
- packages/backend/src/repositories/sqlite/SqlitePasskeyChallengeRepository.ts
- packages/backend/src/repositories/sqlite/SqlitePasskeyCredentialRepository.ts
- packages/backend/src/repositories/sqlite/SqliteReactionRepository.ts
- packages/backend/src/repositories/sqlite/SqliteRemoteInstanceRepository.ts
- packages/backend/src/repositories/sqlite/SqliteRoleAssignmentRepository.ts
- packages/backend/src/repositories/sqlite/SqliteRoleRepository.ts
- packages/backend/src/repositories/sqlite/SqliteScheduledNoteRepository.ts
- packages/backend/src/repositories/sqlite/SqliteSessionRepository.ts
- packages/backend/src/repositories/sqlite/SqliteUserReportRepository.ts
- packages/backend/src/repositories/sqlite/SqliteUserRepository.ts
- packages/backend/src/repositories/sqlite/SqliteUserWarningRepository.ts
- packages/backend/src/tests/integration/sqlite-repositories.test.ts
- packages/backend/src/tests/node/sqlite-repositories.test.ts
- packages/frontend/package.json
- packages/frontend/waku.config.ts
- packages/shared/package.json
💤 Files with no reviewable changes (1)
- packages/backend/src/tests/node/sqlite-repositories.test.ts
- close-issues.yml: skip pull requests when auto-closing references. The `Closes #N` pattern can match PR numbers; since PRs are issues in GitHub's data model, the previous code would close a PR if its number was referenced. Now we issues.get first and skip when target.data.pull_request is set.
- sqlite-repositories.test.ts: delete all notes in beforeEach cleanup. The previous WHERE clause kept testUserId rows, which leaked between tests. Drop the predicate so each test starts from a clean state.
- db/index.ts: fix D1DatabaseInstance type mismatch. The type was declared as BunSQLiteDatabase<typeof sqliteSchema> (bun:sqlite driver) but createD1Database actually returns the drizzle-orm/d1 driver. Drop the explicit return type and derive D1DatabaseInstance via ReturnType<typeof createD1Database> so the public type follows what the function really produces.
- sync-dev.yml: add concurrency group to prevent races on consecutive pushes to main (older runs cancel-in-progress so the latest sync wins).
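
The auto-close behaviour described in the first bullet above, sketched as an added example that is not the repository's workflow code: it parses the three keywords the page names from a PR body, looks each number up first, and closes only targets that are not pull requests. `issuesApi` is assumed to have the shape of `github.rest.issues`; `fakeIssuesApi`, the PR body and the issue records are constructed so the block runs offline.

```javascript
// Added example, not the repository's workflow. PR body and issue records are constructed.
const FENCE = "`".repeat(3);
const CODE_BLOCK = new RegExp(FENCE + "[\\s\\S]*?" + FENCE, "g");
// The three keywords the page names; case-insensitive matching is an assumption.
const CLOSING_REF = /\b(?:closes|fixes|resolves):?\s+#(\d+)\b/gi;

// Extract unique issue numbers, ignoring fenced code and HTML comments (PR templates).
function parseClosingRefs(body) {
  const text = (body || "").replace(CODE_BLOCK, "").replace(/<!--[\s\S]*?-->/g, "");
  const numbers = new Set();
  for (const m of text.matchAll(CLOSING_REF)) numbers.add(Number(m[1]));
  return [...numbers];
}

// `issuesApi` is assumed to have the shape of `github.rest.issues` (get / update).
async function closeReferencedIssues(issuesApi, owner, repo, body) {
  const result = { closed: [], skipped: [] };
  for (const issue_number of parseClosingRefs(body)) {
    try {
      const target = await issuesApi.get({ owner, repo, issue_number });
      if (target.data.pull_request) {
        // PRs share the issue number space, so a reference may point at one.
        result.skipped.push({ issue_number, reason: "pull_request" });
        continue;
      }
      await issuesApi.update({ owner, repo, issue_number, state: "closed" });
      result.closed.push(issue_number);
    } catch (err) {
      result.skipped.push({ issue_number, reason: "error: " + err.message });
    }
  }
  return result;
}

// In-memory stand-in for the API (hypothetical helper) that records update calls.
function fakeIssuesApi(records) {
  return {
    updates: [],
    async get({ issue_number }) {
      if (!(issue_number in records)) throw new Error("Not Found");
      return { data: records[issue_number] };
    },
    async update(params) { this.updates.push(params); },
  };
}

const SAMPLE_BODY = [
  "Closes #12, fixes #34 and Resolves: #12",
  "This discloses #99 to nobody.",
  FENCE, "Fixes #77", FENCE,
  "<!-- Closes #55 -->",
  "Fixes #404",
].join("\n");
const SAMPLE_RECORDS = { 12: { state: "open" }, 34: { state: "open", pull_request: {} } };
```

With the sample data, #12 is closed, #34 is skipped as a pull request, and #404 is skipped because the lookup fails.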
…-v2026.5.0 fix: address CodeRabbit nitpicks from Release PR #171
Stable release following v2026.4.1. The main changes are supply-chain hardening, the migration to Waku beta, and the replacement with bun:sqlite.
Versions
Highlights
🔐 Supply-chain hardening
Phase 1 (#164)
- tj-actions/changed-files attack mitigation)
- Enforce bun install --frozen-lockfile in CI
- Minimize to contents: read
- Add actions/dependency-review-action to PR checks (fail on high severity)
Phase 2 (#169)
🚀 Major dependency updates (#165)
⚡ Runtime simplification (#167)
🧹 Housekeeping
- Add .playwright-mcp/ to gitignore
Verification
Post-merge
Summary by CodeRabbit
Release notes
New Features
Chores