Build out new ahoy docs website for v3 release #3

Merged: ocean merged 29 commits into main from develop on Jun 30, 2026
ocean (Member) commented Jun 28, 2026

Summary by CodeRabbit

  • New Features

    • Added a full documentation site with a landing page, guides, and reference pages covering setup, command writing, execution, imports, environment variables, shell completion, and YAML configuration.
    • Added automatic documentation deployment to GitHub Pages on main branch updates and manual runs.
    • Added automated dependency update checks and security analysis in CI.
  • Style

    • Added formatting, TypeScript, and ignore rules to improve consistency and keep generated files out of version control.

Drew Robinson and others added 26 commits September 26, 2024 22:19
Docs in progress - test Astro staging workflow
Replace npm with bun for faster installs and lockfile management.
Add oxlint (Rust-based linter) and oxfmt (Prettier-compatible formatter)
as dev dependencies with matching scripts, and configure .oxfmtrc.json
to exclude MDX and YAML files where oxfmt's handling is immature.
Rename guides/yaml-config to guides/writing-commands and rewrite it as
a practical patterns guide covering arguments, multi-line scripts,
descriptions, aliases, chaining, env-specific commands, and real-world
examples. Update all cross-references and the sidebar.

Also sets site: "https://ahoy-cli.github.io" in astro.config.mjs to
fix the sitemap warning and enable correct canonical URLs on deploy.
Rewrites getting-started, next-steps, and index for clarity while
updating the writing-commands links throughout.
Rewrite command-execution, environment, importing, CLI reference, and
environment reference pages for clarity and consistency. Remove verbose
prose and redundant headings, align import quote style to double-quotes,
and tighten descriptions throughout.
Remove <Steps> and nested <Tabs> inside numbered lists, which produced
single-line collapsed code fences that broke Rolldown's ESM parser at
build time. Replace with plain markdown numbered lists and properly
multi-line code blocks inside <TabItem> elements.
Switch from setup-node/npm to oven-sh/setup-bun. Move pages: write and
id-token: write to the deploy job only (previously they were set at
workflow level). Remove the staging gh-pages branch deploy complexity.
Pin all action references to commit SHAs. Add persist-credentials: false
to checkout. Fix template injection by removing github.ref_name from
inline shell commands.
Mirrors the workflow from the ahoy CLI repository. Runs on push to main
and all PRs, reports findings to GitHub Security via SARIF upload.
Weekly updates for both github-actions and npm (bun uses the npm
ecosystem for dependabot version tracking), assigned to ocean.
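
The workflow hardening listed in the commit messages above (actions pinned to commit SHAs, write permissions scoped to the job, `persist-credentials: false` on checkout, no context expressions in inline shell) can be checked mechanically. The following is an added example, not code from this PR or the ahoy project: `audit_workflow`, its finding strings and the `WEAK` sample are constructed for illustration, and the check is a line-based heuristic, not a YAML parser or a substitute for zizmor.

```python
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")  # a full commit SHA after the '@'

def audit_workflow(text):
    """Return [(line_no, finding)] for the text of one GitHub Actions workflow."""
    out, lines = [], text.splitlines()
    section, run_col = None, None  # current top-level key; column of an open `run: |`
    for i, raw in enumerate(lines):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key = body[2:].lstrip() if body.startswith("- ") else body
        section = body.split(":")[0] if indent == 0 else section
        if run_col is not None and indent <= run_col:
            run_col = None  # a dedent closes the block scalar
        in_run = run_col is not None
        if key.startswith("run:"):
            in_run = True
            if key[4:].strip()[:1] in ("|", ">"):
                run_col = indent + len(body) - len(key)
        if in_run and "${{" in raw:
            out.append((i + 1, "expression expanded in shell"))
        if section == "permissions" and re.search(r":\s*write(-all)?\b", body):
            out.append((i + 1, "workflow-level write permission"))
        if key.startswith("uses:") and not key[5:].strip().startswith("./"):
            if not SHA_PIN.search(key):
                out.append((i + 1, "action not pinned to SHA"))
            rest = lines[i + 1:]
            end = next((n for n, s in enumerate(rest) if s.strip().startswith("- ")), len(rest))
            if "actions/checkout@" in key and not any(
                    "persist-credentials: false" in s for s in rest[:end]):
                out.append((i + 1, "checkout persists credentials"))
    return out

# Constructed sample with the patterns the commit message says were removed.
WEAK = """\
on: push
permissions:
  pages: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - run: echo "Building ${{ github.ref_name }}"
"""
```

Calling `audit_workflow(WEAK)` reports six findings; moving the expression into an `env:` entry and referencing it as a shell variable clears the last one.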
coderabbitai Bot commented Jun 28, 2026

Warning

Review limit reached

@ocean, you've reached your PR review limit, so we couldn't start this review.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Free

Run ID: b511f796-ff9d-4e2c-bc61-be15f5f93d4a

📥 Commits

Reviewing files that changed from the base of the PR and between dd9f4ed and 7c1619a.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml

Walkthrough

Bootstraps a new Astro/Starlight documentation site for the ahoy-cli project. Adds all project scaffolding (package.json, tsconfig, Astro config, content collection), CI/CD workflows (GitHub Pages deploy, zizmor security scan, Dependabot), custom CSS theme variables, and a full documentation content tree covering guides and reference pages.

Changes

Ahoy CLI Documentation Site

| Layer | File(s) | Summary |
|---|---|---|
| Project scaffolding and tooling | package.json, tsconfig.json, .gitignore, .oxfmtrc.json, astro.config.mjs, src/content.config.ts, src/styles/custom.css | Sets up the Astro/Starlight project: dependencies (astro, @astrojs/starlight, sharp, oxlint, oxfmt), TypeScript config, formatter ignore rules, sidebar navigation structure, content collection registration, and CSS theme variables for dark/light modes. |
| CI/CD and dependency automation | .github/workflows/deploy-docs.yml, .github/workflows/zizmor.yml, .github/dependabot.yml | Adds a Pages deploy workflow (build + deploy jobs with concurrency control), a zizmor GitHub Actions security scan workflow, and Dependabot config for weekly npm and github-actions updates. |
| Docs landing and navigation hub | src/content/docs/index.mdx, src/content/docs/guides/next-steps.mdx | Adds the docs landing page with hero, feature cards, quick-start, and explore sections, plus the next-steps hub page linking out to all guides and reference pages. |
| User guides | src/content/docs/guides/getting-started.mdx, src/content/docs/guides/writing-commands.mdx, src/content/docs/guides/command-execution.mdx, src/content/docs/guides/importing.mdx, src/content/docs/guides/environment.mdx, src/content/docs/guides/shell-autocompletion.mdx | Adds six guide pages covering installation/quick-start, command authoring patterns (arguments, chaining, aliases, wrappers, env), config discovery and execution semantics, YAML imports and overrides, environment variable loading, and shell tab completion setup. |
| Reference pages | src/content/docs/reference/cli.mdx, src/content/docs/reference/environment.mdx, src/content/docs/reference/yaml-schema.mdx | Adds the CLI reference (flags, built-in commands, discovery, exit codes, injected env vars), environment variable reference (file format, precedence, organisation patterns), and YAML schema reference (all top-level and per-command fields with a full example). |
| Removed/replaced files | astro-starlight-README.md, README.md, LICENSE | Adds the Starlight starter-kit README (marked for deletion), removes the old repository README and MIT licence text. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

socket-security Bot commented Jun 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

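| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | oxfmt@0.56.0 | 69 | 100 | 89 | 96 | 100 |
| Added | @astrojs/starlight@0.41.0 | 93 | 100 | 85 | 95 | 100 |
| Added | astro@7.0.2 | 88 | 100 | 88 | 98 | 100 |
| Added | oxlint@1.71.0 | 99 | 100 | 92 | 96 | 100 |
| Added | sharp@0.35.2 | 97 | 100 | 100 | 95 | 100 |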

socket-security Bot commented Jun 28, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action / Severity / Alert
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ? npm/sharp@0.35.2 npm/astro@7.0.2 npm/@astrojs/starlight@0.41.0 npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json npm/astro@7.0.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm css-tree is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ? npm/astro@7.0.2 npm/css-tree@3.2.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ? npm/astro@7.0.2 npm/@astrojs/starlight@0.41.0 npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm node-fetch-native is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ? npm/astro@7.0.2 npm/node-fetch-native@1.6.7

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch-native@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json npm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

codeql-action/upload-sarif needs actions: read to fetch workflow run
metadata for telemetry. Without it the SARIF upload step fails with
"Resource not accessible by integration".
ocean added 2 commits June 30, 2026 13:37
The zizmorcore/zizmor-action bundles a codeql upload-sarif step that
requires GitHub Advanced Security code scanning regardless of repo
settings. Replace with a plain pip install + zizmor run, which exits
non-zero on findings and needs no special permissions or features.
@ocean ocean merged commit 87fcca1 into main Jun 30, 2026
6 checks passed