[ENG-3641] Adds amplify support#23
Conversation
📝 WalkthroughWalkthroughThe PR updates CI, toolchain, and Amplify Hosting configuration. It pins Node and pnpm versions, sets hoisted package linking, replaces the CI mise action with inline installation, and adds a two-app Amplify build setup. ChangesBuild and hosting configuration
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 22-23: The Checkout step in the CI workflow should disable
persisted Git credentials. Update the actions/checkout usage in the Checkout job
to set persist-credentials to false so later install/build steps cannot reuse
the checkout token.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5bb829f3-717f-4589-af48-f170c41873f3
⛔ Files ignored due to path filters (1)
mise.lockis excluded by!**/*.lock
📒 Files selected for processing (5)
.github/workflows/ci.yml.npmrcamplify.ymlmise.tomlvercel.json
💤 Files with no reviewable changes (1)
- vercel.json
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
git ls-files .github/workflows/ci.yml
echo '---'
cat -n .github/workflows/ci.yml | sed -n '1,220p'Repository: stakekit/perps-widget
Length of output: 1610
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show workflow structure and any later steps that might rely on git credentials.
ast-grep outline .github/workflows/ci.yml --view expanded || true
echo '---'
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.ymlRepository: stakekit/perps-widget
Length of output: 507
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "File:"
git ls-files .github/workflows/ci.yml
echo
echo "Content:"
cat -n .github/workflows/ci.yml | sed -n '1,220p'
echo
echo "Relevant matches:"
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml || trueRepository: stakekit/perps-widget
Length of output: 1946
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "File:"
git ls-files .github/workflows/ci.yml
echo
echo "Content:"
cat -n .github/workflows/ci.yml | sed -n '1,220p'
echo
echo "Relevant matches:"
rg -n "checkout|persist-credentials|git config|push|fetch|submodule|npm|pnpm|yarn|cargo|go test|pip|install" .github/workflows/ci.yml || trueRepository: stakekit/perps-widget
Length of output: 1946
🌐 Web query:
actions/checkout persist-credentials default true documentation
💡 Result:
In the GitHub actions/checkout action, the persist-credentials input is enabled by default (default: true) [1][2]. When set to true (the default), the action configures the authentication token or SSH key with the local Git configuration [3][1]. This allows subsequent steps in your workflow to execute authenticated Git commands (such as git fetch or git push) without requiring additional configuration [3][4]. The action automatically removes these credentials during the post-job cleanup process [3][5]. If you wish to prevent the action from configuring these credentials, you can set persist-credentials to false [3][6]: - with: persist-credentials: false Recent updates have improved the security of this feature by storing credentials in a file under $RUNNER_TEMP rather than directly within.git/config, while maintaining the same default behavior and functionality [3][7].
Citations:
- 1: https://github.com/actions/checkout/blob/master/action.yml
- 2: https://github.com/actions/checkout/blob/main/action.yml
- 3: https://github.com/actions/checkout/?tab=readme-ov-file
- 4: https://github.com/marketplace/actions/checkout?version=v3.6.0
- 5: https://github.com/actions/checkout
- 6: https://github.com/actions/checkout/blob/main/README.md
- 7: https://github.com/marketplace/actions/checkout
Disable persisted checkout credentials. This workflow only reads the repo, so persist-credentials: false avoids leaving the checkout token available to later install/build steps.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml around lines 22 - 23, The Checkout step in the CI
workflow should disable persisted Git credentials. Update the actions/checkout
usage in the Checkout job to set persist-credentials to false so later
install/build steps cannot reuse the checkout token.
Source: Linters/SAST tools
1 participant
Migrated widget and dashboard to aomplify and removed vercel dependencies
Summary by CodeRabbit
New Features
Bug Fixes
Chores