Conversation

@gentamura gentamura commented Oct 26, 2025

Summary

  • add lint/test/typecheck CI workflow
  • run on pushes to main and pull requests only (no release job)

Testing

  • none

Summary by CodeRabbit

  • Chores
    • Implemented automated continuous integration workflow to run code quality checks, type validation, and tests on pull requests and main branch updates.

coderabbitai bot commented Oct 26, 2025

Walkthrough

A new GitHub Actions CI workflow is added that automatically runs linting, type-checking, and testing jobs on pushes to the main branch and on pull requests by orchestrating three reusable workflows from the listee-ci repository.

Changes

Cohort / File(s): GitHub Actions CI Workflow (.github/workflows/ci.yml)
Summary: New workflow file that defines CI pipeline triggering on main branch pushes and pull requests, configures permissions (contents, pull-requests, id-token), and calls reusable workflows for lint, typecheck, and test jobs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • This is a straightforward workflow configuration file with no complex logic or custom implementation.

Poem

🐰 A workflow so neat, now the code will be checked,
Linting and types and tests—nothing's left unchecked!
On every push forward, the CI runs fast,
Keeping bugs at the gate, so no bad code will pass. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check ✅ Passed: The title "Add CI workflow without release" is directly and clearly related to the main change in the changeset. It accurately summarizes the primary addition of a GitHub Actions CI workflow configured with lint, typecheck, and test jobs. The phrase "without release" is a meaningful clarification that distinguishes this workflow from a more comprehensive CI/CD setup, which aligns with the PR objectives. The title is concise, specific, and conveys enough information that a teammate scanning the repository history would understand the essential nature of the change.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

3-9: Redundant branch filter in pull_request trigger.

The pull_request event triggers on all branches by default when branches is not specified. Explicitly specifying branches: ["**"] is redundant.

Apply this diff to remove the redundant branch filter:

 on:
   push:
     branches:
       - main
   pull_request:
-    branches:
-      - "**"
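Review bot: dropping the `branches` filter loses nothing, since an unfiltered `pull_request` trigger already fires for pull requests against any base branch, and together with `push: branches: [main]` this is exactly the "pushes to main and pull requests only" behaviour the PR summary describes. The more consequential line in this same file is the top-level `permissions` block that grants `contents: write` and `id-token: write`: every pull request that now triggers the workflow runs the three reusable jobs under that token scope, so the permission reduction raised in the other comment should land in the same change as this cleanup.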
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d0f964 and cda6e71.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

Comment on lines +11 to +14

```yaml
permissions:
  contents: write
  pull-requests: write
  id-token: write
```
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Overly broad permissions; verify necessity of contents: write.

A linting, type-checking, and testing workflow typically only requires read access to repository contents. The contents: write permission should be limited to workflows that commit or push changes back to the repository. Verify that the reusable workflows actually require write access; if not, reduce to contents: read.


I'll verify the review comment by inspecting the CI workflow and checking if contents: write is actually necessary.


---

🏁 Script executed:

```shell
#!/bin/bash
# Inspect the CI workflow file
cat .github/workflows/ci.yml
```

Length of output: 396


🏁 Script executed:

```shell
#!/bin/bash
# Find all GitHub Actions workflow files to understand the structure
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -20
```

Length of output: 24


🏁 Script executed:

```shell
#!/bin/bash
# Search for any commit/push operations in the CI workflow
rg -n "git|commit|push|write" .github/workflows/ci.yml -A 2 -B 2
```

Length of output: 402


🏁 Script executed:

```shell
#!/bin/bash
# Check if there are reusable workflows and what permissions they declare
find .github/workflows -name "*.yml" -o -name "*.yaml" | xargs grep -l "on:" | head -20
```

Length of output: 24


🏁 Script executed:

```shell
#!/bin/bash
# Look for uses of actions that typically require write access
rg -n "uses:" .github/workflows/ci.yml
```

Length of output: 202


---

🏁 Script executed:

```shell
#!/bin/bash
# Check for any documentation or comments about workflow permissions
rg -n "contents.*write|permissions" . --type=md -C 3
```

Length of output: 0


🏁 Script executed:

```shell
#!/bin/bash
# Look for any comments in workflow files or docs about why write access is needed
find . -name "README*" -o -name "CONTRIBUTING*" | head -10
```

Length of output: 11


🏁 Script executed:

```shell
#!/bin/bash
# Check if there are any other CI-related files that explain the workflow setup
find . -path "./.git" -prune -o -name "*workflow*" -o -name "*ci*" | grep -E "\.(md|yml|yaml|txt)$" | head -20
```

Length of output: 26


Change contents: write to contents: read in the CI workflow.

The ci.yml workflow is a pure orchestrator that delegates to external reusable workflows for linting, type-checking, and testing. It performs no direct write, commit, or push operations. Since these are inherently read-only operations, contents: write is unnecessary and violates the principle of least privilege. Update line 12 to contents: read.

🤖 Prompt for AI Agents
.github/workflows/ci.yml lines 11-14: the workflow grants repository contents
write access though it only orchestrates reusable workflows and requires
read-only access; change the permissions entry from "contents: write" to
"contents: read" while leaving the other permissions (pull-requests: write,
id-token: write) unchanged so the workflow follows least-privilege.

Comment on lines +17 to +24

```yaml
lint:
  uses: listee-dev/listee-ci/.github/workflows/lint.yml@main

typecheck:
  uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@main

test:
  uses: listee-dev/listee-ci/.github/workflows/test.yml@main
```
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Pin reusable workflows to specific tags or commit SHAs instead of @main.

Using @main for reusable workflows creates a security risk: if the external listee-dev/listee-ci repository is compromised or the main branch is modified unexpectedly, your CI pipeline could execute malicious code. Always pin to specific, immutable references (e.g., @v1.0.0 or @abc123def456...).

Identify the appropriate version or commit SHA for each reusable workflow and apply a diff similar to this:

   lint:
-    uses: listee-dev/listee-ci/.github/workflows/lint.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/lint.yml@v1.0.0

   typecheck:
-    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@v1.0.0

   test:
-    uses: listee-dev/listee-ci/.github/workflows/test.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/test.yml@v1.0.0

Once you identify the appropriate versions, please verify the reusable workflows documentation to confirm the exact version or commit SHA to use.


I'll verify the appropriate versions available for the listee-dev/listee-ci repository to determine what specific tags should be used for pinning.


---

🏁 Script executed:

```shell
#!/bin/bash
# Check if the repo exists and list available refs
gh repo view listee-dev/listee-ci 2>/dev/null | head -20
```

Length of output: 951


🌐 Web query:

listee-dev/listee-ci GitHub repository releases versions

💡 Result:

Releases for listee-dev/listee-ci (versions and publish dates):

  • v1.2.0 — 20 Sep 2025. [1]
  • v1.1.0 — 18 Sep 2025. [1]
  • v1.0.0 — 15 Sep 2025. [1]

Sources: GitHub repository and Releases page. [1] GitHub — listee-dev/listee-ci Releases. [2] GitHub — listee-dev/listee-ci repository main page.


Pin reusable workflows to specific, immutable references instead of @main.

Using @main creates a security risk: if the listee-dev/listee-ci repository is compromised, your CI pipeline could execute malicious code. The repository has available releases v1.2.0 (Sep 20, 2025), v1.1.0 (Sep 18, 2025), and v1.0.0 (Sep 15, 2025). Additionally, the repository includes a pinact.yml workflow that validates reusable workflows reference full-length commit SHAs, indicating that commit SHA pinning is the preferred approach.

Update the three workflows to use either the latest stable version or full commit SHAs:

   lint:
-    uses: listee-dev/listee-ci/.github/workflows/lint.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/lint.yml@v1.2.0

   typecheck:
-    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@v1.2.0

   test:
-    uses: listee-dev/listee-ci/.github/workflows/test.yml@main
+    uses: listee-dev/listee-ci/.github/workflows/test.yml@v1.2.0
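Review bot: `@v1.2.0` is still a movable ref. A tag can be deleted and re-pushed at a different commit, so this diff narrows the window described above without closing it. Pin each `uses:` to the full 40-character commit SHA and keep the tag in a trailing comment for readability, e.g. `uses: listee-dev/listee-ci/.github/workflows/lint.yml@<full-commit-sha>  # v1.2.0` (placeholder; resolve the real SHA from the listee-ci tag), which is also the form the pinact.yml check mentioned above validates.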

Alternatively, resolve to full commit SHAs for even stronger immutability guarantees.

🤖 Prompt for AI Agents
.github/workflows/ci.yml lines 17-24: the reusable workflows are referenced with
the mutable @main ref which is insecure; update the three uses lines to point to
immutable refs by replacing @main with either a specific released tag (e.g.,
v1.2.0) or the full commit SHA for each reusable workflow in
listee-dev/listee-ci, ensuring you use the exact tag or corresponding commit SHA
for lint.yml, typecheck.yml and test.yml so the CI runs a pinned, immutable
workflow version.
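The two findings in the review above, over-broad `permissions` and reusable workflows referenced by a mutable `@main`, are both mechanical enough to check before a reviewer ever sees the file. The following script is an added example for this page, not code from the listee project or from CodeRabbit. It rebuilds ci.yml from the lines quoted in the review (the `name:` line at the top is an assumption), derives the hardened form from it, and audits both with stdlib-only, line-oriented parsing so it runs without a YAML library. The 40-hex commit SHA in the hardened file is a placeholder, not a real listee-ci commit, and the set of scopes allowed to stay at `write` (`pull-requests`, `id-token`) is taken from the review's own AI-agent prompt rather than from anything the reusable workflows document.

```python
"""
Audit a GitHub Actions workflow for two review findings:
reusable workflows pinned to a mutable ref, and a top-level `permissions`
block that grants write scopes the jobs do not need.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s]+)""")
PERM_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")

# Constructed sample: ci.yml as reviewed, rebuilt from the lines quoted in the
# review comments (3-9, 11-14, 17-24). The `name:` line is an assumption.
ORIGINAL_CI = """\
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - "**"

permissions:
  contents: write
  pull-requests: write
  id-token: write

jobs:
  lint:
    uses: listee-dev/listee-ci/.github/workflows/lint.yml@main

  typecheck:
    uses: listee-dev/listee-ci/.github/workflows/typecheck.yml@main

  test:
    uses: listee-dev/listee-ci/.github/workflows/test.yml@main
"""

# Placeholder, NOT a real listee-ci commit. Resolve the real one with
#   git ls-remote https://github.com/listee-dev/listee-ci 'refs/tags/v1.2.0*'
# and take the peeled (^{}) line if the tag is annotated.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Hardened form: read-only contents, refs pinned to a full commit SHA with the
# tag kept in a trailing comment so humans can still see which version it is.
HARDENED_CI = (
    ORIGINAL_CI
    .replace("contents: write", "contents: read")
    .replace("@main", f"@{PLACEHOLDER_SHA}  # v1.2.0")
)


def find_unpinned_uses(workflow_text):
    """Return (line_no, target) for every `uses:` whose ref is not a 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # same-repo path or container image: no git ref to pin
        ref = target.rsplit("@", 1)[1] if "@" in target else ""
        if not SHA_RE.match(ref):
            findings.append((line_no, target))
    return findings


def find_write_permissions(workflow_text, allowed_write=frozenset()):
    """Return top-level permission scopes set to `write` that are not in allowed_write."""
    over_broad = []
    in_block = False
    for line in workflow_text.splitlines():
        if not in_block:
            head = re.match(r"^permissions:\s*(\S*)\s*$", line)
            if head and head.group(1) == "write-all":
                return ["write-all"]  # shorthand that grants every scope
            in_block = bool(head) and head.group(1) == ""
            continue
        if not line.strip():
            continue
        if not line[0].isspace():
            break  # dedented: the permissions block is over
        m = PERM_RE.match(line)
        if m and m.group(2) == "write" and m.group(1) not in allowed_write:
            over_broad.append(m.group(1))
    return over_broad


def audit(workflow_text, allowed_write=frozenset({"pull-requests", "id-token"})):
    """Collect human-readable findings; an empty list means both checks pass."""
    report = [f"line {n}: unpinned reusable workflow {t}"
              for n, t in find_unpinned_uses(workflow_text)]
    report += [f"permissions: {scope}: write is broader than the jobs need"
               for scope in find_write_permissions(workflow_text, allowed_write)]
    return report


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CI), ("hardened", HARDENED_CI)):
        print(f"== {label} ==")
        print("\n".join(audit(text)) or "ok")
```

Running it prints three unpinned-ref findings plus the `contents: write` finding for the original file and `ok` for the hardened one. The top-level `permissions` block is the right place to tighten because a called reusable workflow can only downgrade the token permissions it receives from the caller, never raise them, so whatever ci.yml grants is the ceiling for lint, typecheck and test alike.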

@gentamura gentamura (Member Author) commented:

Merged #1

@gentamura gentamura closed this Oct 26, 2025