feat(automation): Implement Autonomous Repository Management and AI Maintenance#89
feat(automation): Implement Autonomous Repository Management and AI Maintenance#89NITISH-R-G wants to merge 4 commits into
Conversation
…lligence - Add `AGENTS.md` guiding AI assistants on automated repository maintenance - Create `scripts/automation/improve-repo.ts` to identify technical debt using GenAI - Create `scripts/automation/issue-manager.ts` to automatically triage and label issues via GitHub API - Add `continuous-improvement.yml` and `issue-management.yml` GitHub actions - Implement basic `secret-scanning.yml` workflow for security auditing - Update `package.json` with new automation scripts Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Reviewer's GuideIntroduces AI-driven repo automation by adding AI assistant guidelines, two Node-based automation scripts (for continuous improvement reporting and AI-driven issue management), and three GitHub Actions workflows (continuous improvement, AI issue triage, and basic secret scanning), wired via new npm scripts. Sequence diagram for AI-driven issue management workflowsequenceDiagram
actor Developer
participant GitHub
participant Workflow_issue_management as Workflow_issue_management
participant Issue_manager_script as issue-manager.ts
participant GoogleGenAI
participant GitHub_API
Developer->>GitHub: Open or edit issue
GitHub-->>Workflow_issue_management: issues event (opened/edited)
Workflow_issue_management->>Workflow_issue_management: npm run issue:manage
Workflow_issue_management->>Issue_manager_script: main
Issue_manager_script->>GoogleGenAI: models.generateContent
GoogleGenAI-->>Issue_manager_script: response.text
Issue_manager_script->>GitHub_API: fetch /issues/{issueNumber}/labels
GitHub_API-->>Issue_manager_script: labels applied
Issue_manager_script->>GitHub_API: fetch /issues/{issueNumber}/assignees
GitHub_API-->>Issue_manager_script: assignees applied
Issue_manager_script-->>Workflow_issue_management: console.log results
Workflow_issue_management-->>GitHub: Job logs and updated issue metadata
Sequence diagram for continuous improvement reporting workflowsequenceDiagram
participant Scheduler as Cron_or_manual_trigger
participant GitHub
participant Workflow_continuous_improvement as Workflow_continuous_improvement
participant Analyze_repo_script as analyze:repo
participant Improve_repo_script as improve-repo.ts
participant GoogleGenAI
participant Docs as docs/tech-debt-report.md
Scheduler->>GitHub: Trigger workflow (cron or dispatch)
GitHub-->>Workflow_continuous_improvement: Start job improve-repo
Workflow_continuous_improvement->>Workflow_continuous_improvement: npm run analyze:repo
Workflow_continuous_improvement->>Improve_repo_script: npm run improve:repo
Improve_repo_script->>Improve_repo_script: read metadata.json
alt GEMINI_API_KEY set
Improve_repo_script->>GoogleGenAI: models.generateContent
GoogleGenAI-->>Improve_repo_script: response.text
else GEMINI_API_KEY missing
Improve_repo_script->>Improve_repo_script: write fallback message
end
Improve_repo_script->>Docs: fs.writeFileSync tech-debt-report.md
Improve_repo_script->>GitHub: fs.appendFileSync GITHUB_STEP_SUMMARY
Improve_repo_script-->>Workflow_continuous_improvement: console.log success
Workflow_continuous_improvement-->>GitHub: git commit and push report (if changed)
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (4)
📜 Recent review details🧰 Additional context used🧠 Learnings (1)📓 Common learnings🔇 Additional comments (8)
📝 WalkthroughSummary by CodeRabbitRelease Notes
WalkthroughAdds three GitHub Actions workflows (continuous-improvement, issue-management, secret-scanning), two TypeScript automation scripts (improve-repo.ts, issue-manager.ts), npm script registrations and metadata updates, AGENTS.md guidance, and minor architecture doc updates. ChangesGitHub Automation Infrastructure & AI Integration
Sequence Diagram(s)sequenceDiagram
participant Scheduler as Daily Scheduler
participant Workflow as continuous-improvement.yml
participant Script as improve-repo.ts
participant API as Gemini API
participant Repo as Repository
Scheduler->>Workflow: Trigger (daily/manual)
Workflow->>Script: npm run analyze:repo && npm run improve:repo
Script->>API: generateContent with metadata
API-->>Script: Tech debt report markdown
Script->>Repo: Write docs/tech-debt-report.md
Workflow->>Repo: Commit + push when changed
sequenceDiagram
participant Event as GitHub Issue Event
participant Workflow as issue-management.yml
participant Script as issue-manager.ts
participant API as Gemini API
participant REST as GitHub REST API
Event->>Workflow: issue opened/edited
Workflow->>Script: npm run issue:manage (env vars)
Script->>API: generateContent with issue title/body
API-->>Script: JSON labels & assignees
Script->>REST: POST /issues/{number}/labels
Script->>REST: POST /issues/{number}/assignees
Estimated Code Review Effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…ge graph [skip ci]
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- In
issue-manager.ts, the prompt instructs the model to choose a priority label but the JSON schema and subsequent GitHub API calls ignore priority entirely; either add a separate priority field to the schema and apply it as a label or remove that requirement from the prompt to avoid confusion. - The issue management workflow uses
secrets.GITHUB_TOKEN, which requires a manually configured secret; consider using the built-in${{ github.token }}instead to reduce setup friction and ensure the token is always available with the appropriate permissions. - When applying labels in
issue-manager.ts, the AI output is sent directly to GitHub; it would be safer to validateparsedResponse.labelsagainst the known allowed label set from the prompt and drop unknown entries before calling the API to avoid noisy failures from hallucinated labels.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In `issue-manager.ts`, the prompt instructs the model to choose a priority label but the JSON schema and subsequent GitHub API calls ignore priority entirely; either add a separate priority field to the schema and apply it as a label or remove that requirement from the prompt to avoid confusion.
- The issue management workflow uses `secrets.GITHUB_TOKEN`, which requires a manually configured secret; consider using the built-in `${{ github.token }}` instead to reduce setup friction and ensure the token is always available with the appropriate permissions.
- When applying labels in `issue-manager.ts`, the AI output is sent directly to GitHub; it would be safer to validate `parsedResponse.labels` against the known allowed label set from the prompt and drop unknown entries before calling the API to avoid noisy failures from hallucinated labels.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Actionable comments posted: 13
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/secret-scanning.yml (1)
11-34:⚠️ Potential issue | 🟠 Major | ⚡ Quick winDeclare explicit minimal permissions for the workflow.
The workflow uses default GITHUB_TOKEN permissions, which grant read and write access to multiple scopes. This violates the principle of least privilege and increases the attack surface if the token is compromised. This job only performs read operations (checkout and scan), so it should declare minimal permissions.
🔒 Proposed fix to add explicit permissions
jobs: secret-scan: runs-on: ubuntu-latest + permissions: + contents: read steps:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/secret-scanning.yml around lines 11 - 34, The secret-scan job currently uses default GITHUB_TOKEN permissions; update the workflow to declare minimal explicit permissions for the secret-scan job by adding a permissions block that limits the token to read-only content access (e.g., add permissions: contents: read under the secret-scan job or at the top-level workflow), leaving other permissions unset or at least minimal; this change targets the job named "secret-scan" in the workflow so the checkout and local git grep only use a read-only token.docs/architecture/SERVICE_MAP.md (1)
1-15:⚠️ Potential issue | 🟡 MinorFix SERVICE_MAP scope clarity and add missing trailing newline
docs/architecture/SERVICE_MAP.mdis generated frommetadata.structure.srcand only builds thesubgraph Application Services(components,services,lib), so it won’t include.github/workflows/*orscripts/automation/*; if automation is expected here, extend/adjust the generator, otherwise clarify the header/scope (automation belongs indocs/architecture/dependency-graph.md).- Add a trailing newline to
docs/architecture/SERVICE_MAP.md(currently ends without one).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/architecture/SERVICE_MAP.md` around lines 1 - 15, The documentation currently presents a SERVICE_MAP that only contains the Mermaid "subgraph Application Services" (nodes components, services, lib) but is labeled generically; update the header or add one sentence under the title to clarify scope (for example change the title to "Service Map — Application Services" or add "This diagram only shows application services; automation/CI pipelines are documented in dependency-graph.md"). Also ensure the Mermaid block remains unchanged except for scope clarification and add a trailing newline at the end of the file so the file ends with a newline.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/continuous-improvement.yml:
- Line 16: Replace the floating action tag "actions/checkout@v4" with a pinned
commit SHA to harden the workflow supply chain; update the uses entry in the
workflow to the specific commit SHA for actions/checkout (obtain the expected
SHA from the actions/checkout GitHub repo release corresponding to v4) and do
the same for any other `uses:` lines that reference tags so they all use
explicit commit SHAs instead of version tags.
- Around line 15-18: Add persist-credentials: false to the actions/checkout@v4
step to avoid leaking the automatically provided GITHUB_TOKEN; specifically, in
the checkout step's with: block add the key persist-credentials: false and keep
the later manual git credential configuration (the existing steps that set up
git credentials) so the workflow can still push commits.
- Around line 3-6: Add a concurrency block to the workflow YAML to prevent
simultaneous runs: under the root level (next to "on:"), add a "concurrency:"
key with a stable group name (for example "continuous-improvement-${{ github.ref
}}") and set "cancel-in-progress: true" so only one run per branch/ref executes
at a time; this ensures scheduled runs and manual "workflow_dispatch" cannot run
concurrently and avoids conflicting commits/pushes.
- Around line 8-9: The workflow-level permissions block currently grants
"contents: write" at the top-level; move that permission into only the specific
job(s) that require repository write access by removing the top-level
"permissions: contents: write" and adding a "permissions:" mapping under the
relevant job(s) (e.g., under the job key that performs actions needing push/PR
operations) with "contents: write", and add a short comment above that job-level
permissions entry explaining why write access is scoped there (e.g., "Grant
contents: write only for this job because it pushes changes/creates tags").
In @.github/workflows/issue-management.yml:
- Line 15: Replace mutable tag references like actions/checkout@v4 with
immutable commit SHA pins: locate the uses: lines that reference actions (e.g.,
actions/checkout@v4) and change them to the corresponding full commit SHA form
(for example: actions/checkout@<commit-sha>) so the workflow always runs the
exact action code; update every similar occurrence in the workflow (including
the other uses line noted in the review) and optionally run a pinning tool
(e.g., pin-github-action) to discover and insert the correct SHAs.
- Around line 7-8: Remove the top-level workflow permission "issues: write" and
instead add a scoped permissions block under the specific job(s) that actually
need to modify issues (e.g., jobs.<job_id>.permissions: issues: write). Leave
other jobs with no elevated issue permissions (or use "issues: read" if only
reading is needed). This moves the "issues: write" grant from the global
permissions block to the relevant job-level permissions entries to apply
least-privilege.
- Around line 3-5: Add a top-level concurrency section to the workflow so only
one run handles a given issue number at a time: create a concurrency block
(placed at the top level of the YAML alongside the existing on: section) with
group set to something like issue-${{ github.event.issue.number }} and
cancel-in-progress: true to ensure new runs cancel any in-flight run for the
same issue and prevent race conditions when updating labels/assignees.
In @.github/workflows/secret-scanning.yml:
- Around line 15-17: The checkout step uses an unpinned tag and leaves
credentials persisted; change the actions/checkout reference to a pinned commit
SHA (replace actions/checkout@v4 with actions/checkout@<commit-sha>) and add the
input persist-credentials: false under the checkout step to disable credential
persistence; verify the chosen SHA corresponds to a trusted release (the
reviewer suggested 11bd71901bbe5b1630ceea73d27597364c9af683 as an example for
v4.2.2) before merging.
- Around line 24-30: The secret-scanning step uses a narrow regex and file
scope: update the SECRETS_FOUND assignment to expand scanned files (add .env*,
.yml, .yaml, .config.js and other common config patterns), relax the length
threshold to 12, and extend the regex to also match object-literal and
template-string forms (e.g., add ":" and `[:\s]*[:\s]*['"`]`/`[`\${]` patterns
or separate regexes for object keys and template literals) so it catches
patterns like apiKey: "..." and `key = `${token}`;` ; finally, consider
restoring or gating the exit 1 (enable exit on critical branches or behind a
strict branch rule) so detections can fail CI when required—refer to the
SECRETS_FOUND variable and the existing regex assignment when making these
edits.
- Around line 3-9: Add a concurrency block to the GitHub Actions workflow to
prevent overlapping runs: insert a top-level concurrency stanza in
.github/workflows/secret-scanning.yml that defines a unique group (for example
concurrency: group: "secret-scanning-${{ github.ref }}" and cancel-in-progress:
true) so pushes/PRs to main will cancel prior in-flight secret-scanning runs and
avoid redundant full-history scans.
In `@scripts/automation/improve-repo.ts`:
- Around line 18-22: The code reads and parses metadata.json without error
handling; wrap the JSON.parse(fs.readFileSync(...)) call in a try-catch so
malformed JSON doesn't crash the script: attempt to read the file into a string
and JSON.parse it inside try, on error catch the exception, log or warn about
the parse failure (including the error message) and leave the existing metadata
variable as the empty object fallback; keep metadataPath and the existence check
but ensure parse errors are handled gracefully in the catch block.
- Around line 11-13: The early-exit branch that runs
fs.writeFileSync(path.resolve(process.cwd(), 'docs/tech-debt-report.md'), ...)
when GEMINI_API_KEY is not set must ensure the docs directory exists first; add
a pre-write directory creation step (e.g., const outPath =
path.resolve(process.cwd(), 'docs/tech-debt-report.md');
fs.mkdirSync(path.dirname(outPath), { recursive: true });) before calling
fs.writeFileSync so it won't throw ENOENT. This mirrors the existing
directory-creation logic later in the script and uses the same path resolution
semantics.
In `@scripts/automation/issue-manager.ts`:
- Line 53: The current cleanup for aiResponse in the const cleanJson assignment
uses a brittle regex (/```json\n?|\n?```/g) that misses variations (CRLF, case,
extra whitespace); update the logic that sets cleanJson (the const cleanJson and
its use of aiResponse) to first remove an opening code fence with a
case-insensitive regex that allows optional whitespace after the language tag
(e.g., replace(/```json\s*/i, '')) and then remove any closing fence allowing
leading whitespace (e.g., replace(/\s*```/g, '')), and finally trim() the result
so all common markdown fence variants (including `\r\n`, ` ```JSON`, or spaces)
are handled robustly.
---
Outside diff comments:
In @.github/workflows/secret-scanning.yml:
- Around line 11-34: The secret-scan job currently uses default GITHUB_TOKEN
permissions; update the workflow to declare minimal explicit permissions for the
secret-scan job by adding a permissions block that limits the token to read-only
content access (e.g., add permissions: contents: read under the secret-scan job
or at the top-level workflow), leaving other permissions unset or at least
minimal; this change targets the job named "secret-scan" in the workflow so the
checkout and local git grep only use a read-only token.
In `@docs/architecture/SERVICE_MAP.md`:
- Around line 1-15: The documentation currently presents a SERVICE_MAP that only
contains the Mermaid "subgraph Application Services" (nodes components,
services, lib) but is labeled generically; update the header or add one sentence
under the title to clarify scope (for example change the title to "Service Map —
Application Services" or add "This diagram only shows application services;
automation/CI pipelines are documented in dependency-graph.md"). Also ensure the
Mermaid block remains unchanged except for scope clarification and add a
trailing newline at the end of the file so the file ends with a newline.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 35563df8-f5f7-49e8-8de7-c8e56f89d2ca
📒 Files selected for processing (10)
.github/workflows/continuous-improvement.yml.github/workflows/issue-management.yml.github/workflows/secret-scanning.ymlAGENTS.mddocs/architecture/SERVICE_MAP.mddocs/architecture/dependency-graph.mdmetadata.jsonpackage.jsonscripts/automation/improve-repo.tsscripts/automation/issue-manager.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**/metadata.json
📄 CodeRabbit inference engine (AGENTS.md)
Rely on
scripts/automation/directory,metadata.json, anddocs/architecturefiles to understand and maintain the repository's current state and architecture
Files:
metadata.json
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Automate every repetitive task that can be automated
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Use continuous self-healing to remediate the repository before requesting human help, including aggressive use of tools like `npm run fix` for linting, formatting, and known security issues
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Documentation should regenerate automatically whenever the code changes
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Maximize GitHub capabilities by utilizing GitHub Actions, Projects, Dependabot, CodeQL, and other native features to their fullest
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Always verify success after every action that modifies the codebase by using read-only tools
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Run `npm test` before committing or opening a PR to ensure unit tests pass without regressions
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Run `npm run format` before committing or opening a PR to format the codebase using Prettier
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Run `npm run lint` before committing or opening a PR for type checking and static analysis
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: When tests or linting fail, attempt to fix them autonomously using `npm run fix` as a first remediation step before stopping
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Proactively triage, categorize, and label issues in pull requests and issue tracking
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Provide actionable review feedback on pull requests as part of AI-driven code review processes
Learnt from: CR
Repo: NITISH-R-G/Intelli-Credit-V2
Timestamp: 2026-06-13T17:35:25.856Z
Learning: Generate architecture documentation, reports, and README updates automatically whenever code changes occur
🪛 GitHub Check: SonarCloud Code Analysis
scripts/automation/improve-repo.ts
[warning] 81-81: Prefer top-level await over using a promise chain.
[warning] 1-1: Prefer node:fs over fs.
[warning] 2-2: Prefer node:path over path.
scripts/automation/issue-manager.ts
[warning] 112-112: Prefer top-level await over using a promise chain.
🪛 markdownlint-cli2 (0.22.1)
docs/architecture/SERVICE_MAP.md
[warning] 15-15: Files should end with a single newline character
(MD047, single-trailing-newline)
docs/architecture/dependency-graph.md
[warning] 127-127: Files should end with a single newline character
(MD047, single-trailing-newline)
🪛 zizmor (1.25.2)
.github/workflows/issue-management.yml
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 8-8: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level
(excessive-permissions)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 11-11: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
.github/workflows/secret-scanning.yml
[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 1-34: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block
(excessive-permissions)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[info] 12-12: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-9: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
.github/workflows/continuous-improvement.yml
[warning] 15-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[error] 46-46: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 12-12: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🔇 Additional comments (8)
AGENTS.md (1)
1-34: LGTM!package.json (1)
22-24: LGTM!metadata.json (5)
70-72: LGTM!
74-79: LGTM!
100-106: LGTM!
113-113: LGTM!
147-148: LGTM!docs/architecture/dependency-graph.md (1)
25-25: LGTM!Also applies to: 28-28, 31-31, 36-36, 67-68, 127-127
| on: | ||
| schedule: | ||
| - cron: '0 4 * * *' # Daily at 4 AM | ||
| workflow_dispatch: |
There was a problem hiding this comment.
Add concurrency limits to prevent simultaneous runs.
The workflow can run via both schedule (daily at 4 AM) and manual dispatch. Without concurrency limits, multiple runs could attempt to commit and push simultaneously, causing git conflicts or race conditions.
🔒 Proposed fix to add concurrency group
on:
schedule:
- cron: '0 4 * * *' # Daily at 4 AM
workflow_dispatch:
+
+concurrency:
+ group: continuous-improvement
+ cancel-in-progress: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| schedule: | |
| - cron: '0 4 * * *' # Daily at 4 AM | |
| workflow_dispatch: | |
| on: | |
| schedule: | |
| - cron: '0 4 * * *' # Daily at 4 AM | |
| workflow_dispatch: | |
| concurrency: | |
| group: continuous-improvement | |
| cancel-in-progress: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/continuous-improvement.yml around lines 3 - 6, Add a
concurrency block to the workflow YAML to prevent simultaneous runs: under the
root level (next to "on:"), add a "concurrency:" key with a stable group name
(for example "continuous-improvement-${{ github.ref }}") and set
"cancel-in-progress: true" so only one run per branch/ref executes at a time;
this ensures scheduled runs and manual "workflow_dispatch" cannot run
concurrently and avoids conflicting commits/pushes.
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Move permissions to job level and add explanatory comment.
Workflow-level contents: write is overly broad. Job-level permissions are a security best practice, limiting the scope of write access to only the jobs that need it.
♻️ Proposed refactor
-permissions:
- contents: write
-
jobs:
improve-repo:
runs-on: ubuntu-latest
+ permissions:
+ contents: write # Required to commit and push improvement reports
steps:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: write | |
| jobs: | |
| improve-repo: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # Required to commit and push improvement reports | |
| steps: |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/continuous-improvement.yml around lines 8 - 9, The
workflow-level permissions block currently grants "contents: write" at the
top-level; move that permission into only the specific job(s) that require
repository write access by removing the top-level "permissions: contents: write"
and adding a "permissions:" mapping under the relevant job(s) (e.g., under the
job key that performs actions needing push/PR operations) with "contents:
write", and add a short comment above that job-level permissions entry
explaining why write access is scoped there (e.g., "Grant contents: write only
for this job because it pushes changes/creates tags").
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref || github.ref_name }} |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Add persist-credentials: false for defense in depth.
Although this workflow needs to push commits, explicitly setting persist-credentials: false and then configuring git credentials manually (as done on lines 39-40) is a security best practice that prevents accidental credential leakage in subsequent steps.
🛡️ Optional security hardening
- name: Checkout Repository
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ github.head_ref || github.ref_name }}🧰 Tools
🪛 zizmor (1.25.2)
[warning] 15-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/continuous-improvement.yml around lines 15 - 18, Add
persist-credentials: false to the actions/checkout@v4 step to avoid leaking the
automatically provided GITHUB_TOKEN; specifically, in the checkout step's with:
block add the key persist-credentials: false and keep the later manual git
credential configuration (the existing steps that set up git credentials) so the
workflow can still push commits.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | ⚖️ Poor tradeoff
Pin actions to commit SHAs for supply chain security.
Using version tags (@v4) instead of commit SHAs exposes the workflow to tag manipulation attacks. Pinning to SHAs is a security hardening best practice.
Example (illustrative SHAs, verify current versions):
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-node@v4
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2Also applies to: 21-21
🧰 Tools
🪛 zizmor (1.25.2)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/continuous-improvement.yml at line 16, Replace the
floating action tag "actions/checkout@v4" with a pinned commit SHA to harden the
workflow supply chain; update the uses entry in the workflow to the specific
commit SHA for actions/checkout (obtain the expected SHA from the
actions/checkout GitHub repo release corresponding to v4) and do the same for
any other `uses:` lines that reference tags so they all use explicit commit SHAs
instead of version tags.
| on: | ||
| issues: | ||
| types: [opened, edited] |
There was a problem hiding this comment.
Add concurrency control to prevent race conditions.
When multiple issues are opened or edited in rapid succession, concurrent workflow runs could conflict when updating labels/assignees via the GitHub API. Adding a concurrency group keyed to the issue number ensures only one management run processes each issue at a time.
🔒 Proposed fix to add concurrency limits
on:
issues:
types: [opened, edited]
+
+concurrency:
+ group: issue-management-${{ github.event.issue.number }}
+ cancel-in-progress: false
permissions:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| issues: | |
| types: [opened, edited] | |
| on: | |
| issues: | |
| types: [opened, edited] | |
| concurrency: | |
| group: issue-management-${{ github.event.issue.number }} | |
| cancel-in-progress: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/issue-management.yml around lines 3 - 5, Add a top-level
concurrency section to the workflow so only one run handles a given issue number
at a time: create a concurrency block (placed at the top level of the YAML
alongside the existing on: section) with group set to something like issue-${{
github.event.issue.number }} and cancel-in-progress: true to ensure new runs
cancel any in-flight run for the same issue and prevent race conditions when
updating labels/assignees.
Source: Linters/SAST tools
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
Pin the checkout action to a commit SHA and disable credential persistence.
Two security concerns with the checkout step:
- Unpinned action reference: Using
actions/checkout@v4(tag) instead of a SHA allows the tag to be moved to a malicious commit, creating a supply-chain attack vector. - Credential persistence: Without
persist-credentials: false, Git credentials remain accessible to subsequent steps, increasing the risk of credential leakage.
🔐 Proposed fix to pin action and disable credentials
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
+ persist-credentials: falseNote: The SHA 11bd71901bbe5b1630ceea73d27597364c9af683 corresponds to v4.2.2 of actions/checkout. Verify the latest secure version before merging.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 15-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/secret-scanning.yml around lines 15 - 17, The checkout
step uses an unpinned tag and leaves credentials persisted; change the
actions/checkout reference to a pinned commit SHA (replace actions/checkout@v4
with actions/checkout@<commit-sha>) and add the input persist-credentials: false
under the checkout step to disable credential persistence; verify the chosen SHA
corresponds to a trusted release (the reviewer suggested
11bd71901bbe5b1630ceea73d27597364c9af683 as an example for v4.2.2) before
merging.
| SECRETS_FOUND=$(git grep -i -E "(api[_-]?key|secret|token|password)[\s]*=[\s]*['\"][a-zA-Z0-9_\-]{16,}['\"]" -- '*.ts' '*.js' '*.json' || true) | ||
|
|
||
| if [ -n "$SECRETS_FOUND" ]; then | ||
| echo "::error::Potential hardcoded secrets found!" | ||
| echo "$SECRETS_FOUND" | ||
| # We don't fail the build here because regex can be noisy, but we flag it | ||
| # exit 1 |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Consider expanding scan coverage or adopting GitHub Advanced Security.
The current regex pattern has known coverage limitations:
- Syntax: Only matches direct assignment (
key = "value"); misses object literals ({ apiKey: "..." }), function arguments, and environment variable access. - Length threshold: The 16+ character requirement may miss shorter secrets (e.g., 12-character tokens).
- File scope: Limited to
*.ts,*.js,*.json; excludes.env,.yml, configuration files, and other common secret locations. - Non-blocking: The commented
exit 1makes this informational only, not a merge gate.
The inline comment correctly notes that GitHub Advanced Security's native secret scanning is the recommended solution. If Advanced Security is not available, consider:
- Adding
.env,.yml,.yaml,.config.jsto the file scope - Lowering the length threshold to 12 characters
- Adding patterns for object literals and template strings
- Enabling
exit 1for critical branches (with false-positive review process)
🔍 Example: Expand file scope and add pattern variations
- SECRETS_FOUND=$(git grep -i -E "(api[_-]?key|secret|token|password)[\s]*=[\s]*['\"][a-zA-Z0-9_\-]{16,}['\"]" -- '*.ts' '*.js' '*.json' || true)
+ SECRETS_FOUND=$(git grep -i -E "(api[_-]?key|secret|token|password)[\s]*[:=][\s]*['\"][a-zA-Z0-9_\-]{12,}['\"]" -- '*.ts' '*.js' '*.json' '*.env*' '*.yml' '*.yaml' || true)Changes:
- Added
:to match object literal syntax - Lowered threshold to 12 characters
- Added
.env*,.yml,.yamlto file scope
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| SECRETS_FOUND=$(git grep -i -E "(api[_-]?key|secret|token|password)[\s]*=[\s]*['\"][a-zA-Z0-9_\-]{16,}['\"]" -- '*.ts' '*.js' '*.json' || true) | |
| if [ -n "$SECRETS_FOUND" ]; then | |
| echo "::error::Potential hardcoded secrets found!" | |
| echo "$SECRETS_FOUND" | |
| # We don't fail the build here because regex can be noisy, but we flag it | |
| # exit 1 | |
| SECRETS_FOUND=$(git grep -i -E "(api[_-]?key|secret|token|password)[\s]*[:=][\s]*['\"][a-zA-Z0-9_\-]{12,}['\"]" -- '*.ts' '*.js' '*.json' '*.env*' '*.yml' '*.yaml' || true) | |
| if [ -n "$SECRETS_FOUND" ]; then | |
| echo "::error::Potential hardcoded secrets found!" | |
| echo "$SECRETS_FOUND" | |
| # We don't fail the build here because regex can be noisy, but we flag it | |
| # exit 1 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/secret-scanning.yml around lines 24 - 30, The
secret-scanning step uses a narrow regex and file scope: update the
SECRETS_FOUND assignment to expand scanned files (add .env*, .yml, .yaml,
.config.js and other common config patterns), relax the length threshold to 12,
and extend the regex to also match object-literal and template-string forms
(e.g., add ":" and `[:\s]*[:\s]*['"`]`/`[`\${]` patterns or separate regexes for
object keys and template literals) so it catches patterns like apiKey: "..." and
`key = `${token}`;` ; finally, consider restoring or gating the exit 1 (enable
exit on critical branches or behind a strict branch rule) so detections can fail
CI when required—refer to the SECRETS_FOUND variable and the existing regex
assignment when making these edits.
| fs.writeFileSync( | ||
| path.resolve(process.cwd(), 'docs/tech-debt-report.md'), | ||
| '# Continuous Improvement Report\n\nGEMINI_API_KEY is not set. Skipping real improvement analysis.', |
There was a problem hiding this comment.
Critical: Directory existence check missing in early-exit path.
When GEMINI_API_KEY is not set, the script writes to docs/tech-debt-report.md without first ensuring the docs/ directory exists. The directory creation logic at lines 61-64 is only reached when the API key is present. If docs/ does not exist at workflow runtime and the key is missing, fs.writeFileSync will throw an ENOENT error and the job will fail.
🛡️ Proposed fix to ensure directory exists before writing
if (!apiKey) {
console.warn('GEMINI_API_KEY is not set. Skipping real improvement analysis.');
+ const outDir = path.resolve(process.cwd(), 'docs');
+ if (!fs.existsSync(outDir)) {
+ fs.mkdirSync(outDir, { recursive: true });
+ }
fs.writeFileSync(
- path.resolve(process.cwd(), 'docs/tech-debt-report.md'),
+ path.join(outDir, 'tech-debt-report.md'),
'# Continuous Improvement Report\n\nGEMINI_API_KEY is not set. Skipping real improvement analysis.',
);
return;
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/automation/improve-repo.ts` around lines 11 - 13, The early-exit
branch that runs fs.writeFileSync(path.resolve(process.cwd(),
'docs/tech-debt-report.md'), ...) when GEMINI_API_KEY is not set must ensure the
docs directory exists first; add a pre-write directory creation step (e.g.,
const outPath = path.resolve(process.cwd(), 'docs/tech-debt-report.md');
fs.mkdirSync(path.dirname(outPath), { recursive: true });) before calling
fs.writeFileSync so it won't throw ENOENT. This mirrors the existing
directory-creation logic later in the script and uses the same path resolution
semantics.
| const metadataPath = path.resolve(process.cwd(), 'metadata.json'); | ||
| let metadata: any = {}; | ||
| if (fs.existsSync(metadataPath)) { | ||
| metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8')); | ||
| } |
There was a problem hiding this comment.
Major: Missing error handling for malformed metadata.json.
JSON.parse at line 21 has no try-catch wrapper. If metadata.json is malformed or contains invalid JSON, the script will crash instead of falling back gracefully. This is particularly important given that metadata.json is expected to be updated frequently by automation scripts and could be corrupted or incomplete.
🛡️ Proposed fix to add error handling
const metadataPath = path.resolve(process.cwd(), 'metadata.json');
let metadata: any = {};
if (fs.existsSync(metadataPath)) {
- metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
+ try {
+ metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
+ } catch (error) {
+ console.warn('Failed to parse metadata.json, using empty metadata:', error);
+ }
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| const metadataPath = path.resolve(process.cwd(), 'metadata.json'); | |
| let metadata: any = {}; | |
| if (fs.existsSync(metadataPath)) { | |
| metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8')); | |
| } | |
| const metadataPath = path.resolve(process.cwd(), 'metadata.json'); | |
| let metadata: any = {}; | |
| if (fs.existsSync(metadataPath)) { | |
| try { | |
| metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8')); | |
| } catch (error) { | |
| console.warn('Failed to parse metadata.json, using empty metadata:', error); | |
| } | |
| } |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/automation/improve-repo.ts` around lines 18 - 22, The code reads and
parses metadata.json without error handling; wrap the
JSON.parse(fs.readFileSync(...)) call in a try-catch so malformed JSON doesn't
crash the script: attempt to read the file into a string and JSON.parse it
inside try, on error catch the exception, log or warn about the parse failure
(including the error message) and leave the existing metadata variable as the
empty object fallback; keep metadataPath and the existence check but ensure
parse errors are handled gracefully in the catch block.
| }); | ||
| aiResponse = response.text || '{}'; | ||
| // Remove markdown code block if present | ||
| const cleanJson = aiResponse.replace(/```json\n?|\n?```/g, '').trim(); |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Improve regex robustness for markdown fence cleaning.
The regex /```json\n?|\n?```/g may not handle all markdown code fence variations (e.g., Windows line endings \r\n, spaces before closing fence, case variations like ```JSON). While the prompt instructs the AI to output only JSON, defensive handling reduces the risk of parse failures if the AI occasionally wraps the response.
♻️ Proposed fix for more robust fence removal
- const cleanJson = aiResponse.replace(/```json\n?|\n?```/g, '').trim();
+ const cleanJson = aiResponse
+ .replace(/```json\s*/gi, '')
+ .replace(/\s*```/g, '')
+ .trim();This handles:
- Case-insensitive language identifier (
/json/gi) - Any whitespace after opening fence (
\s*) - Any whitespace before closing fence (
\s*)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/automation/issue-manager.ts` at line 53, The current cleanup for
aiResponse in the const cleanJson assignment uses a brittle regex
(/```json\n?|\n?```/g) that misses variations (CRLF, case, extra whitespace);
update the logic that sets cleanJson (the const cleanJson and its use of
aiResponse) to first remove an opening code fence with a case-insensitive regex
that allows optional whitespace after the language tag (e.g.,
replace(/```json\s*/i, '')) and then remove any closing fence allowing leading
whitespace (e.g., replace(/\s*```/g, '')), and finally trim() the result so all
common markdown fence variants (including `\r\n`, ` ```JSON`, or spaces) are
handled robustly.
…d invalid parameter names - Upgrade `vite` to version 6 (addresses `esbuild` high severity vulnerability reported by `npm audit`). - Fix `thollander/actions-comment-pull-request@v3` parameter names in `ai-documentation-agent.yml` (change `filePath` to `file-path` and `comment_tag` to `comment-tag`). Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
|
GEMINI_API_KEY is not set. Skipping real AI review generation. |
…ge graph [skip ci]




This PR establishes the foundation for a fully autonomous, self-healing, and self-documenting repository as requested. It maximizes free GitHub capabilities by introducing:
AGENTS.mdspecifying rules for AI contributors (e.g., usenpm run fix, always run validation).improve-repo.ts) and a daily Action (continuous-improvement.yml) that analyzes repository metadata to generate a technical debt and contributor experience report.issue-manager.ts) and Action (issue-management.yml) to automatically triage, categorize, label, and assign new or edited issues using the Google GenAI SDK and native Node.jsfetch(ensuring security against command injection).secret-scanning.ymlaction to passively audit commits for hardcoded API keys and secrets.PR created automatically by Jules for task 11973600290527538830 started by @NITISH-R-G
Summary by Sourcery
Introduce AI-driven continuous repository improvement, automated issue management, and basic secret scanning via new scripts, workflows, and guidelines for AI agents.
New Features:
Enhancements:
CI:
Documentation: