Skip to content

feat: add Lighthouse CI workflow and configuration for automated perf…#110

Open
kpj2006 wants to merge 9 commits into
AOSSIE-Org:mainfrom
kpj2006:patch-1
Open

feat: add Lighthouse CI workflow and configuration for automated perf…#110
kpj2006 wants to merge 9 commits into
AOSSIE-Org:mainfrom
kpj2006:patch-1

Conversation

@kpj2006

@kpj2006 kpj2006 commented Jul 4, 2026

Copy link
Copy Markdown
Member

…ormance auditing

Addressed Issues:

Fixes #(issue number)

Screenshots/Recordings:

Additional Notes:

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • New Features
    • Added Lighthouse CI audits on pushes to the main branch, pull requests targeting main, and manual runs.
    • Generates and publishes Lighthouse category badges (plus an overall badge) to the repository after audits complete.
  • Chores
    • Excluded Lighthouse CI artifacts from version control.
  • Documentation
    • Updated the README to display Lighthouse badges and added an optional Docker deployment section with example Compose/CLI commands and expected URLs.

@github-actions github-actions Bot added the no-issue-linked PR has no linked issue label Jul 4, 2026
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@kpj2006, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 38 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 81392746-56e3-4b9e-8e67-05e2f06217e4

📥 Commits

Reviewing files that changed from the base of the PR and between 92c25c2 and 57b308f.

📒 Files selected for processing (2)
  • .github/scripts/generate-lighthouse-badges.cjs
  • .github/workflows/lighthouse.yml

Walkthrough

Adds a Lighthouse CI workflow, a manifest-driven badge generation script, ignore/config updates, and README changes that display the badges and document Docker deployment commands.

Changes

Lighthouse CI Setup

Layer / File(s) Summary
Workflow and config
.github/workflows/lighthouse.yml, lighthouserc.json, .gitignore
Adds push, pull request, and manual Lighthouse CI triggers, configures the CI run thresholds and upload target, and ignores the generated .lighthouseci/ directory.
Badge generation script
.github/scripts/generate-lighthouse-badges.cjs
Reads the LHCI manifest, extracts representative category scores, downloads per-category and aggregate SVG badges, and exits with an error on invalid input or request failures.
README updates
README.md
Adds Lighthouse badges near the top of the page and extends the key user journeys section with optional Docker deployment commands and URLs.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant Runner
  participant LighthouseCIAction
  participant BadgeScript

  GitHubActions->>Runner: trigger on push, pull_request, or workflow_dispatch
  Runner->>Runner: checkout, setup Node 22, npm ci, npm run build
  Runner->>LighthouseCIAction: run with lighthouserc.json
  LighthouseCIAction-->>Runner: write LHCI manifest
  Runner->>BadgeScript: generate-lighthouse-badges.cjs
  BadgeScript->>BadgeScript: read manifest and compute badge scores
  BadgeScript->>Runner: write badges/
Loading

Suggested labels: Documentation, Typescript Lang

Poem

I’m a rabbit with a badge so bright,
Hopping through audits day and night.
Scores turn golden, tidy, and neat,
README glows with a Docker treat.
Hop, hop—Lighthouse sings all right! 🐇

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main Lighthouse CI workflow and configuration changes for automated performance auditing.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added ci-cd CI/CD changes configuration Config file changes github-actions GitHub Actions changes javascript JavaScript/TypeScript changes size/M 51-200 lines changed member Org member and removed size/M 51-200 lines changed labels Jul 4, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/lighthouse.yml:
- Line 19: The workflow uses mutable action tags, which should be replaced with
commit SHA pins to satisfy the supply-chain check. Update the GitHub Actions
references in lighthouse.yml for actions/checkout, actions/setup-node, and
treosh/lighthouse-ci-action to specific commit SHAs while preserving the
existing version intent in comments if needed. Locate the entries by their
action names in the workflow and pin each one to an immutable SHA instead of the
current `@v4/`@v12 tags.
- Around line 33-37: The Lighthouse CI action configuration uses an invalid
input name, so the upload setting is being ignored. Update the Run Lighthouse CI
step in the workflow to use the correct treosh/lighthouse-ci-action@v12 input
name (for example, temporaryPublicStorage or uploadArtifacts) and make sure it
matches the intended upload behavior already defined in lighthouserc.json.
- Around line 13-19: Add an explicit permissions block for the lighthouse job to
limit the default GITHUB_TOKEN scope, and update the Checkout repository step to
disable credential persistence. In the lighthouse workflow, use the job-level
permissions setting to grant only what subsequent steps need, and set
persist-credentials to false on actions/checkout@v4 so credentials are not left
on disk for the rest of the job.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f629cbe1-1af1-45ab-a256-a84c7e632df8

📥 Commits

Reviewing files that changed from the base of the PR and between d904719 and d0000fa.

📒 Files selected for processing (3)
  • .github/workflows/lighthouse.yml
  • .gitignore
  • lighthouserc.json

Comment thread .github/workflows/lighthouse.yml Outdated
Comment thread .github/workflows/lighthouse.yml Outdated
Comment thread .github/workflows/lighthouse.yml Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@github-actions github-actions Bot added size/M 51-200 lines changed and removed size/M 51-200 lines changed labels Jul 4, 2026
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@github-actions github-actions Bot added size/M 51-200 lines changed and removed size/M 51-200 lines changed labels Jul 4, 2026
@github-actions github-actions Bot added size/M 51-200 lines changed and removed size/M 51-200 lines changed labels Jul 4, 2026
@github-actions github-actions Bot added documentation Documentation updates size/L 201-500 lines changed and removed size/M 51-200 lines changed size/L 201-500 lines changed labels Jul 5, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

♻️ Duplicate comments (1)
.github/workflows/lighthouse.yml (1)

19-24: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Persist-credentials still not disabled; permissions block undocumented.

Past review flagged persist-credentials: false as addressed, but the current checkout step doesn't set it — zizmor still reports this at lines 23-24. Note: if kept true intentionally (needed for the later git push), add an explanatory comment for the permissions: contents: write block per zizmor's "undocumented-permissions" hint, and consider using an explicit GITHUB_TOKEN-based remote instead of relying on persisted default credentials.

🔒️ Proposed fix
   lighthouse:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to commit and push generated badge SVGs back to the branch
       contents: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
+        with:
+          persist-credentials: true # required for the later git push step

As per static analysis hints, zizmor reports "credential persistence through GitHub Actions artifacts (artipacked)" at lines 23-24 and "permissions without explanatory comments (undocumented-permissions)" at line 20.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lighthouse.yml around lines 19 - 24, Update the GitHub
Actions workflow checkout step in the lighthouse job so credentials are not
implicitly persisted unless intentionally required: set the checkout action to
disable persisted credentials, or if you must keep them for the later push, add
an explanatory comment on the permissions: contents: write block and make the
push use an explicit GITHUB_TOKEN-based remote. Use the Checkout repository step
and the permissions block in the lighthouse workflow as the places to adjust.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/generate-lighthouse-badges.cjs:
- Line 23: The filename normalization in generate-lighthouse-badges.cjs includes
a dead `%20` replacement because label is already unencoded. Update the filename
निर्माण in the badge generation logic to keep only the actual space-to-dash
conversion, and leave the rest of the label normalization in place so the
generated SVG name still comes from the raw label string.
- Around line 21-43: `downloadBadge` needs stronger stream and request failure
handling to avoid hanging or leaking sockets. Update the `https.get` flow to add
`res.on('error', ...)` and `fileStream.on('error', ...)`, and make sure the
non-200 branch drains or destroys the response before rejecting. Also set a
timeout on the request and reject/abort on timeout so a stalled Shields.io call
cannot block the job; keep the changes localized to `downloadBadge` in the
lighthouse badge generator script.
- Around line 68-74: The categories map in generate-lighthouse-badges.cjs still
includes a PWA entry even though the Lighthouse config does not enable it, so
summary.pwa will never be populated. Update the categories object in
generate-lighthouse-badges.cjs to remove the PWA key, or only keep it if the
Lighthouse configuration is changed to include PWA; use the categories mapping
and summary.pwa as the locating symbols.

In @.github/workflows/lighthouse.yml:
- Around line 47-54: The badge update step in the lighthouse workflow can fail
on non-fast-forward pushes if the branch advances mid-job or another run updates
badges first. Update the Commit and Push Badges step to handle push conflicts by
syncing with the remote branch before pushing, or by retrying after a failed
push, using the existing git commands in that step so failures don’t silently
skip badge updates.
- Around line 47-54: The `Commit and Push Badges` step is interpolating
`github.ref_name` directly into the shell command, which creates a
template-injection risk. Update this step to pass the ref name through an
environment variable and reference that variable in the `git push` command
instead of expanding `github.ref_name` inline. Use the existing `git push origin
HEAD:${{ github.ref_name }}` location to adjust the workflow safely without
changing the badge update logic.

In `@README.md`:
- Around line 306-323: Add blank lines around the fenced code blocks in the
Docker Deployment section of README.md to satisfy markdownlint MD031. Update the
markdown around the two code fences in the Docker Compose and Docker CLI
subsections so each fence is separated from the surrounding text by an empty
line, keeping the structure of the README intact.

---

Duplicate comments:
In @.github/workflows/lighthouse.yml:
- Around line 19-24: Update the GitHub Actions workflow checkout step in the
lighthouse job so credentials are not implicitly persisted unless intentionally
required: set the checkout action to disable persisted credentials, or if you
must keep them for the later push, add an explanatory comment on the
permissions: contents: write block and make the push use an explicit
GITHUB_TOKEN-based remote. Use the Checkout repository step and the permissions
block in the lighthouse workflow as the places to adjust.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 30e1694e-bb68-4d74-a7f4-3b4be0e5db6d

📥 Commits

Reviewing files that changed from the base of the PR and between d0000fa and 82014e7.

⛔ Files ignored due to path filters (6)
  • badges/lighthouse-accessibility.svg is excluded by !**/*.svg
  • badges/lighthouse-best-practices.svg is excluded by !**/*.svg
  • badges/lighthouse-performance.svg is excluded by !**/*.svg
  • badges/lighthouse-pwa.svg is excluded by !**/*.svg
  • badges/lighthouse-seo.svg is excluded by !**/*.svg
  • badges/lighthouse.svg is excluded by !**/*.svg
📒 Files selected for processing (3)
  • .github/scripts/generate-lighthouse-badges.cjs
  • .github/workflows/lighthouse.yml
  • README.md

Comment thread .github/scripts/generate-lighthouse-badges.cjs
Comment thread .github/scripts/generate-lighthouse-badges.cjs Outdated
Comment thread .github/scripts/generate-lighthouse-badges.cjs
Comment thread .github/workflows/lighthouse.yml Outdated
Comment thread README.md
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@github-actions github-actions Bot added size/L 201-500 lines changed and removed size/L 201-500 lines changed labels Jul 5, 2026
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@github-actions github-actions Bot added size/L 201-500 lines changed and removed size/L 201-500 lines changed labels Jul 5, 2026
@github-actions github-actions Bot added size/L 201-500 lines changed and removed size/L 201-500 lines changed labels Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci-cd CI/CD changes configuration Config file changes documentation Documentation updates github-actions GitHub Actions changes javascript JavaScript/TypeScript changes member Org member no-issue-linked PR has no linked issue size/L 201-500 lines changed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant