- Migrate the build-and-run job in ci.yml to `node --run build --
--sourceMap --declaration` so the inline command matches the
`node --run` style of the test job (claude review round 2 #1)
- Update the hi github-actions.md matrix example from `[22, 24]` to
`[22, 24, 26]` so the doc mirrors the project's actual CI matrix
(gemini-code-assist / coderabbitai inline comment)
- Bump the stale "(Node 20+)" baseline in reviewer-performance.md to
"(Node 22+)" to track the new engines floor (claude review round 2
minor)

Now that the minimum supported Node.js version is 22, `node --run` is
available everywhere. It avoids the npm process-spawn overhead and
matches the style already used in package.json scripts.
Affects all GitHub Actions workflows that invoke npm scripts and the
website/server Dockerfile bundle step. `npm ci` is left as-is since it
is npm-specific.

Node.js 20 reaches end-of-life on 2026-04-30, so raise the minimum
supported version to 22 (the next active LTS) and add Node.js 26 to the
CI matrix as the current release line.
- Bump engines.node to >=22.0.0 in package.json and scripts/memory
- Update CI matrix to [22.x, 24.x, 26.x] (drop 20.x and 25.x; 25.x EOL 2026-06)
- Update test-action.yml matrix to [22, 24, 26]
- Drop the obsolete `node --run` workaround comment in ci.yml since
`node --run` is supported on all matrix versions
- Update Node.js version mentions in English docs, llms-install.md,
configShard, bug report template, and code samples in hi/vi
github-actions guides
Dockerfile (node:22-slim) is intentionally left at the minimum supported
version so the published image confirms Repomix runs on the floor.

Add JUnit XML reporting to the test-coverage job and upload results
via codecov/test-results-action. This enables Test Analytics features
(test run times, failure rates, flaky test detection, and PR comments
with failed test summaries).
Also update the README Codecov badge URL to include the graph token,
following Codecov's new recommended badge format.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Split the CI workflow into focused files with appropriate path filters:
- ci.yml: Core lint, test, and build (paths-ignore website/, browser/)
- ci-website.yml: Website client/server lint and bundle (paths: website/**)
- ci-browser.yml: Browser extension lint and test (paths: browser/**)
- ci-quality.yml: actionlint, zizmor, typos (broad paths-ignore)
This reduces unnecessary job execution by ~40 jobs when only a subset
of the codebase changes, and improves workflow readability.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Skip unnecessary CI runs when only documentation or unrelated files
change. Benchmarks, schema generation, CodeQL, and Docker builds now
trigger only on source code changes. CI, autofix, and pack-repository
use paths-ignore to skip docs-only changes. Docker workflow push/PR
path filters are unified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

prepack does not reliably run when installing repomix as a git dependency,
causing the server Docker build to fail (lib/ directory missing).
Change to prepare which reliably runs for git dependency installation.
Also change npm ci --omit=dev to npm prune --omit=dev in Dockerfile and CI,
since npm prune does not trigger lifecycle scripts (avoiding prepare failure
when devDependencies are no longer available).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Now that `prepare` has been replaced with `prepack` (which only runs on
npm pack/publish), `npm ci --omit=dev` no longer triggers an unwanted
build. This allows a cleaner approach: install all deps, build, then
reinstall with only production dependencies via `npm ci --omit=dev`.
https://claude.ai/code/session_01WorTDgSv8c9jvVpa1YsSeo

npm 10.x (shipped with Node 22) deprecates the --production flag.
Use --omit=dev instead for both Dockerfile and CI workflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Same change as Dockerfile — replace `npm ci --omit=dev --ignore-scripts`
with `npm prune --production` for consistency and efficiency.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix all findings from actionlint and zizmor security linters:
- Add persist-credentials: false to all checkout steps across 14 workflows
- Fix template injection in repomix action by using env vars instead of ${{ inputs.* }}
- Pin Homebrew actions to SHA (50b8c2ab) instead of @main tag
- Add zizmor config to ignore artipacked for schema-update.yml (needs credentials for push)
- Add zizmor linter job and config path to ci.yml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
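
Added example, not part of the commit above or of the Repomix workflows: a minimal line-based audit for three of the findings that commit lists (checkout without `persist-credentials: false`, `${{ inputs.* }}` expanded inside a `run:` script, and actions referenced by tag or branch instead of a full SHA). The workflow text, the `example-org/some-action` name, the SHA and the rule labels other than `artipacked` are constructed for illustration; this is not how zizmor or actionlint are implemented.

```javascript
// Constructed workflow: job "weak" shows the three patterns, job "fixed" the remedies.
const WORKFLOW = `jobs:
  weak:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-action@main
      - run: repomix --style \${{ inputs.style }}
  fixed:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          persist-credentials: false
      - env:
          STYLE: \${{ inputs.style }}
        run: repomix --style "$STYLE"
`;

function auditWorkflow(text) {
  const findings = [];
  const steps = []; // each step is a list of [lineNumber, lineText]
  text.split('\n').forEach((t, i) => {
    if (/^\s*- /.test(t)) steps.push([]);
    if (steps.length) steps[steps.length - 1].push([i + 1, t]);
  });
  for (const step of steps) {
    const body = step.map(([, t]) => t).join('\n');
    const uses = body.match(/uses:\s*([^\s@]+)@?(\S*)/);
    if (uses) {
      const [, action, ref] = uses;
      // Local actions (./path) have no ref; everything else needs a 40-hex commit SHA.
      if (!action.startsWith('./') && !/^[0-9a-f]{40}$/.test(ref))
        findings.push({ line: step[0][0], rule: 'unpinned-action' });
      if (action === 'actions/checkout' && !/persist-credentials:\s*false/.test(body))
        findings.push({ line: step[0][0], rule: 'artipacked' });
    }
    let runCol = -1; // column of the active run: key, -1 when outside a script
    for (const [no, t] of step) {
      const indent = t.search(/\S/);
      if (/^\s*(- )?run:/.test(t)) runCol = t.indexOf('run:');
      else if (indent !== -1 && indent <= runCol) runCol = -1;
      // Only expressions inside the script text are flagged; under env: they arrive as data.
      if (runCol !== -1 && /\$\{\{\s*inputs\./.test(t))
        findings.push({ line: no, rule: 'template-injection' });
    }
  }
  return findings;
}

console.log(auditWorkflow(WORKFLOW));
```

The `fixed` job produces no findings because the input reaches the shell through the `STYLE` environment variable rather than being pasted into the script before it runs.
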
- Rename lint-action to lint-actionlint for consistency
- Add lint-zizmor job using zizmorcore/zizmor-action (SHA-pinned)
- Add timeout-minutes to both jobs
- zizmor provides security-focused static analysis for GitHub Actions
workflows, detecting issues like pull_request_target misuse,
expression injection, and overly permissive permissions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add author_association check (OWNER/MEMBER/COLLABORATOR) to claude.yml
to prevent external users from triggering Claude via @claude mentions
in comments and issues. This mitigates prompt injection attack vectors
similar to the hackerbot-claw campaign targeting GitHub Actions.
Add explicit `permissions: contents: read` to ci.yml, benchmark.yml,
pack-repository.yml, and test-action.yml which previously relied on
default permissions, ensuring least-privilege principle.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Added Node.js 25.x to the CI test matrix to ensure compatibility with the latest Node.js version.
This change updates both the `test` and `build-and-run` jobs to include Node.js 25.x alongside the existing versions (20.x, 22.x, 24.x).
Each job will now run across 12 combinations (3 OS × 4 Node.js versions).

This replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files. The changes include:
- Remove ratchet-update.yml and ratchet-verify.yml workflows
- Add new pinact.yml workflow for automated SHA pinning
- Update all workflow files to use pinact-style comments (# v1.2.3 instead of # ratchet:action@v1)
- Add .pinact.yaml configuration file with ignore rules for Homebrew actions and local actions
- Update package.json scripts to use pinact commands instead of ratchet
Pinact provides more reliable SHA pinning with better GitHub Actions integration.