
ci(actions): add dedicated pull request workflow#66

Merged
ndycode merged 2 commits into main from ci/pr-workflow
Mar 10, 2026

Conversation


@ndycode ndycode commented Mar 10, 2026

Introduce a lightweight CI run for pull requests while keeping the existing heavier workflow on push to main.


Summary by cubic

Adds a dedicated PR CI workflow for faster feedback while keeping the full CI only on pushes to main. Adds security parity on PRs and standardizes caching.

  • New Features
    • Added pr-ci.yml for PRs to main with concurrency cancel and read-only permissions.
    • Runs on Node.js 20.x with install, security audit (audit:ci), lockfile floor guard, hygiene, typecheck, lint, tests, and build.
    • Updated ci.yml to trigger only on push to main and normalized cache: npm.

Written for commit 0aae5a0. Summary will update on new commits.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this pr successfully separates pr ci from the heavier push-to-main ci, maintaining clear triggers and caching strategy. the pr workflow correctly includes security audit (audit:ci), lockfile floor guard, hygiene check, type check, lint, tests, and build on node 20.x — all the gates needed for fast feedback on pull requests.

key changes:

  • ci.yml now triggers only on push to main, eliminating duplicate runs
  • pr-ci.yml introduces a focused validate job with essential checks
  • read-only permissions and concurrency cancellation prevent race conditions

the lightweight design is intentional: some checks like full dependency audit (audit:all, non-blocking) and coverage reporting are deferred to the heavier main ci, keeping pr ci fast. this aligns with the stated goal of "lightweight CI run for pull requests."

Confidence Score: 5/5

  • safe to merge — pr ci includes all critical blocking gates (audit:ci, lockfile floor, typecheck, lint, tests, build); lightweight design is a deliberate trade-off for fast feedback.
  • no blockers identified. the pr correctly implements the stated goal of separating lightweight pr ci from the comprehensive push-to-main workflow. critical security gates (audit:ci, lockfile floor) are present; optional gates (audit:all coverage) are deferred to main ci as an intentional design choice for speed.
  • no files require special attention

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[git event] --> B{trigger type?}
    B -->|push to main| C[ci.yml]
    B -->|pull_request to main| D[pr-ci.yml]

    C --> C1[test job\nNode 20.x + 22.x matrix]
    C --> C2[lint job]
    C --> C3[codex-compat job]

    C1 --> C1a[clean:repo:check]
    C1a --> C1b[audit:ci blocking]
    C1b --> C1c[lockfile-floor guard]
    C1c --> C1d[audit:all non-blocking]
    C1d --> C1e[typecheck]
    C1e --> C1f[npm run coverage]
    C1f --> C1g[build]

    C3 --> C3a[codex.test.ts\nhost-codex-prompt.test.ts\nrequest-transformer.test.ts\nfetch-helpers.test.ts]

    D --> D1[validate job\nNode 20.x only\nconcurrency cancel-in-progress\ncontents: read]
    D1 --> D1a[audit:ci blocking]
    D1a --> D1b[lockfile-floor guard]
    D1b --> D1c[clean:repo:check]
    D1c --> D1d[typecheck]
    D1d --> D1e[lint]
    D1e --> D1f[npm test]
    D1f --> D1g[build]

Last reviewed commit: 0aae5a0
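For reference, this is what a pr-ci.yml matching the description and the two review rounds above looks like when assembled into one file. It is an added reconstruction for illustration, not the file that was merged in this PR: the trigger, the read-only permissions, the step names (Install dependencies, Repository hygiene check, Lockfile floor guard, Run tests) and the npm script names (audit:ci, clean:repo:check, typecheck, lint, build) are taken from the review comments and diagrams, while the exact form of the concurrency group expression, the PR-Validation job name, and the timeout-minutes value are assumptions.

```yaml
# .github/workflows/pr-ci.yml (reconstruction; see the lead-in for what is assumed)
name: PR CI

on:
  pull_request:
    branches: [main]

# One run per PR: a new commit or force-push cancels the in-flight run.
# github.ref is the fallback for the rare event payload without a PR number.
# (expression form assumed; the review only describes the behaviour)
concurrency:
  group: pr-ci-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege: the job only reads the checkout. Fork PRs already get a
# read-only GITHUB_TOKEN; declaring it here also strips the default write
# scopes from same-repository PRs.
permissions:
  contents: read

jobs:
  validate:
    name: PR Validation
    runs-on: ubuntu-latest
    timeout-minutes: 15   # assumed; not part of the reviewed file

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm

      - name: Install dependencies
        run: npm ci   # lockfile-exact install; fails if package.json and the lockfile disagree

      # Blocking security gates run first so a vulnerable dependency or a
      # downgraded lockfile fails the job before the slower steps spend runner time.
      - name: Security audit
        run: npm run audit:ci

      - name: Lockfile floor guard
        run: npm run test -- test/lockfile-version-floor.test.ts

      - name: Repository hygiene check
        run: npm run clean:repo:check

      - name: Typecheck
        run: npm run typecheck

      - name: Lint
        run: npm run lint

      - name: Run tests
        run: npm test

      - name: Build
        run: npm run build
```

Two properties of this shape are worth keeping in mind when editing it. The pull_request event (as opposed to pull_request_target) runs against the PR's merge ref with a read-only token and without repository secrets for fork-originated PRs, which is the safe choice for a workflow that executes npm ci, tests and a build on untrusted contributor code. And because the gates are ordered blocking-first, the audit:ci step failing means the job stops before lint and tests, which is why the author notes that PR #67 (the Hono audit fix) has to land before this workflow can pass.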

coderabbitai Bot commented Mar 10, 2026

Walkthrough

pr validation was moved into a dedicated workflow (.github/workflows/pr-ci.yml) triggered on pull requests to main; existing ci workflow (.github/workflows/ci.yml) now runs only on pushes to main and normalizes npm cache syntax.

Changes

Cohort / File(s) Summary
CI Workflow
.github/workflows/ci.yml
removed pull_request trigger for main; standardized cache: npm (removed string quoting); minor whitespace cleanup.
PR Validation Workflow
.github/workflows/pr-ci.yml
added new PR validation workflow triggered on pull_request to main; single validate job on ubuntu-latest that runs checkout, node setup (20.x) with npm cache, npm ci, npm audit --audit-level=moderate/audit:ci, lockfile check, hygiene, typecheck, lint, tests, and build; uses concurrency keyed by PR number and read-only contents permission.

Sequence Diagram(s)

sequenceDiagram
    participant PR as pull_request
    participant GH as github_actions
    participant Runner as runner(ubuntu-latest)
    participant Node as node/npm
    participant Tests as test-suite

    PR->>GH: open/update PR to main
    GH->>Runner: schedule validate job (concurrency: pr number)
    Runner->>Node: setup node 20.x + npm cache
    Runner->>Node: npm ci
    Runner->>Node: npm audit / lockfile check
    Runner->>Tests: run hygiene → typecheck → lint → unit tests → build
    Tests-->>Runner: result (pass/fail)
    Runner-->>GH: report status

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

notes and risks

  • missing regression tests: no new or updated test/... entries accompany the workflow changes; add regression tests referenced by CI steps. see test/pr-ci.yml:1.
  • windows edge cases: pr-ci.yml runs only on ubuntu-latest. add a Windows job to catch platform-specific failures. see test/windows-compat:1.
  • concurrency risks: workflow uses PR-number-based concurrency which can mask race conditions for shared resources; ensure tests and any ephemeral resource usage are isolated. see lib/concurrency:1.
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed title follows conventional commits format with type, scope, and lowercase imperative summary. 48 characters fits the <=72 requirement and clearly describes the main change: adding a dedicated PR workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check ✅ Passed PR description covers summary, what changed, and includes cubic/greptile analyses. all major checklist items are addressed with technical detail.


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Comment thread .github/workflows/pr-ci.yml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-ci.yml:
- Around line 29-33: Add the missing npm audit CI step by inserting a new
workflow step after the "Install dependencies" step to run "npm run audit:ci"
(name it something like "Run audit:ci" or "Security audit") so PRs run the same
vulnerability check as the main CI; ensure the step executes the npm script (npm
run audit:ci) and fails the job on any high-severity findings, colocating it
before the "Repository hygiene check" step.
- Around line 23-27: PR CI currently pins actions/setup-node to node-version:
20.x so PR validation only runs on 20.x while ci.yml tests both 20.x and 22.x;
update the PR workflow step that uses actions/setup-node@v4 to run a
node-version matrix (include 20.x and 22.x) or, if intentionally limited, add a
clear comment/README note explaining the gap; locate the setup step referencing
actions/setup-node@v4 and change it to use a matrix variable (node-version) or
add documentation in the workflow or repo README to justify and record this
decision.

📥 Commits

Reviewing files that changed from the base of the PR and between d36b04f and b63a57b.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/pr-ci.yml
📜 Review details
🔇 Additional comments (5)
.github/workflows/ci.yml (2)

24-24: cache syntax standardization looks good.

the unquoted npm is valid yaml and consistent across all three jobs now. no functional change.


63-63: lint and codex-compat jobs follow the same pattern.

cache config is now consistent across test, lint, and codex-compat jobs.

Also applies to: 83-83

.github/workflows/pr-ci.yml (3)

1-12: solid workflow structure with good security defaults.

concurrency group prevents redundant runs on rapid pushes, and permissions: contents: read follows least-privilege principle. the fallback to github.ref in the concurrency group handles edge cases where pull_request.number might be unavailable.


41-42: using npm test instead of npm run coverage is fine for pr validation.

coverage generation adds overhead; running tests without coverage for PRs keeps the feedback loop fast while the full coverage run happens on merge to main.


44-45: build step at the end ensures the pr produces valid artifacts.

good practice to catch build failures before merge.

Comment on lines +23 to +27
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20.x
          cache: npm

⚠️ Potential issue | 🟡 Minor

pr validation only runs on node 20.x, but ci.yml tests both 20.x and 22.x.

this means a regression specific to node 22.x could slip through PR validation and only fail after merge to main. consider adding a matrix here too, or at minimum document this gap is intentional.

suggested matrix addition
 jobs:
   validate:
     name: PR Validation
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [20.x, 22.x]

     steps:
       - name: Checkout code
         uses: actions/checkout@v4

       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: ${{ matrix.node-version }}
           cache: npm
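Review bot: adding the matrix changes the check name GitHub reports for this job from the single `PR Validation` to one entry per matrix value (`PR Validation (20.x)`, `PR Validation (22.x)`), so any branch protection rule that requires the status by name has to be updated in the same change or the requirement silently stops matching. The job keeps the default `fail-fast: true`, so a 22.x-only failure cancels the 20.x leg mid-run; set `fail-fast: false` under `strategy` if both results should be visible on every PR. The `concurrency` group is keyed on the PR rather than the job, so both legs still share one cancel-in-progress slot, which is the intended behaviour.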

Comment thread .github/workflows/pr-ci.yml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-ci.yml:
- Around line 35-36: The workflow currently runs
test/lockfile-version-floor.test.ts twice: once in the explicit "Lockfile floor
guard" step and again in the general npm test run; either remove the dedicated
"Lockfile floor guard" step so the guard only runs as part of the full "npm
test" step, or keep the dedicated step and change the general "npm test"
invocation to exclude test/lockfile-version-floor.test.ts (use your test
runner's exclude/ignore flag) so the guard only executes once.


📥 Commits

Reviewing files that changed from the base of the PR and between b63a57b and 0aae5a0.

📒 Files selected for processing (1)
  • .github/workflows/pr-ci.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Greptile Review
🔇 Additional comments (5)
.github/workflows/pr-ci.yml (5)

1-12: workflow metadata and concurrency setup look solid.

concurrency group keyed by pr number with cancel-in-progress: true prevents stacking runs on force-pushes. read-only permissions follow least-privilege. good baseline.


23-27: pr validation only runs on node 20.x while ci.yml tests both 20.x and 22.x.

this was flagged previously and remains unaddressed. a node 22.x-specific regression could pass pr validation and fail only after merge to main. consider adding the matrix or document this gap as intentional.


32-33: audit:ci step now present - addresses prior review feedback.

.github/workflows/pr-ci.yml:32-33 now runs the same security audit as ci.yml, ensuring vulnerable dependencies are caught before merge. good fix.


41-45: typecheck and lint steps are correctly ordered.

static analysis runs before tests which is the expected flow. scripts match package.json definitions.


47-51: test and build steps complete the validation pipeline.

running npm test (vitest) followed by build ensures the pr is both functionally correct and compiles cleanly. no issues here.

Comment on lines +35 to +36
      - name: Lockfile floor guard
        run: npm run test -- test/lockfile-version-floor.test.ts

🧹 Nitpick | 🔵 Trivial

lockfile floor guard test runs twice in this workflow.

test/lockfile-version-floor.test.ts runs explicitly here (line 36) and again as part of npm test (line 48). this is a minor inefficiency. if fail-fast is the goal, consider excluding it from the full suite run:

       - name: Run tests
-        run: npm test
+        run: npm run test -- --exclude test/lockfile-version-floor.test.ts
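Review bot: after this exclusion the lockfile floor is checked on PRs only by the dedicated step at lines 35-36, so deleting or skipping that step later would drop the guard from PR CI without any other step noticing; if the duplication is to go, the safer direction is to remove the explicit step and let `npm test` cover the file, or keep both and accept the few seconds. On the flag itself, `--exclude` is vitest's own option passed through by the `--`, and it is additive to vitest's default exclude globs, so only this one file is dropped from the run.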

alternatively, accept the duplication since it's fast and keeps the explicit guard visible.



ndycode commented Mar 10, 2026

Blocking review comments are addressed; the only remaining bot note is the optional Node 22 parity suggestion. Please merge PR #67 first because it resolves the Hono audit finding that audit:ci now needs.


@ndycode ndycode merged commit e0902ef into main Mar 10, 2026
4 checks passed
@ndycode ndycode deleted the ci/pr-workflow branch March 11, 2026 10:35
ndycode added a commit that referenced this pull request Apr 6, 2026
ci(actions): add dedicated pull request workflow