29 changes: 29 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,29 @@
# Dependency Review Action
#
# This Action scans dependency manifest files changed in pull requests
# and surfaces vulnerable or policy-violating dependencies.
name: 'Dependency review'

on:
pull_request:
branches: ["main"]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: 'Checkout repository'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false

- name: 'Dependency Review'
uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3
with:
comment-summary-in-pr: always
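Review bot: the two `uses:` pins in this hunk (`actions/checkout@de0fac2e…` and `actions/dependency-review-action@56339e52…`) carry no version comment, so a reader cannot tell which release each SHA corresponds to and tooling that follows the `sha # vX.Y.Z` convention cannot map the digest to a release; append a trailing `# vX.Y.Z` comment to each pin (the exact versions are for the author to fill in). The step also leaves `fail-on-severity` at the action's default, so the severity at which a vulnerable dependency blocks the pull request is implicit; setting it explicitly (and a license allow or deny list if one is wanted) documents the gate this workflow is meant to enforce. The job-level `pull-requests: write` is the minimum `comment-summary-in-pr: always` needs and is correctly scoped to the job rather than the workflow.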
82 changes: 47 additions & 35 deletions .github/workflows/release.yml
@@ -6,30 +6,29 @@ on:
- 'v*'

permissions:
contents: write
packages: read
contents: read

jobs:
build-windows:
runs-on: windows-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false

- name: Install Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 18
node-version: 20
package-manager-cache: false

- name: Install dependencies
run: npm install
run: npm ci

- name: Prepare build
run: node scripts/prepare-build.js windows

- name: Build CSS
run: npm run build:css

- name: Build Webpack
run: npm run build:webpack

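Review bot: the `Build CSS` step (`npm run build:css`) is deleted from the Windows job and nothing in this hunk replaces it; if `npm run build:webpack` now emits the stylesheet, say so in the commit message or a YAML comment, otherwise the packaged app ships without it. Two other changes here deserve a sentence in the PR description: `npm ci` replacing `npm install` makes the job fail when `package-lock.json` is missing or out of sync with `package.json` (the reproducibility this PR wants, but the lockfile must now be committed and kept current), and narrowing the workflow-level `permissions` from `contents: write` to `contents: read` is right for the build jobs, which only need to read the tree, and should stay that way with write granted only on the job that publishes.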
@@ -39,25 +38,32 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload Windows Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: windows-artifacts
path: dist/*.exe
path: |
dist/*.exe
dist/*.msi
dist/latest*.yml
dist/*.blockmap
retention-days: 5

build-linux:
runs-on: ubuntu-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false

- name: Install Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 18
node-version: 20
package-manager-cache: false

- name: Install dependencies
run: npm install
run: npm ci

- name: Install required system packages
run: |
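Review bot: the widened `path:` list adds `dist/*.msi`, `dist/latest*.yml` and `dist/*.blockmap`, but `upload-artifact` is left at its default `if-no-files-found: warn`, so a build that produces nothing (or only an unexpected target) still yields an artifact and a green job, and the problem surfaces only as a release with missing assets; add `if-no-files-found: error` here. That matters more than for a plain binary upload because `latest*.yml` and the `.blockmap` files are auto-update metadata that installed clients act on, so a partial set should fail the job rather than be published.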
@@ -91,9 +97,6 @@ jobs:
fs.writeFileSync(packageJsonPath, JSON.stringify(packageJson, null, 2) + '\n');
"

- name: Build CSS
run: npm run build:css

- name: Build Webpack
run: npm run build:webpack

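Review bot: the `Build CSS` step is removed from the Linux job as well, and nothing in this hunk replaces it; confirm that `npm run build:webpack`, the only build step left before packaging, produces the stylesheet, or the AppImage will be built without it. Note also that this job rewrites `package.json` inline (`fs.writeFileSync(packageJsonPath, …)`) where the Windows and macOS jobs call `scripts/prepare-build.js`; moving the Linux tweak into that script would keep the per-platform preparation in one reviewable place.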
@@ -103,32 +106,36 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload Linux Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: linux-artifacts
path: dist/*.AppImage
path: |
dist/*.AppImage
dist/*.AppImage.zsync
dist/latest*.yml
dist/*.blockmap
retention-days: 5

build-macos:
runs-on: macos-latest
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false

- name: Install Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 18
node-version: 20
package-manager-cache: false

- name: Install dependencies
run: npm install
run: npm ci

- name: Prepare build
run: node scripts/prepare-build.js mac

- name: Build CSS
run: npm run build:css

- name: Build Webpack
run: npm run build:webpack

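Review bot: the checkout, Node setup and `npm ci` steps are now identical across `build-windows`, `build-linux` and `build-macos`, and every pin (`actions/checkout@de0fac2e…`, `actions/setup-node@6044e13b…`, `node-version: 20`) is repeated three times; a `strategy: matrix` over `os: [windows-latest, ubuntu-latest, macos-latest]` with the per-platform `prepare-build.js` argument and artifact globs taken from the matrix would make the next bump (like the Node 18 to 20 change in this PR) a single edit and remove the chance of the three jobs drifting apart. The macOS job keeps `persist-credentials: false` and `contents: read`, which is correct since nothing here pushes.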
@@ -138,61 +145,66 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload macOS Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: macos-artifacts
path: |
dist/*.dmg
dist/*.zip
dist/latest*.yml
dist/*.blockmap
retention-days: 5

create-release:
needs: [build-windows, build-linux, build-macos]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
fetch-depth: 0
persist-credentials: false

- name: Get version from tag
id: get_version
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

- name: Get Changelog Entry
id: changelog_reader
uses: mindsers/changelog-reader-action@v2
uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656
with:
validation_level: warn
path: ./CHANGELOG.md
version: ${{ steps.get_version.outputs.VERSION }}
continue-on-error: true

- name: Download Windows artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: windows-artifacts
path: artifacts

- name: Download Linux artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: linux-artifacts
path: artifacts

- name: Download macOS artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
with:
name: macos-artifacts
path: artifacts
Comment on lines 183 to 199

⚠️ Potential issue | 🟠 Major

Potential artifact file overwrites — all OS artifacts downloaded to the same directory.

All three download-artifact steps write into path: artifacts without OS-specific subdirectories. If any files share the same name across platforms (e.g., blockmap files, or if electron-builder generates identically named latest.yml), later downloads silently overwrite earlier ones, and the release will be missing artifacts.

Consider downloading into OS-specific subdirectories:

Proposed fix
       - name: Download Windows artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: windows-artifacts
-          path: artifacts
+          path: artifacts/windows

       - name: Download Linux artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: linux-artifacts
-          path: artifacts
+          path: artifacts/linux

       - name: Download macOS artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
         with:
           name: macos-artifacts
-          path: artifacts
+          path: artifacts/macos

The existing artifacts/** glob on line 208 would still match all files recursively.

🤖 Prompt for AI Agents
In @.github/workflows/release.yml around lines 183 - 199, The three download
steps ("Download Windows artifacts", "Download Linux artifacts", "Download macOS
artifacts") currently all use path: artifacts causing later downloads to
overwrite earlier ones; update each step to write into separate OS-specific
subdirectories (e.g., path: artifacts/windows, artifacts/linux, artifacts/macos)
so files don't collide, and leave the existing artifacts/** release glob as-is
so it still matches recursively; ensure the step names and path values are the
only changes.


- name: Create Release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090
with:
name: Release ${{ steps.get_version.outputs.VERSION }}
body: ${{ steps.changelog_reader.outputs.changes || 'No changelog provided' }}
draft: true
files: |
artifacts/*
artifacts/**
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
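Review bot: nothing in this hunk verifies or attests the binaries between the build jobs and the release: `create-release` downloads `windows-artifacts`, `linux-artifacts` and `macos-artifacts` and hands `artifacts/**` straight to `softprops/action-gh-release`. Consider adding a step that writes a checksum file next to the assets (for example `(cd artifacts && sha256sum * > SHA256SUMS.txt)`, adjusted if the downloads move into per-OS subdirectories) and, with `id-token: write` and `attestations: write` added to this job's `permissions`, a build provenance attestation via `actions/attest-build-provenance`, so consumers can verify what the draft release ships. `draft: true` is the right default, since it leaves a human check before the auto-update metadata in `latest*.yml` goes live, and scoping `contents: write` to this job only is the correct complement to the read-only workflow permissions.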
47 changes: 47 additions & 0 deletions .github/workflows/sbom.yml
@@ -0,0 +1,47 @@
name: SBOM Generation

on:
push:
branches: ['main']
pull_request:
branches: ['main']
workflow_dispatch:

permissions:
contents: read

jobs:
sbom:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 20
package-manager-cache: false

- name: Install dependencies
run: |
if [ -f package-lock.json ]; then
npm ci --ignore-scripts
else
npm install --ignore-scripts --no-audit --no-fund
fi

- name: Generate CycloneDX SBOM
run: |
mkdir -p dist/security/sbom
npx --yes @cyclonedx/cyclonedx-npm --output-format json --output-file dist/security/sbom/sbom.cyclonedx.json

- name: Upload SBOM artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: sbom-cyclonedx
path: dist/security/sbom/sbom.cyclonedx.json
retention-days: 30
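Review bot: `npx --yes @cyclonedx/cyclonedx-npm` in the `Generate CycloneDX SBOM` step resolves the generator at run time to whatever version is current, in a PR whose point is pinning everything else to a commit SHA; pin it (`@cyclonedx/cyclonedx-npm@<version>`, version for the author to choose) so the SBOM format and contents are reproducible and a future release of the tool cannot change what runs against the checked-out repository unnoticed. The `npm install --ignore-scripts --no-audit --no-fund` fallback when `package-lock.json` is absent also means the SBOM would describe a resolution that differs from any build; since `release.yml` already requires the lockfile with `npm ci`, running only `npm ci --ignore-scripts` here and letting the step fail keeps the SBOM honest about what ships. Consider also producing the SBOM in the release workflow and attaching it to the release, since a 30-day artifact is not something downstream consumers can find.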
65 changes: 65 additions & 0 deletions .github/workflows/sonarcloud.yml
@@ -0,0 +1,65 @@
name: SonarCloud QA Gate

on:
workflow_dispatch:
pull_request:
push:
branches:
- main

permissions:
contents: read

jobs:
sonarcloud:
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
fetch-depth: 0
persist-credentials: false

- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
with:
node-version: 20
package-manager-cache: false

- name: Install dependencies
run: npm install
Comment on lines +30 to +31

🛠️ Refactor suggestion | 🟠 Major

Use npm ci instead of npm install for reproducible CI builds.

All other workflows in this PR (sbom.yml, release.yml) use npm ci. This should be consistent — npm ci ensures a clean, lockfile-based install.

Proposed fix
       - name: Install dependencies
-        run: npm install
+        run: npm ci
🤖 Prompt for AI Agents
In @.github/workflows/sonarcloud.yml around lines 28 - 29, Replace the CI
dependency step "Install dependencies" that currently runs `npm install` with
`npm ci` to ensure a clean, lockfile-based install; update the step command in
the "Install dependencies" job to `npm ci` and ensure the repository includes a
package-lock.json so the workflow uses the lockfile for reproducible builds.


- name: Run tests with coverage
continue-on-error: true
run: npm test -- --coverage --runInBand

- name: Ensure coverage report exists
run: |
if [ ! -f coverage/lcov.info ]; then
mkdir -p coverage
touch coverage/lcov.info
fi

- name: SonarCloud scan
continue-on-error: true
uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.host.url=https://sonarcloud.io
-Dsonar.organization=${{ vars.SONAR_ORGANIZATION || 'codingworkflow' }}
-Dsonar.projectKey=${{ vars.SONAR_PROJECT_KEY || 'codingworkflow_ai-code-fusion' }}
-Dsonar.javascript.lcov.reportPaths=coverage/lcov.info

- name: SonarCloud quality gate
continue-on-error: true
uses: SonarSource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b
with:
scanMetadataReportFile: .scannerwork/report-task.txt
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: https://sonarcloud.io
timeout-minutes: 5
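Review bot: every step in this workflow that could fail carries `continue-on-error: true` (`Run tests with coverage`, `SonarCloud scan`, `SonarCloud quality gate`), and `Ensure coverage report exists` creates an empty `coverage/lcov.info` when the tests did not produce one, so the job named `SonarCloud QA Gate` can never block a PR and a broken test suite shows up only as a coverage drop inside Sonar. If the intent is to tolerate fork PRs where `SONAR_TOKEN` is unavailable, drop `continue-on-error` from the test step, delete the `touch` fallback, and skip the two Sonar steps with a condition such as `if: ${{ env.SONAR_TOKEN != '' }}` (with `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` set in a job-level `env`), so the gate fails on real failures and skips only for missing credentials. Separately, `npm install` here runs on `pull_request` without `--ignore-scripts`, unlike `sbom.yml`, so lifecycle scripts of any dependency a PR adds or changes execute on the runner; use `npm ci --ignore-scripts` unless the test run depends on a postinstall step, in which case say which one in a comment.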
3 changes: 3 additions & 0 deletions renovate.json
@@ -0,0 +1,3 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}
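Review bot: with only `$schema` set, this file turns Renovate on with its stock defaults and no `extends`, so nothing ties it to the pinning strategy the workflows in this PR adopt, and without a version comment after each SHA in those workflows neither reviewers nor the update PRs make clear which release a pin corresponds to. Suggest at least `"extends": ["config:recommended", "helpers:pinGitHubActionDigests"]`, which keeps actions pinned to digests and annotated with a `# vX.Y.Z` comment on each update, on top of the grouping rules suggested in the review above. Note also that of the workflows in this PR that run on `pull_request` (dependency review, SBOM generation, SonarCloud), none runs the build or a blocking test, since the Sonar test step has `continue-on-error: true`; a `pull_request` CI workflow that runs `npm ci` and `npm test` without `continue-on-error` is the missing piece before Renovate PRs can be merged with confidence.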
Comment on lines +1 to +3

medium

The current Renovate configuration is very basic and will result in a large number of individual pull requests (34, as noted in the PR description), which can be overwhelming to manage.

To improve this, I suggest grouping related dependencies. This will consolidate updates for packages like Babel, Jest, ESLint, and GitHub Actions into single, more manageable PRs. Extending config:base is also a good practice for sensible defaults.

Here is a suggested configuration that implements these improvements:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "packageRules": [
    {
      "matchDatasources": ["github-actions"],
      "groupName": "github actions"
    },
    {
      "matchPackagePatterns": ["^@babel/"],
      "groupName": "babel"
    },
    {
      "matchPackagePatterns": ["^@testing-library/"],
      "groupName": "testing-library"
    },
    {
      "matchPackagePatterns": ["^eslint"],
      "groupName": "eslint"
    },
    {
      "matchPackagePatterns": ["^jest", "^@jest/", "babel-jest"],
      "groupName": "jest"
    }
  ]
}

Comment on lines +1 to +3

Action required

1. Renovate PRs unvalidated 🐞 Bug ⛯ Reliability

• The repo now contains renovate.json, which enables Renovate-driven dependency update PRs, but
  the existing GitHub Actions workflow shown triggers only on tag pushes and won’t validate pull
  requests.
• With dependencies like Electron/electron-builder in the toolchain, merging unvalidated dependency
  bumps can more easily break builds or runtime behavior.
Agent Prompt
## Issue description
Renovate will open dependency update PRs, but the repo’s GitHub Actions workflow shown runs only on tag pushes, meaning Renovate PRs won’t be validated by CI.

## Issue Context
The repo uses Electron and build tooling where dependency bumps can break builds/runtime.

## Fix Focus Areas
- .github/workflows/release.yml[1-7]
- renovate.json[1-3]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
