
chore: standardize repository maintenance#189

Open
afc163 wants to merge 7 commits into main from codex/standardize-rc-infra

Conversation

@afc163

@afc163 afc163 commented Jul 1, 2026

Member

Summary

  • Refresh README and README.zh-CN with centered heading, badges, Ant Design ecosystem branding, install, usage, development, release, and license sections.
  • Align Funding, grouped Dependabot updates, CodeQL, and CI workflow configuration.
  • Align release documentation and scripts with @rc-component/np where applicable.

Refs ant-design/ant-design#58514

Test

  • npm run compile
  • npm run test:only
  • git diff --check
  • JSON parse check for package/config files
  • README consistency scan

Summary by CodeRabbit

  • Documentation
    • Updated the project README and added a Chinese version; added installation, usage, API, development and release instructions, and improved the logo/badge display and the highlights overview.
  • Improvements
    • Updated continuous integration: tests are triggered on main, code scanning (CodeQL) and health checks (React Doctor) are strengthened, and the coverage upload flow is improved.
    • Upgraded the coverage upload component version for more stable results.
    • Adjusted dependency auto-update grouping and the release tooling, and updated the package description.
  • Chores
    • Added funding configuration and the MIT license text.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026



Warning

Review limit reached

@afc163, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 57 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e139b143-ebde-42a1-ba8e-a9ccf0a6537a

📥 Commits

Reviewing files that changed from the base of the PR and between e30f29e and 75c1609.

📒 Files selected for processing (3)
  • README.md
  • README.zh-CN.md
  • package.json

Walkthrough

This change updates the CI and security-scanning workflows, the Dependabot grouping, the coverage upload action version, and the project's funding, license, README documentation and release script configuration.

Changes

CI workflows and dependency governance

Layer / File(s) | Summary
Main CI workflow refactor | .github/workflows/main.yml | The trigger branch is switched to main, the permissions declaration is updated, the build and test flow is simplified to a single test job, and the dependency install and test commands are upgraded.
New CodeQL security-scanning workflow | .github/workflows/codeql.yml | Adds a CodeQL workflow with main-branch and scheduled triggers, analyze job permissions and a language matrix, and checkout, init, autobuild and analyze steps.
New React Doctor workflow | .github/workflows/react-doctor.yml | Adds a React Doctor workflow that runs on pushes and pull requests to main, with code checkout and the required permissions configured.
Codecov upload version bump | .github/workflows/test-npm.yml, .github/workflows/test-utoo.yml, .github/workflows/test.yml | The codecov/codecov-action reference in the three workflows is upgraded from v5 to v7.
Dependabot dependency grouping | .github/dependabot.yml | Adds groups to the npm and github-actions update configurations and assigns the corresponding updates to them.

Project documentation and release configuration

Layer / File(s) | Summary
Funding and license files | .github/FUNDING.yml, LICENSE | Adds the sponsorship channel configuration in FUNDING.yml and the full MIT LICENSE text.
README rewrite | README.md, README.zh-CN.md | README.md is rewritten into a complete documentation structure, and a Chinese version, README.zh-CN.md, is added.
Release scripts and dependency updates | package.json | The package.json description, prepublishOnly script and release-related dependencies are updated to the new rc-np setup.

Estimated code review effort: 2 (Simple) | ~12 minutes

Poem

A little rabbit hops into the CI garden,
on the main branch the wind chimes softly turn.
CodeQL listens to the wind, Doctor takes the pulse,
the README gets new clothes, Chinese and English both shine.
The license lays down a soft bed of grass,
hugging my carrot, off I happily go to publish 🐰🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title matches this maintenance-oriented unification of the repository's documentation, CI, Dependabot, CodeQL and release scripts, and summarizes the main changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates repository configuration files (funding and dependabot), adds an MIT license, and significantly enhances the documentation in both English and Chinese. Additionally, it replaces the np dependency with @rc-component/np in package.json and updates the prepublish script accordingly. The feedback recommends maintaining alphabetical sorting of the dependencies in package.json by moving the newly added @rc-component/np package to its correct position.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (5)
README.zh-CN.md (1)

4-4: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

The Chinese description differs slightly from the English version.

Lines 4 and 21 of the Chinese description add "GitHub Actions workflow", while the English version only mentions "Jest workflow and test runner". Please confirm this extension is intentional so the two versions stay consistent.

-  <p>🧪 rc-component 包共享的 Jest 测试运行器与 GitHub Actions 工作流。</p>
+  <p>🧪 rc-component 包共享的 Jest 测试运行器与测试工作流。</p>

Or update the English version to match:

-  <p>🧪 Shared Jest workflow and test runner for rc-component packages.</p>
+  <p>🧪 Shared Jest workflow, test runner and GitHub Actions workflow for rc-component packages.</p>
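
Review bot: the suggested English line repeats the word "workflow" ("Shared Jest workflow, test runner and GitHub Actions workflow"), which reads awkwardly; if the extra wording is intentional, consider "Shared Jest test runner and GitHub Actions workflow for rc-component packages." so the English line names the same two things as the Chinese one.
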
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.zh-CN.md` at line 4, The Chinese README description adds “GitHub
Actions workflow” while the English version only mentions the Jest workflow/test
runner, so align the two versions for consistency. Update the relevant
description text in the README content around the shared Jest runner/workflow
description, and if the extra GitHub Actions wording is intentional, mirror that
wording in the English version; otherwise remove it from the Chinese version so
both locales match. Reference the README description text where the “Jest” and
“GitHub Actions” wording appears to keep both localized summaries consistent.
LICENSE (1)

3-3: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider adding a year to the copyright line

The current copyright line is Copyright (c) react-component, with no year. The MIT license does not strictly require a year, but other projects under the react-component organization usually include one for consistency. Consider changing it to Copyright (c) 2024-present react-component or a similar format.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@LICENSE` at line 3, The LICENSE copyright notice is missing a year, so update
the copyright line to include a year range or start year in the existing
react-component notice. Keep the change limited to the LICENSE header and
preserve the current owner text while making it consistent with other
react-component projects.
.github/workflows/react-doctor.yml (1)

3-23: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider adding a concurrency configuration to avoid duplicate scans.

The official documentation example includes a concurrency group (cancelling in-progress duplicate runs keyed by PR number/ref). It is missing from this file, so frequent pushes to a PR produce redundant parallel scans and waste CI resources.

♻️ Suggested optimization
 on:
   pull_request:
   push:
     branches: [main]

+concurrency:
+  group: react-doctor-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
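
Review bot: the group key falls back to `github.ref` on push events, so with `cancel-in-progress: true` every new push to main cancels the still-running scan of the previous main commit, leaving that commit without a result. Consider cancelling only for pull requests, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, so scans of main always run to completion.
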
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/react-doctor.yml around lines 3 - 23, The react-doctor
workflow is missing a concurrency guard, so repeated pull_request or push runs
can overlap and waste CI resources. Update the react-doctor job/workflow to add
a concurrency group that keys off the PR number or ref and cancels in-progress
runs for the same target, using the existing workflow/job definition as the
place to apply it.
.github/workflows/main.yml (1)

12-24: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider using npm ci and restoring the dependency cache.

npm install --legacy-peer-deps may modify the lockfile in CI when resolution results differ, and is less reproducible than npm ci; also, with the old cache logic removed, every run downloads all dependencies in full, increasing CI time.

♻️ Suggested optimization
       - uses: actions/setup-node@v6
         with:
           node-version: 22
-      - run: npm install --legacy-peer-deps
+          cache: npm
+      - run: npm ci --legacy-peer-deps
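
Review bot: `npm ci` aborts when package-lock.json is missing or out of sync with package.json, and `cache: npm` on setup-node also needs a lockfile to compute its cache key; since this PR changes the dependencies in package.json and the reviewed file list does not include a lockfile, confirm that an updated package-lock.json is committed alongside, otherwise this step fails on its first run. `--legacy-peer-deps` is accepted by `npm ci`, so the flag can stay.
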
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 12 - 24, The workflow in the test
job currently uses npm install --legacy-peer-deps, which is less reproducible in
CI and can mutate the lockfile; switch the install step to npm ci in the main
test job so it installs exactly from the lockfile. Also restore dependency
caching in the setup-node step (the actions/setup-node configuration) so
repeated runs do not redownload all packages, improving CI speed.
.github/dependabot.yml (1)

11-14: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

The grouping granularity is coarse; consider splitting by update type (optional).

Putting all npm dependency updates (major, minor and patch alike) into the single npm-dependencies group reduces the number of PRs, but it also bundles unrelated updates together, and a problem with any one dependency blocks the whole group from merging. To balance maintenance cost against risk isolation, consider splitting by update-types (e.g. minor/patch in one group, major handled separately).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 11 - 14, The current Dependabot grouping
in the `groups` configuration under `npm-dependencies` is too broad because it
bundles all npm updates together. Update the Dependabot rules to split the
`patterns: ["*"]` grouping by `update-types`, using the existing group name as a
guide and creating separate group definitions for safer maintenance, such as
keeping minor/patch updates together while handling major updates separately.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6d728d42-f3be-48c5-9b12-54dc4b23696a

📥 Commits

Reviewing files that changed from the base of the PR and between 8ac6486 and c4a077a.

📒 Files selected for processing (12)
  • .github/FUNDING.yml
  • .github/dependabot.yml
  • .github/workflows/codeql.yml
  • .github/workflows/main.yml
  • .github/workflows/react-doctor.yml
  • .github/workflows/test-npm.yml
  • .github/workflows/test-utoo.yml
  • .github/workflows/test.yml
  • LICENSE
  • README.md
  • README.zh-CN.md
  • package.json
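
The update-type split suggested in the dependabot.yml nitpick above, written out as an added example; this is illustrative configuration, not the repository's own .github/dependabot.yml, and the group names and weekly schedule are assumptions.

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    groups:
      # Broad form flagged in the review: every npm update, majors
      # included, lands in one PR, so one bad dependency blocks the lot.
      #   npm-dependencies:
      #     patterns: ["*"]
      #
      # Split form: low-risk minor/patch bumps share one PR ...
      npm-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # ... while majors (which may carry breaking changes or pull in
      # new transitive code) are grouped on their own, so they can be
      # reviewed and reverted independently. Omit this group entirely
      # to get one PR per major update instead of one PR for all majors.
      npm-major:
        patterns: ["*"]
        update-types: ["major"]
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      # One group is fine here: each action bump is small and CI
      # exercises all of them together in the same run.
      github-actions:
        patterns: ["*"]
```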

@socket-security

socket-security Bot commented Jul 1, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Obfuscated code: npm data-urls is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: npm/jest-environment-jsdom@30.4.1 > npm/data-urls@5.0.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/data-urls@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Obfuscated code: npm rrweb-cssom is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: npm/jest-environment-jsdom@30.4.1 > npm/rrweb-cssom@0.8.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rrweb-cssom@0.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
