feat: autonomous repository management and workflows#87
Conversation
- Added AGENTS.md for AI contributor guidelines. - Created `improve-repo.ts` to autonomously detect tech debt. - Created `issue-manage.ts` to auto-respond to and label issues. - Updated `package.json` with new run scripts. - Added GitHub actions for continuous improvement, issue management, GitHub pages deployment, and automated releases. Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Reviewer's GuideAdds autonomous repository management capabilities using Gemini AI, including AI-powered repo improvement reports, automated issue triage and responses, standardized AI assistant guidelines, and supporting npm scripts and GitHub Actions workflows for continuous improvement, issue handling, docs deployment, and release automation. Sequence diagram for AI-driven GitHub issue management workflowsequenceDiagram
actor GitHubUser
participant GitHub_Issues as GitHubIssues
participant Issue_Management_Workflow as IssueManagementWorkflow
participant Issue_Manager_Script as issue_manage_ts
participant Google_GenAI as GoogleGenAI
participant Comment_Action as create_or_update_comment
participant Label_Action as github_script
GitHubUser->>GitHub_Issues: Open issue
GitHub_Issues-->>Issue_Management_Workflow: issues opened event
Issue_Management_Workflow->>Issue_Manager_Script: npm run issue:manage
Issue_Manager_Script->>Google_GenAI: models.generateContent
Google_GenAI-->>Issue_Manager_Script: AI issue response
Issue_Manager_Script->>Issue_Manager_Script: Write ai-issue-response.md
Issue_Manager_Script->>Issue_Manager_Script: Write ai-issue-label.txt
Issue_Management_Workflow->>Comment_Action: Post body-path ai-issue-response.md
Issue_Management_Workflow->>Label_Action: Read ai-issue-label.txt and addLabels
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
📝 WalkthroughSummary by CodeRabbit
WalkthroughAdds GitHub Actions for AI issue management, scheduled repo improvement, Pages deployment, and releases; adds two Gemini-backed automation scripts, npm scripts, AGENTS.md, and updates metadata and architecture docs. ChangesAI-Powered Repository Automation and CI/CD Infrastructure
Sequence DiagramssequenceDiagram
participant GitHub as GitHub Issue Event
participant Workflow as .github/workflows/issue-management.yml
participant Script as scripts/automation/issue-manage.ts
participant Gemini as Gemini API
participant GitHubAPI as GitHub REST (comments/labels)
GitHub->>Workflow: issues.opened event
Workflow->>Script: run npm script with ISSUE_TITLE, ISSUE_BODY, GEMINI_API_KEY
Script->>Gemini: generateContent(prompt with issue context)
Gemini-->>Script: response.text (AI reply)
Script->>Workflow: write ai-issue-response.md & ai-issue-label.txt
Workflow->>GitHubAPI: create/update issue comment from ai-issue-response.md
Workflow->>GitHubAPI: add label from ai-issue-label.txt (if non-empty)
sequenceDiagram
participant Scheduler as Weekly Cron / manual
participant Workflow as .github/workflows/continuous-improvement.yml
participant Script as scripts/automation/improve-repo.ts
participant Metadata as metadata.json
participant Gemini as Gemini API
participant Repo as repository (docs/improvements/)
Scheduler->>Workflow: scheduled or manual trigger
Workflow->>Script: run npm improve:repo with GEMINI_API_KEY
Script->>Metadata: read metadata.json (if present)
Script->>Gemini: generateContent(prompt with metadata)
Gemini-->>Script: improvement text
Script->>Repo: write improvement-<ts>.md
Workflow->>Repo: commit & push docs/improvements/ when changed
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
…ge graph [skip ci]
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- AGENTS.md references commands like
npm run analyze:repoandnpm run generate:diagramsthat are not defined in package.json, which can confuse contributors and automation – either add these scripts or update the guidelines to match the current tooling. - In
improve-repo.ts, themetadataobject is typed asany; consider defining a minimal interface or narrowing its shape so future changes tometadata.jsonare easier to reason about and less error-prone. - The label inference in
issue-manage.tsis based on simple substring checks of the AI response; you could make this more reliable by asking the model for a machine-readable label (e.g., JSON with atypefield) and parsing that instead of inferring from free-form text.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- AGENTS.md references commands like `npm run analyze:repo` and `npm run generate:diagrams` that are not defined in package.json, which can confuse contributors and automation – either add these scripts or update the guidelines to match the current tooling.
- In `improve-repo.ts`, the `metadata` object is typed as `any`; consider defining a minimal interface or narrowing its shape so future changes to `metadata.json` are easier to reason about and less error-prone.
- The label inference in `issue-manage.ts` is based on simple substring checks of the AI response; you could make this more reliable by asking the model for a machine-readable label (e.g., JSON with a `type` field) and parsing that instead of inferring from free-form text.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
- Fixed deprecated property names in `.github/workflows/ai-documentation-agent.yml` for the `thollander/actions-comment-pull-request@v3` action (`filePath` -> `file-path`, `comment_tag` -> `comment-tag`). - Fixed type and formatting issues in `improve-repo.ts` and `issue-manage.ts` ensuring compliance with ESLint rules (removed dynamic `require()` of `@google/genai` to use static import, fixed types and removed unused imports). - Ensured `npm run lint` and `npm run test` pass successfully. Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
…ge graph [skip ci]
|
GEMINI_API_KEY is not set. Skipping real AI review generation. |
There was a problem hiding this comment.
Actionable comments posted: 10
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/issue-management.yml:
- Around line 7-8: Workflows currently use unpinned actions and leave checkout
credentials persistent; update .github/workflows/issue-management.yml and
.github/workflows/continuous-improvement.yml to pin each third-party action
(actions/checkout@v4, actions/setup-node@v4,
peter-evans/create-or-update-comment@v4, actions/github-script@v7) to their
specific commit SHAs, add with: persist-credentials: false to the
actions/checkout step in both workflows, and move the write-scoped permissions
(issues: write / contents: write) from the top-level workflow permissions into
only the specific job(s) that need write access so least-privilege is enforced
at the job boundary.
In @.github/workflows/pages.yml:
- Around line 10-13: Add short inline comments explaining each GitHub Actions
permission under the permissions block: annotate "contents: read" to indicate
repository content read access is required to fetch site artifacts, "pages:
write" to indicate deployment permission to GitHub Pages, and "id-token: write"
to indicate OIDC token issuance for secure authentication; place these comments
next to the keys (contents, pages, id-token) so future reviewers understand why
each scope is required.
- Around line 26-27: The Checkout step using actions/checkout@v4 (the step with
name: Checkout) currently leaves credentials in .git/config; update that step to
explicitly disable credential persistence by adding persist-credentials: false
to the step configuration so the checkout does not store repository credentials
(since the workflow only reads the repo and does not push).
- Around line 1-8: The GitHub Pages workflow will publish the docs/ folder but
GitHub Pages expects docs/index.html as the site root, and currently only
docs/dashboard.html exists; fix by adding a root entry point: either rename
docs/dashboard.html to docs/index.html, or create docs/index.html that performs
a client-side redirect to dashboard.html, or update the Pages configuration to
use docs/dashboard.html as the landing page so the site root no longer 404s
(refer to docs/dashboard.html and docs/index.html in your changes).
- Line 27: Replace mutable action tags with immutable commit SHAs: for each
usage of actions/checkout@v4, actions/configure-pages@v3,
actions/upload-pages-artifact@v1, and actions/deploy-pages@v1 in the workflow,
update the reference to the corresponding commit SHA from the action's GitHub
repo (e.g., actions/checkout@<commit-sha>) so the workflow pins to an immutable
release; locate these usages by the action identifiers (actions/checkout,
actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages)
and substitute the tag with the exact commit hash, then test the workflow to
ensure compatibility.
In @.github/workflows/release.yml:
- Around line 15-16: The checkout step currently uses actions/checkout@v4 which
persists the GITHUB_TOKEN by default; update the Checkout Repository step
(actions/checkout@v4) to disable persisted credentials by adding
persist-credentials: false to the step so the workflow does not expose the token
to subsequent npm install scripts.
- Around line 8-9: Move the workflow-level permissions block that sets
"contents: write" out of the top-level "permissions" and instead add it under
the specific release job as "jobs.release.permissions: contents: write"; remove
the top-level "permissions: contents: write" so workflow defaults remain
read-only and only the release job has write access. Ensure the key names match
"permissions" and "contents" and the job id is "release" to locate where to add
the scoped permission.
In `@docs/architecture/dependency-graph.md`:
- Line 128: Add a single final newline character at the end of the document
immediately after the closing triple-backtick fence (the final ``` in the file)
so the file ends with one newline; ensure there are no extra blank lines beyond
that single newline.
In `@docs/architecture/SERVICE_MAP.md`:
- Line 15: The file docs/architecture/SERVICE_MAP.md is missing a trailing
newline after the closing code fence; edit SERVICE_MAP.md and ensure there is a
single newline character at the end of the file immediately after the final ```
closing fence so the file ends with one newline.
In `@scripts/automation/issue-manage.ts`:
- Line 62: The top-level promise handler currently uses
main().catch(console.error) which only logs errors and can still allow a
successful exit; update the final promise handling in this file (and the sibling
scripts/automation/improve-repo.ts) so the catch handler logs the error and
fails the process—e.g., replace the simple console.error handler on the main()
call with a catch that logs the error and sets process.exitCode = 1 (or
rethrows) to ensure CI fails on unexpected runtime failures.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 91e9e674-4d3e-457d-8013-30b8e08fd2ab
📒 Files selected for processing (11)
.github/workflows/continuous-improvement.yml.github/workflows/issue-management.yml.github/workflows/pages.yml.github/workflows/release.ymlAGENTS.mddocs/architecture/SERVICE_MAP.mddocs/architecture/dependency-graph.mdmetadata.jsonpackage.jsonscripts/automation/improve-repo.tsscripts/automation/issue-manage.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
docs/**/*.{md,md,png,jpg,jpeg,svg,diagram}
📄 CodeRabbit inference engine (AGENTS.md)
Ensure documentation, architecture diagrams, and repository health metrics are always up-to-date. Refer to
docs/for auto-generated insights.
Files:
docs/architecture/SERVICE_MAP.mddocs/architecture/dependency-graph.md
{README.md,metadata.json}
📄 CodeRabbit inference engine (AGENTS.md)
Keep the
README.mdand architecture documentation synchronized with reality. Themetadata.jsonacts as the source of truth for the automated repo mapping.
Files:
metadata.json
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:24:50.053Z
Learning: Every repetitive task that can be automated MUST be automated. Leverage the `scripts/automation/` directory and GitHub Actions workflows.
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:24:50.053Z
Learning: Use `npm run fix` to attempt automatic linting, formatting, and security fixes before requesting human intervention.
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:24:50.053Z
Learning: Before committing any changes, ensure tests pass (`npm test`) and code quality is maintained (`npm run lint`, `npm run format`). Always run the `pre_commit_instructions` tool and follow its guidelines before final submission.
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:24:50.053Z
Learning: Expect the AI reviewer (`ai-reviewer.ts`) to analyze pull requests and address its findings constructively.
🪛 GitHub Check: SonarCloud Code Analysis
scripts/automation/issue-manage.ts
[warning] 1-1: Prefer node:fs over fs.
[warning] 62-62: Prefer top-level await over using a promise chain.
[warning] 2-2: Prefer node:path over path.
scripts/automation/improve-repo.ts
[warning] 69-69: Prefer top-level await over using a promise chain.
[warning] 1-1: Prefer node:fs over fs.
[warning] 2-2: Prefer node:path over path.
🪛 LanguageTool
AGENTS.md
[style] ~19-~19: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...o auto-heal formatting and linting. 4. Run npm run analyze:repo and `npm run gen...
(ENGLISH_WORD_REPEAT_BEGINNING_RULE)
🪛 markdownlint-cli2 (0.22.1)
docs/architecture/SERVICE_MAP.md
[warning] 15-15: Files should end with a single newline character
(MD047, single-trailing-newline)
docs/architecture/dependency-graph.md
[warning] 128-128: Files should end with a single newline character
(MD047, single-trailing-newline)
🪛 zizmor (1.25.2)
.github/workflows/pages.yml
[warning] 26-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 12-12: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level
(excessive-permissions)
[error] 13-13: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level
(excessive-permissions)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 20-20: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
.github/workflows/continuous-improvement.yml
[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 12-12: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
.github/workflows/release.yml
[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[error] 19-19: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
[info] 12-12: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
[info] 29-29: action functionality is already included by the runner (superfluous-actions): use gh release in a script step
(superfluous-actions)
.github/workflows/issue-management.yml
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 8-8: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level
(excessive-permissions)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 11-11: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
[info] 34-34: action functionality is already included by the runner (superfluous-actions): use gh pr comment or gh issue comment in a script step
(superfluous-actions)
🔇 Additional comments (10)
.github/workflows/pages.yml (1)
15-17: LGTM!package.json (1)
22-24: LGTM!AGENTS.md (1)
1-24: LGTM!metadata.json (4)
70-72: LGTM!
74-79: LGTM!
100-114: LGTM!
148-149: LGTM!docs/architecture/dependency-graph.md (1)
25-69: docs/architecture/dependency-graph.md: missing workflow→script edges are expected given generator scope
scripts/automation/generate-diagrams.tsdocuments thatdependency-graph.mdis “auto-generated based on the repository structure and dependencies”, and its dependency edges are built frommetadata.dependencies(no workflow/YAML parsing logic found). Therefore the diagram intentionally won’t show runtime edges likecontinuous-improvement.yml → improve-repo.tsorissue-management.yml → issue-manage.ts. Approve the node additions indocs/architecture/dependency-graph.md(lines 25-69) as structurally correct..github/workflows/release.yml (2)
1-7: LGTM!Also applies to: 11-14, 23-27, 31-34
16-16: Pin GitHub Actions to immutable commit SHAs in.github/workflows/release.yml(lines 16, 19, 29)Current workflow uses moving tags, which can cause supply-chain drift—use the resolved SHAs instead:
actions/checkout@v4→actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5actions/setup-node@v4→actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020softprops/action-gh-release@v2→softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65
| permissions: | ||
| issues: write |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
files=(
".github/workflows/issue-management.yml"
".github/workflows/continuous-improvement.yml"
)
for f in "${files[@]}"; do
echo "===== $f (head 120 lines with numbers) ====="
if [ -f "$f" ]; then
nl -ba "$f" | head -n 160
else
echo "MISSING: $f"
fi
echo
done
echo "===== Find permissions blocks ====="
rg -n --hidden -S "^(permissions:|\\s*permissions:)" .github/workflows/*.yml || true
echo "===== Find actions/checkout usage + persist-credentials ====="
rg -n --hidden -S "uses:\s*actions/checkout@|persist-credentials" .github/workflows/*.yml || true
echo "===== Find all uses:@ references (to assess pinning) ====="
rg -n --hidden -S "uses:\s*[^@]+@(v|V|main|master|release|\\^|\\*|[0-9]+\\.[0-9]+\\.[0-9]+|\\w+)" .github/workflows/*.yml || true
echo "===== Find uses with commit SHA patterns (40 hex) ====="
rg -n --hidden -S "uses:\s*[^@]+@[0-9a-fA-F]{40}" .github/workflows/*.yml || trueRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 215
🏁 Script executed:
#!/bin/bash
set -euo pipefail
files=(
".github/workflows/issue-management.yml"
".github/workflows/continuous-improvement.yml"
)
for f in "${files[@]}"; do
echo "===== $f (first 200 lines with numbers via cat -n) ====="
if [ -f "$f" ]; then
cat -n "$f" | head -n 200
else
echo "MISSING: $f"
fi
echo
done
echo "===== Find permissions blocks ====="
rg -n --hidden -S "^(permissions:|\\s*permissions:)" .github/workflows/*.yml || true
echo "===== Find actions/checkout usage + persist-credentials ====="
rg -n --hidden -S "uses:\\s*actions/checkout@|persist-credentials" .github/workflows/*.yml || true
echo "===== Find uses:@ references in the two target files ====="
for f in "${files[@]}"; do
echo "--- $f ---"
rg -n --hidden -S "uses:\\s*[^@]+@.+$" "$f" || true
done
echo "===== Find uses with commit SHA patterns (40 hex) in the two target files ====="
sha_pat='uses:\s*[^@]+@[0-9a-fA-F]{40}'
for f in "${files[@]}"; do
echo "--- $f ---"
rg -n --hidden -S "$sha_pat" "$f" || true
done
echo "===== Find checkout persist-credentials exact key/values ====="
for f in "${files[@]}"; do
echo "--- $f ---"
rg -n --hidden -S "persist-credentials\\s*:" "$f" || true
doneRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 5956
Harden both workflows with pinned actions + disabled checkout credential persistence under write-scoped permissions.
- .github/workflows/issue-management.yml (permissions:
issues: write):actions/checkout@v4,actions/setup-node@v4,peter-evans/create-or-update-comment@v4,actions/github-script@v7are not pinned to commit SHAs; addwith: persist-credentials: falseto theactions/checkoutstep. - .github/workflows/continuous-improvement.yml (permissions:
contents: write):actions/checkout@v4/actions/setup-node@v4are not pinned to commit SHAs; addwith: persist-credentials: falseto theactions/checkoutstep. - Keep
permissionsas least-privilege at the job boundary (only what’s required for the job that performs writes).
🧰 Tools
🪛 zizmor (1.25.2)
[error] 8-8: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level
(excessive-permissions)
[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/issue-management.yml around lines 7 - 8, Workflows
currently use unpinned actions and leave checkout credentials persistent; update
.github/workflows/issue-management.yml and
.github/workflows/continuous-improvement.yml to pin each third-party action
(actions/checkout@v4, actions/setup-node@v4,
peter-evans/create-or-update-comment@v4, actions/github-script@v7) to their
specific commit SHAs, add with: persist-credentials: false to the
actions/checkout step in both workflows, and move the write-scoped permissions
(issues: write / contents: write) from the top-level workflow permissions into
only the specific job(s) that need write access so least-privilege is enforced
at the job boundary.
Source: Linters/SAST tools
| name: Deploy Documentation to GitHub Pages | ||
|
|
||
| on: | ||
| push: | ||
| branches: ['main'] | ||
| paths: | ||
| - 'docs/**' | ||
| workflow_dispatch: |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify if index.html exists in docs/ directory
if [ -f "docs/index.html" ]; then
echo "✓ index.html exists"
cat docs/index.html
else
echo "✗ index.html missing - GitHub Pages will serve 404"
echo "Primary artifact found:"
fd -t f . docs/ -d 1
fiRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 167
Fix GitHub Pages landing (missing docs/index.html can cause root 404)
docs/index.html is missing (only docs/dashboard.html was found), but the workflow uploads docs/ as-is—GitHub Pages serves /index.html by default at the site root. Add a root entry point by renaming docs/dashboard.html to docs/index.html, or adding docs/index.html that redirects to dashboard.html (or configure Pages to use dashboard.html as the landing page).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pages.yml around lines 1 - 8, The GitHub Pages workflow
will publish the docs/ folder but GitHub Pages expects docs/index.html as the
site root, and currently only docs/dashboard.html exists; fix by adding a root
entry point: either rename docs/dashboard.html to docs/index.html, or create
docs/index.html that performs a client-side redirect to dashboard.html, or
update the Pages configuration to use docs/dashboard.html as the landing page so
the site root no longer 404s (refer to docs/dashboard.html and docs/index.html
in your changes).
| permissions: | ||
| contents: read | ||
| pages: write | ||
| id-token: write |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Add explanatory comments for permissions.
While these permissions are correctly scoped for GitHub Pages deployment with OIDC authentication, adding comments would improve maintainability and help future reviewers understand why each permission is required.
📝 Proposed addition of permission comments
permissions:
- contents: read
- pages: write
- id-token: write
+ contents: read # Required to checkout the repository
+ pages: write # Required to deploy to GitHub Pages
+ id-token: write # Required for OIDC authentication with Pages📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| pages: write | |
| id-token: write | |
| permissions: | |
| contents: read # Required to checkout the repository | |
| pages: write # Required to deploy to GitHub Pages | |
| id-token: write # Required for OIDC authentication with Pages |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 12-12: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level
(excessive-permissions)
[error] 13-13: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level
(excessive-permissions)
[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pages.yml around lines 10 - 13, Add short inline comments
explaining each GitHub Actions permission under the permissions block: annotate
"contents: read" to indicate repository content read access is required to fetch
site artifacts, "pages: write" to indicate deployment permission to GitHub
Pages, and "id-token: write" to indicate OIDC token issuance for secure
authentication; place these comments next to the keys (contents, pages,
id-token) so future reviewers understand why each scope is required.
| - name: Checkout | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
Security: Set persist-credentials to false to prevent credential leakage.
The checkout action persists credentials by default in .git/config. When combined with artifact uploads (line 33-35), this creates a credential exposure risk. Since this workflow only reads the repository and doesn't push changes, credentials should be disabled.
🔒 Proposed fix to disable credential persistence
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 26-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pages.yml around lines 26 - 27, The Checkout step using
actions/checkout@v4 (the step with name: Checkout) currently leaves credentials
in .git/config; update that step to explicitly disable credential persistence by
adding persist-credentials: false to the step configuration so the checkout does
not store repository credentials (since the workflow only reads the repo and
does not push).
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Fetch latest commit SHAs for pinned action versions
echo "Fetching commit SHAs for action tags..."
# Function to get SHA for a tag
get_sha() {
repo=$1
tag=$2
gh api "repos/${repo}/git/ref/tags/${tag}" --jq '.object.sha' 2>/dev/null || \
gh api "repos/${repo}/commits/${tag}" --jq '.sha' 2>/dev/null
}
echo "actions/checkout@v4: $(get_sha actions/checkout v4)"
echo "actions/configure-pages@v4: $(get_sha actions/configure-pages v4)"
echo "actions/upload-pages-artifact@v3: $(get_sha actions/upload-pages-artifact v3)"
echo "actions/deploy-pages@v4: $(get_sha actions/deploy-pages v4)"Repository: NITISH-R-G/Intelli-Credit-V2
Length of output: 384
Security: Pin GitHub Actions to commit SHAs instead of mutable tags.
.github/workflows/pages.yml uses mutable tags (@v4, @v3) for actions/checkout, actions/configure-pages, actions/upload-pages-artifact, and actions/deploy-pages, which enables supply-chain retagging. Pin to immutable SHAs instead (lines 27-39):
🔒 Proposed SHA-pinning fix
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
- name: Upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
- name: Deploy to GitHub Pages
id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4🧰 Tools
🪛 zizmor (1.25.2)
[warning] 26-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pages.yml at line 27, Replace mutable action tags with
immutable commit SHAs: for each usage of actions/checkout@v4,
actions/configure-pages@v3, actions/upload-pages-artifact@v1, and
actions/deploy-pages@v1 in the workflow, update the reference to the
corresponding commit SHA from the action's GitHub repo (e.g.,
actions/checkout@<commit-sha>) so the workflow pins to an immutable release;
locate these usages by the action identifiers (actions/checkout,
actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages)
and substitute the tag with the exact commit hash, then test the workflow to
ensure compatibility.
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
Scope write permissions at the job level (Line 8) instead of workflow-wide.
contents: write at workflow scope grants write to every current/future job. Restrict it to jobs.release.permissions and leave workflow defaults read-only.
Suggested patch
-permissions:
- contents: write
-
jobs:
release:
+ permissions:
+ contents: write # required to create/edit GitHub Releases
runs-on: ubuntu-latest🧰 Tools
🪛 zizmor (1.25.2)
[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml around lines 8 - 9, Move the workflow-level
permissions block that sets "contents: write" out of the top-level "permissions"
and instead add it under the specific release job as "jobs.release.permissions:
contents: write"; remove the top-level "permissions: contents: write" so
workflow defaults remain read-only and only the release job has write access.
Ensure the key names match "permissions" and "contents" and the job id is
"release" to locate where to add the scoped permission.
Source: Linters/SAST tools
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
Disable persisted GitHub token credentials on checkout (Lines 15-16).
actions/checkout persists credentials by default. Because Line 25 runs npm ci (which may execute install scripts), a compromised dependency script can exfiltrate the token.
Suggested patch
- name: Checkout Repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml around lines 15 - 16, The checkout step
currently uses actions/checkout@v4 which persists the GITHUB_TOKEN by default;
update the Checkout Repository step (actions/checkout@v4) to disable persisted
credentials by adding persist-credentials: false to the step so the workflow
does not expose the token to subsequent npm install scripts.
Source: Linters/SAST tools
| console.log('AI Issue response generated successfully.'); | ||
| }; | ||
|
|
||
| main().catch(console.error); |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# List files exist
ls -la scripts/automation || true
# Show surrounding lines for the reported locations
echo "---- issue-manage.ts around line 62 ----"
nl -ba scripts/automation/issue-manage.ts | sed -n '40,95p'
echo "---- improve-repo.ts around line 69 ----"
nl -ba scripts/automation/improve-repo.ts | sed -n '40,110p'
# Search for top-level main().catch(console.error) usage in automation scripts
echo "---- Search for catch(console.error) in scripts/automation ----"
rg -n "catch\\(console\\.error\\)|\\.catch\\(console\\.error\\)" scripts/automation || trueRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 826
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- issue-manage.ts around line 62 ----"
awk 'NR>=40 && NR<=95 {printf "%5d %s\n", NR, $0}' scripts/automation/issue-manage.ts
echo "---- improve-repo.ts around line 69 ----"
awk 'NR>=40 && NR<=110 {printf "%5d %s\n", NR, $0}' scripts/automation/improve-repo.ts
echo "---- Search for catch(console.error) in scripts/automation ----"
rg -n "catch\\(console\\.error\\)|\\.catch\\(console\\.error\\)" scripts/automation || trueRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 2563
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- issue-manage.ts: locate main() ----"
rg -n "function main\\b|const main\\b|async function main\\b" scripts/automation/issue-manage.ts
awk 'NR>=1 && NR<=120 {print}' scripts/automation/issue-manage.ts
echo "---- improve-repo.ts: locate main() ----"
rg -n "function main\\b|const main\\b|async function main\\b" scripts/automation/improve-repo.ts
awk 'NR>=1 && NR<=140 {print}' scripts/automation/improve-repo.tsRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 4573
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- issue-manage.ts: main() line numbers ----"
main_lines=$(rg -n "async function main\\b|function main\\b|const main\\b|let main\\b" scripts/automation/issue-manage.ts | head -n 5 | cut -d: -f1 | tr '\n' ' ')
echo "Lines: $main_lines"
# print a window around each possible match (or just around 55-90 if no match)
awk 'NR>=1 && NR<=120 {print}' scripts/automation/issue-manage.ts
echo "---- improve-repo.ts: main() line numbers ----"
rg -n "async function main\\b|function main\\b|const main\\b|let main\\b" scripts/automation/improve-repo.ts | head -n 10
awk 'NR>=1 && NR<=140 {print}' scripts/automation/improve-repo.tsRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 4566
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- issue-manage.ts (first 140 lines) ----"
awk 'NR>=1 && NR<=140 {print}' scripts/automation/issue-manage.ts
echo "---- improve-repo.ts (first 170 lines) ----"
awk 'NR>=1 && NR<=170 {print}' scripts/automation/improve-repo.tsRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 4521
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- issue-manage.ts (first 140 lines) ----"
awk 'NR>=1 && NR<=140 {print}' scripts/automation/issue-manage.ts
echo "---- improve-repo.ts (first 170 lines) ----"
awk 'NR>=1 && NR<=170 {print}' scripts/automation/improve-repo.tsRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 4521
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- process.exit / exitCode usage in issue-manage.ts ----"
rg -n "process\\.(exitCode|exit)\\b" scripts/automation/issue-manage.ts || true
echo "---- process.exit / exitCode usage in improve-repo.ts ----"
rg -n "process\\.(exitCode|exit)\\b" scripts/automation/improve-repo.ts || true
echo "---- main() declaration in issue-manage.ts (search) ----"
rg -n "async function main\\b|function main\\b|const main\\b|let main\\b" scripts/automation/issue-manage.ts
echo "---- main() declaration in improve-repo.ts (search) ----"
rg -n "async function main\\b|function main\\b|const main\\b|let main\\b" scripts/automation/improve-repo.tsRepository: NITISH-R-G/Intelli-Credit-V2
Length of output: 362
Fail fast in CI for unexpected automation errors in issue-manage and improve-repo.
Both scripts/automation/issue-manage.ts and scripts/automation/improve-repo.ts end with main().catch(console.error);, which only logs if main() rejects (e.g., errors outside the inner try/catch) and does not set process.exitCode/rethrow—so the process may exit successfully. Set process.exitCode = 1 (or rethrow) inside the catch for both files.
🧰 Tools
🪛 GitHub Check: SonarCloud Code Analysis
[warning] 62-62: Prefer top-level await over using a promise chain.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/automation/issue-manage.ts` at line 62, The top-level promise handler
currently uses main().catch(console.error) which only logs errors and can still
allow a successful exit; update the final promise handling in this file (and the
sibling scripts/automation/improve-repo.ts) so the catch handler logs the error
and fails the process—e.g., replace the simple console.error handler on the
main() call with a catch that logs the error and sets process.exitCode = 1 (or
rethrows) to ensure CI fails on unexpected runtime failures.
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
scripts/automation/improve-repo.ts (1)
17-19:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winHandle malformed
metadata.jsongracefully.At Line 18,
JSON.parsecan throw and stop report generation. Since metadata is optional here, catch parse errors and continue with{}to keep automation resilient.Suggested patch
let metadata: any = {}; if (fs.existsSync(metadataPath)) { - metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8')); + try { + metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8')); + } catch (error) { + console.warn('metadata.json is invalid JSON. Continuing with empty metadata.', error); + metadata = {}; + } }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/automation/improve-repo.ts` around lines 17 - 19, Wrap the JSON.parse call that reads metadataPath in a try/catch so malformed metadata.json doesn't throw and halt execution; when fs.existsSync(metadataPath) is true, read the file with fs.readFileSync as before but catch any JSON.parse errors and set metadata = {} (and optionally log a warning) instead of letting the exception propagate — update the block that references metadataPath / metadata / JSON.parse to handle parse failures gracefully.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@scripts/automation/improve-repo.ts`:
- Around line 17-19: Wrap the JSON.parse call that reads metadataPath in a
try/catch so malformed metadata.json doesn't throw and halt execution; when
fs.existsSync(metadataPath) is true, read the file with fs.readFileSync as
before but catch any JSON.parse errors and set metadata = {} (and optionally log
a warning) instead of letting the exception propagate — update the block that
references metadataPath / metadata / JSON.parse to handle parse failures
gracefully.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: e08b9914-eccf-44af-9a67-192d410c714c
📒 Files selected for processing (3)
.github/workflows/ai-documentation-agent.ymlscripts/automation/improve-repo.tsscripts/automation/issue-manage.ts
📜 Review details
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:33:09.040Z
Learning: Automate every repetitive task by leveraging the `scripts/automation/` directory and GitHub Actions workflows
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:33:09.040Z
Learning: Use `npm run fix` to attempt automatic linting, formatting, and security fixes before requesting human intervention
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:33:09.040Z
Learning: Ensure tests pass with `npm test` and code quality is maintained with `npm run lint` and `npm run format` before committing
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:33:09.040Z
Learning: Expect the AI reviewer (`ai-reviewer.ts`) to analyze pull requests and address its findings constructively
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:33:09.040Z
Learning: Run `npm run analyze:repo` and `npm run generate:diagrams` to update the repository knowledge graph when structural changes are made
🔇 Additional comments (5)
.github/workflows/ai-documentation-agent.yml (1)
42-43: LGTM!scripts/automation/issue-manage.ts (2)
62-62: Duplicate: fail-fast top-level error handling is still missing.
main().catch(console.error)at Line 62 can mask unhandled failures with a successful exit; this was already reported, and the same pattern also appears inscripts/automation/improve-repo.tsat Line 69.
1-61: LGTM!scripts/automation/improve-repo.ts (2)
69-69: Already covered by the duplicate cross-file finding.
1-17: LGTM!Also applies to: 20-68
- Replaced `console.log` with `console.info` in `scripts/automation/improve-repo.ts` and `scripts/automation/issue-manage.ts` to clear logging-related SonarCloud warnings. - Fixed an `any` type warning in `improve-repo.ts` by strongly typing the `metadata` object as `Record<string, unknown>`. - Ensured all automation scripts pass `npm run lint` and ESLint checks. Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
…ge graph [skip ci]
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
scripts/automation/issue-manage.ts (2)
50-54: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick winConsider more robust label classification.
The current label heuristic uses simple case-insensitive substring matching on the AI response text. This is fragile—if the AI rephrases slightly (e.g., "This appears to be a bug" instead of "bug report"), the label won't match. Consider asking the AI to return structured output (JSON with
{ type: 'bug' | 'enhancement' | 'question' | 'triage', ... }) or use a second, focused prompt for classification.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/automation/issue-manage.ts` around lines 50 - 54, The current heuristic using responseText.toLowerCase() and substring checks for suggestedLabel is fragile; change the flow so the AI returns a structured classification (e.g., JSON with a "type" field) or call a second focused prompt to classify into 'bug'|'enhancement'|'question'|'triage', then parse that JSON safely (try/catch, validate the "type" value) and set suggestedLabel from the parsed type with a fallback to 'triage'; update references in the code around suggestedLabel and responseText handling to use the new parsed result and validation logic.
38-41:⚠️ Potential issue | 🟠 Major | 🏗️ Heavy liftMissing timeout on AI generation calls in
scripts/automation/issue-manage.tsandscripts/automation/improve-repo.ts.Both
issue-manage.ts(lines 38-41) andimprove-repo.ts(lines 42-45) callai.models.generateContentwithout a timeout. If the Gemini API hangs or responds slowly, the GitHub Actions workflows will run until the default timeout (360 minutes), wasting CI resources and delaying feedback. Wrap both calls withPromise.raceand a timeout promise (suggested: 30s for issue triage, 60s for repo analysis) to fail fast and provide clear error messages.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/automation/issue-manage.ts` around lines 38 - 41, Wrap the ai.models.generateContent call in scripts/automation/issue-manage.ts (and the analogous call in scripts/automation/improve-repo.ts) with a Promise.race between the generateContent promise and a timeout promise (suggested 30s for issue-manage, 60s for improve-repo); implement the timeout promise to reject with a clear error message like "AI generation timed out after X ms" so callers can catch/handle it, and ensure the code cleans up/propagates the original generateContent error if it fails before the timeout.scripts/automation/improve-repo.ts (1)
28-28: 🧹 Nitpick | 🔵 Trivial | 💤 Low valueMagic number: extract truncation limit as a named constant.
The 50000-character truncation limit is arbitrary and hardcoded. Extract it as a named constant (e.g.,
MAX_METADATA_CHARS) to improve maintainability and make it easier to tune if needed.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/automation/improve-repo.ts` at line 28, Extract the hardcoded 50000 truncation limit into a named constant (e.g., MAX_METADATA_CHARS) and replace the substring call that uses 50000 with that constant; update the usage around JSON.stringify(metadata, null, 2).substring(0, 50000) so it reads JSON.stringify(metadata, null, 2).substring(0, MAX_METADATA_CHARS) and declare the constant near the top of scripts/automation/improve-repo.ts so it's easy to find and adjust.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@scripts/automation/improve-repo.ts`:
- Line 28: Extract the hardcoded 50000 truncation limit into a named constant
(e.g., MAX_METADATA_CHARS) and replace the substring call that uses 50000 with
that constant; update the usage around JSON.stringify(metadata, null,
2).substring(0, 50000) so it reads JSON.stringify(metadata, null,
2).substring(0, MAX_METADATA_CHARS) and declare the constant near the top of
scripts/automation/improve-repo.ts so it's easy to find and adjust.
In `@scripts/automation/issue-manage.ts`:
- Around line 50-54: The current heuristic using responseText.toLowerCase() and
substring checks for suggestedLabel is fragile; change the flow so the AI
returns a structured classification (e.g., JSON with a "type" field) or call a
second focused prompt to classify into 'bug'|'enhancement'|'question'|'triage',
then parse that JSON safely (try/catch, validate the "type" value) and set
suggestedLabel from the parsed type with a fallback to 'triage'; update
references in the code around suggestedLabel and responseText handling to use
the new parsed result and validation logic.
- Around line 38-41: Wrap the ai.models.generateContent call in
scripts/automation/issue-manage.ts (and the analogous call in
scripts/automation/improve-repo.ts) with a Promise.race between the
generateContent promise and a timeout promise (suggested 30s for issue-manage,
60s for improve-repo); implement the timeout promise to reject with a clear
error message like "AI generation timed out after X ms" so callers can
catch/handle it, and ensure the code cleans up/propagates the original
generateContent error if it fails before the timeout.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 5a878f6f-5200-4983-82a0-604e5c70c1a7
📒 Files selected for processing (2)
scripts/automation/improve-repo.tsscripts/automation/issue-manage.ts
📜 Review details
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Automate every repetitive task using scripts in the `scripts/automation/` directory and GitHub Actions workflows
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Use `npm run fix` to automatically remediate linting, formatting, and security fixes before requesting human intervention
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Keep documentation, architecture diagrams, and repository health metrics in the `docs/` directory up-to-date
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Ensure tests pass with `npm test` and code quality is maintained with `npm run lint` and `npm run format` before committing changes
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Use `metadata.json` as the source of truth for automated repository mapping
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Keep the `README.md` and architecture documentation synchronized with the actual repository structure
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Address findings from the AI reviewer (`ai-reviewer.ts`) constructively in pull requests
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-12T17:40:18.727Z
Learning: Run `npm run analyze:repo` and `npm run generate:diagrams` to update the repository knowledge graph when making structural changes
🔇 Additional comments (6)
scripts/automation/issue-manage.ts (3)
62-62: Process exit handling already flagged in previous review.The catch handler logs but doesn't fail the process. This was identified in the past review and remains unresolved.
6-6: LGTM!Also applies to: 59-59
39-39: Confirm Gemini model name (gemini-2.5-flash) is valid
Official Gemini API model docs listgemini-2.5-flashas a supported model identifier, so themodel: 'gemini-2.5-flash'usage inscripts/automation/issue-manage.tsis consistent with the API (repo uses@google/genaiv1.29.x / resolved 1.46.0).scripts/automation/improve-repo.ts (3)
69-69: Process exit handling already flagged in previous review.The catch handler logs but doesn't fail the process. This was identified in the past review (for both scripts) and remains unresolved.
6-6: LGTM!Also applies to: 66-66
16-16: Good type narrowing fromanytoRecord<string, unknown>.This change improves type safety and follows TypeScript best practices.



Implemented requested enhancements to transform the repository into an advanced, autonomous ecosystem:
AGENTS.mdwith strict rules for automation, self-healing, and pre-commit validations.scripts/automation/improve-repo.tsto detect technical debt and architectural flaws.scripts/automation/issue-manage.tsfor automated issue triage, labeling, and responding using Gemini AI.package.json.PR created automatically by Jules for task 12401965109460807617 started by @NITISH-R-G
Summary by Sourcery
Introduce autonomous repository management with AI-driven improvement reports, automated issue handling, and supporting workflows and guidelines.
New Features:
Enhancements:
CI:
Documentation: