docs: switch spectrum-ts docs to git source#111
Conversation
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (47)
Disabled knowledge base sources:
📝 WalkthroughWalkthroughThe docs workflow now authenticates checkout and docs generation with a GitHub App token. The Spectrum TS source config no longer includes the local fallback option. The Spectrum TS documentation pages and navigation file were removed. ChangesCI Workflow and Source Config
Spectrum TypeScript Docs Removal
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
2eaee95 to
587c6b4
Compare
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/typecheck-docs.yml (2)
65-65: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueNaming clash risk: env var named
GITHUB_TOKEN.
scripts/sync-docs/index.tsreadsDOCS_GH_TOKENfirst and falls back toGITHUB_TOKEN, so this works, but naming the custom app tokenGITHUB_TOKENhere can be confused with the Actions-native ambient token and may mask which credential is actually in use during debugging. Consider using the already-supportedDOCS_GH_TOKENname for clarity.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/typecheck-docs.yml at line 65, The workflow is exporting the app token under GITHUB_TOKEN, which can be confused with the built-in Actions token and makes debugging credential usage harder. Update the env mapping in the typecheck-docs workflow to use DOCS_GH_TOKEN instead, since scripts/sync-docs/index.ts already prefers that variable and falls back to GITHUB_TOKEN. Keep the token source unchanged, but rename the environment variable at the workflow boundary for clarity.
39-39: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winUpgrade
actions/create-github-app-tokento@v3.v1is behind the current stable major, and active development is onv3.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/typecheck-docs.yml at line 39, The workflow is still using an outdated major version of actions/create-github-app-token, so update the step in the typecheck-docs workflow from the current v1 reference to v3. Keep the same job and token-generation behavior, but make sure the actions/create-github-app-token usage is aligned with the latest stable major version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/typecheck-docs.yml:
- Around line 48-50: In the checkout step for the workflow using
actions/checkout@v4, disable git credential persistence by setting
persist-credentials to false alongside the existing token input. Update the
checkout configuration in this workflow so the app-installation token is not
retained in local git config after the repository is checked out.
- Around line 37-46: The GitHub App token created in the “Generate GitHub App
token” step is missing an explicit read-only contents scope. Update the
`actions/create-github-app-token@v1` usage in this workflow to include the
`permission-contents` input set to `read`, alongside the existing `app-id`,
`private-key`, `owner`, and `repositories` inputs, so the `app-token` step only
grants the minimal contents permission needed.
---
Nitpick comments:
In @.github/workflows/typecheck-docs.yml:
- Line 65: The workflow is exporting the app token under GITHUB_TOKEN, which can
be confused with the built-in Actions token and makes debugging credential usage
harder. Update the env mapping in the typecheck-docs workflow to use
DOCS_GH_TOKEN instead, since scripts/sync-docs/index.ts already prefers that
variable and falls back to GITHUB_TOKEN. Keep the token source unchanged, but
rename the environment variable at the workflow boundary for clarity.
- Line 39: The workflow is still using an outdated major version of
actions/create-github-app-token, so update the step in the typecheck-docs
workflow from the current v1 reference to v3. Keep the same job and
token-generation behavior, but make sure the actions/create-github-app-token
usage is aligned with the latest stable major version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 4c0661f1-097c-41a0-86c5-0b2a842d07f6
📒 Files selected for processing (47)
.github/workflows/typecheck-docs.ymldocs-src/spectrum-ts/content.mdx.veldocs-src/spectrum-ts/content/app.mdx.veldocs-src/spectrum-ts/content/attachments.mdx.veldocs-src/spectrum-ts/content/avatar.mdx.veldocs-src/spectrum-ts/content/composing-content.mdx.veldocs-src/spectrum-ts/content/contacts.mdx.veldocs-src/spectrum-ts/content/custom.mdx.veldocs-src/spectrum-ts/content/edits.mdx.veldocs-src/spectrum-ts/content/groups.mdx.veldocs-src/spectrum-ts/content/markdown.mdx.veldocs-src/spectrum-ts/content/polls.mdx.veldocs-src/spectrum-ts/content/rename.mdx.veldocs-src/spectrum-ts/content/replies.mdx.veldocs-src/spectrum-ts/content/rich-links.mdx.veldocs-src/spectrum-ts/content/text.mdx.veldocs-src/spectrum-ts/content/typing-indicators.mdx.veldocs-src/spectrum-ts/content/unsend.mdx.veldocs-src/spectrum-ts/content/voice.mdx.veldocs-src/spectrum-ts/custom-events-and-lifecycle.mdx.veldocs-src/spectrum-ts/custom-platforms.mdx.veldocs-src/spectrum-ts/getting-started.mdx.veldocs-src/spectrum-ts/introduction.mdx.veldocs-src/spectrum-ts/messages.mdx.veldocs-src/spectrum-ts/nav.jsondocs-src/spectrum-ts/platform-narrowing.mdx.veldocs-src/spectrum-ts/providers.mdx.veldocs-src/spectrum-ts/providers/imessage.mdx.veldocs-src/spectrum-ts/providers/imessage/connection-and-routing.mdx.veldocs-src/spectrum-ts/providers/imessage/messaging-features.mdx.veldocs-src/spectrum-ts/providers/slack.mdx.veldocs-src/spectrum-ts/providers/slack/conversations-and-events.mdx.veldocs-src/spectrum-ts/providers/slack/setup.mdx.veldocs-src/spectrum-ts/providers/telegram.mdx.veldocs-src/spectrum-ts/providers/telegram/conversations-and-features.mdx.veldocs-src/spectrum-ts/providers/telegram/setup.mdx.veldocs-src/spectrum-ts/providers/terminal.mdx.veldocs-src/spectrum-ts/providers/terminal/interactions.mdx.veldocs-src/spectrum-ts/providers/terminal/setup-and-usage.mdx.veldocs-src/spectrum-ts/providers/whatsapp-business.mdx.veldocs-src/spectrum-ts/providers/whatsapp-business/conversations.mdx.veldocs-src/spectrum-ts/providers/whatsapp-business/setup.mdx.veldocs-src/spectrum-ts/reactions-and-replies.mdx.veldocs-src/spectrum-ts/spaces-and-users.mdx.veldocs-src/spectrum-ts/troubleshooting/imessage.mdx.veldocs-src/spectrum-ts/webhooks.mdx.velscripts/sources.json
💤 Files with no reviewable changes (45)
- docs-src/spectrum-ts/content/voice.mdx.vel
- docs-src/spectrum-ts/introduction.mdx.vel
- docs-src/spectrum-ts/content/text.mdx.vel
- docs-src/spectrum-ts/content/groups.mdx.vel
- docs-src/spectrum-ts/content/polls.mdx.vel
- docs-src/spectrum-ts/providers/terminal/interactions.mdx.vel
- docs-src/spectrum-ts/providers/slack/conversations-and-events.mdx.vel
- docs-src/spectrum-ts/providers.mdx.vel
- docs-src/spectrum-ts/messages.mdx.vel
- docs-src/spectrum-ts/webhooks.mdx.vel
- docs-src/spectrum-ts/content/markdown.mdx.vel
- docs-src/spectrum-ts/providers/telegram.mdx.vel
- docs-src/spectrum-ts/content/contacts.mdx.vel
- docs-src/spectrum-ts/providers/imessage/messaging-features.mdx.vel
- docs-src/spectrum-ts/providers/telegram/conversations-and-features.mdx.vel
- docs-src/spectrum-ts/content/rename.mdx.vel
- docs-src/spectrum-ts/content/edits.mdx.vel
- docs-src/spectrum-ts/getting-started.mdx.vel
- docs-src/spectrum-ts/providers/telegram/setup.mdx.vel
- docs-src/spectrum-ts/content/rich-links.mdx.vel
- docs-src/spectrum-ts/providers/terminal/setup-and-usage.mdx.vel
- docs-src/spectrum-ts/providers/imessage/connection-and-routing.mdx.vel
- docs-src/spectrum-ts/nav.json
- docs-src/spectrum-ts/platform-narrowing.mdx.vel
- docs-src/spectrum-ts/content/custom.mdx.vel
- docs-src/spectrum-ts/content/composing-content.mdx.vel
- docs-src/spectrum-ts/content/replies.mdx.vel
- docs-src/spectrum-ts/content/app.mdx.vel
- docs-src/spectrum-ts/spaces-and-users.mdx.vel
- docs-src/spectrum-ts/providers/whatsapp-business/conversations.mdx.vel
- docs-src/spectrum-ts/providers/imessage.mdx.vel
- docs-src/spectrum-ts/custom-platforms.mdx.vel
- docs-src/spectrum-ts/content.mdx.vel
- docs-src/spectrum-ts/content/unsend.mdx.vel
- docs-src/spectrum-ts/providers/whatsapp-business/setup.mdx.vel
- docs-src/spectrum-ts/providers/slack.mdx.vel
- docs-src/spectrum-ts/content/typing-indicators.mdx.vel
- docs-src/spectrum-ts/reactions-and-replies.mdx.vel
- docs-src/spectrum-ts/providers/terminal.mdx.vel
- docs-src/spectrum-ts/content/attachments.mdx.vel
- docs-src/spectrum-ts/providers/slack/setup.mdx.vel
- docs-src/spectrum-ts/content/avatar.mdx.vel
- docs-src/spectrum-ts/custom-events-and-lifecycle.mdx.vel
- docs-src/spectrum-ts/providers/whatsapp-business.mdx.vel
- docs-src/spectrum-ts/troubleshooting/imessage.mdx.vel
📜 Review details
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/typecheck-docs.yml
[warning] 48-50: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 39-39: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
🔇 Additional comments (2)
.github/workflows/typecheck-docs.yml (1)
31-35: LGTM!scripts/sources.json (1)
2-2: LGTM!Also applies to: 11-11
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v1 | ||
| with: | ||
| app-id: ${{ secrets.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| owner: ${{ steps.parse-repo.outputs.owner }} | ||
| repositories: | | ||
| ${{ steps.parse-repo.outputs.name }} | ||
| spectrum-ts |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Does actions/create-github-app-token@v1 support permission-* inputs, or only v2+?
💡 Result:
The permission-* inputs are supported in version 1.12.0 and later of actions/create-github-app-token, not just in v2+ [1]. While the feature was associated with PR #168 [1][2], which was tagged with a v2 milestone [1], it was officially released in version 1.12.0 [1]. Before this change, older v1 releases (such as v1.9.2) did not include these specific permission-* inputs [3]. Therefore, if you are using a version of actions/create-github-app-token at or above 1.12.0, you can use the permission-* inputs to explicitly define the permissions for your token [4][1].
Citations:
- 1: feat: permissions actions/create-github-app-token#168
- 2: actions/create-github-app-token@0e0aa99
- 3: https://github.com/actions/create-github-app-token/tree/v1.9.2
- 4: https://github.com/actions/create-github-app-token/blob/main/README.md
Scope the GitHub App token to read-only contents. actions/create-github-app-token@v1 supports permission-* inputs, so add permission-contents: read here.
🔒 Proposed fix
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ steps.parse-repo.outputs.owner }}
repositories: |
${{ steps.parse-repo.outputs.name }}
spectrum-ts
+ permission-contents: read📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Generate GitHub App token | |
| id: app-token | |
| uses: actions/create-github-app-token@v1 | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: ${{ steps.parse-repo.outputs.owner }} | |
| repositories: | | |
| ${{ steps.parse-repo.outputs.name }} | |
| spectrum-ts | |
| - name: Generate GitHub App token | |
| id: app-token | |
| uses: actions/create-github-app-token@v1 | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: ${{ steps.parse-repo.outputs.owner }} | |
| repositories: | | |
| ${{ steps.parse-repo.outputs.name }} | |
| spectrum-ts | |
| permission-contents: read |
🧰 Tools
🪛 zizmor (1.26.1)
[error] 39-39: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/typecheck-docs.yml around lines 37 - 46, The GitHub App
token created in the “Generate GitHub App token” step is missing an explicit
read-only contents scope. Update the `actions/create-github-app-token@v1` usage
in this workflow to include the `permission-contents` input set to `read`,
alongside the existing `app-id`, `private-key`, `owner`, and `repositories`
inputs, so the `app-token` step only grants the minimal contents permission
needed.
Source: Linters/SAST tools
| - uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ steps.app-token.outputs.token }} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set persist-credentials: false on checkout.
The checked-out repo will retain the app-installation token in git config for the remainder of the job. Since no later step pushes back to the repo, disable credential persistence to reduce exposure if a later step (or a compromised dependency in pnpm install) reads local git config.
🔒 Proposed fix
- uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
+ persist-credentials: falseAs per static analysis hints (zizmor artipacked), checkout does not set persist-credentials: false.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v4 | |
| with: | |
| token: ${{ steps.app-token.outputs.token }} | |
| - uses: actions/checkout@v4 | |
| with: | |
| token: ${{ steps.app-token.outputs.token }} | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 48-50: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/typecheck-docs.yml around lines 48 - 50, In the checkout
step for the workflow using actions/checkout@v4, disable git credential
persistence by setting persist-credentials to false alongside the existing token
input. Update the checkout configuration in this workflow so the
app-installation token is not retained in local git config after the repository
is checked out.
Source: Linters/SAST tools
Summary
spectrum-tslocal docs fallback fromscripts/sources.json.docs-src/spectrum-tstemplate tree.typecheck-docsbuild job and pass it asGITHUB_TOKENfor git-backed docs sync.Verification
pnpm docs:generatepassed and fetchedphoton-hq/spectrum-ts#main:docswithout env overrides.pnpm typecheck:docsfailed on existingadvanced-kits/imessageexamples:advanced-kits/imessage/error-handling.mdx:98advanced-kits/imessage/locations.mdx:36advanced-kits/imessage/messages.mdx:195advanced-kits/imessage/messages.mdx:484pnpm lintfailed on pre-existing dirtyAGENTS.mdformatting issues.AGENTS.mdis not part of this PR.Closes ENG-1744.
Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.Summary by CodeRabbit
Documentation
Chores