
Update GitHub workflow #9

Merged
danielsitek merged 4 commits into main from feature/ds-update-github-workflow
Dec 14, 2025

Conversation

@danielsitek (Owner) commented Dec 14, 2025

This pull request updates the GitHub Actions workflows to improve reliability, security, and automation. The main changes include upgrading action versions, adding permissions and concurrency controls, and introducing a new release workflow.

Workflow improvements and automation:

  • Added a new .github/workflows/release.yml workflow to automate release creation on tag pushes, including release notes generation and proper permissions.
  • Introduced concurrency controls to both the development and release workflows to prevent overlapping runs and ensure resource efficiency.

Security and reliability enhancements:

  • Explicitly set permissions for jobs in .github/workflows/dev.yml to limit GitHub token access to only what is necessary.

Dependency and performance updates:

  • Upgraded all major GitHub Actions (actions/checkout, actions/setup-node, and actions/upload-artifact) to version 6 for improved features and support.
  • Enabled npm caching and disabled fail-fast in matrix jobs to improve CI performance and resilience.

Summary by CodeRabbit

  • Chores
    • Optimized CI/CD pipeline with npm dependency caching and workflow concurrency controls for faster build times and improved resource efficiency.
    • Added automated release workflow that creates and publishes releases automatically whenever version tags are pushed to the repository.
    • Updated GitHub Actions tools to their latest versions for enhanced security, compatibility, and overall performance improvements.


@danielsitek danielsitek self-assigned this Dec 14, 2025

coderabbitai bot commented Dec 14, 2025

Walkthrough

Updates the dev workflow with concurrency control, updated GitHub Actions versions (v4 to v6), npm caching, and per-job permissions. Introduces a new release workflow that automatically creates GitHub releases when version tags are pushed to the repository.

Changes

Cohort / File(s) | Summary
Dev workflow updates: .github/workflows/dev.yml | Added concurrency control with cancel-in-progress, upgraded actions (checkout, setup-node, upload-artifact) from v4 to v6, introduced npm cache configuration, added per-job contents read permissions, and enabled fail-fast: false strategy across jobs
Release automation: .github/workflows/release.yml | New workflow file that triggers on version tags (v*) to automatically create GitHub releases using softprops/action-gh-release@v2.5.0

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Action version upgrades are straightforward and follow a consistent pattern across all jobs
  • Configuration additions (concurrency, permissions, caching) are standard GitHub Actions patterns
  • New release workflow is minimal with a single job and three simple steps

Possibly related PRs

  • Github actions #1: Modifies .github/workflows/dev.yml with changes to the same build, test, and coverage jobs and steps.

Poem

🐰 A rabbit hops through workflows new,
From v4 to v6, we make them fly true,
With caches that speed and releases that flow,
Our GitHub Actions sparkle and glow!

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title is vague and generic, using 'Update GitHub workflow' without specifying which workflows are updated or what the main improvements are (concurrency controls, action upgrades, new release automation). | Consider using a more specific title like 'Upgrade GitHub Actions workflows with concurrency controls, action upgrades, and automated release workflow' to better reflect the comprehensive nature of the changes.

✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


codecov bot commented Dec 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f879788) to head (65ede45).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main        #9   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           21        21           
  Branches         5         5           
=========================================
  Hits            21        21           


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/dev.yml (1)

114-118: Codecov step: add fork PR guard and pin to commit SHA for security.

On pull_request from forks, secrets.CODECOV_TOKEN is unavailable and the upload will fail unless Codecov's tokenless uploads are enabled or OIDC is configured. Add a conditional to skip fork PRs, or alternatively configure OIDC with use_oidc: true and permissions: id-token: write. Additionally, pin codecov/codecov-action@v5 to a commit SHA (e.g., codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5) for reproducibility and security.

       - name: Upload coverage reports to Codecov
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
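Review bot: the `# v5` comment beside the SHA pin should name the exact release tag that commit `671740ac38dd9b0130fbe1cec585b89eea48d3de` resolves to, not the floating major, so a reviewer can verify the pin against a published release and Dependabot can keep the comment and the SHA in step when it bumps them; the `${{ }}` wrapper on the `if:` line is also unnecessary, since GitHub Actions already evaluates `if:` as an expression, so `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` reads cleaner and behaves the same.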
🧹 Nitpick comments (2)
.github/workflows/release.yml (1)

17-31: Pin third-party actions to commit SHAs to reduce supply-chain risk.
softprops/action-gh-release@v2.5.0 (and even first-party actions) are mutable tags; pinning to a SHA is the standard hardening step for release automation.

-        uses: softprops/action-gh-release@v2.5.0
+        uses: softprops/action-gh-release@<PINNED_SHA>
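Review bot: `<PINNED_SHA>` is a placeholder the runner will reject as an invalid ref, so this line cannot be applied as written; it needs the full 40-character commit SHA that the `v2.5.0` tag points to, followed by a `# v2.5.0` comment so the pinned version stays readable and Dependabot or Renovate can update the SHA and the comment together. Without the comment, a bare SHA pin is hard to audit for staleness.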
.github/workflows/dev.yml (1)

31-36: npm cache enabled, but ensure lockfile path assumptions match your repo.
actions/setup-node’s npm cache keys off the lockfile; if you have a non-root workspace/lockfile layout, you may want to set cache-dependency-path.

       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
+          # cache-dependency-path: package-lock.json
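Review bot: a commented-out `cache-dependency-path` is dead configuration; either set it to the real lockfile path when the lockfile is not at the repository root, or leave the line out, since the comment adds nothing the default behaviour does not already provide. Separately, `actions/setup-node@v6` in this hunk is still a mutable tag, which is inconsistent with the SHA pinning this review recommends for `codecov/codecov-action` and `softprops/action-gh-release`; the same pin-with-version-comment treatment should apply here and to the other `@v6` references.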

Also applies to: 68-73, 99-104

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f879788 and 65ede45.

📒 Files selected for processing (2)
  • .github/workflows/dev.yml (5 hunks)
  • .github/workflows/release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (3)
.github/workflows/release.yml (1)

3-11: Concurrency group looks fine; consider whether “no cancel” is intentional for tags.
With cancel-in-progress: false, multiple tags pushed quickly will run concurrently; if you’d rather serialize releases, set cancel-in-progress: true (or group by workflow only).

.github/workflows/dev.yml (2)

10-13: Concurrency config is solid for PR/update storms.
Grouping by workflow+ref with cancel-in-progress: true is a good default to avoid wasting runners on superseded commits.


19-21: Good least-privilege default (contents: read).
Nice hardening—keeps the GITHUB_TOKEN scoped for typical checkout/build/test usage.

Also applies to: 56-58, 88-90
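
The hardening points raised in this thread (the PR description's concurrency and least-privilege `permissions` settings, and the review's advice to pin third-party actions to commit SHAs) as an added shell example; this is not code from the PR, the repository or CodeRabbit. It writes two constructed workflow files, one shaped like a pre-PR dev workflow and one with the PR's changes plus SHA pinning, then audits both for unpinned `uses:` references and missing `permissions:` / `concurrency:` blocks. The all-zero SHAs are placeholders, not real commits; the `codecov/codecov-action` SHA and the fork-PR `if:` guard are the ones quoted in the review comment above.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the repository: audit GitHub Actions
# workflow files for the hardening points raised in this thread:
#   1. every third-party `uses:` reference is pinned to a 40-hex commit SHA
#   2. a `permissions:` block exists (least-privilege GITHUB_TOKEN)
#   3. a `concurrency:` block exists (no overlapping runs)
# Both workflow files below are constructed for this example.

WORKDIR=$(mktemp -d)
WEAK="$WORKDIR/dev-weak.yml"
HARDENED="$WORKDIR/dev-hardened.yml"

# Shaped like a pre-PR dev workflow: floating tags, no permissions, no concurrency.
cat > "$WEAK" <<'EOF'
name: dev
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
EOF

# The PR's changes plus the review's SHA-pinning advice. The all-zero SHAs are
# PLACEHOLDERS constructed for this example; the codecov SHA and the fork guard
# are the ones quoted in the review.
cat > "$HARDENED" <<'EOF'
name: dev
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
        with:
          node-version: 20
          cache: npm
      - run: npm ci && npm test
      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
EOF

# count_unpinned FILE: number of `uses:` lines whose ref is not a full commit SHA.
# Local actions (`uses: ./path`) and docker images are skipped; they are pinned
# by repository content or image digest rather than by a git SHA.
count_unpinned() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
    | wc -l | tr -d ' '
}

# has_key FILE KEY: true if a `KEY:` mapping appears at top level or inside a job.
# Presence only; it does not judge which scopes are granted.
has_key() {
  grep -qE "^[[:space:]]*$2:" "$1"
}

# audit_workflow FILE: print each finding, return 0 only when there are none.
audit_workflow() {
  file=$1
  problems=0
  n=$(count_unpinned "$file")
  if [ "$n" -gt 0 ]; then
    echo "$file: $n 'uses:' reference(s) not pinned to a commit SHA"
    problems=$((problems + n))
  fi
  for key in permissions concurrency; do
    if ! has_key "$file" "$key"; then
      echo "$file: no '$key:' block declared"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

for f in "$WEAK" "$HARDENED"; do
  if audit_workflow "$f"; then
    echo "$f: no findings"
  fi
done
```

Run it against a real checkout with `for f in .github/workflows/*.yml; do audit_workflow "$f"; done` after sourcing the functions; the weak file reports four findings (two floating tags, no `permissions:`, no `concurrency:`) and the hardened file reports none. The check is deliberately textual rather than a YAML parse so it works with only POSIX tools in a CI step; it flags presence of the blocks, not whether the scopes inside them are minimal, so the `contents: read` review still has to be done by a human. The temporary files stay in `$WORKDIR` for inspection.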

@danielsitek danielsitek merged commit efc29d7 into main Dec 14, 2025
12 checks passed
@danielsitek danielsitek deleted the feature/ds-update-github-workflow branch December 14, 2025 12:52