Skip to content

PR for v0.1.2#293

Open
ThomasJejkal wants to merge 26 commits into
mainfrom
dev
Open

PR for v0.1.2#293
ThomasJejkal wants to merge 26 commits into
mainfrom
dev

Conversation

@ThomasJejkal

@ThomasJejkal ThomasJejkal commented May 18, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Chores
    • Updated GitHub Pages and artifact-handling GitHub Actions workflows to newer action versions for improved reliability.
    • Bumped development dependencies (including Vite and tooling used for testing/linting) to newer patch/minor versions for improved stability.

renovate Bot and others added 20 commits January 26, 2026 04:23
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update dependency puppeteer to v25
@coderabbitai

coderabbitai Bot commented May 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f1043923-2b32-45db-bf62-32a9a73223ad

📥 Commits

Reviewing files that changed from the base of the PR and between 3b91fe9 and 07fddce.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • packages/stencil-library/package.json

📝 Walkthrough

Walkthrough

This PR updates GitHub Actions versions for Storybook deployment and npm publishing, and bumps the Vite, Puppeteer, and eslint-plugin-storybook development dependencies.

Changes

Routine Maintenance Version Bumps

Layer / File(s) Summary
GitHub Actions action version bumps
.github/workflows/deploy-storybook.yml, .github/workflows/real-npm-publish.yml
Pages deployment actions move from v4 to v5; artifact upload moves from v6 to v7; artifact downloads move from v7 to v8.
Development dependency version bumps
package.json, packages/stencil-library/package.json
Vite moves from 7.3.1 to 7.3.2; Puppeteer moves from ^24.0.0 to ^25.0.0; eslint-plugin-storybook moves from 10.1.11 to 10.5.0.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is too generic and only references the release version, not the actual changes in workflows and dependencies. Use a descriptive title that summarizes the main change, such as updating deployment workflows and dependency versions for v0.1.2.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

ThomasJejkal and others added 5 commits May 18, 2026 09:26
…-pages-artifact-5.x

chore(deps): update actions/upload-pages-artifact action to v5
…rability

fix(deps): update dependency vite to v7.3.2 [security]
…-pages-5.x

chore(deps): update actions/deploy-pages action to v5
…rtifact-actions

chore(deps): update github artifact actions (major)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-storybook.yml:
- Around line 28-33: The GitHub Actions in the deploy-storybook.yml workflow
file are using mutable version tags (`@v5`) which violates the security policy.
Replace both the actions/upload-pages-artifact@v5 and actions/deploy-pages@v5
references with their respective full commit SHAs to ensure immutable action
versions and reduce supply-chain risk.

In @.github/workflows/real-npm-publish.yml:
- Line 30: Replace all tag-pinned action references with full commit SHA pins in
the workflow file. Specifically, update the `uses: actions/upload-artifact@v7`
entry at line 30 and the similar tag-pinned upload-artifact entries at lines 49
and 79 by replacing the version tags (like `@v7`, `@v8`) with their corresponding
full commit SHA values to comply with the unpinned-actions policy.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3817bbe4-c371-4905-95c0-cedbb46c3484

📥 Commits

Reviewing files that changed from the base of the PR and between 99c3f54 and 3b91fe9.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/workflows/deploy-storybook.yml
  • .github/workflows/real-npm-publish.yml
  • package.json
  • packages/stencil-library/package.json

Comment on lines +28 to +33
uses: actions/upload-pages-artifact@v5
with:
path: "packages/stencil-library/storybook-static"

- name: Deploy to GitHub Pages
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs instead of mutable tags.

@v5 tags are mutable and violate the repository’s unpinned-actions policy. Pin both actions to full commit SHAs to reduce supply-chain risk.

Suggested change
-      - name: Upload Storybook to GitHub Pages
-        uses: actions/upload-pages-artifact@v5
+      - name: Upload Storybook to GitHub Pages
+        uses: actions/upload-pages-artifact@<full-length-commit-sha>
         with:
           path: "packages/stencil-library/storybook-static"

       - name: Deploy to GitHub Pages
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@<full-length-commit-sha>
         with:
           token: ${{ github.token }}
🧰 Tools
🪛 zizmor (1.25.2)

[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-storybook.yml around lines 28 - 33, The GitHub
Actions in the deploy-storybook.yml workflow file are using mutable version tags
(`@v5`) which violates the security policy. Replace both the
actions/upload-pages-artifact@v5 and actions/deploy-pages@v5 references with
their respective full commit SHAs to ensure immutable action versions and reduce
supply-chain risk.

Source: Linters/SAST tools

# - run: npx lerna run test
- name: Upload build artifacts
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use SHA-pinned action references for artifact actions.

These uses entries are tag-pinned (@v7, @v8) and fail the unpinned-actions policy. Please pin each to a full commit SHA.

Suggested change
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@<full-length-commit-sha>

-      - name: Download build artifacts
-        uses: actions/download-artifact@v8
+      - name: Download build artifacts
+        uses: actions/download-artifact@<full-length-commit-sha>

-      - name: Download build artifacts
-        uses: actions/download-artifact@v8
+      - name: Download build artifacts
+        uses: actions/download-artifact@<full-length-commit-sha>

Also applies to: 49-49, 79-79

🧰 Tools
🪛 zizmor (1.25.2)

[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/real-npm-publish.yml at line 30, Replace all tag-pinned
action references with full commit SHA pins in the workflow file. Specifically,
update the `uses: actions/upload-artifact@v7` entry at line 30 and the similar
tag-pinned upload-artifact entries at lines 49 and 79 by replacing the version
tags (like `@v7`, `@v8`) with their corresponding full commit SHA values to comply
with the unpinned-actions policy.

Source: Linters/SAST tools

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant