chore: standardize repository maintenance #189
Conversation
Walkthrough: this change updates the CI and security-scanning workflows, the Dependabot grouping, the coverage upload action version, and the project's funding file, license, README documentation and release script configuration.
Changes: CI workflows and dependency governance; project documentation and release configuration.
Estimated code review effort: 2 (Simple) | ~12 minutes
Pre-merge checks: 5 passed
GitHub Code Scanning: you are seeing this message because Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.
Code Review
This pull request updates repository configuration files (funding and dependabot), adds an MIT license, and significantly enhances the documentation in both English and Chinese. Additionally, it replaces the np dependency with @rc-component/np in package.json and updates the prepublish script accordingly. The feedback recommends maintaining alphabetical sorting of the dependencies in package.json by moving the newly added @rc-component/np package to its correct position.
🧹 Nitpick comments (5)
README.zh-CN.md (1)
4-4: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value. The Chinese description differs slightly from the English version.
Lines 4 and 21 of the Chinese description add "GitHub Actions workflow", while the English version only mentions "Jest workflow and test runner". Please confirm this extension is intentional so that the two versions stay consistent.
- <p>🧪 rc-component 包共享的 Jest 测试运行器与 GitHub Actions 工作流。</p> + <p>🧪 rc-component 包共享的 Jest 测试运行器与测试工作流。</p>
Or update the English version to match:
- <p>🧪 Shared Jest workflow and test runner for rc-component packages.</p> + <p>🧪 Shared Jest workflow, test runner and GitHub Actions workflow for rc-component packages.</p>
LICENSE (1)
3-3: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value. Consider adding a year to the copyright line.
The current copyright line is Copyright (c) react-component, with no year. The MIT license text does not strictly require a year, but other projects under the react-component organization usually include one for consistency. Consider Copyright (c) 2024-present react-component or a similar format.
.github/workflows/react-doctor.yml (1)
3-23: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win. Consider adding a concurrency configuration to avoid duplicate scans.
The example in the official documentation includes a concurrency group (keyed by PR number or ref, cancelling duplicate in-progress runs); the current file lacks one, so frequent pushes to a PR produce redundant parallel scans and waste CI resources. ♻️ Suggested optimization:
on: pull_request: push: branches: [main] +concurrency: + group: react-doctor-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions:
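Review bot: `cancel-in-progress: true` applies to the `push` to `main` trigger as well as to pull requests, so two merges to main in quick succession cancel the scan of the earlier commit and that commit never gets a completed react-doctor run. Since the group key already falls back to `github.ref` for pushes, consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so that only superseded PR runs are cancelled while every push to main runs to completion.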
.github/workflows/main.yml (1)
12-24: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win. Consider using npm ci and restoring the dependency cache.
npm install --legacy-peer-deps in CI may modify the lockfile when resolution differs, so it is less reproducible than npm ci; and since the old cache logic was removed, every run downloads all dependencies in full, increasing CI time. ♻️ Suggested optimization:
- uses: actions/setup-node@v6 with: node-version: 22 - - run: npm install --legacy-peer-deps + cache: npm + - run: npm ci --legacy-peer-deps
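Review bot: both `cache: npm` on `actions/setup-node` and `npm ci` require a committed package-lock.json (setup-node derives the cache key from the lockfile hash and errors when none is found, and `npm ci` refuses to run without one or when package.json and the lockfile disagree), so confirm the repository tracks its lockfile before applying this. If it does, the change also improves supply-chain reproducibility: `npm ci` installs exactly the versions recorded in the lockfile and verifies their `integrity` hashes, whereas `npm install --legacy-peer-deps` may re-resolve and rewrite the lockfile on the runner. `--legacy-peer-deps` is still accepted by `npm ci`, so the flag can stay.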
.github/dependabot.yml (1)
11-14: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value. The grouping is fairly coarse; consider splitting by update type (optional).
Putting every dependency update in the npm ecosystem (major, minor and patch) into the single npm-dependencies group reduces the number of PRs, but it also bundles unrelated updates together, so a problem with one dependency blocks the whole group from merging. To balance maintenance cost against risk isolation, consider splitting by update-types (for example minor/patch in one group, with major handled separately).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 6d728d42-f3be-48c5-9b12-54dc4b23696a
📒 Files selected for processing (12)
.github/FUNDING.yml
.github/dependabot.yml
.github/workflows/codeql.yml
.github/workflows/main.yml
.github/workflows/react-doctor.yml
.github/workflows/test-npm.yml
.github/workflows/test-utoo.yml
.github/workflows/test.yml
LICENSE
README.md
README.zh-CN.md
package.json
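The concurrency and npm ci suggestions from the review above, put together in one workflow as an added example (this is not code from this repository or from the PR): the job name, the checkout step and the `contents: read` permissions block are assumptions, since the page shows only the setup-node step and the suggested concurrency block; the test commands are the ones listed under Test in the PR description.

```yaml
name: test

on:
  pull_request:
  push:
    branches: [main]

# One group per PR, or per ref for a push. A new push to a PR cancels the
# superseded run, but runs on main are never cancelled, so every merged
# commit gets a completed run.
concurrency:
  group: test-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Least privilege for the default GITHUB_TOKEN: this job only reads the repo.
# (assumed; the page does not show the workflow's permissions block)
permissions:
  contents: read

jobs:
  test:                            # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # assumed step

      - uses: actions/setup-node@v6
        with:
          node-version: 22
          # Restores ~/.npm keyed on the hash of package-lock.json; requires
          # a committed lockfile, exactly as `npm ci` below does.
          cache: npm

      # Installs precisely the versions recorded in the lockfile and verifies
      # their integrity hashes; it fails instead of rewriting the lockfile if
      # package.json and package-lock.json disagree.
      - run: npm ci --legacy-peer-deps

      # Commands taken from the PR description's Test section.
      - run: npm run compile
      - run: npm run test:only
```

Pinning `actions/checkout` and `actions/setup-node` to full commit SHAs instead of major-version tags removes the remaining mutable reference in this workflow's supply chain; the tags are kept here only because the page itself uses `actions/setup-node@v6`.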
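The update-type split suggested for .github/dependabot.yml, written out as an added example rather than the repository's own file: the page shows only a single `npm-dependencies` group with `patterns: ["*"]`, so the `directory`, the `schedule` and the `github-actions` ecosystem entry are assumptions.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumed: package.json at the repository root
    schedule:
      interval: "weekly"      # assumed: the page does not show the schedule
    groups:
      # Only minor and patch updates are bundled. A major update matches no
      # group, so Dependabot opens one PR per major bump and a breaking
      # change in one package cannot hold back unrelated security patches.
      npm-minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Assumed addition: keep the workflow actions themselves current as well,
  # since the PR touches several files under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

Groups are matched in file order, and a dependency whose update type matches no group falls through to an individual PR; that is what keeps a major bump from blocking the minor/patch group, so the earlier catch-all `npm-dependencies` group with `patterns: ["*"]` and no `update-types` should be removed rather than kept alongside these.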
Warning: Socket detected alerts in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.
Summary
@rc-component/np where applicable.
Refs ant-design/ant-design#58514
Test
- npm run compile
- npm run test:only
- git diff --check
Summary by CodeRabbit
Trigger tests on main, strengthen code scanning (CodeQL) and health checks (React Doctor), and improve the coverage upload process.