ci: test and build against Node 20 and 22#133
Conversation
📝 WalkthroughWalkthroughThe CI workflow's test and build jobs were updated to run on a Node.js version matrix (20 and 22) instead of a single fixed Node version, with corresponding updates to the Setup Node.js steps and job display names. ChangesCI Workflow Matrix Update
Estimated code review effort: 1 (Trivial) | ~3 minutes PoemA rabbit hops through workflows bright, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
52-52: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider disabling credential persistence on checkout.
Static analysis flags both checkout steps for not setting
persist-credentials: false, which leaves the GitHub token persisted in the git config for the remainder of the job and could be exfiltrated by any script executed later in the workflow (e.g., duringnpm ci/npm run buildif a malicious postinstall script runs).🔒 Proposed fix
- uses: actions/checkout@v5 + with: + persist-credentials: falseApply to both the
testandbuildjob checkout steps.Also applies to: 72-72
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 52, The checkout steps in the workflow currently persist the GitHub token in git config, which should be disabled for both jobs. Update each `actions/checkout` usage in the `test` and `build` jobs to set `persist-credentials: false`, using the existing checkout step identifiers so the token is not left available to later commands in the job.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 52: The checkout steps in the workflow currently persist the GitHub token
in git config, which should be disabled for both jobs. Update each
`actions/checkout` usage in the `test` and `build` jobs to set
`persist-credentials: false`, using the existing checkout step identifiers so
the token is not left available to later commands in the job.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 1e9f5874-06ee-4b11-b788-386051747500
📒 Files selected for processing (1)
.github/workflows/ci.yml
zeshi-du
left a comment
There was a problem hiding this comment.
Reviewed and verified — merging. Thanks for the contribution!
What
Run the Unit Tests and Build CI jobs across a Node version matrix of 20 and 22, instead of only 22.
Why
package.json declares engines.node >= 20 and the README/quickstart advertise Node 20 as supported, but CI only exercises Node 22. A regression that breaks on Node 20 (the advertised minimum) would pass CI today and only surface for users on 20. Testing the floor closes that gap.
Change
No source changes; CI-only. Both legs run on ubuntu-latest with npm caching unchanged.
Summary by CodeRabbit