Support preview release using pkg-pr-new

[ciscorn]

Summary by CodeRabbit

• New Features

  • Introduced a new GitHub Actions workflow for automating the preview release process.
  • Added a new dependency for improved package management.

• Documentation

  • Updated project files to reflect the new workflow and dependency changes.

[coderabbitai]

Walkthrough

A new GitHub Actions workflow named preview.yml has been added to automate the preview release process for the project. This workflow is triggered on pushes to the main branch and pull requests, executing a series of steps including code checkout, enabling Corepack, setting up Node.js, installing dependencies, building the project, and publishing packages in preview mode. Additionally, the package.json file has been updated to include a new development dependency, pkg-pr-new, which is likely utilized in the publishing step of the workflow.

Changes

File	Change Summary
.github/workflows/preview.yml	New workflow file created for automating preview releases.
package.json	Added new dependency "pkg-pr-new": "^0.0.37" in devDependencies.

Possibly related PRs

• ci: Lint #31: The introduction of the lint.yml workflow is related to the preview.yml workflow as both are GitHub Actions workflows that automate processes triggered by pushes to the main branch and pull requests.
• Add a utility component for loading images from URLs #35: The addition of the ImageLoader component in this PR is relevant because it enhances the functionality of loading images, which could be related to the publishing process in the preview.yml workflow that may involve image assets.
• Add pmtiles, deck.gl, maplibre-contour to peerDependencies #36: Updates to the package.json file, including the addition of dependencies, are relevant as they may impact the build process defined in the preview.yml workflow.
• Add PMTiles and Three.js demo #43: The changes in this PR also involve updates to the package.json, which could affect the build and release processes automated by the preview.yml workflow.

🐰 In the meadow, we hop with glee,
A new workflow blooms, as bright as can be!
With pkg-pr-new to help us along,
Our preview releases will sing a sweet song.
So let’s build and publish, with joy in our hearts,
For every new change, a fresh start imparts! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[cloudflare-workers-and-pages]

Deploying svelte-maplibre-gl with    Cloudflare Pages

Latest commit:	f24d393
Status:	✅  Deploy successful!
Preview URL:	https://111a99f4.svelte-maplibre-gl.pages.dev
Branch Preview URL:	https://pkg-pr-new.svelte-maplibre-gl.pages.dev

View logs

[pkg-pr-new]

Open in Stackblitz

npm i https://pkg.pr.new/MIERUNE/svelte-maplibre-gl@54

commit: f24d393

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)

.github/workflows/preview.yml (1)

17-20: Consider using LTS Node.js version

Node.js 22 is currently in pre-release status. Consider using Node.js 20 (LTS) for better stability in the CI environment.

       - uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 20
           cache: 'pnpm'

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f2c534 and f24d393.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• .github/workflows/preview.yml (1 hunks)
• package.json (1 hunks)

🔇 Additional comments (1)

package.json (1)

74-74: Verify pkg-pr-new package security and stability

The package is in early development (v0.0.37). Let's verify:

1. Package security
2. Recent releases and maintenance status
3. Community adoption

✅ Verification successful

Let me gather more information about the package usage and its repository to make a more informed decision.

---

Package appears to be legitimate but requires careful integration

The package pkg-pr-new shows positive indicators:

• Maintained by StackBlitz organization (reputable company)
• No security vulnerabilities reported
• MIT licensed
• Recently updated (Dec 13, 2024)
• Hosted on GitHub under stackblitz-labs

However, due to its early development stage (v0.0.37):

• Ensure proper error handling is implemented when using this package
• Keep track of updates as breaking changes are more likely in pre-1.0 versions
• Consider pinning the exact version instead of using the caret (^) to prevent unexpected updates

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check package details and security info
echo "Checking npm package info..."
curl -s https://registry.npmjs.org/pkg-pr-new | jq '{
  "latest_version": .["dist-tags"].latest,
  "maintainers": .maintainers,
  "modified": .time.modified,
  "downloads_last_week": .downloads_last_week
}'

# Check for known vulnerabilities
echo "Checking for vulnerabilities..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "pkg-pr-new") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
    }
  }
}'

Length of output: 900

---

Script:

#!/bin/bash
# Check package.json for dependencies on this package
echo "Checking package usage..."
rg -l "pkg-pr-new" --type json

# Get repository info if available
echo "Checking repository info..."
curl -s https://registry.npmjs.org/pkg-pr-new | jq '{
  "repository": .repository,
  "homepage": .homepage,
  "license": .license,
  "description": .description
}'

# Check if package is used in source code
echo "Checking imports in source code..."
rg -l "pkg-pr-new"

Length of output: 719

[coderabbitai]

🛠️ Refactor suggestion

Add permissions and consider restricting PR triggers

The workflow should:

1. Declare required permissions explicitly
2. Consider restricting PR triggers to trusted sources to prevent unauthorized preview releases

 name: Preview Release

 on:
   push:
     branches:
       - main
   pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+
+permissions:
+  contents: read
+  packages: write

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	on:
	push:
	branches:
	- main
	pull_request:
	on:
	push:
	branches:
	- main
	pull_request:
	types: [opened, synchronize]
	branches:
	- main
	permissions:
	contents: read
	packages: write

[coderabbitai]

⚠️ Potential issue

Add authentication setup for package publishing

The publish step needs:

1. Authentication setup for the package registry
2. Error handling for failed publishes
3. Conditional execution based on branch/PR context

       - name: Publish packages preview with pkg-pr-new CLI
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
         run: pnpx pkg-pr-new publish

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Publish packages preview with pkg-pr-new CLI
	run: pnpx pkg-pr-new publish
	- name: Publish packages preview with pkg-pr-new CLI
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
	if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
	run: pnpx pkg-pr-new publish