Merged
23 commits
ee8e78b
Bump the npm_and_yarn group across 1 directory with 7 updates (#40)
dependabot[bot] May 23, 2026
6698711
Bump next in the npm_and_yarn group across 1 directory (#41)
dependabot[bot] May 23, 2026
ec90d52
Readme (#44)
LCSOGthb May 23, 2026
1a2c969
Update SECURITY.md (#45)
LCSOGthb May 24, 2026
c0bc2bf
Launch responsive games application with a modern dark theme (#46)
LCSOGthb May 24, 2026
158ebec
Modernize UI design and accessibility (#48)
LCSOGthb May 24, 2026
7130270
Launch Coming Soon page with animated gradient and language selector …
LCSOGthb May 25, 2026
cf5d54c
Add CodSpeed performance benchmarks (#51)
codspeed-hq[bot] May 25, 2026
485d280
Readme (#52)
LCSOGthb May 25, 2026
fe7ddb1
Delete .github/workflows/codeql.yml
LCSOGthb May 27, 2026
5b31265
Delete .github/workflows/codescan.yml
LCSOGthb May 27, 2026
3311255
Delete .github/workflows/codacy-coverage-reporter.yaml
LCSOGthb May 27, 2026
4ac89ff
Delete .github/workflows/defender-for-devops.yml
LCSOGthb May 27, 2026
620b114
Delete .github/workflows/ossar.yml
LCSOGthb May 27, 2026
8895630
Delete .github/workflows/osv-scanner.yml
LCSOGthb May 27, 2026
a901143
Delete .github/workflows/msvc.yml
LCSOGthb May 27, 2026
a2f8011
Delete .github/workflows/codacy.yml
LCSOGthb May 27, 2026
a7a952c
Bump ws in the npm_and_yarn group across 1 directory (#47)
dependabot[bot] May 27, 2026
8c57279
Create eslint.yml
LCSOGthb May 27, 2026
56f9104
Create ossar.yml
LCSOGthb May 27, 2026
974586a
Refine "Coming Soon" card UI and update version to 0.13 Beta (#53)
LCSOGthb May 27, 2026
a60f240
feat: update version label to 0.14 β (#54)
LCSOGthb May 29, 2026
01611ee
Saved progress at the end of the loop
May 27, 2026
19 changes: 0 additions & 19 deletions .github/workflows/codacy-coverage-reporter.yaml

This file was deleted.

61 changes: 0 additions & 61 deletions .github/workflows/codacy.yml

This file was deleted.

90 changes: 0 additions & 90 deletions .github/workflows/codeql.yml

This file was deleted.

35 changes: 0 additions & 35 deletions .github/workflows/codescan.yml

This file was deleted.

35 changes: 35 additions & 0 deletions .github/workflows/codspeed.yml
@@ -0,0 +1,35 @@
name: CodSpeed

on:
push:
branches:
- main
pull_request:
# `workflow_dispatch` allows CodSpeed to trigger backtest
# performance analysis in order to generate initial data.
workflow_dispatch:

permissions:
contents: read
id-token: write

jobs:
benchmarks:
name: Run benchmarks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4


P2: Workflow actions are pinned to mutable tags (@v4) instead of immutable commit SHAs, weakening CI supply-chain integrity.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codspeed.yml, line 21:

<comment>Workflow actions are pinned to mutable tags (`@v4`) instead of immutable commit SHAs, weakening CI supply-chain integrity.</comment>

<file context>
@@ -0,0 +1,35 @@
+    name: Run benchmarks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
</file context>


- uses: actions/setup-node@v4
with:
node-version: 22
cache: npm

- name: Install dependencies
run: npm ci

- name: Run benchmarks
uses: CodSpeedHQ/action@v4

Check warning on line 32 in .github/workflows/codspeed.yml

Codacy Production / Codacy Static Code Analysis

.github/workflows/codspeed.yml#L32

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
with:
mode: simulation
run: npx vitest bench --run
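Review bot: The "Install dependencies" step runs `npm ci` with package install scripts enabled inside the `benchmarks` job, which the top-level `permissions` block grants `id-token: write` and which also runs on `pull_request`. If the benchmarks do not need lifecycle scripts, use `npm ci --ignore-scripts`, and set `persist-credentials: false` on the `actions/checkout` step so the checkout token is not left in the workspace for the later third-party action.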
Comment on lines +12 to +35


Action required

1. Unpinned codspeed action 🐞 Bug ⛨ Security

The CodSpeed workflow runs CodSpeedHQ/action@v4 (floating tag) while granting id-token: write,
which increases supply-chain risk because the executed action code can change without review.
Pinning to a commit SHA is needed to make the workflow execution immutable.
Agent Prompt
### Issue description
The workflow uses a third-party GitHub Action by floating tag (`CodSpeedHQ/action@v4`) while also enabling OIDC token minting (`id-token: write`). If the tag ever changes unexpectedly, the workflow could run unreviewed code with elevated permissions.

### Issue Context
This is a CI supply-chain hardening issue. GitHub recommends pinning actions to commit SHAs.

### Fix Focus Areas
- .github/workflows/codspeed.yml[12-35]

### Suggested fix
- Replace `uses: CodSpeedHQ/action@v4` with `uses: CodSpeedHQ/action@<full_commit_sha>`.
- (Optional hardening) Scope `permissions` to the job level and keep `id-token: write` only if CodSpeed requires OIDC in your setup.
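
The check that the review comments above ask for can be automated in CI. The following is an added example, not code from this pull request or from any of the reviewing tools: the function name `audit_workflow` is hypothetical, it uses a line-based regex scan rather than a YAML parser, and the sample workflow and its 40-character SHA are constructed placeholders.

```python
import re

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
OIDC_RE = re.compile(r"^\s*id-token:\s*write\b", re.MULTILINE)

def audit_workflow(text):
    """Return (line_no, action_ref, severity) for each action not pinned to a full SHA."""
    # A floating ref matters more when the workflow can mint OIDC tokens.
    severity = "high" if OIDC_RE.search(text) else "medium"
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are not fetched from a repository tag.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, severity))
    return findings

# Constructed sample modelled on the codspeed.yml in this pull request.
# The 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
name: CodSpeed
permissions:
  contents: read
  id-token: write
jobs:
  benchmarks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - name: Run benchmarks
        uses: CodSpeedHQ/action@v4
"""

if __name__ == "__main__":
    for line_no, ref, severity in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA [{severity}]")
```

Run over every file in `.github/workflows/`, a non-empty result can fail the build before a tag-pinned action reaches `main`.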


47 changes: 0 additions & 47 deletions .github/workflows/defender-for-devops.yml

This file was deleted.

52 changes: 52 additions & 0 deletions .github/workflows/eslint.yml
@@ -0,0 +1,52 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# ESLint is a tool for identifying and reporting on patterns
# found in ECMAScript/JavaScript code.
# More details at https://github.com/eslint/eslint
# and https://eslint.org

name: ESLint

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '19 1 * * 0'

jobs:
eslint:
name: Run eslint scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Install ESLint
run: |
npm install eslint@8.10.0


P2: CI pins ESLint 8.10.0 even though the repository is configured for ESLint 9, creating inconsistent lint results.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/eslint.yml, line 35:

<comment>CI pins ESLint 8.10.0 even though the repository is configured for ESLint 9, creating inconsistent lint results.</comment>

<file context>
@@ -0,0 +1,52 @@
+
+      - name: Install ESLint
+        run: |
+          npm install eslint@8.10.0
+          npm install @microsoft/eslint-formatter-sarif@3.1.0
+
</file context>

npm install @microsoft/eslint-formatter-sarif@3.1.0
Comment on lines +34 to +36

Contributor

🚩 ESLint workflow installs a separate eslint@8 instead of using the project's eslint@9

Beyond the missing .eslintrc.js config (reported as a bug), the ESLint workflow at .github/workflows/eslint.yml:35 installs eslint@8.10.0 directly rather than running npm ci to use the project's own eslint@^9. This means even if the config file issue were fixed, the workflow would use a completely different (much older) ESLint version than the project's devDependencies specify. The --ext flag used on line 43 is also removed in ESLint 9. This workflow appears to be boilerplate that wasn't adapted to the actual project setup.


Comment on lines +33 to +36


suggestion (bug_risk): The workflow pins ESLint to 8.10.0, which likely diverges from the project’s configured ESLint version.

Here the workflow installs eslint@8.10.0 while package.json specifies ^9, which can cause config incompatibilities and different lint results in CI vs. local. Please either use the version from package.json (e.g., npm ci then npx eslint) or update the pinned version here to match it.

Suggested implementation:

      - name: Install dependencies
        run: |
          npm ci
          npm install @microsoft/eslint-formatter-sarif@3.1.0

      - name: Run ESLint
        env:
          SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
        # Backslashes keep the flags on one shell command inside the block scalar.
        run: |
          npx eslint . \
            --config .eslintrc.js \
            --ext .js,.jsx,.ts,.tsx \
            --format @microsoft/eslint-formatter-sarif \
            --output-file eslint-results.sarif
        continue-on-error: true

  1. Ensure that eslint is declared in devDependencies in package.json (e.g., "eslint": "^9.x.x"), so npm ci installs the correct version used locally.
  2. Optionally, add @microsoft/eslint-formatter-sarif as a dev dependency in package.json to avoid installing it separately in CI and improve reproducibility.

Comment on lines +33 to +36


P2 | Confidence: High

The workflow installs eslint@8.10.0 globally via npm install, but the project’s package.json declares "eslint": "^9" as a devDependency. This creates a version mismatch: CI may run linting with a much older version (8.10.0) that could produce different results or miss rules/configurations defined for ESLint 9. Additionally, the workflow does not use the project’s local ESLint installation (npx eslint will pick up the globally installed one), leading to potential false passes or failures. To ensure consistency, CI should either use the project’s locally installed ESLint or align the installed version with the project’s requirement.

Suggested change
- name: Install ESLint
run: |
npm install eslint@8.10.0
npm install @microsoft/eslint-formatter-sarif@3.1.0
- name: Install dependencies
run: npm ci
- name: Run ESLint
run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
continue-on-error: true

Evidence: path:package.json


- name: Run ESLint
env:
SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
run: npx eslint .
--config .eslintrc.js


P1: Workflow references a non-existent ESLint config file (.eslintrc.js), so the lint scan will fail immediately.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/eslint.yml, line 42:

<comment>Workflow references a non-existent ESLint config file (`.eslintrc.js`), so the lint scan will fail immediately.</comment>

<file context>
@@ -0,0 +1,52 @@
+        env:
+          SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
+        run: npx eslint .
+          --config .eslintrc.js
+          --ext .js,.jsx,.ts,.tsx
+          --format @microsoft/eslint-formatter-sarif
</file context>

--ext .js,.jsx,.ts,.tsx
Comment on lines +33 to +43


🟠 Architect Review — HIGH

The ESLint workflow step references a .eslintrc.js config that does not exist anywhere in the repo, so npx eslint . --config .eslintrc.js cannot run with the specified configuration.

Suggestion: Either add and maintain the .eslintrc.js file, or update the workflow to use the project's real lint entrypoint (for example npm run lint or a config-less next lint) so the CI ESLint job actually runs.


Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/eslint.yml
**Line:** 33:43
**Comment:**
	*HIGH: The ESLint workflow step references a `.eslintrc.js` config that does not exist anywhere in the repo, so `npx eslint . --config .eslintrc.js` cannot run with the specified configuration.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

--format @microsoft/eslint-formatter-sarif
--output-file eslint-results.sarif
Comment on lines +41 to +45

Contributor

🔴 ESLint workflow references non-existent .eslintrc.js config file

The new ESLint workflow at .github/workflows/eslint.yml:42 runs npx eslint . --config .eslintrc.js, but no .eslintrc.js file exists in the repository. ESLint will fail to find the config and error out. Although continue-on-error: true prevents the step from failing the workflow, the eslint-results.sarif output file will never be generated, causing the subsequent SARIF upload step to also fail. The entire workflow is effectively non-functional.

Prompt for agents
The ESLint workflow installs eslint@8.10.0 and uses --config .eslintrc.js --ext flags (ESLint 8 style), but the project uses eslint ^9 (flat config) with eslint-config-next, and no .eslintrc.js file exists. The workflow needs to be updated to either: (1) create a compatible .eslintrc.js config file in the repo, or (2) update the workflow to use ESLint 9 flat config (eslint.config.mjs) without --config and --ext flags (which are removed in ESLint 9). The project's package.json already has eslint-config-next 15.3.4 and eslint ^9 as devDependencies, so aligning the workflow with the project's own ESLint setup would be the simplest fix.

continue-on-error: true

- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: eslint-results.sarif
wait-for-processing: true
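Review bot: The two `npm install <package>@<version>` lines in the "Install ESLint" step add the scanner and its SARIF formatter at run time, so their transitive dependencies are not taken from a committed lockfile, in a job that holds `security-events: write`. Declare both packages as devDependencies and install them with `npm ci`, as codspeed.yml in this same pull request does. Separately, `continue-on-error: true` on "Run ESLint" makes a scanner crash indistinguishable from a run that produced findings; add a step before the upload that fails when `eslint-results.sarif` is missing.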