feat: add Lighthouse CI workflow and configuration for automated perf…#110
feat: add Lighthouse CI workflow and configuration for automated perf…#110kpj2006 wants to merge 9 commits into
Conversation
|
Warning Review limit reached
Next review available in: 38 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughAdds a Lighthouse CI workflow, a manifest-driven badge generation script, ignore/config updates, and README changes that display the badges and document Docker deployment commands. ChangesLighthouse CI Setup
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant Runner
participant LighthouseCIAction
participant BadgeScript
GitHubActions->>Runner: trigger on push, pull_request, or workflow_dispatch
Runner->>Runner: checkout, setup Node 22, npm ci, npm run build
Runner->>LighthouseCIAction: run with lighthouserc.json
LighthouseCIAction-->>Runner: write LHCI manifest
Runner->>BadgeScript: generate-lighthouse-badges.cjs
BadgeScript->>BadgeScript: read manifest and compute badge scores
BadgeScript->>Runner: write badges/
Suggested labels: Poem
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/lighthouse.yml:
- Line 19: The workflow uses mutable action tags, which should be replaced with
commit SHA pins to satisfy the supply-chain check. Update the GitHub Actions
references in lighthouse.yml for actions/checkout, actions/setup-node, and
treosh/lighthouse-ci-action to specific commit SHAs while preserving the
existing version intent in comments if needed. Locate the entries by their
action names in the workflow and pin each one to an immutable SHA instead of the
current `@v4/`@v12 tags.
- Around line 33-37: The Lighthouse CI action configuration uses an invalid
input name, so the upload setting is being ignored. Update the Run Lighthouse CI
step in the workflow to use the correct treosh/lighthouse-ci-action@v12 input
name (for example, temporaryPublicStorage or uploadArtifacts) and make sure it
matches the intended upload behavior already defined in lighthouserc.json.
- Around line 13-19: Add an explicit permissions block for the lighthouse job to
limit the default GITHUB_TOKEN scope, and update the Checkout repository step to
disable credential persistence. In the lighthouse workflow, use the job-level
permissions setting to grant only what subsequent steps need, and set
persist-credentials to false on actions/checkout@v4 so credentials are not left
on disk for the rest of the job.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: f629cbe1-1af1-45ab-a256-a84c7e632df8
📒 Files selected for processing (3)
.github/workflows/lighthouse.yml.gitignorelighthouserc.json
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 6
♻️ Duplicate comments (1)
.github/workflows/lighthouse.yml (1)
19-24: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winPersist-credentials still not disabled; permissions block undocumented.
Past review flagged
persist-credentials: falseas addressed, but the current checkout step doesn't set it — zizmor still reports this at lines 23-24. Note: if kepttrueintentionally (needed for the latergit push), add an explanatory comment for thepermissions: contents: writeblock per zizmor's "undocumented-permissions" hint, and consider using an explicitGITHUB_TOKEN-based remote instead of relying on persisted default credentials.🔒️ Proposed fix
lighthouse: runs-on: ubuntu-latest permissions: + # Needed to commit and push generated badge SVGs back to the branch contents: write steps: - name: Checkout repository uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 + with: + persist-credentials: true # required for the later git push stepAs per static analysis hints, zizmor reports "credential persistence through GitHub Actions artifacts (artipacked)" at lines 23-24 and "permissions without explanatory comments (undocumented-permissions)" at line 20.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lighthouse.yml around lines 19 - 24, Update the GitHub Actions workflow checkout step in the lighthouse job so credentials are not implicitly persisted unless intentionally required: set the checkout action to disable persisted credentials, or if you must keep them for the later push, add an explanatory comment on the permissions: contents: write block and make the push use an explicit GITHUB_TOKEN-based remote. Use the Checkout repository step and the permissions block in the lighthouse workflow as the places to adjust.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/generate-lighthouse-badges.cjs:
- Line 23: The filename normalization in generate-lighthouse-badges.cjs includes
a dead `%20` replacement because label is already unencoded. Update the filename
निर्माण in the badge generation logic to keep only the actual space-to-dash
conversion, and leave the rest of the label normalization in place so the
generated SVG name still comes from the raw label string.
- Around line 21-43: `downloadBadge` needs stronger stream and request failure
handling to avoid hanging or leaking sockets. Update the `https.get` flow to add
`res.on('error', ...)` and `fileStream.on('error', ...)`, and make sure the
non-200 branch drains or destroys the response before rejecting. Also set a
timeout on the request and reject/abort on timeout so a stalled Shields.io call
cannot block the job; keep the changes localized to `downloadBadge` in the
lighthouse badge generator script.
- Around line 68-74: The categories map in generate-lighthouse-badges.cjs still
includes a PWA entry even though the Lighthouse config does not enable it, so
summary.pwa will never be populated. Update the categories object in
generate-lighthouse-badges.cjs to remove the PWA key, or only keep it if the
Lighthouse configuration is changed to include PWA; use the categories mapping
and summary.pwa as the locating symbols.
In @.github/workflows/lighthouse.yml:
- Around line 47-54: The badge update step in the lighthouse workflow can fail
on non-fast-forward pushes if the branch advances mid-job or another run updates
badges first. Update the Commit and Push Badges step to handle push conflicts by
syncing with the remote branch before pushing, or by retrying after a failed
push, using the existing git commands in that step so failures don’t silently
skip badge updates.
- Around line 47-54: The `Commit and Push Badges` step is interpolating
`github.ref_name` directly into the shell command, which creates a
template-injection risk. Update this step to pass the ref name through an
environment variable and reference that variable in the `git push` command
instead of expanding `github.ref_name` inline. Use the existing `git push origin
HEAD:${{ github.ref_name }}` location to adjust the workflow safely without
changing the badge update logic.
In `@README.md`:
- Around line 306-323: Add blank lines around the fenced code blocks in the
Docker Deployment section of README.md to satisfy markdownlint MD031. Update the
markdown around the two code fences in the Docker Compose and Docker CLI
subsections so each fence is separated from the surrounding text by an empty
line, keeping the structure of the README intact.
---
Duplicate comments:
In @.github/workflows/lighthouse.yml:
- Around line 19-24: Update the GitHub Actions workflow checkout step in the
lighthouse job so credentials are not implicitly persisted unless intentionally
required: set the checkout action to disable persisted credentials, or if you
must keep them for the later push, add an explanatory comment on the
permissions: contents: write block and make the push use an explicit
GITHUB_TOKEN-based remote. Use the Checkout repository step and the permissions
block in the lighthouse workflow as the places to adjust.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 30e1694e-bb68-4d74-a7f4-3b4be0e5db6d
⛔ Files ignored due to path filters (6)
badges/lighthouse-accessibility.svgis excluded by!**/*.svgbadges/lighthouse-best-practices.svgis excluded by!**/*.svgbadges/lighthouse-performance.svgis excluded by!**/*.svgbadges/lighthouse-pwa.svgis excluded by!**/*.svgbadges/lighthouse-seo.svgis excluded by!**/*.svgbadges/lighthouse.svgis excluded by!**/*.svg
📒 Files selected for processing (3)
.github/scripts/generate-lighthouse-badges.cjs.github/workflows/lighthouse.ymlREADME.md
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…ormance auditing
Addressed Issues:
Fixes #(issue number)
Screenshots/Recordings:
Additional Notes:
Checklist
We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.
Summary by CodeRabbit