ci: add Windows test job

[rsbh]

Summary

• Add test-windows job to CI workflow running on windows-latest
• Mirrors existing test job (install + test) to catch Windows-specific issues (symlinks, path separators, nitro env)
• Skips lint (not platform-dependent)

Test plan

• CI passes on both ubuntu and windows runners

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
chronicle	Ready	Preview, Comment	Jun 2, 2026 8:42am

[coderabbitai]

Warning

Review limit reached

@rsbh, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 16 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c59582bb-0983-459f-8a0c-03d05d10fe4d

📥 Commits

Reviewing files that changed from the base of the PR and between 3983a8a and 142dc0e.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• packages/chronicle/src/cli/commands/dev.ts

📝 Walkthrough

Walkthrough

A new CI job test-windows is added to the GitHub Actions workflow to run tests on Windows. The job configures Bun v1.3.9, installs dependencies, and executes the test suite in the chronicle package directory, running in parallel with the existing Linux test job.

Changes

Windows CI Test Job

Layer / File(s)	Summary
Windows test job in CI workflow .github/workflows/ci.yml	A new test-windows job is added to run on windows-latest with a 10-minute timeout, installing Bun v1.3.9, dependencies via bun install --frozen-lockfile, and tests via bun test in the ./packages/chronicle directory.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: add Windows test job' accurately and concisely summarizes the main change—adding a Windows test job to the CI workflow.
Description check	✅ Passed	The description clearly explains the purpose, implementation approach, and expected benefits of adding the Windows test job to catch platform-specific issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/add-windows-test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/ci.yml (2)

43-44: ⚡ Quick win

Consider disabling credential persistence for better security posture.

Adding persist-credentials: false to the checkout action prevents the GitHub token from being exposed to subsequent steps, reducing the attack surface if any step were to execute untrusted code.

Note: The Ubuntu test job (line 18) has the same configuration. Consider applying this improvement to both jobs for consistency.

🔒 Proposed security improvement

     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false

As per static analysis hints, this addresses the artipacked credential persistence warning.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 43 - 44, The checkout step using
actions/checkout@v4 should disable credential persistence to avoid exposing the
GitHub token: update the Checkout action (uses: actions/checkout@v4) to include
persist-credentials: false in its step configuration, and apply the same change
to the Ubuntu test job's Checkout step for consistency; ensure the option is
added as a top-level input for the checkout step so subsequent steps do not
receive the token.

---

44-44: ⚖️ Poor tradeoff

Consider pinning actions to SHA hashes per static analysis policy.

The static analysis tool flags unpinned action references and mentions a "blanket policy" requiring SHA-pinned actions. Pinning to commit SHAs provides stronger supply-chain security guarantees compared to version tags.

Note: The Ubuntu test job has the same unpinned actions (lines 18, 21). If your project has a policy requiring pinned actions, consider applying it to both jobs.

🔗 Example of SHA-pinned actions

You would need to look up the specific commit SHAs for the versions you want to use:

       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       
       - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@a1800f471a0bc25cddac36bb13e6f436ddf341d7 # v2.0.0

As per static analysis hints, this addresses the unpinned-uses errors.

Also applies to: 47-47

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 44, Replace the unpinned action references
(e.g., the occurrences of "uses: actions/checkout@v4") with SHA-pinned
references by finding the specific commit SHA for the desired release and using
that SHA in the uses line (e.g., "uses: actions/checkout@<commit-sha>"); apply
the same change to any other unpinned actions in the workflow (the other "uses:
..." entries flagged by the scanner) so all actions are pinned to explicit
commit SHAs for supply-chain safety.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 49: Update the bun-version pin from "1.3.9" to the current stable
"1.3.14" in the CI configuration (replace the value for bun-version) and run a
Windows CI job to confirm compatibility, or if you need to keep 1.3.9, add a
short justification comment adjacent to the bun-version entry explaining why
1.3.9 is required for Windows (e.g., reproducible failures or known regressions
in newer versions) and reference the specific Windows stability tests you ran.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 43-44: The checkout step using actions/checkout@v4 should disable
credential persistence to avoid exposing the GitHub token: update the Checkout
action (uses: actions/checkout@v4) to include persist-credentials: false in its
step configuration, and apply the same change to the Ubuntu test job's Checkout
step for consistency; ensure the option is added as a top-level input for the
checkout step so subsequent steps do not receive the token.
- Line 44: Replace the unpinned action references (e.g., the occurrences of
"uses: actions/checkout@v4") with SHA-pinned references by finding the specific
commit SHA for the desired release and using that SHA in the uses line (e.g.,
"uses: actions/checkout@<commit-sha>"); apply the same change to any other
unpinned actions in the workflow (the other "uses: ..." entries flagged by the
scanner) so all actions are pinned to explicit commit SHAs for supply-chain
safety.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ddfad5c8-600c-4f9c-be9e-889af2a559d0

📥 Commits

Reviewing files that changed from the base of the PR and between ddda8c2 and 3983a8a.

📒 Files selected for processing (1)

• .github/workflows/ci.yml