chore: Set up CI/CD pipeline with GitHub Actions

[herokwon]

🔍 Overview

Set up CI/CD pipeline with GitHub Actions

🛠 Changes

• Configure GitHub Dependabot
• Configure Changesets with pnpm
• GitHub Actions
  • composite action
    • setup-env : Set up Node.js environment
    • setup-slack-payload : Set up slack notification message payload
  • workflows
    • CI Validation : Code validation check for Pull request
    • Release : Deployments and slack notification

❗ Related Issues

• [Setting] Set up CI/CD pipeline with GitHub Actions #7

💬 Additional Notes (Screenshots, URLs, etc.)

• Dependabot quickstart guide - GitHub Docs
• changesets/changesets: 🦋 A way to manage your versioning and changelogs with a focus on monorepos
• Using Changesets with pnpm | pnpm
• About continuous integration with GitHub Actions - GitHub Docs
• Deploying with GitHub Actions - GitHub Docs

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1cd5ecc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Summary by CodeRabbit

• New Features

  • Added automated workflows for continuous integration, release management, and Slack notifications.
  • Introduced custom GitHub Actions for environment setup and Slack payload generation.
  • Enabled public package publishing with detailed metadata and release scripts.

• Chores

  • Added configuration files for Changesets and Dependabot to automate versioning and dependency updates.
  • Included an MIT license file for the project.

Summary by CodeRabbit

• New Features
  • Added automated workflows for continuous integration, validation, and release processes, including UI testing and Slack notifications.
  • Introduced custom reusable GitHub Actions for environment setup and Slack message payload creation.
  • Configured automated dependency updates with scheduled and grouped updates for both npm and GitHub Actions.
• Chores
  • Added MIT license file.
  • Updated package configuration for public publishing, entry points, metadata, and release scripts.
  • Introduced configuration files for release and version management tools.

Walkthrough

This update introduces comprehensive configuration and automation files for project management, release, and CI/CD workflows. It adds configuration for Changesets, Dependabot, and GitHub Actions, including custom composite actions and workflow definitions for validation and release processes. The package is now public, with explicit entry points, publishing configuration, and MIT licensing.

Changes

File(s)	Change Summary
.changeset/config.json	Added Changesets configuration specifying changelog generator, versioning, package access, dependency update strategies, and base branch.
.github/actions/setup-env/action.yml	Introduced a composite GitHub Action for Node.js environment setup, pnpm installation, and dependency installation, with configurable Node.js version.
.github/actions/setup-slack-payload/action.yml	Added a composite GitHub Action to generate a Slack message payload JSON file based on publishing and pull request metadata, with customizable inputs and output file path.
.github/dependabot.yml	Added Dependabot configuration for automated dependency updates, grouping, scheduling, ignoring major updates for key packages, and custom commit message prefixes.
.github/workflows/ci-validation.yml	Added a CI workflow for pull requests with jobs for linting, type checking, testing, and conditional auto-merge for release or Dependabot branches.
.github/workflows/release.yml	Added a release workflow triggered on main branch pushes, including Storybook deployment, Chromatic UI testing, package publishing with Changesets, and Slack notifications.
LICENSE	Added the MIT License text, granting open-source permissions and disclaimers.
package.json	Made the package public, defined entry points, included only the dist folder, added publishing config, release script, changesets dev dependencies, and detailed metadata (author, contributors, bugs, homepage, keywords, repository, description, license).

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions
    participant Setup Env Action
    participant Changesets
    participant Chromatic
    participant Slack Payload Action
    participant Slack

    GitHub Actions->>Setup Env Action: Setup environment (Node.js, pnpm, install deps)
    GitHub Actions->>Chromatic: Run UI tests and deploy Storybook
    GitHub Actions->>Changesets: Run release (versioning, publish to npm)
    Changesets-->>GitHub Actions: Output published status/packages
    GitHub Actions->>Slack Payload Action: Generate Slack payload (publish/PR info)
    Slack Payload Action->>Slack: Send notification via webhook

Loading

Poem

🐇
New configs in the warren, a license to share,
Actions and bots now handle with care.
From linting to testing, releases take flight,
Slack gets the news in the middle of night.
With public intent and a Changeset’s delight,
This project now hops into open-source light!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 362595b and 1cd5ecc.

📒 Files selected for processing (2)

• .github/workflows/ci-validation.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/ci-validation.yml
• .github/workflows/release.yml

✨ Finishing Touches

🧪 Generate Unit Tests

• Create PR with Unit Tests
• Post Copyable Unit Tests in Comment
• Commit Unit Tests in branch chore/setup-cicd-pipeline

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR configures automated workflows for CI/CD with GitHub Actions, Dependabot, and Changesets to validate, build, release, and notify.

• Add package metadata and publish scripts in package.json
• Introduce Dependabot configuration and Changesets setup
• Create composite actions and workflows for lint/type/test, release, and Slack notifications

Reviewed Changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
package.json	Update publishing metadata, scripts, and deps
LICENSE	Add MIT license
.github/workflows/release.yml	Define release pipeline: storybook, changesets, Slack
.github/workflows/ci-validation.yml	Define CI validation: lint, types, tests, auto-merge
.github/dependabot.yml	Configure Dependabot updates and grouping
.github/actions/setup-slack-payload/action.yml	Composite action to build Slack notification payload
.github/actions/setup-env/action.yml	Composite action to install Node.js/pnpm environment
.changeset/config.json	Changesets configuration

Comments suppressed due to low confidence (5)

.github/actions/setup-env/action.yml:8

• Node.js version '22' is not a valid release at this time; consider using a supported LTS version such as '18' or '20'.

    default: '22'

.github/workflows/release.yml:41

• Using context.sha on a push-to-main event may not reliably return an associated pull request. Add a guard for an empty response or derive the PR number from the merge commit/event payload to avoid errors.

            const issueNumber = (await github.rest.repos.listPullRequestsAssociatedWithCommit({

.github/workflows/release.yml:85

• The changesets/action expects the built-in GITHUB_TOKEN. If using a custom secret, ensure it’s correctly named or switch to ${{ secrets.GITHUB_TOKEN }}.

          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

.github/workflows/ci-validation.yml:71

• The GitHub CLI uses the GITHUB_TOKEN environment variable for auth; you provided GH_TOKEN. Change the env var to GITHUB_TOKEN so the auto-merge step can succeed.

        run: gh pr merge --auto --squash "$PR_URL" --delete-branch

.github/dependabot.yml:9

• [nitpick] Specifying a milestone by numeric ID can break if the ID changes; consider referencing the milestone by its title or verifying that the numeric ID stays in sync.

    milestone: 1

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (11)

.github/actions/setup-slack-payload/action.yml (2)

42-47: Handle published_packages JSON safely
Using single‐quoted echo can alter whitespace. Prefer:

echo "${{ inputs.published_packages }}" > packages.json

or

printf '%s' "${{ inputs.published_packages }}" > packages.json

---

48-129: Simplify JSON payload generation
The current single-quote/variable-break pattern is brittle. Switch to a here-document (EOF) or a double-quoted heredoc to improve maintainability and reduce quoting errors.

Also applies to: 130-196

.github/actions/setup-env/action.yml (1)

13-18: Pin pnpm version for reproducibility
Using version: latest risks unexpected behavior when pnpm releases a new major. Consider specifying a stable pnpm version.

.github/workflows/ci-validation.yml (5)

1-4: Consider restricting PR triggers to specific branches

Currently the workflow triggers on all pull requests (on: [pull_request]). To avoid unnecessary runs (e.g., forks or feature branches not targeting main), explicitly filter by target branch:

on:
  pull_request:
    branches:
      - main

---

5-8: Scope down permissions to least-privilege

You grant contents: write and pull-requests: write at the workflow level, even for lint and type-check steps that don’t need write access. Consider:

• Setting default permissions to read-all
• Elevating to write only in the merge job

---

19-27: Use a formatting check instead of auto-format in CI

Running pnpm format will modify files in CI rather than fail on bad formatting. Prefer a check command (e.g., pnpm format:check) to surface formatting issues as failures rather than side effects.

---

28-45: Cache dependencies to speed up type checks and builds

The check-types job installs and builds on each run. Adding a cache step for the pnpm store (e.g., actions/cache on ~/.pnpm-store) can significantly reduce CI runtime.

---

46-63: Add caching for Playwright installation

Installing Playwright browsers every run can be slow. Consider caching ~/.cache/ms-playwright between runs or pinning browser versions to speed up the pnpm exec playwright install step.

.github/workflows/release.yml (3)

10-14: Remove unused id-token permission

The id-token: write permission is not utilized in this workflow. Dropping it reduces unnecessary surface area:

permissions:
  contents: write
  pull-requests: write

---

37-53: Handle missing associated pull request gracefully

In the Storybook comment step, listPullRequestsAssociatedWithCommit may return an empty array (e.g., direct pushes). Add a guard to skip if no PR is found to prevent runtime errors.

---

99-109: Guard against no pull request in Slack notification

Similar to the Storybook step, listPullRequestsAssociatedWithCommit may yield no PRs. Validate result before accessing properties to avoid failures.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2814ee9 and 9234017.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (8)

• .changeset/config.json (1 hunks)
• .github/actions/setup-env/action.yml (1 hunks)
• .github/actions/setup-slack-payload/action.yml (1 hunks)
• .github/dependabot.yml (1 hunks)
• .github/workflows/ci-validation.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)
• LICENSE (1 hunks)
• package.json (4 hunks)

🔇 Additional comments (15)

LICENSE (1)

1-22: MIT License addition is appropriate
The MIT license text matches the license field in package.json and supports the public release.

.changeset/config.json (1)

1-12: Changesets configuration looks correct
The schema URL, changelog generator, access, and branch settings align with the intended CI/CD release process.

.github/dependabot.yml (2)

1-17: Dependabot schedule and ecosystems are set up
Weekly checks for GitHub Actions and npm dependencies with proper commit-message prefixes.

---

9-23: Verify existence of milestone 1
Ensure that milestone ID 1 is created in the repo so that Dependabot PRs are correctly assigned.

.github/actions/setup-slack-payload/action.yml (3)

4-14: Inputs are well defined
All required parameters for Slack notifications are declared and marked as required.

---

30-34: Outputs mapping is correct
The composite action exposes file-path via $GITHUB_OUTPUT for downstream steps.

---

199-201: File-path output step is correct
The action correctly writes the file-path to $GITHUB_OUTPUT.

.github/actions/setup-env/action.yml (3)

5-9: Default Node.js version
The default node-version: '22' may be ahead of the current LTS. Confirm compatibility or adjust to the project’s target Node.js version.

---

19-24: Node.js setup step is solid
actions/setup-node@v4 with cache: 'pnpm' ensures consistent environment caching.

---

25-27: Install dependencies with frozen lockfile
pnpm install --frozen-lockfile is the right choice for CI to guarantee reproducible installs.

.github/workflows/ci-validation.yml (1)

64-75: Verify correct auth token for GitHub CLI

You pass GH_TOKEN to gh pr merge, but the CLI typically reads GITHUB_TOKEN in Actions. Please confirm that GH_TOKEN is picked up; otherwise switch to:

env:
  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

.github/workflows/release.yml (1)

77-87: Confirm correct token name for Changesets action

You set GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} but the action context provides GITHUB_TOKEN by default. Ensure secrets.GH_TOKEN is defined, or switch to:

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package.json (3)

3-3: Public package requires a LICENSE file

You switched "private": false. Ensure the MIT LICENSE file is present at the repo root so that your license: "MIT" declaration is valid.

---

5-11: Verify build outputs match main/module entrypoints

You reference dist/index.cjs and dist/index.js. Confirm your build (tsup/tsc) is configured to emit these exact filenames, or adjust these fields to reflect real artifacts.

---

27-29: Validate Changesets publish command

Your "release": "pnpm build && changeset publish" script must invoke the correct CLI binary (changeset vs. changesets). Please ensure changeset publish is valid or update to changesets publish if required.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (5)

.changeset/config.json (1)

2-3: Consider pinning the Changesets schema version.
Using @latest can introduce breaking schema changes; pin to a known version for stability.

Example:

-  "$schema": "https://unpkg.com/@changesets/config@latest/schema.json",
+  "$schema": "https://unpkg.com/@changesets/config@1.0.0/schema.json",

.github/workflows/ci-validation.yml (1)

72-74: Use the built-in GITHUB_TOKEN.
Replace the custom GH_TOKEN secret with the automatic GITHUB_TOKEN to simplify authentication and reduce secret management.

       env:
         PR_URL: ${{ github.event.pull_request.html_url }}
-        GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/actions/setup-slack-payload/action.yml (1)

42-47: Only the first published package is processed.

This logic extracts only the first entry from published_packages, so additional packages won’t be reported. Consider iterating over the array or summarizing multiple entries if multi-package releases are common.

.github/workflows/release.yml (2)

37-53: Guard against missing PR association.

listPullRequestsAssociatedWithCommit(...).data[0] may be undefined when no PR is found. Add a check before accessing .number to avoid runtime errors.

---

99-117: Ensure robust PR lookup.

Consider handling cases where listPullRequestsAssociatedWithCommit returns an empty array to avoid undefined attribute access.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2814ee9 and 9234017.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (8)

• .changeset/config.json (1 hunks)
• .github/actions/setup-env/action.yml (1 hunks)
• .github/actions/setup-slack-payload/action.yml (1 hunks)
• .github/dependabot.yml (1 hunks)
• .github/workflows/ci-validation.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)
• LICENSE (1 hunks)
• package.json (4 hunks)

🔇 Additional comments (28)

LICENSE (1)

1-22: MIT license file is correctly added.
The license text is complete, and the year and copyright holder are accurate.

.changeset/config.json (1)

1-12: Changesets configuration is well-structured.
Settings align with the release workflow and public package setup.

.github/workflows/ci-validation.yml (1)

1-69: CI Validation workflow structure is solid.
Jobs are properly defined, the composite action ensures consistency, and the conditional merge is well-configured.

.github/dependabot.yml (1)

17-26: Missing commit-message configuration for npm updates.
Without a commit-message block, npm dependency PRs will not use the intended prefix.

Add the following under the npm update entry:

   - package-ecosystem: 'npm'
     directory: '/'
     schedule:
       interval: 'weekly'
       time: '02:00'
       timezone: 'Asia/Seoul'
     milestone: 1
+    commit-message:
+      prefix: 'chore(deps):'
     ignore:
       - dependency-name: 'react'
         update-types: ['version-update:semver-major']

Likely an incorrect or invalid review comment.

.github/actions/setup-slack-payload/action.yml (7)

1-3: Metadata declaration is clear and concise.

Action name and description accurately reflect the purpose of this composite action.

---

4-28: Input definitions look solid.

All required inputs are declared with clear descriptions.

---

30-34: Output is correctly declared.

The file-path output aligns with the composite step usage.

---

35-41: Composite action runner setup is correct.

Using bash shell is appropriate for JSON and file operations.

---

48-129: Validate the generated Slack JSON payload.

The quoted here-document is complex and prone to quoting issues—verify that environment variables expand correctly and produce valid JSON. You can add a jq sanity check (e.g., jq . slack_payload.json) after writing the file to catch syntax errors early.

---

130-196: Failure payload is consistent with success branch.

The fallback message correctly uses a red color and omits package details.

---

199-201: Setting the action output is correct.

Writing to $GITHUB_OUTPUT matches GitHub’s composite action output convention.

.github/workflows/release.yml (11)

1-7: Workflow trigger and naming are correct.

The Release workflow is properly scoped to pushes on main and clearly named.

---

16-24: Checkout step configuration is sound.

Using fetch-depth: 0 ensures the full history is available for Chromatic and PR comment steps.

---

25-27: Environment setup usage is correct.

The custom setup-env action encapsulates Node.js and pnpm configuration concisely.

---

28-30: Build step is appropriate.

Running pnpm build aligns with the monorepo’s build conventions.

---

61-65: Second checkout is correctly scoped.

Consistent use of fetch-depth: 0 across jobs ensures availability of full git history.

---

66-68: Environment setup usage is repeated correctly.

Reusing the setup-env composite action ensures consistent environment across jobs.

---

77-87: Verify GitHub token usage.

This step relies on secrets.GH_TOKEN. Confirm that this secret is defined and has the necessary scope, or switch to the built-in ${{ secrets.GITHUB_TOKEN }} to simplify authentication.

---

88-93: Slack notification job condition is correct.

The if condition properly handles both successful publishes and failures of the previous job.

---

94-98: Checkout for Slack job is consistent.

Full fetch ensures the PR lookup step can find associated pull requests.

---

118-129: Slack payload setup integration is correct.

Passing the PR metadata into the custom action aligns with the inputs schema defined earlier.

---

131-136: Using official Slack action is appropriate.

slackapi/slack-github-action@v2 with payload-file-path is the recommended pattern for sending complex messages.

package.json (6)

3-3: Package visibility updated.

Switching "private" to false correctly prepares the package for public publishing.

---

5-15: Entry points and publish config look good.

main, module, and types fields align with the dist outputs, and publishConfig ensures public access with provenance.

---

27-29: Build and release scripts are defined correctly.

Adding the release script to chain build and changeset publish integrates seamlessly with the workflow.

---

31-36: Verify dependency versions.

The react and react-dom dependencies target ^19, and tailwindcss is ^4—ensure these major versions exist and are intentional, as current stable releases are earlier majors.

---

43-44: Dev dependencies for Changesets are correct.

Including @changesets/cli and @changesets/changelog-git supports the automated versioning and changelog workflow.

---

84-119: Repository metadata is comprehensive.

author, bugs, contributors, homepage, keywords, and license fields provide essential context for end users.

[github-actions]

🚀 storybook: https://685287720d846fa1a1e06198-zvzhupltyc.chromatic.com/