Add workflow #2

Merged: gentamura merged 2 commits into main from chore/add-workflow on Dec 5, 2025

Conversation

gentamura (Member) commented Dec 5, 2025

Summary by CodeRabbit

  • Chores
    • Established a continuous integration workflow that automatically runs linting and type checks on pull requests and commits to the main branch.


@gentamura gentamura self-assigned this Dec 5, 2025
coderabbitai bot commented Dec 5, 2025

Walkthrough

Adds a new GitHub Actions workflow at .github/workflows/ci.yml that triggers on pushes to main and on pull requests; it grants repository contents: write permission and runs two reusable workflows (lint and typecheck) from the listee-ci repo.

Changes

Cohort / File(s): GitHub Actions CI Workflow (.github/workflows/ci.yml)
Summary: New workflow defining CI triggers for pushes to main and pull requests; sets contents: write repository permission and invokes reusable lint and typecheck workflows from listee-dev/listee-ci on main.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Verification focus:
    • Confirm trigger scopes (push to main, pull_request any branch).
    • Validate repository permission contents: write is intentional and minimally scoped.
    • Check reusable workflow references and branch (listee-dev/listee-ci/.github/workflows/...@main).

Poem

🐰 A tiny CI hop so spry,
Workflows scurry, tests run by,
Lint and types take beat and pace,
Keeping code a tidy place. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. Explanation: The title 'Add workflow' is vague and generic. While it correctly indicates that a workflow is being added, it lacks specificity about which workflow or its purpose. Resolution: Consider using a more specific title like 'Add CI workflow for lint and typecheck' or 'Add GitHub Actions CI workflow' to better convey the change.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c002539 and 045ee6c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yml


coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6c592ee and c002539.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/ci.yml (1)

1-9: Workflow structure and triggers look good.

The workflow is correctly configured to run on pushes to main and on all pull request events. Standard naming and structure.

Comment on lines 11 to 14:

permissions:
  contents: write
  pull-requests: write
  id-token: write

coderabbitai bot commented Dec 5, 2025

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Try to access the external repository to check workflow requirements
cd /tmp
gh repo clone listee-dev/listee-ci --depth 1 2>&1 | head -20

Repository: listee-dev/listee-web

Length of output: 302


🏁 Script executed:

# Clone the external reusable workflows repository
git clone --depth 1 https://github.com/listee-dev/listee-ci.git /tmp/listee-ci 2>&1 && \
echo "=== lint.yml ===" && \
cat /tmp/listee-ci/.github/workflows/lint.yml 2>/dev/null || echo "Not found" && \
echo "" && \
echo "=== typecheck.yml ===" && \
cat /tmp/listee-ci/.github/workflows/typecheck.yml 2>/dev/null || echo "Not found"

Repository: listee-dev/listee-web

Length of output: 1026


🏁 Script executed:

# Check the full CI workflow to see all jobs and whether pull-requests or id-token are needed elsewhere
cat /tmp/listee-ci/.github/workflows/ci.yml 2>/dev/null || echo "Not found in external repo"

# Also check the current repo's ci.yml to see all workflows
echo "=== Current repo ci.yml ===" && \
head -50 .github/workflows/ci.yml

Repository: listee-dev/listee-web

Length of output: 444


Reduce permissions to contents: read only.

The reusable workflows lint.yml and typecheck.yml from listee-dev/listee-ci require only contents: read. The current permissions (contents: write, pull-requests: write, id-token: write) exceed the principle of least privilege. Neither workflow updates pull requests, generates OIDC tokens, or modifies repository contents—they only analyze code.

Recommended change:

permissions:
  contents: read
🤖 Prompt for AI Agents
.github/workflows/ci.yml around lines 11 to 14: the workflow currently grants
overly broad permissions (contents: write, pull-requests: write, id-token:
write); change the permissions block to grant only contents: read and remove
pull-requests and id-token entries so the reusable lint/typecheck workflows run
with least privilege.

coderabbitai bot commented

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the specific commit to see what changes were made
git show 045ee6c:.github/workflows/ci.yml | head -25

Length of output: 283


@gentamura, thank you for addressing this! You've removed the pull-requests: write and id-token: write permissions, which is great progress.

However, I notice that contents is still set to write. Since the reusable lint and typecheck workflows only read and analyze code without modifying repository contents, this should be:

permissions:
  contents: read

This would fully align with the principle of least privilege. The workflows don't commit changes or push code, so read access is sufficient.
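The review thread above reduces to one check: the caller workflow's top-level permissions block should grant no more than the reusable lint and typecheck workflows actually need, here contents: read. The script below is an added example, not code from the listee-web PR or from listee-dev/listee-ci. It reads the top-level permissions block of a workflow file with a small line-based reader (so it needs no PyYAML) and reports every scope granted above a stated baseline. It goes slightly beyond the thread by also handling the read-all / write-all shorthand and a workflow with no permissions block at all. The sample workflow text is constructed here from the permissions quoted in the review and the reusable-workflow paths named in the thread; the REQUIRED baseline of contents: read is taken from the review's recommendation and is an assumption about what those workflows need.

```python
"""Check a GitHub Actions workflow's top-level permissions against a
least-privilege baseline.  Added example; not code from the PR or from
listee-dev/listee-ci.  Small line-based reader, no PyYAML needed."""

from __future__ import annotations

# Ordering of the access levels GitHub Actions accepts for a scope.
ACCESS_RANK = {"none": 0, "read": 1, "write": 2}

# Baseline taken from the review recommendation (an assumption about the
# reusable lint/typecheck workflows): they only read the checked-out code.
# Any scope not listed here is treated as "none".
REQUIRED = {"contents": "read"}


def parse_permissions(workflow_text: str) -> dict[str, str]:
    """Return {scope: access} for the top-level `permissions:` block.

    Handles a mapping, the `read-all` / `write-all` shorthand (returned as
    {"*": "read"} / {"*": "write"}) and the empty mapping `{}`.  No top-level
    block yields {"<default>": "unspecified"}: GITHUB_TOKEN then inherits the
    repository default rather than an explicit grant.  Job-level blocks are
    indented and therefore ignored.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        head = line.split("#", 1)[0].rstrip()    # drop trailing comments
        if not head.startswith("permissions:"):  # column 0 only
            continue
        value = head[len("permissions:"):].strip()
        if value in ("read-all", "write-all"):
            return {"*": value.split("-", 1)[0]}
        if value == "{}":
            return {}
        block: dict[str, str] = {}
        for nxt in lines[i + 1:]:
            body = nxt.split("#", 1)[0].rstrip()
            if not body.strip():
                continue                 # blank line inside the block
            if not body[:1].isspace():
                break                    # back at column 0: block ended
            scope, _, access = body.strip().partition(":")
            block[scope.strip()] = access.strip()
        return block
    return {"<default>": "unspecified"}


def excess_permissions(granted: dict[str, str],
                       required: dict[str, str] = REQUIRED) -> list[str]:
    """One finding per scope whose grant exceeds the baseline; [] if compliant."""
    if "<default>" in granted:
        return ["no top-level permissions block: GITHUB_TOKEN inherits the repository default"]
    if "*" in granted:
        # read-all / write-all grant every scope at once, not just the needed ones.
        return [f"blanket '{granted['*']}-all' grant; declare only the needed scopes"]
    findings = []
    for scope, access in granted.items():
        need = required.get(scope, "none")
        # Unknown access words (typos) rank highest so they are always reported.
        if ACCESS_RANK.get(access, 99) > ACCESS_RANK[need]:
            findings.append(f"{scope}: {access} granted, {need} needed")
    return findings


# Constructed sample: the permissions block quoted in the review, wrapped in a
# minimal caller workflow using the reusable-workflow paths named in the
# thread.  Not the actual file from the PR.
AS_REVIEWED = """\
name: CI

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: write
  pull-requests: write
  id-token: write

jobs:
  lint:
    uses: listee-dev/listee-ci/.github/workflows/lint.yml@main
  typecheck:
    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@main
"""

# The review's recommended block applied to the same constructed workflow.
RECOMMENDED = AS_REVIEWED.replace(
    "  contents: write\n  pull-requests: write\n  id-token: write\n",
    "  contents: read\n",
)

if __name__ == "__main__":
    for label, text in (("as reviewed", AS_REVIEWED), ("recommended", RECOMMENDED)):
        findings = excess_permissions(parse_permissions(text))
        print(f"{label}: {findings or 'least privilege satisfied'}")
```

Run it against a real workflow by reading the file into a string and passing it to parse_permissions; an empty findings list is the desired outcome. The reader only understands the plain key: value form GitHub documents for permissions blocks, which is enough for a CI gate on this one key without pulling in a full YAML library.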

@gentamura gentamura merged commit 71091b2 into main Dec 5, 2025
3 checks passed
@gentamura gentamura deleted the chore/add-workflow branch December 5, 2025 01:20