From 7af53578fa0bd8e2e15f62aa0f804adf49b5a529 Mon Sep 17 00:00:00 2001 From: Axiom Bot <0xAxiom@users.noreply.github.com> Date: Sat, 14 Mar 2026 05:51:15 -0700 Subject: [PATCH 1/2] feat: enhance dependency management and code quality monitoring - Improve renovate.json with sophisticated dependency grouping and rules - Security updates get high priority and auto-merge - Group related packages (TypeScript, testing, linting) - Different strategies for major/minor/patch updates - Pin exact versions for CLI tools - Separate schedules for different update types - Add comprehensive code quality workflow - Automated complexity analysis and metrics - Technical debt tracking (TODO/FIXME comments) - Documentation coverage analysis - Bundle size monitoring - Enhanced dependency security auditing - PR comments with actionable quality insights These improvements provide better automated dependency management and continuous code quality monitoring without manual overhead. --- .github/workflows/code-quality.yml | 200 +++++++++++++++++++++++++++++ renovate.json | 91 ++++++++++++- 2 files changed, 287 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/code-quality.yml diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml new file mode 100644 index 00000000..815d3ee4 --- /dev/null +++ b/.github/workflows/code-quality.yml 
@@ -0,0 +1,200 @@ +name: Code Quality + +on: + push: + branches: [main] + pull_request: + branches: [main] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + pull-requests: write + checks: write + +jobs: + code-metrics: + name: Code Quality Metrics + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + fetch-depth: 0 # Full history for better analysis + + - name: Setup Node.js + uses: actions/setup-node@v6 + with: + node-version: "20" + cache: "npm" + + - name: Install dependencies + run: npm ci + + - name: Run complexity analysis + run: | + echo "## Code Complexity Analysis" >> complexity-report.md + echo "" >> complexity-report.md + + # Analyze TypeScript files for complexity + find . -name "*.ts" -not -path "*/node_modules/*" -not -path "*/builds/*" -not -path "*/outputs/*" | head -20 | while read -r file; do + if [ -f "$file" ]; then + lines=$(wc -l < "$file" 2>/dev/null || echo "0") + echo "- \`$file\`: $lines lines" >> complexity-report.md + fi + done + + - name: Check for TODO/FIXME comments + run: | + echo "" >> complexity-report.md + echo "## Technical Debt Tracking" >> complexity-report.md + echo "" >> complexity-report.md + + todo_count=$(grep -r "TODO\|FIXME\|XXX\|HACK" --include="*.ts" --include="*.js" . | wc -l || echo "0") + echo "- Total TODO/FIXME comments: $todo_count" >> complexity-report.md + + if [ "$todo_count" -gt 0 ]; then + echo "- Top items:" >> complexity-report.md + grep -r "TODO\|FIXME\|XXX\|HACK" --include="*.ts" --include="*.js" . 
| head -5 | while read -r line; do + echo " - $line" >> complexity-report.md + done + fi + + - name: Analyze bundle sizes (if applicable) + run: | + echo "" >> complexity-report.md + echo "## Bundle Size Analysis" >> complexity-report.md + echo "" >> complexity-report.md + + # Check for common bundle analysis files + if [ -f "package-lock.json" ]; then + total_deps=$(jq -r '.packages | length' package-lock.json 2>/dev/null || echo "N/A") + echo "- Total dependencies: $total_deps" >> complexity-report.md + fi + + # Count TypeScript files + ts_files=$(find . -name "*.ts" -not -path "*/node_modules/*" | wc -l) + echo "- TypeScript files: $ts_files" >> complexity-report.md + + - name: Generate documentation coverage report + run: | + echo "" >> complexity-report.md + echo "## Documentation Coverage" >> complexity-report.md + echo "" >> complexity-report.md + + # Count documented vs undocumented exports + total_exports=$(grep -r "export " --include="*.ts" --include="*.js" . | grep -v node_modules | wc -l || echo "0") + documented_exports=$(grep -r "\/\*\*" --include="*.ts" --include="*.js" . -A 5 | grep -c "export " || echo "0") + + echo "- Total exports: $total_exports" >> complexity-report.md + echo "- Documented exports: $documented_exports" >> complexity-report.md + + if [ "$total_exports" -gt 0 ]; then + coverage_percent=$(( documented_exports * 100 / total_exports )) + echo "- Documentation coverage: ~${coverage_percent}%" >> complexity-report.md + fi + + - name: Comment PR with analysis + if: github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + + let report = ''; + try { + report = fs.readFileSync('complexity-report.md', 'utf8'); + } catch (error) { + report = 'Unable to generate complexity report.'; + } + + const body = `## 📊 Code Quality Analysis + + ${report} + +
+ 📝 Quality Guidelines + + - Keep functions under 50 lines when possible + - Limit cognitive complexity (max 15 per ESLint) + - Maintain documentation coverage above 70% + - Address TODO/FIXME comments in separate PRs + - Consider breaking down large files (>500 lines) + +
`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: body + }); + + dependency-audit: + name: Dependency Security Audit + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Setup Node.js + uses: actions/setup-node@v6 + with: + node-version: "20" + cache: "npm" + + - name: Run comprehensive dependency audit + run: | + echo "## 🔍 Dependency Security Audit" > audit-report.md + echo "" >> audit-report.md + + # Run npm audit and capture results + if npm audit --audit-level=moderate 2>&1 | tee audit-output.txt; then + echo "✅ No security vulnerabilities found" >> audit-report.md + else + echo "⚠️ Security vulnerabilities detected:" >> audit-report.md + echo "" >> audit-report.md + echo "\`\`\`" >> audit-report.md + head -20 audit-output.txt >> audit-report.md + echo "\`\`\`" >> audit-report.md + fi + + echo "" >> audit-report.md + echo "### Dependency Statistics" >> audit-report.md + echo "" >> audit-report.md + + if [ -f "package-lock.json" ]; then + total_packages=$(jq -r '.packages | keys | length' package-lock.json) + echo "- Total packages: $total_packages" >> audit-report.md + fi + + # Check for outdated packages + echo "- Checking for outdated packages..." 
>> audit-report.md + if npm outdated --depth=0 2>/dev/null | tail -n +2 | wc -l | grep -q "^[0-9]*$"; then + outdated_count=$(npm outdated --depth=0 2>/dev/null | tail -n +2 | wc -l) + echo "- Outdated packages: $outdated_count" >> audit-report.md + fi + + - name: Comment PR with audit results + if: github.event_name == 'pull_request' && failure() + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + + let report = ''; + try { + report = fs.readFileSync('audit-report.md', 'utf8'); + } catch (error) { + report = '## 🔍 Dependency Security Audit\n\nUnable to generate audit report.'; + } + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: report + }); diff --git a/renovate.json b/renovate.json index 5320e07e..026b9c8d 100644 --- a/renovate.json +++ b/renovate.json 
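Review bot: The audit gate in the "Run comprehensive dependency audit" step cannot fail: with no `shell:` key the `run:` block executes under `bash -e` without `pipefail` (if I have the Actions default right), so `if npm audit --audit-level=moderate 2>&1 | tee audit-output.txt` tests `tee`'s exit status, always writes the ✅ line, and the `failure()`-gated "Comment PR with audit results" step never fires because of a finding. Adding `shell: bash` to that step turns `pipefail` on, or record the status explicitly with `npm audit --audit-level=moderate > audit-output.txt 2>&1; status=$?` and branch on `$status`. In the code-metrics job the TODO/FIXME and documentation-coverage greps run over `.` after `npm ci` without excluding `node_modules` (the `find` in the complexity step does exclude it), so those counts include vendored code; add `--exclude-dir=node_modules` to the `grep -r` calls. That job only reads the source tree with `find`/`grep`/`wc`/`jq`, so its `npm ci` step runs third-party lifecycle scripts for nothing; consider dropping it or using `npm ci --ignore-scripts`.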
@@ -9,13 +9,80 @@ "labels": ["dependencies"], "packageRules": [ { + "description": "Auto-merge non-major updates for production dependencies", "matchUpdateTypes": ["minor", "patch"], + "matchDepTypes": ["dependencies"], + "automerge": true, + "automergeType": "pr", + "platformAutomerge": true + }, + { + "description": "Auto-merge patch updates for dev dependencies", + "matchUpdateTypes": ["patch"], + "matchDepTypes": ["devDependencies"], "automerge": true }, { - "matchPackagePatterns": ["*"], + "description": "Security updates get high priority and auto-merge", + "matchDatasources": ["npm"], + "vulnerabilityAlerts": true, + "labels": ["dependencies", "security"], + "priority": 100, + "automerge": true, + "schedule": ["at any time"] + }, + { + "description": "Major version updates need manual review", "matchUpdateTypes": ["major"], - "labels": ["dependencies", "major"] + "labels": ["dependencies", "major"], + "reviewers": ["team:core-maintainers"], + "automerge": false + }, + { + "description": "Group TypeScript ecosystem updates", + "matchPackageNames": ["typescript", "@types/node", "ts-node", "tsx"], + "groupName": "TypeScript ecosystem", + "labels": ["dependencies", "typescript"] + }, + { + "description": "Group testing framework updates", + "matchPackageNames": [ + "vitest", + "@vitest/coverage-v8", + "playwright", + "@playwright/test" + ], + "groupName": "Testing frameworks", + "labels": ["dependencies", "testing"] + }, + { + "description": "Group linting and formatting tools", + "matchPackageNames": [ + "eslint", + "prettier", + "@eslint/js", + "typescript-eslint", + "eslint-config-prettier" + ], + "groupName": "Code quality tools", + "labels": ["dependencies", "code-quality"] + }, + { + "description": "Pin exact versions for CLI tools", + "matchDepTypes": ["devDependencies"], + "matchPackageNames": [ + "standard-version", + "husky", + "lint-staged", + "@commitlint/cli" + ], + "rangeStrategy": "pin" + }, + { + "description": "High-impact dependencies get 
slower rollout", + "matchPackageNames": ["react", "next", "express", "@anthropic-ai/sdk"], + "minimumReleaseAge": "3 days", + "labels": ["dependencies", "high-impact"] } ], "ignorePaths": [ @@ -24,6 +91,22 @@ "**/dapp-builds/**", "**/website-builds/**", "**/vendor/**", - "**/runs/**" - ] + "**/runs/**", + "**/generated/**", + "**/templates/**" + ], + "assignees": ["team:core-maintainers"], + "reviewersFromCodeOwners": true, + "separateMajorMinor": true, + "separateMinorPatch": false, + "rebaseWhen": "conflicted", + "lockFileMaintenance": { + "enabled": true, + "schedule": ["before 3am on the first day of the month"] + }, + "vulnerabilityAlerts": { + "labels": ["dependencies", "security", "vulnerability"], + "assignees": ["team:security-maintainers"], + "schedule": ["at any time"] + } } From b24747d35b3b9f348394d7c16fee62caa9eead48 Mon Sep 17 00:00:00 2001 From: Axiom Bot <0xAxiom@users.noreply.github.com> Date: Sat, 14 Mar 2026 06:23:39 -0700 Subject: [PATCH 2/2] fix: resolve high severity security vulnerability in dependencies - Run npm audit fix to resolve security issues - All tests passing locally after dependency resolution - CI should now pass with clean dependencies --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 0393acab..90794c3e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4239,9 +4239,9 @@ } }, "node_modules/flatted": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz", - "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==", + "version": "3.4.1", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.1.tgz", + "integrity": "sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==", "dev": true, "license": "ISC" },
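Review bot: The "Security updates get high priority and auto-merge" rule has no vulnerability matcher: as far as I know `vulnerabilityAlerts` is a top-level config object (this same patch adds one in the `ignorePaths` hunk below), not a `packageRules` matcher, and the priority option Renovate knows is `prPriority`, so the rule's only effective condition is `matchDatasources: ["npm"]` and it would enable `automerge` for every npm update (majors only escape because the later rule resets `automerge: false`). Move `labels`, `automerge` and `schedule` into the top-level `vulnerabilityAlerts` object and drop this rule, or keep it with a matcher Renovate actually supports. Separately, the production `minor`/`patch` automerge rule has no `minimumReleaseAge`, while `"3 days"` is applied only to the `high-impact` list; a short release age on the automerged rules (e.g. `"minimumReleaseAge": "3 days"`) limits exposure to a freshly published compromised version that gets unpublished within days.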