fix(action): align auto mode reporting and base comparison

[srod]

User description

Summary

• align auto mode reporting with explicit mode by honoring PR comments and annotations
• switch auto mode summary to the dedicated auto-mode reporter
• compare PR size deltas against base output artifacts when available (not source file paths)
• scope esbuild/yui type validation to explicit mode only

Testing

• bun run test packages/action
• bun run lint (packages/action)
• bun run typecheck (packages/action)

---

PR Type

Bug fix, Enhancement, Tests

---

Description

• Track output file paths in minification results for accurate base comparisons

• Compare minified sizes against base output artifacts instead of source files

• Scope esbuild/yui type validation to explicit mode only, allowing auto mode flexibility

• Align auto mode reporting with explicit mode by honoring PR comments and annotations

• Add comprehensive tests for output path tracking and auto mode reporting features

---

Diagram Walkthrough

flowchart LR
  A["Minification Results"] -->|"Track outputFile path"| B["FileResult with outputFile"]
  B -->|"Use outputFile for comparison"| C["compareWithBase"]
  C -->|"Query base branch artifacts"| D["Accurate Size Deltas"]
  E["Auto Mode"] -->|"Honor PR comments/annotations"| F["Aligned Reporting"]
  G["Type Validation"] -->|"Explicit mode only"| H["Auto mode flexibility"]

Loading

File Walkthrough

	Relevant files
Enhancement	3 files types.ts Add optional outputFile field to FileResult                            +1/-0      minify.ts Track output file path in minification results                      +1/-0      index.ts Implement auto mode reporting with PR comments and annotations +15/-2
Bug fix	2 files compare.ts Compare against output paths instead of source files          +12/-9    inputs.ts Scope type validation to explicit mode only                            +1/-1
Tests	4 files compare.test.ts Test output file path comparison functionality                      +44/-0    minify.test.ts Verify outputFile field in minification results                    +1/-0      inputs.test.ts Test esbuild type validation in auto mode                                +15/-0    runAutoMode.test.ts Test auto mode reporting with comments and annotations      +71/-6

---

---

Summary by cubic

Aligns auto mode with explicit mode and hardens base comparisons. Auto mode now uses its own summary, can post PR comments and annotations, and compares size deltas against base output artifacts.

• Bug Fixes
  • Compare against base output artifacts via outputFile; store outputFile as repo‑relative (includes workingDirectory, normalizes Windows paths).
  • Sanitize and normalize compare paths; fall back to source path when unsafe, or mark the file as new when both paths are unsafe.
  • Auto mode uses the auto-mode summary and honors reportPRComment/reportAnnotations to post PR comments and add annotations.
  • Require type for esbuild/yui only in explicit mode; auto mode no longer needs type.

^{Written for commit 7c834bd. Summary will update on new commits.}

Summary by CodeRabbit

• New Features

  • Auto mode can post PR comments and add annotations with minification summaries.
  • Minification results now include repository-relative outputFile paths for clearer reporting.

• Bug Fixes / Improvements

  • Base-branch comparisons normalize Windows paths and skip unsafe compare paths with a warning.
  • Auto mode no longer requires an explicit type for certain compressors (e.g., esbuild).

• Tests

  • Added tests for outputFile handling, base-compare behavior, PR comments, annotations, and input parsing.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7c834bd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds repository-relative outputFile to minification results, normalizes and validates compare paths for base-branch lookups (skipping unsafe paths with warnings), relaxes required-type validation in auto mode, and extends auto mode to generate summaries, post PR comments, and add annotations; tests updated accordingly.

Changes

Cohort / File(s)	Summary
Types packages/action/src/types.ts	Added optional outputFile?: string to FileResult.
Minification packages/action/src/minify.ts	Added toRepositoryPath and populate outputFile on file results (repository‑relative POSIX path).
Comparison Logic packages/action/src/compare.ts	Introduced normalizeComparePath; compareWithBase computes/validates comparePath, skips unsafe paths with warnings, and forwards comparePath to compareFile (signature updated to accept sourceFilePath + comparePath).
Inputs & Auto Mode packages/action/src/inputs.ts, packages/action/src/index.ts	Disabled required-type enforcement when auto is true; runAutoMode now sets outputFile, uses generateAutoModeSummary, posts PR comments, and adds annotations when configured.
Tests — Compare & Auto Mode packages/action/__tests__/compare.test.ts, packages/action/__tests__/runAutoMode.test.ts	Added tests for explicit/Windows/unsafe outputFile compare paths, warning expectations, PR comment posting, and annotation behavior; replaced generateSummary usage with generateAutoModeSummary in tests.
Tests — Minify & Inputs packages/action/__tests__/minify.test.ts, packages/action/__tests__/inputs.test.ts	Expect outputFile on minification results; allow esbuild compressor in auto mode without explicit type.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Workflow Client
    participant Action as Minify Action
    participant GitHub as GitHub API
    participant Base as Base Branch

    Client->>Action: Trigger runAutoMode (produce outputs)
    Action->>Action: runMinification -> FileResult(s) with `outputFile`
    Action->>Action: normalizeComparePath for each file
    alt valid comparePath
        Action->>GitHub: fetch file content at comparePath
        GitHub->>Base: request file@base
        Base-->>GitHub: return content or 404
        GitHub-->>Action: base content / not-found
        Action->>Action: compute diffs, generateAutoModeSummary
        Action->>GitHub: post PR comment (if PR context & enabled)
    else unsafe or no valid comparePath
        Action->>Action: skip base fetch, mark as new, emit warning
    end
    alt reportAnnotations enabled
        Action->>GitHub: addAnnotations(results)
    end
    Action-->>Client: Complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• feat(action): add base branch size comparison in PR comments #2796 — continues/refactors compareWithBase/compareFile behavior and tests.
• feat(action): add @node-minify/action GitHub Action package for Marketplace #2760 — overlapping changes to action compare/minify/input logic and tests.

Suggested labels

Possible security concern, Review effort 4/5

Poem

🐇 I hopped through paths both safe and odd,
outputFile trimmed to the repo’s rod.
I sniffed for ../ secrets with a twitch and a wink,
warned when a path darted too close to the brink.
A tiny rabbit cheers — minify, click!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: aligning auto mode reporting and base comparison logic, which is the primary objective across multiple file modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/action-review-fixes

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Base artifact probing Description: The new use of fileResult.outputFile as comparePath in octokit.rest.repos.getContent({ path: comparePath }) can allow untrusted/PR-controlled output paths to query arbitrary repository paths on the base branch (at least revealing existence/metadata like file size), which is a potential information disclosure vector when the action runs with a privileged githubToken and later reports results/logs. compare.ts [41-145] Referred Code const results = await Promise.all( result.files.map((fileResult) => compareFile( octokit, owner, repo, baseBranch, fileResult.file, fileResult.outputFile ?? fileResult.file, fileResult.minifiedSize ) ) ); return results; } /** * Compares a single file against the base branch version. * * @param octokit - Authenticated Octokit instance ... (clipped 84 lines)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Token edge case: The new auto-mode PR comment flow calls compareWithBase and postPRComment with inputs.githubToken without an explicit guard for missing/empty tokens, which may cause runtime failures depending on how parseInputs populates githubToken. Referred Code if (inputs.reportPRComment && context.payload.pull_request) { const comparisons = await compareWithBase( minifyResult, inputs.githubToken ); await postPRComment(minifyResult, inputs.githubToken, comparisons); } Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Error detail exposure: The new warning message includes raw error.message from the GitHub API call, which could expose internal/request details to workflow logs depending on upstream error contents. Referred Code // Log unexpected errors but don't fail the action warning( `Failed to fetch base branch version of ${comparePath}: ${error instanceof Error ? error.message : String(error)}` ); Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Unstructured warning log: The updated warning(...) call logs a free-form interpolated string including comparePath and error.message, which is not structured logging and may inadvertently include sensitive upstream error details. Referred Code // Log unexpected errors but don't fail the action warning( `Failed to fetch base branch version of ${comparePath}: ${error instanceof Error ? error.message : String(error)}` ); Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Path input validation: The new base comparison uses fileResult.outputFile as comparePath without visible normalization/validation, so the safety of passing potentially user-influenced paths into octokit.rest.repos.getContent depends on upstream constraints not shown in the diff. Referred Code const results = await Promise.all( result.files.map((fileResult) => compareFile( octokit, owner, repo, baseBranch, fileResult.file, fileResult.outputFile ?? fileResult.file, fileResult.minifiedSize ) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Propagate critical API errors properly In compareFile, re-throw critical GitHub API errors (e.g., 401, 403) instead of treating them as if the file is new, to provide clear feedback on configuration or permission issues. packages/action/src/compare.ts [128-153] if ( error instanceof Error && "status" in error && (error as { status: number }).status === 404 ) { + // File doesn't exist in base branch, which is an expected case. return { file: sourceFilePath, baseSize: null, currentSize, change: null, isNew: true, }; } -// Log unexpected errors but don't fail the action +// For other API errors (e.g., 401, 403, rate limits), re-throw to fail fast. +// This makes configuration issues visible instead of silently producing incorrect results. warning( `Failed to fetch base branch version of ${comparePath}: ${error instanceof Error ? error.message : String(error)}` ); +throw error; -return { - file: sourceFilePath, - baseSize: null, - currentSize, - change: null, - isNew: true, -}; - [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies that masking critical API errors (like 401/403) can lead to misleading results and difficult debugging, so re-throwing them provides much clearer feedback to the user.	Medium
General	Guard PR comment on token Add a check for inputs.githubToken before attempting to post a PR comment to prevent errors and warn the user if the token is missing. packages/action/src/index.ts [305-311] -if (inputs.reportPRComment && context.payload.pull_request) { +if (inputs.reportPRComment && inputs.githubToken && context.payload.pull_request) { const comparisons = await compareWithBase( minifyResult, inputs.githubToken ); await postPRComment(minifyResult, inputs.githubToken, comparisons); +} else if (inputs.reportPRComment) { + warning("GitHub token missing, skipping PR comment"); } Apply / Chat Suggestion importance[1-10]: 7 __ Why: This is a good defensive check to ensure a githubToken exists before attempting API calls, improving robustness and providing a helpful warning to the user if the token is missing.	Medium
	Avoid redundant API calls during reporting Fetch base branch comparison data once if any reporting feature is enabled in a pull request, and pass this data to all relevant reporting functions to avoid redundant API calls. packages/action/src/index.ts [301-315] +let comparisons: ComparisonResult[] = []; +if ( + (inputs.reportPRComment || inputs.reportSummary || inputs.reportAnnotations) && + context.payload.pull_request +) { + comparisons = await compareWithBase(minifyResult, inputs.githubToken); +} + if (inputs.reportSummary) { - await generateAutoModeSummary([minifyResult], inputs); + // Assuming generateAutoModeSummary is updated to accept comparisons + await generateAutoModeSummary([minifyResult], inputs, comparisons); } if (inputs.reportPRComment && context.payload.pull_request) { - const comparisons = await compareWithBase( - minifyResult, - inputs.githubToken - ); await postPRComment(minifyResult, inputs.githubToken, comparisons); } if (inputs.reportAnnotations) { - addAnnotations(minifyResult); + // Assuming addAnnotations is updated to accept comparisons + addAnnotations(minifyResult, comparisons); } Apply / Chat Suggestion importance[1-10]: 6 __ Why: This is a good architectural suggestion that improves efficiency by avoiding potential redundant API calls, making the code more scalable for future reporting features that might need comparison data.	Low
Update

[cubic-dev-ai]

No issues found across 9 files

[greptile-apps]

Greptile Overview

Greptile Summary

This PR improves the GitHub Action's auto mode to align with explicit mode behavior and fixes base comparison logic to use output artifacts instead of source files.

Key Changes:

• Tracks outputFile as repository-relative paths in minification results for accurate base-branch comparisons
• Auto mode now honors reportPRComment and reportAnnotations settings (previously ignored)
• Switches auto mode to use dedicated generateAutoModeSummary reporter instead of generic summary
• Compares minified output files against base branch artifacts instead of source file paths
• Adds path normalization and security validation in normalizeComparePath to prevent path traversal attacks
• Scopes esbuild/yui type validation to explicit mode only, allowing auto mode to detect file types automatically

Implementation Details:

• The toRepositoryPath helper normalizes absolute paths to repository-relative paths with forward slashes (Windows-compatible)
• Path validation rejects unsafe patterns: .., absolute paths, Windows drive letters, empty strings
• When outputFile path is unsafe, falls back to source file path; if both are unsafe, marks file as new
• Comprehensive test coverage includes Windows path normalization, unsafe path handling, and auto mode reporting features

The changes are well-structured, maintain backward compatibility, and include proper error handling and security validation.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The code changes are well-implemented with comprehensive test coverage. Security validation for path traversal is properly handled in normalizeComparePath. The changes maintain backward compatibility and follow the project's coding standards. All modifications are additive or improve existing behavior without breaking changes.
• No files require special attention

Important Files Changed

Filename	Overview
packages/action/src/types.ts	Added optional outputFile field to FileResult interface for tracking output paths
packages/action/src/minify.ts	Added toRepositoryPath helper and stores repository-relative output path in results
packages/action/src/compare.ts	Added path normalization with normalizeComparePath, compares against output paths instead of source files, includes security validation
packages/action/src/inputs.ts	Scoped type validation to explicit mode only (line 101), allowing auto mode flexibility for esbuild/yui
packages/action/src/index.ts	Auto mode now uses generateAutoModeSummary, stores outputFile paths, and honors reportPRComment and reportAnnotations settings

Sequence Diagram

sequenceDiagram
    participant Action as GitHub Action
    participant Minify as runMinification/runAutoMode
    participant Compare as compareWithBase
    participant Normalize as normalizeComparePath
    participant GitHub as GitHub API
    participant Report as Reporters

    Action->>Minify: Execute minification
    Minify->>Minify: Store outputFile (repo-relative)
    Minify-->>Action: MinifyResult with outputFile

    alt In PR Context
        Action->>Compare: compareWithBase(result, token)
        loop For each file
            Compare->>Normalize: normalizeComparePath(outputFile)
            Normalize-->>Compare: Validated path or null
            alt outputFile invalid
                Compare->>Normalize: normalizeComparePath(sourceFile)
                Normalize-->>Compare: Fallback path or null
            end
            alt comparePath exists
                Compare->>GitHub: getContent(comparePath, baseBranch)
                GitHub-->>Compare: Base file size
                Compare->>Compare: Calculate size delta
            else comparePath unsafe
                Compare->>Compare: Mark as new file
            end
        end
        Compare-->>Action: ComparisonResult[]
    end

    alt reportSummary
        Action->>Report: generateAutoModeSummary/generateSummary
    end
    
    alt reportPRComment
        Action->>Report: postPRComment(result, comparisons)
    end
    
    alt reportAnnotations
        Action->>Report: addAnnotations(result)
    end

Loading

[greptile-apps]

_{9 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (2)

packages/action/src/compare.ts
Repo vs filesystem path
compareWithBase passes fileResult.outputFile ?? fileResult.file directly to octokit.rest.repos.getContent({ path }) (repo-relative path). In explicit mode runMinification populates outputFile from the output input (which can be an absolute/OS-specific filesystem path after resolution), so the GitHub API call will fail and the comparison will be reported as isNew: true (dropping base deltas). This breaks “vs base” reporting whenever users provide absolute outputs or Windows-style paths.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/action/src/compare.ts
Line: 41:55

Comment:
**Repo vs filesystem path**
`compareWithBase` passes `fileResult.outputFile ?? fileResult.file` directly to `octokit.rest.repos.getContent({ path })` (repo-relative path). In explicit mode `runMinification` populates `outputFile` from the `output` input (which can be an absolute/OS-specific filesystem path after resolution), so the GitHub API call will fail and the comparison will be reported as `isNew: true` (dropping base deltas). This breaks “vs base” reporting whenever users provide absolute outputs or Windows-style paths.

How can I resolve this? If you propose a fix, please make it concise.

---

packages/action/src/comment.ts
Comparison key mismatch
generateCommentBody builds comparisonMap keyed by ComparisonResult.file and looks up with f.file. After this PR, explicit mode runMinification sets FileResult.file to the input path and outputFile to the output path, while compareWithBase queries base using outputFile. If any caller still produces comparisons keyed by output paths (or mixed fixtures), the “vs Base” column will show - even though comparisons exist. Consider making the keying consistent (e.g., always key comparisons by FileResult.file or by outputFile, but not a mix).

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/action/src/comment.ts
Line: 94:103

Comment:
**Comparison key mismatch**
`generateCommentBody` builds `comparisonMap` keyed by `ComparisonResult.file` and looks up with `f.file`. After this PR, explicit mode `runMinification` sets `FileResult.file` to the *input* path and `outputFile` to the output path, while `compareWithBase` queries base using `outputFile`. If any caller still produces comparisons keyed by output paths (or mixed fixtures), the “vs Base” column will show `-` even though comparisons exist. Consider making the keying consistent (e.g., always key comparisons by `FileResult.file` or by `outputFile`, but not a mix).

How can I resolve this? If you propose a fix, please make it concise.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packages/action/__tests__/runAutoMode.test.ts`:
- Line 60: Replace the unsafe cast "(context as any).payload = ..." with a
proper typed cast that declares payload shape (e.g. "(context as { payload:
Record<string, unknown> }).payload = ...") wherever it occurs in
runAutoMode.test.ts (both at the current occurrence and the one at the other
location), so tests retain type safety consistent with compare.test.ts; update
both assignments to use the typed cast rather than "as any".

🧹 Nitpick comments (2)

packages/action/src/index.ts (1)

240-249: The as FileResult & { compressor: string } cast is loose.

The compressor field added here is never consumed downstream since allResults is typed FileResult[]. If this per-file compressor label is needed, consider adding it to the FileResult type in types.ts. If not, the cast can be simplified to just FileResult.

packages/action/src/minify.ts (1)

24-32: Extract toRepositoryPath to a shared utility module to eliminate duplication.

The function is defined identically in both minify.ts (line 30) and index.ts (line 67). Move it to a shared utility file (e.g., utils.ts) and import it in both files.

[srod]

@greptile

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.18%. Comparing base (86c5780) to head (7c834bd).
⚠️ Report is 5 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2807      +/-   ##
===========================================
+ Coverage    95.09%   95.18%   +0.09%     
===========================================
  Files           73       73              
  Lines         1693     1725      +32     
  Branches       509      523      +14     
===========================================
+ Hits          1610     1642      +32     
  Misses          83       83              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.