Skip to content

Improve/review p0 p1#46

Merged
sunnylqm merged 6 commits into
mainfrom
improve/review-p0-p1
Jul 4, 2026
Merged

Improve/review p0 p1#46
sunnylqm merged 6 commits into
mainfrom
improve/review-p0-p1

Conversation

@sunnylqm

@sunnylqm sunnylqm commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features

    • Added a reusable page container and refreshed page layouts for more consistent headers and spacing.
    • Introduced localized notices and expanded language support across login, search, logs, and account-related screens.
    • Added a new automated check pipeline to run type checks, linting, and tests before merges.
  • Bug Fixes

    • Improved theme consistency across the app with updated colors and styling.
    • Refined request and response handling for more reliable error messaging and sign-out behavior.

sunnylqm and others added 3 commits July 4, 2026 19:52
P0 bug 与门禁:
- request.ts:401 改为 throw RequestError(避免 .then 里的乐观缓存误更新);
  按 response.ok + content-type 处理响应,避免 204/HTML 错误页 JSON 解析崩溃;
  响应处理逻辑抽到 response.ts 并新增 response.test.ts(7 用例)
- api.ts:修复 packages 系列 setQueryData updater 未防 undefined 的崩溃
- 补齐 20 个缺失 i18n key,修复 admin-users 失效的 translate helper
- 新增 test/lint/ci 脚本与 .github/workflows/ci.yml(PR 门禁),gh-pages 部署前加门禁
- 移除全局 dayjs.locale('zh-cn'),新建 utils/dayjs.ts 随 i18n 语言切换

P1 设计系统地基:
- 新增 theme.ts(colorPrimary #4483ed + cssVar),index.css 用 @theme 对接 antd CSS 变量
- 全仓替换"三种蓝"与硬编码语义色为 token/语义类;配额三态色抽 getCheckQuotaColors
- 定义幽灵类 .page-section,新增 PageContainer 组件,统一标题层级为 level 4
- i18n 化 request/auth/notice/hooks/bind-package/admin-users/apps 的硬编码中文
- notice 重构为显式 showNotices(),消除 import 即弹窗副作用
- bind-package changeType 中文枚举改英文标识符 + 显示层 t()

默认语言保持中文(fallbackLng: zh-CN)。ci 全绿(typecheck + lint + 179 测试)。

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- 扩展 query-keys.ts 覆盖 app/package/binding/user/audit/apiToken/activate/
  metrics/admin 全量 key,替代散落在 api.ts、hooks.ts 及各页面的魔法字符串
- adminKeys.users/apps 保留 base 与带参数两种形态,维持
  invalidateQueries 的前缀部分匹配语义(新增测试验证该不变量)
- 新增 8 个 key 工厂的单测

ci 全绿(typecheck + lint + 187 测试)。

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- 删除 globals.d.ts 中 18 个 `type X = import('./types').X` 全局别名,
  它们污染全局命名空间、隐藏依赖、妨碍 IDE 跳转与重构
- 在实际使用处补上 `import type { ... } from '@/types'`(11 个文件)
- commit.tsx 的 Commit 类型与同名组件冲突,改用 `Commit as CommitType`

ci 全绿(typecheck + lint + 187 测试)。

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 4, 2026

Copy link
Copy Markdown

Deploy Preview for pushy ready!

Name Link
🔨 Latest commit 91bc660
🔍 Latest deploy log https://app.netlify.com/projects/pushy/deploys/6a492d4d2f3ffd00083be224
😎 Deploy Preview https://deploy-preview-46--pushy.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@sunnylqm, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 7 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cc85a74e-4af4-49ab-89dc-68ff22f11c7a

📥 Commits

Reviewing files that changed from the base of the PR and between 0b88c9c and 91bc660.

📒 Files selected for processing (11)
  • .github/workflows/ci.yml
  • .github/workflows/gh-pages.yml
  • docs/project-review.md
  • package.json
  • src/i18n/locales/en.json
  • src/i18n/locales/zh-CN.json
  • src/index.tsx
  • src/pages/admin-users.tsx
  • src/utils/dayjs.ts
  • src/utils/hooks.ts
  • src/utils/notice.tsx
📝 Walkthrough

Walkthrough

This PR adds CI/CD workflow updates, migrates UI styling to a centralized Ant Design CSS-variable-driven primary theme, introduces a PageContainer component, centralizes React Query cache keys across services/hooks/pages, refactors request/response error handling into a dedicated module, and standardizes i18n/dayjs locale handling with expanded locale files.

Changes

Tooling and CI Governance

Layer / File(s) Summary
CI workflow, build scripts, and lint config
.github/workflows/ci.yml, .github/workflows/gh-pages.yml, biome.json, package.json
Adds a PR-triggered CI job, restructures gh-pages deploy into install/check/build steps, tightens Biome includes, and adds test/ci scripts with a read-only lint variant.
Project review documentation
docs/project-review.md
Adds a structured review document covering UI, architecture, i18n, and performance findings with a prioritized roadmap.

Primary Theme and Visual Consistency

Layer / File(s) Summary
Theme config and CSS variable wiring
src/theme.ts, src/index.css, src/index.tsx
Adds a themeConfig using Ant Design CSS variables, wires it into ConfigProvider, and aliases Tailwind colors/page-section utility to Ant Design tokens.
Component styling migration to primary theme
src/components/*, src/pages/*
Replaces blue-themed Tailwind classes with primary-themed classes across navigation, drawers, tabs, and multiple pages.
Reusable PageContainer component
src/components/page-container.tsx, src/components/index.ts
Adds a new page wrapper component with optional title/description/extra header, exported from the components index.
Quota warning color helper and consumption
src/utils/check-quota-warning.ts, src/components/daily-check-quota.tsx, src/pages/user.tsx
Centralizes quota progress bar colors via a new helper, replacing inline ternary color logic.

i18n and Dayjs Locale Infrastructure

Layer / File(s) Summary
i18n config and locale content updates
src/i18n/index.ts, src/i18n/locales/*.json
Changes fallback language and adds new notice/login/request/user/audit/admin locale keys.
Centralized dayjs locale sync
src/utils/dayjs.ts, src/pages/audit-logs.tsx, src/pages/manage/components/commit.tsx, src/utils/hooks.ts
Adds a shared dayjs module with i18n-driven locale syncing, removing per-component locale setup.
i18n-driven deprecation notice modal
src/utils/notice.tsx
Replaces the auto-popup notice with an exported showNotices() function using translated content.
Localized auth messaging and tests
src/services/auth.ts, src/services/auth.test.ts
Switches login success/failure messages to i18n keys and updates tests accordingly.
Admin/user page translation-only cleanup
src/pages/admin-users.tsx, src/pages/apps.tsx
Removes hardcoded fallback strings, relying solely on translation keys.

React Query Key Centralization

Layer / File(s) Summary
Query key factory contracts and tests
src/utils/query-keys.ts, src/utils/query-keys.test.ts
Adds new query-key factories for apps, packages, bindings, users, audits, tokens, metrics, and admin domains with test coverage.
Services and hooks query key wiring
src/services/api.ts, src/utils/hooks.ts
Migrates cache operations to use centralized key factories instead of hardcoded arrays.
Page-level query key adoption
src/pages/*, src/components/app-settings-modal.tsx
Replaces hardcoded query keys/invalidations with centralized factories across multiple pages.

Response Handling and Request Error Refactor

Layer / File(s) Summary
Centralized response handler and tests
src/services/response.ts, src/services/response.test.ts
Adds handleResponse with 401/JSON/error handling and a new test suite.
Request wrapper delegates to response handler
src/services/request.ts
Delegates response parsing to the new module and switches error toasts to i18n keys.
bun:test type declarations for new mocks
src/globals.d.ts
Extends bun:test typings with new matchers and mock.restore().

Dependency Diff Type Refactor

Layer / File(s) Summary
English changeType values and rendering
src/pages/manage/components/bind-package.tsx
Converts Chinese changeType literals to English keys across filtering, counting, and rendering logic.

TypeScript Type-Only Import Cleanup

Layer / File(s) Summary
Type-only import additions
src/pages/manage/components/package-list.tsx, .../version-table.tsx, .../hooks/useManageContext.tsx, src/pages/manage/index.tsx, src/utils/helper.ts, src/services/admin-api.ts
Adds type-only imports for shared types without runtime changes.

Estimated code review effort: 4 (Complex) | ~75 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is vague and generic; it hints at P0/P1 work but does not clearly describe the main change. Rename it to a concise, specific summary of the primary change, e.g. "Add CI workflow and standardize query keys".
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch improve/review-p0-p1

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
src/components/app-drawer.tsx (1)

376-424: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Partial primary-theme migration leaves mismatched colors in the active row.

Within the same AppDrawerRow, the dot indicator (Line 384) and settings icon (Lines 422-423) were migrated to primary, but the row's own active background/text (Line 380: bg-blue-100 text-blue-800) and check-count text (Line 411: text-blue-700) were left on hardcoded Tailwind blue. Since BRAND_PRIMARY (#4483ed) doesn't exactly match Tailwind's blue-600/800 scale, the active row now mixes two slightly different blues, undermining the single-color-source goal of this migration.

🎨 Suggested fix to complete the migration
-        isActive ? 'bg-blue-100 text-blue-800 hover:bg-blue-100' : undefined,
+        isActive ? 'bg-primary/10 text-primary hover:bg-primary/10' : undefined,
...
-              isActive ? 'text-blue-700' : 'text-slate-500',
+              isActive ? 'text-primary' : 'text-slate-500',
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/app-drawer.tsx` around lines 376 - 424, The AppDrawerRow
active-state styling still mixes hardcoded Tailwind blue shades with the new
primary color, so complete the primary-theme migration by replacing the row’s
active background/text and the check-count text in AppDrawerRow with
primary-based tokens/classes to match the dot indicator and settings icon.
Update the cn() usage in the row component so the active row uses a single
primary color source consistently across the row container, app name/check
count, and any active hover states.
src/pages/admin-users.tsx (2)

158-195: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

"ID" label left untranslated amid otherwise fully i18n'd block.

Every other label in this Descriptions block (name, email, status, tier, tier expiry) now goes through translate(...), but Line 162 still hardcodes label="ID". A col_id key already exists (used at Line 482 for the table column). Inconsistent given the stated goal of relying solely on translation keys.

🌐 Suggested fix
-              <Descriptions.Item label="ID">{detail.user.id}</Descriptions.Item>
+              <Descriptions.Item label={translate('admin_users.col_id')}>
+                {detail.user.id}
+              </Descriptions.Item>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/admin-users.tsx` around lines 158 - 195, The Descriptions block in
admin-users is mostly fully internationalized, but the ID field still uses a
hardcoded label. Update the Descriptions.Item for the user ID in the admin user
detail view to use the existing translate('admin_users.col_id') key, matching
the other fields in this block and keeping the localization approach consistent.

399-410: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Invalidate the edited user's detail query on save. adminKeys.users() refreshes the list, but adminKeys.userDetail(editingUser.id) can stay cached and show old tier/quota data when the drawer is reopened; invalidate that key too when editingUser is present.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/admin-users.tsx` around lines 399 - 410, The save flow in the
updateMutation only refreshes the users list, so the edited user’s cached detail
can remain stale when reopening the drawer. Update the onSuccess handler in
admin-users.tsx to also invalidate the specific detail query for the current
editing user by using adminKeys.userDetail(editingUser.id) whenever editingUser
is available, alongside the existing adminKeys.users() invalidation.
🧹 Nitpick comments (3)
src/pages/apps.tsx (1)

27-38: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider extracting formatAppKey to a shared utility.

This is now duplicated (same logic and signature) in src/components/top-navigation.tsx. Centralizing avoids drift like signature mismatches between call sites (see comment on top-navigation.tsx).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/apps.tsx` around lines 27 - 38, The app key formatting logic is
duplicated in formatAppKey, which risks drift between pages and top navigation.
Extract this helper into a shared utility used by both apps.tsx and
top-navigation.tsx, keeping the same null/undefined handling, translation
fallback via t('apps.key_pending'), and truncation behavior so both call sites
share one implementation and signature.
src/components/top-navigation.tsx (1)

689-693: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Inconsistent primary-theme migration: leftover blue- utilities mixed with text-primary.*

hover:border-blue-300 hover:bg-blue-50 still hardcode blue while the text color was migrated to text-primary. If BRAND_PRIMARY (#4483ed) diverges from Tailwind's blue-300/blue-50, the hover border/background won't visually match the new primary-themed text, and border-blue-200 bg-blue-50 for the active state has the same issue.

🎨 Suggested fix
               <button
                 className={cn(
-                  'inline-flex max-w-[180px] cursor-pointer items-center gap-1.5 rounded-full border border-gray-200 bg-gray-50 px-2 py-1 text-gray-600 text-xs transition-colors hover:border-blue-300 hover:bg-blue-50 hover:text-primary',
+                  'inline-flex max-w-[180px] cursor-pointer items-center gap-1.5 rounded-full border border-gray-200 bg-gray-50 px-2 py-1 text-gray-600 text-xs transition-colors hover:border-primary/30 hover:bg-primary/10 hover:text-primary',
                   app.id === currentAppId
-                    ? 'border-blue-200 bg-blue-50 text-primary'
+                    ? 'border-primary/20 bg-primary/10 text-primary'
                     : undefined,
                 )}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/top-navigation.tsx` around lines 689 - 693, The top navigation
badge still mixes hardcoded blue utilities with the migrated primary theme, so
update the styling in the component that builds the className for the app
switcher to use primary-themed border/background states instead of blue-*
classes. Replace the hover and active-state blue border/background utilities in
the top-navigation.tsx JSX with the corresponding primary variants so they stay
consistent with text-primary and BRAND_PRIMARY.
src/pages/admin-users.tsx (1)

142-142: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant translate wrapper around t.

translate just forwards to t(key) with no added behavior (no fallback, no interpolation), while t is also called directly elsewhere in the same component (e.g. Line 203, 403). Consider dropping the alias and using t consistently.

♻️ Suggested cleanup
   const { t } = useTranslation();
   const { data, isLoading } = useQuery({
     queryKey: adminKeys.userDetail(userId),
     queryFn: () => (userId ? adminApi.getUserDetail(userId) : null),
     enabled: !!userId && open,
   });
 
-  const translate = (key: string) => t(key);
-
   const detail = data;

Then replace translate(...) calls with t(...).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/admin-users.tsx` at line 142, The admin-users component has a
redundant translate alias that only forwards to t without adding behavior.
Remove the translate wrapper from admin-users and replace its call sites with t
directly, keeping translation usage consistent with the other existing t calls
in the same component.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 17: The checkout step in the CI workflow should be hardened by disabling
persisted credentials on the actions/checkout invocation. Update the checkout
configuration in the workflow job so that the action does not leave GITHUB_TOKEN
available to later steps, and verify the change applies to the existing checkout
use in the CI pipeline.

In @.github/workflows/gh-pages.yml:
- Line 17: The gh-pages workflow has the same checkout credential-persistence
issue as ci.yml, so update the actions/checkout usage to match the secure CI
setup. In the workflow job that uses actions/checkout@v4, explicitly disable
persisted credentials (or otherwise align the checkout options with ci.yml) so
the token is not left available for later steps.

In `@docs/project-review.md`:
- Line 211: Line 211 in the review doc has a stale statement about the final
i18n fallback locale and antd fallback. Update the wording to match the actual
i18n config outcome reflected by the later section: use the real fallback locale
and keep the antd locale note consistent with it. Refer to the `dayjs`
locale/i18n summary text in the document and make sure the entry no longer says
`enUS` if the PR settled on `zh-CN`/`zhCN`.

In `@src/pages/admin-users.tsx`:
- Around line 228-237: The per-day quota labels in the admin users drawer are
hardcoded in English and bypass the i18n flow. Update the rendering inside the
detail.quotaDetail.last7Days.counts map to use the existing translation helper
instead of the literal “Day {i + 1}”, and add matching admin_users locale
entries for English and Chinese (for example, a day_label key). Keep the
surrounding Descriptions.Item structure and only swap the label text source.

In `@src/utils/dayjs.ts`:
- Around line 22-29: The initial Dayjs locale sync in syncDayjsLocale is
happening too early because i18n.init is async, so the first call can still fall
back to the default language. Move the one-time startup call off import time and
trigger it after i18n finishes initializing, either in the init callback or via
the initialized event, while keeping the existing i18n.on('languageChanged',
syncDayjsLocale) listener unchanged.

In `@src/utils/hooks.ts`:
- Around line 189-203: In the remaining-days logic inside the hook in hooks.ts,
`isExpiringSoon` is currently true for negative `remainingDays`, which lets
expired tiers render `user.remaining_note` with a negative count. Update the
`isExpiringSoon` check to require `remainingDays >= 0` in addition to the
existing 90-day threshold, and keep the existing `displayRemainingDays` branch
in sync so expired tiers fall back to the expired-state message instead of the
remaining-days text.

In `@src/utils/notice.tsx`:
- Around line 36-51: The deprecation notice is no longer triggered implicitly,
so `showNotices()` in `notice.tsx` currently has no active caller and the notice
will never appear. Add an explicit invocation from the app startup/bootstrap or
router entry path, using the existing `showNotices` export so the notice runs
once during initialization without restoring import-time side effects.

---

Outside diff comments:
In `@src/components/app-drawer.tsx`:
- Around line 376-424: The AppDrawerRow active-state styling still mixes
hardcoded Tailwind blue shades with the new primary color, so complete the
primary-theme migration by replacing the row’s active background/text and the
check-count text in AppDrawerRow with primary-based tokens/classes to match the
dot indicator and settings icon. Update the cn() usage in the row component so
the active row uses a single primary color source consistently across the row
container, app name/check count, and any active hover states.

In `@src/pages/admin-users.tsx`:
- Around line 158-195: The Descriptions block in admin-users is mostly fully
internationalized, but the ID field still uses a hardcoded label. Update the
Descriptions.Item for the user ID in the admin user detail view to use the
existing translate('admin_users.col_id') key, matching the other fields in this
block and keeping the localization approach consistent.
- Around line 399-410: The save flow in the updateMutation only refreshes the
users list, so the edited user’s cached detail can remain stale when reopening
the drawer. Update the onSuccess handler in admin-users.tsx to also invalidate
the specific detail query for the current editing user by using
adminKeys.userDetail(editingUser.id) whenever editingUser is available,
alongside the existing adminKeys.users() invalidation.

---

Nitpick comments:
In `@src/components/top-navigation.tsx`:
- Around line 689-693: The top navigation badge still mixes hardcoded blue
utilities with the migrated primary theme, so update the styling in the
component that builds the className for the app switcher to use primary-themed
border/background states instead of blue-* classes. Replace the hover and
active-state blue border/background utilities in the top-navigation.tsx JSX with
the corresponding primary variants so they stay consistent with text-primary and
BRAND_PRIMARY.

In `@src/pages/admin-users.tsx`:
- Line 142: The admin-users component has a redundant translate alias that only
forwards to t without adding behavior. Remove the translate wrapper from
admin-users and replace its call sites with t directly, keeping translation
usage consistent with the other existing t calls in the same component.

In `@src/pages/apps.tsx`:
- Around line 27-38: The app key formatting logic is duplicated in formatAppKey,
which risks drift between pages and top navigation. Extract this helper into a
shared utility used by both apps.tsx and top-navigation.tsx, keeping the same
null/undefined handling, translation fallback via t('apps.key_pending'), and
truncation behavior so both call sites share one implementation and signature.
🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ed74ff5a-5e6c-420e-941f-830fab190ae9

📥 Commits

Reviewing files that changed from the base of the PR and between 70608be and 0b88c9c.

📒 Files selected for processing (53)
  • .github/workflows/ci.yml
  • .github/workflows/gh-pages.yml
  • biome.json
  • docs/project-review.md
  • package.json
  • src/components/app-detail-header.tsx
  • src/components/app-drawer.tsx
  • src/components/app-settings-modal.tsx
  • src/components/daily-check-quota.tsx
  • src/components/index.ts
  • src/components/main-layout.tsx
  • src/components/page-container.tsx
  • src/components/top-navigation.tsx
  • src/globals.d.ts
  • src/i18n/index.ts
  • src/i18n/locales/en.json
  • src/i18n/locales/zh-CN.json
  • src/index.css
  • src/index.tsx
  • src/pages/activate.tsx
  • src/pages/admin-apps.tsx
  • src/pages/admin-config.tsx
  • src/pages/admin-metrics.tsx
  • src/pages/admin-service-status.tsx
  • src/pages/admin-users.tsx
  • src/pages/api-tokens.tsx
  • src/pages/apps.tsx
  • src/pages/audit-logs.tsx
  • src/pages/login.tsx
  • src/pages/manage/components/bind-package.tsx
  • src/pages/manage/components/commit.tsx
  • src/pages/manage/components/package-list.tsx
  • src/pages/manage/components/version-table.tsx
  • src/pages/manage/hooks/useManageContext.tsx
  • src/pages/manage/index.tsx
  • src/pages/realtime-metrics.tsx
  • src/pages/register.tsx
  • src/pages/user.tsx
  • src/services/admin-api.ts
  • src/services/api.ts
  • src/services/auth.test.ts
  • src/services/auth.ts
  • src/services/request.ts
  • src/services/response.test.ts
  • src/services/response.ts
  • src/theme.ts
  • src/utils/check-quota-warning.ts
  • src/utils/dayjs.ts
  • src/utils/helper.ts
  • src/utils/hooks.ts
  • src/utils/notice.tsx
  • src/utils/query-keys.test.ts
  • src/utils/query-keys.ts

Comment thread .github/workflows/ci.yml Outdated
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Harden checkout against credential persistence.

Static analysis flags this checkout step for not disabling credential persistence, which leaves GITHUB_TOKEN accessible to any later step in the job (including third-party actions).

🔒 Proposed fix
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, The checkout step in the CI workflow
should be hardened by disabling persisted credentials on the actions/checkout
invocation. Update the checkout configuration in the workflow job so that the
action does not leave GITHUB_TOKEN available to later steps, and verify the
change applies to the existing checkout use in the CI pipeline.

Source: Linters/SAST tools

Comment thread .github/workflows/gh-pages.yml Outdated
timeout-minutes: 8
timeout-minutes: 12
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Same credential-persistence gap as ci.yml.

🔒 Proposed fix
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gh-pages.yml at line 17, The gh-pages workflow has the
same checkout credential-persistence issue as ci.yml, so update the
actions/checkout usage to match the secure CI setup. In the workflow job that
uses actions/checkout@v4, explicitly disable persisted credentials (or otherwise
align the checkout options with ci.yml) so the token is not left available for
later steps.

Source: Linters/SAST tools

Comment thread docs/project-review.md Outdated
Comment thread src/pages/admin-users.tsx
Comment thread src/utils/dayjs.ts
Comment thread src/utils/hooks.ts
Comment thread src/utils/notice.tsx
Comment on lines +36 to +51

/**
* 显示尚未被用户关闭("不再显示")的公告。
* 显式调用,避免 import 即弹窗的副作用。
*/
export function showNotices() {
(['v8-deprecation'] as NoticeKey[]).forEach((key) => {
if (localStorage.getItem(key)) {
return;
}
const notice = buildNotice(key);
if (notice) {
confirm(notice);
}
});
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Confirm showNotices() is called somewhere in the app.
rg -n --type=ts --type=tsx 'showNotices\s*\(' -g '!**/*.test.*'

Repository: reactnativecn/pushy-admin

Length of output: 191


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '== showNotices references =='
rg -n 'showNotices\s*\(' .

echo
echo '== notice.tsx context =='
sed -n '1,140p' src/utils/notice.tsx

Repository: reactnativecn/pushy-admin

Length of output: 1812


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '== imports of notice.tsx =='
rg -n "from ['\"].*notice['\"]|from ['\"].*notice\.tsx['\"]|import .*notice" src .

echo
echo '== broader references to v8-deprecation =='
rg -n 'v8-deprecation|notice\.v8_deprecation' src .

Repository: reactnativecn/pushy-admin

Length of output: 1763


Invoke showNotices() during app startup

The export no longer runs on import, and there’s no active caller in the app. Add an explicit call from the bootstrap/router path, or the deprecation notice will never appear.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/utils/notice.tsx` around lines 36 - 51, The deprecation notice is no
longer triggered implicitly, so `showNotices()` in `notice.tsx` currently has no
active caller and the notice will never appear. Add an explicit invocation from
the app startup/bootstrap or router entry path, using the existing `showNotices`
export so the notice runs once during initialization without restoring
import-time side effects.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 8 file(s) based on 7 unresolved review comments.

Files modified:

  • docs/project-review.md
  • package.json
  • src/i18n/locales/en.json
  • src/i18n/locales/zh-CN.json
  • src/index.tsx
  • src/pages/admin-users.tsx
  • src/utils/dayjs.ts
  • src/utils/hooks.ts

Commit: 33196f4c263bc7070794929bcd3206efb3878248

The changes have been pushed to the improve/review-p0-p1 branch.

Time taken: 7m 4s


⚠️ 2 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/ci.yml — 1 change:

Lines 15–20
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v7
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@v2
 
       - name: Install

.github/workflows/gh-pages.yml — 1 change:

Lines 15–20
     timeout-minutes: 12
     steps:
       - uses: actions/checkout@v7
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@v2
 
       - name: Install

coderabbitai Bot and others added 2 commits July 4, 2026 15:51
Fixed 8 file(s) based on 7 unresolved review comments.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
@sunnylqm sunnylqm merged commit 3a3980e into main Jul 4, 2026
3 of 6 checks passed
@sunnylqm sunnylqm deleted the improve/review-p0-p1 branch July 4, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant