ci(frontend): add react-doctor check for landing site#151
Conversation
Adds a CI job that runs react-doctor (https://github.com/millionco/react-doctor) against the Next.js 15 + React 19 landing site at frontend/src/landing/. The landing has 29 .tsx components and no existing lint coverage; the only prior frontend CI was a schema.ts drift check in go.yml. - New workflow .github/workflows/react-doctor.yml, path-filtered to frontend/src/landing/** so backend-only PRs don't pay for it. - doctor script + react-doctor devDep added to the landing package. - Default --blocking=error: surfaces security, bugs, perf, a11y, and maintainability findings without failing CI on existing warnings (current baseline: 0 errors, 58 warnings, ~5s locally). - Runs with --no-telemetry so CI runners don't ping react.doctor. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Greptile SummaryThis PR adds a new GitHub Actions workflow that runs the
Confidence Score: 4/5Safe to merge after pinning the action to a commit SHA — the workflow logic is correct and path-filtering works as intended. The workflow grants .github/workflows/react-doctor.yml — specifically the
|
| Filename | Overview |
|---|---|
| .github/workflows/react-doctor.yml | New CI workflow that runs the react-doctor composite action; uses a mutable floating tag (@v2) while holding pull-requests: write and statuses: write, which the upstream docs flag as requiring SHA pinning. |
Reviews (3): Last reviewed commit: "ci(frontend): use react-doctor GitHub Ac..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Mirrors the PR path filter on push to main so backend-only merges don't re-run the landing check. Unlike go.yml/cli-e2e.yml (which trigger on broad path sets), this workflow only cares about frontend/src/landing/. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…churn Replaces the npm install + npm run doctor approach with the official millionco/react-doctor@v2 composite action. The action manages its own Node setup and react-doctor install on the runner, so the landing package.json and lockfile stay untouched (no transitive-dep bloat from react-doctor's 479-package tree). The action also wires up sticky PR summary comments, inline review comments, and commit statuses out of the box — requires pull-requests and statuses write perms. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
No React Doctor issues found. 🎉 Reviewed by React Doctor for commit |
| # and publishes a commit status. Default blocking=error means only | ||
| # error-severity findings fail the job; warnings are reported but don't | ||
| # block. | ||
| - uses: millionco/react-doctor@v2 |
There was a problem hiding this comment.
millionco/react-doctor@v2 is a floating tag; if the upstream repo moves that tag to a new commit (accidentally or due to a supply-chain compromise), arbitrary code will run with pull-requests: write and statuses: write on every triggered workflow. The react-doctor docs explicitly call out this exact scenario: "For hardened CI — recommended whenever the workflow is granted pull-requests: write — pin to a full commit SHA instead and let Dependabot or Renovate keep it current." Pinning to the SHA of the current v2 head and adding a Dependabot/Renovate entry for the action removes the risk while keeping the version current.
1 participant
Summary
Adds a CI job that runs react-doctor against the Next.js 15 + React 19 landing site at `frontend/src/landing/`.
Why it earns its place
What triggers it
Pull requests that touch `frontend/src/landing/**` or the workflow file itself; also pushes to `main`. Backend-only PRs do not pay for this check.
Example output (current main)
```
React Doctor v0.4.0
All 58 issues
Security › 1 warning
Bugs › 24 warnings
Performance › 11 warnings
Accessibility › 5 warnings
Maintainability › 17 warnings
```
Files
Test plan
🤖 Generated with Claude Code