Automate CI and review workflows

.coderabbit.yaml

@@ -0,0 +1,42 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# Reference: https://docs.coderabbit.ai/reference/configuration
+language: en-US
+tone_instructions: "Review with a calm, practical tone and highlight blockers first."
+reviews:
+  profile: assertive
+  high_level_summary: true
+  high_level_summary_in_walkthrough: true
+  path_filters:
+    - "!dist/**"
+    - "!node_modules/**"
+    - "!coverage/**"
+    - "src/**"
+    - "lib/**"
+    - "test/**"
+  auto_review:
+    enabled: true
+    drafts: false
+    base_branches:
+      - main
+  tools:
+    eslint:
+      enabled: true
+    biome:
+      enabled: true
+    gitleaks:
+      enabled: true
+    actionlint:
+      enabled: true
+knowledge_base:
+  code_guidelines:
+    enabled: true
+    filePatterns:
+      - "docs/**"
+      - "AGENTS.md"
+      - "spec/**/*.md"
+  learnings:
+    scope: auto
+  issues:
+    scope: auto
+  pull_requests:
+    scope: auto

.github/workflows/ci.yml

@@ -2,57 +2,190 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches:
+      - '**'
   pull_request:
-    branches: [main]
 
 jobs:
-  test:
-    name: Test on Node.js ${{ matrix.node-version }}
+  lint:
+    name: Lint & Typecheck
     runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.15.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
 
+      - name: Run lint
+        run: pnpm lint
+
+      - name: Run typecheck
+        run: pnpm typecheck
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         node-version: [20.x, 22.x]
-
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.15.0
+
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+          cache: pnpm
 
       - name: Install dependencies
-        run: npm ci
-
-      - name: Run type check
-        run: npm run typecheck
+        run: pnpm install --frozen-lockfile
 
       - name: Run tests
-        run: npm test
+        run: pnpm test
 
       - name: Build
-        run: npm run build
+        run: pnpm run build
 
-  lint:
-    name: Lint and Format Check
+  mutation:
+    name: Mutation Tests
     runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.15.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run mutation tests
+        run: pnpm test:mutation
+
+      - name: Upload Stryker reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: stryker-reports
+          path: |
+            coverage/stryker.html
+            coverage/stryker.json
+          if-no-files-found: ignore
 
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs:
+      - lint
+      - test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: write
+    env:
+      OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+      OPENCODE_API_URL: ${{ secrets.OPENCODE_API_URL }}
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.15.0
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
-          cache: 'npm'
+          node-version: 22.x
+          cache: pnpm
 
       - name: Install dependencies
-        run: npm ci
+        run: pnpm install --frozen-lockfile
+
+      - name: Validate release secrets
+        run: |
+          if [ -z "$NPM_TOKEN" ]; then
+            echo "NPM_TOKEN secret is required to publish" >&2
+            exit 1
+          fi
+          if [ -z "$OPENCODE_API_KEY" ]; then
+            echo "OPENCODE_API_KEY secret is required to classify releases" >&2
+            exit 1
+          fi
+
+      - name: Analyze repository for release
+        id: analyze
+        run: |
+          node scripts/detect-release-type.mjs --output release-analysis.json
+          echo "release_type=$(jq -r '.releaseType' release-analysis.json)" >> "$GITHUB_OUTPUT"
+          echo "next_version=$(jq -r '.nextVersion' release-analysis.json)" >> "$GITHUB_OUTPUT"
+          {
+            echo "notes<<'EOF'"
+            jq -r '.releaseNotes' release-analysis.json
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Remove analyzer scratch file
+        run: rm -f release-analysis.json
+
+      - name: Configure git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Run type check
-        run: npm run typecheck
+      - name: Configure npm auth
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+
+      - name: Bump version and tag
+        run: pnpm version ${{ steps.analyze.outputs.next_version }}
+
+      - name: Build package
+        run: pnpm run build
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
+        run: pnpm publish --access public
+
+      - name: Push changes
+        run: |
+          git push origin HEAD:main --follow-tags
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.analyze.outputs.next_version }}
+          name: Release ${{ steps.analyze.outputs.next_version }}
+          body: ${{ steps.analyze.outputs.notes }}

.github/workflows/review-response.yml

@@ -0,0 +1,103 @@
+name: review-response
+
+on:
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  auto-review-response:
+    if: github.event.comment.user.type != 'Bot'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Verify OpenCode secret
+        run: |
+          if [ -z "$OPENCODE_API_KEY" ]; then
+            echo "OPENCODE_API_KEY secret is required" >&2
+            exit 1
+          fi
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Install OpenCode CLI
+        run: |
+          curl -fsSL https://opencode.ai/install.sh | sh
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Prepare review context
+        id: context
+        run: node scripts/review-response-context.mjs
+
+      - name: Start fix branch
+        id: branch
+        run: |
+          branch="${{ steps.context.outputs.branch_name }}-${{ github.run_id }}"
+          git checkout -b "$branch"
+          echo "name=$branch" >> "$GITHUB_OUTPUT"
+
+      - name: Run review-response agent
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          opencode run \
+            --agent review-response \
+            --model opencode/big-pickle \
+            --file review-context.md \
+            "Follow the instructions inside review-context.md and resolve the review comment precisely."
+
+      - name: Detect changes
+        id: diff
+        run: |
+          if git diff --quiet; then
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit and push
+        if: steps.diff.outputs.has_changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git commit -m "Auto-resolve review comment #${{ steps.context.outputs.comment_id }}" || exit 0
+          git push origin "${{ steps.branch.outputs.name }}"
+
+      - name: Open pull request
+        if: steps.diff.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          comment_url="${{ steps.context.outputs.comment_url }}"
+          reviewer="${{ steps.context.outputs.reviewer }}"
+          pr_number="${{ steps.context.outputs.pr_number }}"
+          printf "%s\n%s\n%s\n" \
+            "Automated follow-up for ${comment_url} by @${reviewer}." \
+            "This branch contains a single commit generated by the review-response agent." \
+            "Original PR: #${pr_number}." \
+            > pr-body.txt
+          gh pr create \
+            --base "${{ steps.context.outputs.base_ref }}" \
+            --head "${{ steps.branch.outputs.name }}" \
+            --title "Resolve review comment #${{ steps.context.outputs.comment_id }}" \
+            --body-file pr-body.txt
+
+      - name: No-op notification
+        if: steps.diff.outputs.has_changes != 'true'
+        run: echo "Review-response agent produced no changes; skipping PR creation."

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing Guidelines
 
-Thank you for your interest in contributing to openhax/codex!
+Thank you for your interest in contributing to @openhax/codex!
 
 Before submitting contributions, please review these guidelines to ensure all changes maintain compliance with OpenAI's Terms of Service and the project's goals.