chore: adopt Astro toolchain (typecheck, format, lint, dead-code, security) #16

Merged: cevheri merged 10 commits into main from feat/toolchain on Jun 27, 2026

@cevheri cevheri commented Jun 27, 2026


Toolchain for libredb-website (Astro)

Adapts the sibling libredb-database TOOLCHAIN.md decision record to this Astro static site — keeping the correctness gates (typecheck, format, dead-code, secrets) and dropping the packaging ones (attw/publint/size-limit/changesets) that only apply to a published npm library.

Astro-specific corrections vs the DB doc:

  • Typecheck = astro check (not tsc) — tsc can't see .astro files.
  • Formatter = Prettier + prettier-plugin-astro (not Biome) — Biome's .astro support is still experimental.
  • Lint = oxlint for .ts + embedded .astro scripts.

Shipped in phases, each its own commit, each gated green by CI before the next.

Phases — all complete ✅

  • 1 — Reproducible env: .editorconfig, bunfig.toml exact installs
  • 2 — Typecheck: @astrojs/check, typecheck script, gate wired into CI (tsconfig types:[bun] so bun:test resolves)
  • 3 — Formatter: Prettier (+ astro + tailwind plugins), repo-wide format; public/, synced compose, docs/ ignored
  • 4 — Lint + dead-code: oxlint + knip; dropped needless exports, fixed unused var, scoped-disabled the Meta Pixel vendor snippet
  • 5 — Finalize gate: full chain typecheck → format → lint → knip → test
  • 6 — Security + hooks: secretlint, bun audit (advisory), zero-dep .githooks (pre-commit: secrets+format; pre-push: gate+audit)

The gate

bun run gate = typecheck → format → lint → knip → test. CI runs it plus a blocking secret scan and a non-blocking dependency audit, then builds.

Reviewer note — bun audit is intentionally non-blocking

8 advisories exist in transitive build-time deps (picomatch ReDoS, js-yaml DoS via Astro/tooling). These have no attack surface in a static-site build (no attacker-controlled input), so audit reports them as an informational notice rather than failing CI. Dependabot (already configured) tracks the upstream bumps.

Explicitly rejected (library-only, N/A to a website)

attw, publint, size-limit, isolatedDeclarations, changesets, license-checker.

🤖 Generated with Claude Code

cevheri and others added 7 commits June 27, 2026 21:35
Phase 1 of the toolchain rollout: reproducible environment.
- .editorconfig: 2-space, LF, UTF-8, final newline, trim trailing
  (markdown exempt, hard breaks use trailing spaces)
- bunfig.toml [install] exact=true: lockfile/package.json never drift

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Phase 2 of the toolchain rollout: type safety.
- @astrojs/check + typescript devDeps (the Astro-native typecheck;
  tsc alone can't see .astro files)
- tsconfig: types:[bun] so bun:test resolves in *.test.ts (also pulls
  Node globals via bun-types' node reference)
- typecheck/test/gate scripts; gate grows each phase
- ci.yml runs 'bun run gate' before build, so every later phase is
  validated end-to-end by CI automatically

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Phase 3 of the toolchain rollout: formatting.
- prettier + prettier-plugin-astro + prettier-plugin-tailwindcss
- .prettierrc.json: singleQuote, printWidth 100, tailwindStylesheet
  pointed at the v4 entry (src/styles/global.css)
- .prettierignore: dist/.astro/node_modules/bun.lock, public (served
  verbatim), the synced docker-compose.example.yml, docs (design/plan
  artifacts whose fenced blocks aren't valid JS)
- format/format:fix scripts; gate grown to typecheck + format
- one-time repo-wide reformat

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Phase 4 of the toolchain rollout: linting + dead-code.
- oxlint (.oxlintrc.json): correctness=error, suspicious=warn; lints .ts
  and embedded .astro scripts. no-underscore-dangle off (noise on
  __dirname, _fbq, project analytics globals)
- knip: zero-config, Astro plugin auto-detected; respects .gitignore
- fixes: drop needless 'export' on internal interfaces (SectionColumn,
  ConsoleCta); replace unused Object.entries key with Object.values;
  scope-disable no-unused-expressions around the Meta Pixel vendor snippet
- .gitignore: .remember/ (local session state, like .superpowers/)
- lint/knip scripts; gate = typecheck + format + lint + knip

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Phase 5 of the toolchain rollout: finalize the gate.
- gate is now the full chain: typecheck -> format -> lint -> knip -> test
- ci.yml already runs 'bun run gate' (added in phase 2), so CI now
  enforces the complete chain on every push/PR
- no coverage threshold: relaxed for a website (tests run, but we don't
  gate on a percentage the way the library repo does)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Phase 6 of the toolchain rollout: edge security + hooks.
- secretlint (.secretlintrc.json, recommend preset): scans for committed
  secrets. .secretlintignore excludes the synced docker-compose example
  (its connection string is a commented-out template default, not a secret)
- bun audit: advisory, NON-blocking in CI (continue-on-error) and pre-push.
  Current advisories are transitive build-time deps (picomatch/js-yaml)
  with no static-site attack surface; Dependabot bumps them upstream
- .githooks/ (zero-dep, via core.hooksPath set by prepare script):
  pre-commit = secrets + format (fast); pre-push = gate + audit
- knip.json: ignore the secretlint preset (loaded via config, untraceable)
- secrets/audit scripts; secret scan added to CI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

A continue-on-error step still surfaces a red 'exit code 1' annotation,
which reads as a failure on an otherwise-clean PR. Use '|| echo ::notice::'
so the step is green and advisories show as a blue informational notice
instead — matching the pre-push hook's non-blocking 'bun audit || true'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cevheri cevheri marked this pull request as ready for review June 27, 2026 18:56
@cevheri cevheri requested a review from Copilot June 27, 2026 18:57

Copilot AI left a comment


Pull request overview

Adopts a Bun-based toolchain for this Astro static site, wiring typechecking, formatting, linting, dead-code detection, secret scanning, and an advisory dependency audit into local workflows and CI to improve correctness and consistency.

Changes:

  • Adds bun run gate (typecheck → format → lint → knip → test) plus secret scanning and non-blocking bun audit, and wires them into CI and git hooks.
  • Introduces tool configuration files for Prettier, oxlint, knip, and secretlint, plus Bun install settings.
  • Applies repo-wide formatting/cleanup across Astro/TS/CSS sources to align with the new formatter/linter.

Reviewed changes

Copilot reviewed 64 out of 68 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| tsconfig.json | Adds Bun types for tests |
| src/styles/global.css | Prettier-driven formatting only |
| src/scripts/studio.ts | Formatting + minor refactor formatting |
| src/scripts/lib/export.test.ts | Formatting only |
| src/scripts/lib/console-copy.ts | Formatting; unexports internal type |
| src/scripts/lib/console-copy.test.ts | Formatting + small test loop tweak |
| src/pages/privacy-policy.astro | Formatting/layout only |
| src/pages/index.astro | Formatting only |
| src/pages/404.astro | Formatting/layout only |
| src/pages/[section].astro | Formatting of JSON-LD mapping |
| src/lib/github-stars.ts | Parentheses for clarity in ternary |
| src/lib/github-stars.test.ts | Formatting only |
| src/layouts/Layout.astro | Formatting + JSON-LD key style |
| src/data/sections.ts | Formatting + internal type visibility tweak |
| src/data/sections.test.ts | Formatting only |
| src/data/section-seo.ts | Formatting only |
| src/data/schemas.ts | Formatting only |
| src/data/deploy-targets.ts | Large formatting expansion (no logic change) |
| src/data/deploy-categories.ts | Formatting only |
| src/components/studio/TopBar.astro | Formatting/layout only |
| src/components/studio/StudioShell.astro | Formatting/layout only |
| src/components/studio/StatusBar.astro | Formatting/layout only |
| src/components/studio/Sql.astro | Keyword list formatting only |
| src/components/studio/SectionShell.astro | Formatting/layout only |
| src/components/studio/QueryChrome.astro | Formatting/layout only |
| src/components/studio/MobileTopBar.astro | Formatting/layout only |
| src/components/studio/MobileQueryCard.astro | Formatting/layout only |
| src/components/studio/Explorer.astro | Formatting/layout + map layout changes |
| src/components/studio/Console.astro | Formatting only |
| src/components/studio/CommandPalette.astro | Formatting/layout only |
| src/components/sections/TechStackSection.astro | Formatting/layout only |
| src/components/sections/SectionHeader.astro | Formatting only |
| src/components/sections/ProvidersSection.astro | Formatting/layout only |
| src/components/sections/PlatformSection.astro | Formatting/layout only |
| src/components/sections/HomeSection.astro | Formatting/layout only |
| src/components/sections/GetStartedSection.astro | Formatting/layout only |
| src/components/sections/FeaturesSection.astro | Formatting/layout only |
| src/components/sections/FaqSection.astro | Formatting/layout only |
| src/components/sections/DockerComposeSection.astro | Formatting/layout only |
| src/components/sections/DeploySection.astro | Formatting/layout only |
| src/components/sections/DatabaseSection.astro | Formatting/layout only |
| src/components/sections/DatabaseReliabilitySection.astro | Formatting/layout only |
| src/components/sections/DatabaseCtaFooter.astro | Formatting/layout only |
| src/components/sections/DatabaseArchitectureSection.astro | Formatting/layout only |
| src/components/sections/CompareSection.astro | Formatting/layout only |
| src/components/Header.astro | Formatting/layout only |
| src/components/deploy/StatusBadge.astro | Formatting/layout only |
| src/components/deploy/PlatformCard.astro | Formatting/layout only |
| src/components/CookieConsent.astro | Formatting + oxlint suppression comments |
| scripts/sync-docker-compose.mjs | Formatting only |
| package.json | Adds toolchain scripts/deps; gate + hooks |
| knip.json | Adds knip config + ignore deps |
| bunfig.toml | Enables exact installs; documents intent |
| astro.config.mjs | Formatting only |
| .secretlintrc.json | Adds secretlint config |
| .secretlintignore | Adds secretlint ignore paths |
| .prettierrc.json | Adds Prettier config + plugins |
| .prettierignore | Adds Prettier ignore paths |
| .oxlintrc.json | Adds oxlint config + ignores |
| .gitignore | Ignores local tooling state directory |
| .github/workflows/deploy.yml | YAML formatting tweak |
| .github/workflows/ci.yml | Runs gate + secret scan + advisory audit |
| .github/dependabot.yml | YAML formatting tweak |
| .githooks/pre-push | Adds pre-push gate + advisory audit |
| .githooks/pre-commit | Adds pre-commit secrets + format check |
| .editorconfig | Adds editor consistency settings |

Comment thread bunfig.toml Outdated
Comment on lines +1 to +3
# Reproducible installs: pin exact versions (no ^ ranges) so the lockfile and
# package.json never drift. Mirrors the toolchain decision in the sibling
# libredb-database repo, relaxed for a website.
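Review bot: The first comment line's "pin exact versions (no ^ ranges)" promises more than this file can deliver. The exact setting under [install] only controls how newly added dependencies are written to package.json; it does not rewrite ranges that are already there, so any caret entries still in the manifest keep floating within their range whenever the lockfile is regenerated. Reword the comment to say what the setting does, and pin the remaining ranged entries in package.json in the same change.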

Contributor Author


Fixed in the pin commit: @astrojs/sitemap and @types/bun are now pinned exact (same resolved versions), so the manifest matches the reproducible-install intent. The bunfig.toml comment was also reworded to describe what install.exact actually guarantees. Dependabot proposes future bumps explicitly.

Copilot flagged that bunfig.toml claimed 'no ^ ranges' while package.json
still had carets on @astrojs/sitemap and @types/bun. Pin both exact (same
resolved versions) so the manifest matches the stated reproducible-install
intent, and reword the bunfig.toml comment to describe what install.exact
actually guarantees. Dependabot proposes bumps explicitly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
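
The mismatch discussed in this thread (exact installs configured while package.json still carried carets) can be caught mechanically. The following is an added example, not code from this PR or the libredb-website repo: a check that flags every dependency spec that is not an exact version. The names `classify`, `findUnpinned` and `SAMPLE_MANIFEST` are hypothetical, and the version numbers in the sample are constructed.

```javascript
// Added example: report dependency specs that are not pinned to one exact version.
// peerDependencies are skipped on purpose, since ranges are expected there.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns null when the spec is pinned, otherwise a short reason string.
function classify(spec) {
  let s = spec.trim();
  if (/^(workspace|file|link):/.test(s)) return null; // local path, nothing to pin
  const alias = /^npm:(?:@[^/]+\/)?[^@]+@(.+)$/.exec(s); // npm:name@<spec>
  if (alias) s = alias[1];
  if (EXACT.test(s)) return null;
  if (/^[\^~]/.test(s)) return 'caret/tilde range';
  if (/^(git\+|github:|https?:)/.test(s)) {
    // A git or URL reference is only reproducible when it names a full commit hash.
    return /#[0-9a-f]{40}$/.test(s) ? null : 'git/url ref without full commit hash';
  }
  if (/[<>=*|\s]|\.x\b/i.test(s) || /^\d+(\.\d+)?$/.test(s)) {
    return 'comparator or wildcard range';
  }
  return 'dist-tag or unrecognised spec';
}

// manifest: a parsed package.json object.
function findUnpinned(manifest) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      const reason = classify(String(spec));
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample: the two caret entries mirror the packages named in the
// thread; every version number and 'example-tool' are made up for illustration.
const SAMPLE_MANIFEST = {
  dependencies: { astro: '5.0.0', '@astrojs/sitemap': '^3.0.0' },
  devDependencies: { '@types/bun': '^1.0.0', prettier: '3.0.0', 'example-tool': 'latest' },
};

for (const f of findUnpinned(SAMPLE_MANIFEST)) {
  console.log(`${f.field}: ${f.name}@${f.spec} (${f.reason})`);
}
```

Run against the real package.json in a pre-commit hook or the gate, a non-empty result would be the signal to fail the check.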

Copilot AI left a comment


Pull request overview

Copilot reviewed 64 out of 68 changed files in this pull request and generated 4 comments.

Comment thread bunfig.toml Outdated
Comment on lines +1 to +3
# Reproducible installs: pin exact versions (no ^ ranges) so the lockfile and
# package.json never drift. Mirrors the toolchain decision in the sibling
# libredb-database repo, relaxed for a website.
Comment thread package.json Outdated
Comment thread package.json
"audit": "bun audit",
"test": "bun test",
"gate": "bun run typecheck && bun run format && bun run lint && bun run knip && bun run test",
"prepare": "git config core.hooksPath .githooks"
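Review bot: The "prepare" script runs git config core.hooksPath .githooks unconditionally, so an install performed outside a git checkout (a source tarball, or a container build that copies files without .git) exits non-zero on that step. Guard it so the hook setup is skipped when there is no repository, for example by checking git rev-parse --git-dir first. Separately, "gate" chains typecheck, format, lint, knip and test but not the secret scan, so anyone relying on bun run gate alone gets no secret check; either add it to the chain or document that it only runs in the pre-commit hook and CI.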
Comment thread .secretlintignore
Comment on lines +1 to +4
dist
.astro
node_modules
bun.lock
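Review bot: Line 4 excludes bun.lock from secret scanning, which deserves a one-line justification in the file. A lockfile can record registry or tarball URLs, and a URL that carries embedded credentials would then pass unscanned. If the exclusion is only there to cut noise or scan time, consider keeping the lockfile in scope and suppressing specific false positives instead.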
cevheri and others added 2 commits June 27, 2026 22:07
Align with the sibling libredb-database repo and the JetBrains default
(80 is terminal-era inertia; 120 keeps one logical statement per line
without straining side-by-side review). Repo-wide reflow, no logic change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cevheri cevheri merged commit 44404c2 into main Jun 27, 2026
4 checks passed
@cevheri cevheri deleted the feat/toolchain branch June 27, 2026 19:58