Skip to content

Add CI/CD automation: linting, formatting checks, and auto-fix workflow #964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AXD-dev01 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add CI/CD automation: linting, formatting checks, and auto-fix workflow #964

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e3c2a49
feat: add detect-and-fix workflow with ESLint integration
claude Feb 23, 2026
49626f4
style: fix markdown formatting in docs and config files
claude Feb 23, 2026
6f7d788
fix: resolve bun.lock merge conflict
AXD-dev01 Feb 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions .claude/commands/label-issue.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ TASK OVERVIEW:
1. First, fetch the list of labels available in this repository by running: `gh label list`. Run exactly this command with nothing else.

2. Next, use gh commands to get context about the issue:

- Use `gh issue view ${{ github.event.issue.number }}` to retrieve the current issue's details
- Use `gh search issues` to find similar issues that might provide context for proper categorization
- You have access to these Bash commands:
Expand All @@ -27,7 +26,6 @@ TASK OVERVIEW:
- Bash(gh search:\*) - to search for similar issues

3. Analyze the issue content, considering:

- The issue title and description
- The type of issue (bug report, feature request, question, etc.)
- Technical areas mentioned
Expand All @@ -36,7 +34,6 @@ TASK OVERVIEW:
- Components affected

4. Select appropriate labels from the available labels list provided above:

- Choose labels that accurately reflect the issue's nature
- Be specific but comprehensive
- IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from gh label list
Expand Down
31 changes: 31 additions & 0 deletions .eslintrc.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{
"root": true,
"parser": "@typescript-eslint/parser",
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module",
"project": "./tsconfig.json"
},
"plugins": ["@typescript-eslint"],
"extends": ["eslint:recommended", "plugin:@typescript-eslint/recommended"],
"env": {
"node": true,
"es2024": true
},
"rules": {
"@typescript-eslint/no-unused-vars": [
"error",
{
"argsIgnorePattern": "^_",
"varsIgnorePattern": "^_"
}
],
"@typescript-eslint/no-explicit-any": "warn",
"@typescript-eslint/consistent-type-imports": "error",
"no-console": "warn",
"no-debugger": "error",
"prefer-const": "error",
"no-var": "error"
},
"ignorePatterns": ["node_modules/", "dist/", "test/fixtures/"]
}
126 changes: 126 additions & 0 deletions .github/workflows/detect_and_fix.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
name: Detect and Fix

on:
push:
branches: [main, master]
pull_request:
branches: [main, master]

permissions:
contents: write
pull-requests: write

Comment on lines +9 to +12
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workflow sets repository-wide contents: write and pull-requests: write permissions for all jobs, including detect and audit, even though they only need read access. Consider setting top-level permissions to read-only (or omit), then granting write permissions only on the auto-fix job/step that pushes commits.

Copilot uses AI. Check for mistakes.
jobs:
detect:
name: Detect Issues
runs-on: ubuntu-latest
outputs:
format_failed: ${{ steps.format.outcome == 'failure' }}
lint_failed: ${{ steps.lint.outcome == 'failure' }}
typecheck_failed: ${{ steps.typecheck.outcome == 'failure' }}
test_failed: ${{ steps.test.outcome == 'failure' }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref || github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}

Comment on lines +23 to +27
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/checkout is forced to ref: ${{ github.head_ref || github.ref_name }}. For pull_request events from forks, github.head_ref is a branch name that exists only in the fork, so checkout in the base repo will fail. Consider removing the explicit ref for PR events (so checkout uses the default PR merge ref), or conditionally set repository/ref (e.g., use github.event.pull_request.head.repo.full_name + github.event.pull_request.head.sha) when the PR is from a fork.

Suggested change
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref || github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout code (non-PR)
if: github.event_name != 'pull_request'
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref || github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout code (PRs, including forks)
if: github.event_name == 'pull_request'
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}

Copilot uses AI. Check for mistakes.
- uses: oven-sh/setup-bun@v2
with:
bun-version: 1.2.12

- name: Install dependencies
run: bun install

- name: Check formatting
id: format
continue-on-error: true
run: bun run format:check

- name: Lint
id: lint
continue-on-error: true
run: bun run lint

- name: Type check
id: typecheck
continue-on-error: true
run: bun run typecheck

- name: Run tests
id: test
continue-on-error: true
run: bun test
Comment on lines +35 to +53
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All checks in detect use continue-on-error: true and there is no final gating step to fail the job when formatting/lint/typecheck/tests fail. This makes the workflow appear successful even when checks fail (especially on push events where auto-fix won’t run). Add a final step that evaluates the step outcomes (or needs.detect.outputs.*) and exits non-zero when any required check failed, after writing the step summary.

Copilot uses AI. Check for mistakes.

- name: Summarize results
run: |
echo "## Detection Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
echo "| Formatting | ${{ steps.format.outcome == 'success' && '✅ Pass' || '❌ Fail' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Linting | ${{ steps.lint.outcome == 'success' && '✅ Pass' || '❌ Fail' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Type Check | ${{ steps.typecheck.outcome == 'success' && '✅ Pass' || '❌ Fail' }} |" >> $GITHUB_STEP_SUMMARY
echo "| Tests | ${{ steps.test.outcome == 'success' && '✅ Pass' || '❌ Fail' }} |" >> $GITHUB_STEP_SUMMARY

auto-fix:
name: Auto-fix Issues
needs: detect
if: |
github.event_name == 'pull_request' &&
(needs.detect.outputs.format_failed == 'true' || needs.detect.outputs.lint_failed == 'true')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}
Comment on lines +69 to +77
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

auto-fix runs on every pull_request where lint/format failed, but git push will fail for PRs from forks (read-only token) and may create noisy failures. Add an if guard to skip auto-fix when github.event.pull_request.head.repo.fork is true or when github.event.pull_request.head.repo.full_name != github.repository.

Copilot uses AI. Check for mistakes.

- uses: oven-sh/setup-bun@v2
with:
bun-version: 1.2.12

- name: Install dependencies
run: bun install

- name: Fix formatting
if: needs.detect.outputs.format_failed == 'true'
run: bun run format

- name: Fix lint issues
if: needs.detect.outputs.lint_failed == 'true'
run: bun run lint:fix

- name: Commit fixes
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add -A
if git diff --cached --quiet; then
echo "No auto-fixable changes detected."
else
git commit -m "fix: auto-fix formatting and lint issues"
git push
fi

audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: oven-sh/setup-bun@v2
with:
bun-version: 1.2.12

- name: Install dependencies
run: bun install

- name: Audit dependencies
continue-on-error: true
run: bun pm ls --all > /dev/null 2>&1 || echo "Dependency audit completed with warnings"

- name: Check for known vulnerabilities
run: |
echo "## Security Audit" >> $GITHUB_STEP_SUMMARY
echo "Dependency tree checked for known issues." >> $GITHUB_STEP_SUMMARY
Comment on lines +119 to +126
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The audit job claims to perform a security audit, but bun pm ls --all only lists dependencies and (with continue-on-error) won’t fail on known vulnerabilities. Either switch to a real vulnerability scanner/audit command and surface results in the summary, or rename/reword the job so it doesn’t imply vulnerability detection.

Copilot uses AI. Check for mistakes.
7 changes: 7 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,11 @@
.DS_Store
node_modules
dist/
*.log
.env
.env.*
!.env.example
coverage/
*.tsbuildinfo

**/.claude/settings.local.json
1 change: 0 additions & 1 deletion base-action/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,6 @@ Thank you for your interest in contributing to Claude Code Base Action! This doc
```

This script:

- Installs `act` if not present (requires Homebrew on macOS)
- Runs the GitHub Action workflow locally using Docker
- Requires your `ANTHROPIC_API_KEY` to be set
Expand Down
41 changes: 20 additions & 21 deletions base-action/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,26 +85,26 @@ Add the following to your workflow file:

## Inputs

| Input | Description | Required | Default |
| ------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
| `prompt` | The prompt to send to Claude Code | No\* | '' |
| `prompt_file` | Path to a file containing the prompt to send to Claude Code | No\* | '' |
| `allowed_tools` | Comma-separated list of allowed tools for Claude Code to use | No | '' |
| `disallowed_tools` | Comma-separated list of disallowed tools that Claude Code cannot use | No | '' |
| `max_turns` | Maximum number of conversation turns (default: no limit) | No | '' |
| `mcp_config` | Path to the MCP configuration JSON file, or MCP configuration JSON string | No | '' |
| `settings` | Path to Claude Code settings JSON file, or settings JSON string | No | '' |
| `system_prompt` | Override system prompt | No | '' |
| `append_system_prompt` | Append to system prompt | No | '' |
| `claude_env` | Custom environment variables to pass to Claude Code execution (YAML multiline format) | No | '' |
| `model` | Model to use (provider-specific format required for Bedrock/Vertex) | No | 'claude-4-0-sonnet-20250219' |
| `anthropic_model` | DEPRECATED: Use 'model' instead | No | 'claude-4-0-sonnet-20250219' |
| `fallback_model` | Enable automatic fallback to specified model when default model is overloaded | No | '' |
| `anthropic_api_key` | Anthropic API key (required for direct Anthropic API) | No | '' |
| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key) | No | '' |
| `use_bedrock` | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No | 'false' |
| `use_vertex` | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No | 'false' |
| `use_node_cache` | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files) | No | 'false' |
| Input | Description | Required | Default |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
| `prompt` | The prompt to send to Claude Code | No\* | '' |
| `prompt_file` | Path to a file containing the prompt to send to Claude Code | No\* | '' |
| `allowed_tools` | Comma-separated list of allowed tools for Claude Code to use | No | '' |
| `disallowed_tools` | Comma-separated list of disallowed tools that Claude Code cannot use | No | '' |
| `max_turns` | Maximum number of conversation turns (default: no limit) | No | '' |
| `mcp_config` | Path to the MCP configuration JSON file, or MCP configuration JSON string | No | '' |
| `settings` | Path to Claude Code settings JSON file, or settings JSON string | No | '' |
| `system_prompt` | Override system prompt | No | '' |
| `append_system_prompt` | Append to system prompt | No | '' |
| `claude_env` | Custom environment variables to pass to Claude Code execution (YAML multiline format) | No | '' |
| `model` | Model to use (provider-specific format required for Bedrock/Vertex) | No | 'claude-4-0-sonnet-20250219' |
| `anthropic_model` | DEPRECATED: Use 'model' instead | No | 'claude-4-0-sonnet-20250219' |
| `fallback_model` | Enable automatic fallback to specified model when default model is overloaded | No | '' |
| `anthropic_api_key` | Anthropic API key (required for direct Anthropic API) | No | '' |
| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key) | No | '' |
| `use_bedrock` | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No | 'false' |
| `use_vertex` | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No | 'false' |
| `use_node_cache` | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files) | No | 'false' |
| `show_full_output` | Show full JSON output (⚠️ May expose secrets - see [security docs](../docs/security.md#️-full-output-security-warning)) | No | 'false'\*\* |

\*Either `prompt` or `prompt_file` must be provided, but not both.
Expand Down Expand Up @@ -490,7 +490,6 @@ This example shows how to use OIDC authentication with GCP Vertex AI:
To securely use your Anthropic API key:

1. Add your API key as a repository secret:

- Go to your repository's Settings
- Navigate to "Secrets and variables" → "Actions"
- Click "New repository secret"
Expand Down
1 change: 0 additions & 1 deletion docs/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,6 @@ The `additional_permissions` input allows Claude to access GitHub Actions workfl
To allow Claude to view workflow run results, job logs, and CI status:

1. **Grant the necessary permission to your GitHub token**:

- When using the default `GITHUB_TOKEN`, add the `actions: read` permission to your workflow:

```yaml
Expand Down
2 changes: 0 additions & 2 deletions docs/migration-guide.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,12 +228,10 @@ jobs:
The action now automatically detects the appropriate mode:

1. **If `prompt` is provided** → Runs in **automation mode**

- Executes immediately without waiting for @claude mentions
- Perfect for scheduled tasks, PR automation, etc.

2. **If no `prompt` but @claude is mentioned** → Runs in **interactive mode**

- Waits for and responds to @claude mentions
- Creates tracking comments with progress

Expand Down
2 changes: 0 additions & 2 deletions docs/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,14 +85,12 @@ Commits will show as verified and attributed to the GitHub account that owns the
```

2. Add the **public key** to your GitHub account:

- Go to GitHub → Settings → SSH and GPG keys
- Click "New SSH key"
- Select **Key type: Signing Key** (important)
- Paste the contents of `~/.ssh/signing_key.pub`

3. Add the **private key** to your repository secrets:

- Go to your repo → Settings → Secrets and variables → Actions
- Create a new secret named `SSH_SIGNING_KEY`
- Paste the contents of `~/.ssh/signing_key`
Expand Down
9 changes: 0 additions & 9 deletions docs/setup.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,27 +31,23 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
**🚀 [Download the Quick Setup Tool](./create-app.html)** (Right-click → "Save Link As" or "Download Linked File")

After downloading, open `create-app.html` in your web browser:

- **For Personal Accounts:** Click the "Create App for Personal Account" button
- **For Organizations:** Enter your organization name and click "Create App for Organization"

The tool will automatically configure all required permissions and submit the manifest.

Alternatively, you can use the manifest file directly:

- Use the [`github-app-manifest.json`](../github-app-manifest.json) file from this repository
- Visit http://github.com/settings/apps/new (for personal) or your organization's app settings
- Look for the "Create from manifest" option and paste the JSON content

2. **Complete the creation flow:**

- GitHub will show you a preview of the app configuration
- Confirm the app name (you can customize it)
- Click "Create GitHub App"
- The app will be created with all required permissions automatically configured

3. **Generate and download a private key:**

- After creating the app, you'll be redirected to the app settings
- Scroll down to "Private keys"
- Click "Generate a private key"
Expand All @@ -64,7 +60,6 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
If you prefer to configure the app manually or need custom permissions:

1. **Create a new GitHub App:**

- Go to http://github.com/settings/apps (for personal apps) or your organization's settings
- Click "New GitHub App"
- Configure the app with these minimum permissions:
Expand All @@ -77,19 +72,16 @@ If you prefer to configure the app manually or need custom permissions:
- Create the app

2. **Generate and download a private key:**

- After creating the app, scroll down to "Private keys"
- Click "Generate a private key"
- Download the `.pem` file (keep this secure!)

3. **Install the app on your repository:**

- Go to the app's settings page
- Click "Install App"
- Select the repositories where you want to use Claude

4. **Add the app credentials to your repository secrets:**

- Go to your repository's Settings → Secrets and variables → Actions
- Add these secrets:
- `APP_ID`: Your GitHub App's ID (found in the app settings)
Expand Down Expand Up @@ -138,7 +130,6 @@ For more information on creating GitHub Apps, see the [GitHub documentation](htt
To securely use your Anthropic API key:

1. Add your API key as a repository secret:

- Go to your repository's Settings
- Navigate to "Secrets and variables" → "Actions"
- Click "New repository secret"
Expand Down
5 changes: 5 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@
"scripts": {
"format": "prettier --write .",
"format:check": "prettier --check .",
"lint": "eslint . --ext .ts,.tsx",
"lint:fix": "eslint . --ext .ts,.tsx --fix",
"install-hooks": "bun run scripts/install-hooks.sh",
"test": "bun test",
"typecheck": "tsc --noEmit"
Expand All @@ -26,6 +28,9 @@
"@types/node": "^20.0.0",
"@types/node-fetch": "^2.6.12",
"@types/shell-quote": "^1.7.5",
"@typescript-eslint/eslint-plugin": "^7.0.0",
"@typescript-eslint/parser": "^7.0.0",
"eslint": "^8.57.0",
"prettier": "3.5.3",
"typescript": "^5.8.3"
}
Expand Down