ci: update of files from global .github repo #5364
✅ Deploy Preview for asyncapi-website ready!
📝 Walkthrough
This pull request migrates GitHub Actions notification workflows from Mailchimp to Kit.com for TSC member email notifications. It updates Node.js runtime to version 20, introduces new Kit integration scripts with email validation and HTML generation, removes deprecated Mailchimp modules, and corrects a Slack notification step name.
Sequence Diagram
sequenceDiagram
participant GH as GitHub Webhook
participant WF as Workflow Runner
participant Script as Kit Integration Script
participant Kit as Kit.com API
participant Core as GitHub Actions Core
GH->>WF: Trigger workflow<br/>(issue/PR/discussion event)
WF->>Script: Execute script<br/>(link, title)
Script->>Script: Validate link (HTTPS)<br/>& sanitize title
Script->>Script: Generate HTML email<br/>with XSS escaping
Script->>Script: Calculate send_at<br/>(now + 1 min)
Script->>Kit: POST broadcast payload<br/>(API key, subject, HTML, tag)
alt API Success
Kit-->>Script: 200 OK + scheduled time
Script->>Core: core.info(success message)
else API Failure
Kit-->>Script: Error response
Script->>Core: core.setFailed(error)
end
Estimated Code Review Effort: 🎯 3 (Moderate) | ⏱️ ~30 minutes
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
⚡️ Lighthouse report for the changes in this PR:
Lighthouse ran on https://deploy-preview-5364--asyncapi-website.netlify.app/
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/scripts/kit/index.js:
- Around line 35-58: The code uses TSC_TAG_ID =
Number(process.env.KIT_TSC_TAG_ID) which can be NaN and will serialize
incorrectly into subscriber_filter, and the fetch has no timeout; fix by
validating KIT_TSC_TAG_ID after reading it (e.g., parseInt/Number and if
!Number.isInteger(TSC_TAG_ID) or isNaN throw/log and exit) so the function does
not continue with an invalid tag id (reference TSC_TAG_ID and subscriber_filter
in the POST body), and add an AbortController with a short configurable timeout
(create controller, setTimeout to controller.abort after e.g. 10s, pass
controller.signal into the fetch call and clear the timer on success) so the
fetch to KIT_BASE/broadcasts cannot hang the runner.
- Around line 8-40: sanitizeLinkAndTitle currently calls core.setFailed and
returns its value (undefined), causing the caller to destructure undefined and
throw a misleading TypeError; change sanitizeLinkAndTitle to throw new
Error(...) (with descriptive messages) instead of returning core.setFailed, and
in the caller (the exported async function where you call sanitizeLinkAndTitle)
wrap the call in a try-catch that catches the thrown Error, calls
core.setFailed(err.message) and exits/returns early so the rest of the function
does not run with invalid data. Ensure you reference sanitizeLinkAndTitle for
the throw changes and the exported async function (the module.exports wrapper
that destructures { sanitizedLink, sanitizedTitle }) for the try-catch handling.
In @.github/workflows/scripts/kit/package.json:
- Around line 5-7: Update the pinned `@actions/core` version in package.json from
"1.6.0" to a conservative caret range "^2.0.3" to pick up Node 24 support and
security fixes while avoiding the ESM-only 3.x breaking change; edit the
"dependencies" entry for "@actions/core", run your package manager
(npm/yarn/pnpm) to restore lockfile, and run the test/build workflow to verify
compatibility (look for the "@actions/core" dependency entry in the JSON to
locate the change).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: a2b6253f-4ea0-495c-9104-d8b31b8eb029
⛔ Files ignored due to path filters (2)
- .github/workflows/scripts/kit/package-lock.json is excluded by !**/package-lock.json
- .github/workflows/scripts/mailchimp/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
- .github/workflows/notify-tsc-members-mention.yml
- .github/workflows/scripts/kit/htmlContent.js
- .github/workflows/scripts/kit/index.js
- .github/workflows/scripts/kit/package.json
- .github/workflows/scripts/mailchimp/index.js
- .github/workflows/scripts/mailchimp/package.json
💤 Files with no reviewable changes (2)
- .github/workflows/scripts/mailchimp/package.json
- .github/workflows/scripts/mailchimp/index.js
const sanitizeLinkAndTitle = (link, title) => {
  // Validate inputs to prevent injection attacks
  if (!link || typeof link !== 'string' || link.length > 2000) {
    return core.setFailed('Invalid link parameter');
  }
  if (!title || typeof title !== 'string' || title.length > 500) {
    return core.setFailed('Invalid title parameter');
  }

  let parsedLink;
  try {
    parsedLink = new URL(link);
  } catch (error) {
    return core.setFailed('Invalid link parameter');
  }

  if (parsedLink.protocol !== 'https:') {
    return core.setFailed('Link must use https protocol');
  }

  // Sanitize title by removing control characters and limiting length
  const sanitizedTitle = title.replace(/[\x00-\x1F\x7F]/g, '').substring(0, 250);
  return { sanitizedLink: parsedLink.toString(), sanitizedTitle };
};

module.exports = async (link, title) => {
  const KIT_BASE = 'https://api.kit.com/v4';
  const TSC_TAG_ID = Number(process.env.KIT_TSC_TAG_ID);

  // Schedule 1 minute ahead
  const sendAt = new Date(Date.now() + 60 * 1000);

  const { sanitizedLink, sanitizedTitle } = sanitizeLinkAndTitle(link, title);
🧩 Analysis chain
🌐 Web query:
Does @actions/core setFailed terminate execution or just set an error and exit code?
💡 Result:
@actions/core's setFailed logs an error message and sets the Node.js process.exitCode to 1 (failure), but does not immediately terminate execution. The process continues running until it naturally exits or process.exit is explicitly called. When the action's main script exits with a non-zero exit code, GitHub Actions marks the step as failed, which cancels concurrent steps and skips subsequent ones in the job.
Citations:
- 1: core.setFailed and core.error won't fail the workflow actions/toolkit#1385
- 2: https://docs.github.com/actions/creating-actions/setting-exit-codes-for-actions
- 3: https://github.com/actions/toolkit/blob/main/packages/core/src/core.ts
- 4: https://www.npmjs.com/package/@actions/core
Critical: validation does not terminate — function will destructure undefined and throw a misleading TypeError.
core.setFailed() only sets the exit code and logs an error; it does not stop execution. When validation fails at any of lines 12, 16, or 22, the function "returns" undefined (the return value of core.setFailed). Line 40 then attempts to destructure this undefined, throwing TypeError: Cannot destructure property 'sanitizedLink' of 'undefined'. This masks the actual validation error and, if the error were somehow tolerated, the broadcast would proceed with undefined content.
Use throw new Error() instead of return core.setFailed() inside sanitizeLinkAndTitle, and wrap the call at line 40 in a try-catch to properly catch and report the error.
Proposed fix
const sanitizeLinkAndTitle = (link, title) => {
// Validate inputs to prevent injection attacks
if (!link || typeof link !== 'string' || link.length > 2000) {
- return core.setFailed('Invalid link parameter');
+ throw new Error('Invalid link parameter');
}
if (!title || typeof title !== 'string' || title.length > 500) {
- return core.setFailed('Invalid title parameter');
+ throw new Error('Invalid title parameter');
}
let parsedLink;
try {
parsedLink = new URL(link);
} catch (error) {
- return core.setFailed('Invalid link parameter');
+ throw new Error('Invalid link parameter');
}
if (parsedLink.protocol !== 'https:') {
- return core.setFailed('Link must use https protocol');
+ throw new Error('Link must use https protocol');
}
const sanitizedTitle = title.replace(/[\x00-\x1F\x7F]/g, '').substring(0, 250);
return { sanitizedLink: parsedLink.toString(), sanitizedTitle };
};
module.exports = async (link, title) => {
const KIT_BASE = 'https://api.kit.com/v4';
const TSC_TAG_ID = Number(process.env.KIT_TSC_TAG_ID);
const sendAt = new Date(Date.now() + 60 * 1000);
- const { sanitizedLink, sanitizedTitle } = sanitizeLinkAndTitle(link, title);
+ let sanitizedLink, sanitizedTitle;
+ try {
+ ({ sanitizedLink, sanitizedTitle } = sanitizeLinkAndTitle(link, title));
+ } catch (err) {
+ return core.setFailed(err.message);
+ }
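Review bot: the `catch (err) { return core.setFailed(err.message); }` added in the `module.exports` wrapper fixes the masked TypeError, but the validator it now guards still accepts any `https:` URL (`if (parsedLink.protocol !== 'https:')`), so a malformed event payload could make the broadcast send TSC members to an arbitrary host. Since the link comes from a GitHub issue/PR/discussion event, also compare `parsedLink.hostname` against the expected GitHub host before returning `sanitizedLink`, and throw the same way on mismatch.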
  const TSC_TAG_ID = Number(process.env.KIT_TSC_TAG_ID);

  // Schedule 1 minute ahead
  const sendAt = new Date(Date.now() + 60 * 1000);

  const { sanitizedLink, sanitizedTitle } = sanitizeLinkAndTitle(link, title);

  const res = await fetch(`${KIT_BASE}/broadcasts`, {
    method: 'POST',
    headers: {
      'X-Kit-Api-Key': process.env.KIT_API_KEY,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      subject: `TSC attention required: ${sanitizedTitle}`,
      preview_text: 'Check out the latest topic that TSC members have to be aware of',
      content: htmlContent(sanitizedLink, sanitizedTitle),
      description: `TSC notification - ${new Date().toUTCString()}`,
      public: false,
      published_at: null,
      send_at: sendAt.toISOString(),
      subscriber_filter: [{ all: [{ type: 'tag', ids: [TSC_TAG_ID] }] }]
    })
  });
Validate KIT_TSC_TAG_ID and add a fetch timeout.
Two reliability gaps:
- Number(process.env.KIT_TSC_TAG_ID) (line 35) becomes NaN if the secret is missing/misconfigured, then serializes to null inside subscriber_filter, silently broadcasting to the wrong audience (or none) instead of failing loudly.
- The fetch to api.kit.com has no timeout/AbortSignal — a hung connection will pin the runner until the job/step timeout.
🛡️ Proposed fix
const KIT_BASE = 'https://api.kit.com/v4';
- const TSC_TAG_ID = Number(process.env.KIT_TSC_TAG_ID);
+ const TSC_TAG_ID = Number(process.env.KIT_TSC_TAG_ID);
+ if (!Number.isInteger(TSC_TAG_ID) || TSC_TAG_ID <= 0) {
+ return core.setFailed('KIT_TSC_TAG_ID is missing or not a positive integer');
+ }
+ if (!process.env.KIT_API_KEY) {
+ return core.setFailed('KIT_API_KEY is not set');
+ }
@@
- const res = await fetch(`${KIT_BASE}/broadcasts`, {
+ const res = await fetch(`${KIT_BASE}/broadcasts`, {
method: 'POST',
+ signal: AbortSignal.timeout(15000),
headers: {
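Review bot: `signal: AbortSignal.timeout(15000)` makes `fetch` reject with a TimeoutError rather than resolve with an error response, so unless the `await fetch(...)` sits inside a try/catch that calls `core.setFailed`, a hung Kit API call surfaces as an unhandled rejection instead of the `core.setFailed(error)` path shown in the walkthrough's sequence diagram; wrap the fetch accordingly. The hunk also hardcodes 15 s where the prompt text asks for a configurable timeout; reading it from an env var with a default would match. `AbortSignal.timeout` is available in Node 20, which this PR moves the workflow to.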
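Added example, not code from the PR or from CodeRabbit: a stub `core` with @actions/core's setFailed semantics (record the error and set the exit code, never throw or exit) reproduces the masked TypeError from the first comment and the NaN-to-null serialization from the second. `httpsOrNull`, `sanitizeReturningSetFailed`, `sanitizeThrowing`, `reportedMessage`, `subscriberFilterJson` and `parseTagId` are hypothetical names; the sample links and tag ids are constructed.

```javascript
const core = {
  exitCode: 0,
  lastError: undefined,
  // Like @actions/core: record the error and set a failing exit code, but do not throw or exit.
  setFailed(message) { this.lastError = String(message); this.exitCode = 1; }
};

// Shared check mirroring the PR's validator: must parse as a URL and use https.
function httpsOrNull(link) {
  try { const u = new URL(link); return u.protocol === 'https:' ? u.toString() : null; }
  catch { return null; }
}

// Pattern under review: the validator "returns" core.setFailed(), i.e. undefined.
function sanitizeReturningSetFailed(link) {
  const sanitizedLink = httpsOrNull(link);
  if (!sanitizedLink) return core.setFailed('Link must use https protocol');
  return { sanitizedLink };
}

// Proposed pattern: throw and let the caller report through setFailed.
function sanitizeThrowing(link) {
  const sanitizedLink = httpsOrNull(link);
  if (!sanitizedLink) throw new Error('Link must use https protocol');
  return { sanitizedLink };
}

// The caller destructures the result, as index.js does, and reports whatever it catches.
// Returns the message that actually reaches core.setFailed, or 'ok:<link>' on success.
function reportedMessage(sanitize, link) {
  core.exitCode = 0; core.lastError = undefined;
  try {
    const { sanitizedLink } = sanitize(link);
    return `ok:${sanitizedLink}`;
  } catch (err) {
    // With the old pattern this is the TypeError from destructuring undefined,
    // which overwrites the validation message setFailed had already recorded.
    core.setFailed(err.message);
    return core.lastError;
  }
}

// Tag id as the PR builds it: Number(undefined) is NaN, and JSON.stringify emits NaN as null.
function subscriberFilterJson(rawTagId) {
  return JSON.stringify([{ all: [{ type: 'tag', ids: [Number(rawTagId)] }] }]);
}

// Hardened form: an unset secret (NaN), an empty string (Number('') is 0) and non-integers all fail loudly.
function parseTagId(rawTagId) {
  const id = Number(rawTagId);
  if (!Number.isInteger(id) || id <= 0) throw new Error('KIT_TSC_TAG_ID is missing or not a positive integer');
  return id;
}
```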
  "dependencies": {
    "@actions/core": "1.6.0"
  }
🧩 Analysis chain
🌐 Web query:
What is the latest stable release of @actions/core on npm?
💡 Result:
The latest stable release of @actions/core on npm is 3.0.0, published on January 29, 2026.
Citations:
- 1: https://www.npmjs.com/package/@actions/core
- 2: https://www.npmjs.com/package/@actions/core/v/1.6.0?activeTab=dependents
- 3: https://www.npmjs.com/package/@actions/core/v/1.6.0
🌐 Web query:
@actions/core npm version history release dates 2.x 3.0.0 timeline
💡 Result:
The @actions/core npm package version history, focusing on 2.x and the 3.0.0 release timeline, is as follows based on official npm and GitHub sources:
2.x series (Dec 2025 - Jan 2026):
- 2.0.0: Released December 9, 2025. Added Node 24 support (PR #2110) and bumped @actions/http-client to 3.0.0.
- 2.0.1: Released December 11, 2025. Bumped @actions/exec to 2.0.0 (PR #2199).
- 2.0.2: Released January 8, 2026.
- 2.0.3: Released January 27, 2026. Bumped @actions/http-client to 3.0.2.
3.0.0: Released January 29, 2026. Breaking change: ESM-only (no CommonJS support; use dynamic import).
Full changelog available in https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md. npm page: https://www.npmjs.com/package/@actions/core (33 versions total since Aug 7, 2019).
Citations:
- 1: https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md
- 2: https://www.npmjs.com/package/@actions/core
- 3: https://www.npmjs.com/package/@actions/core/v/1.6.0?activeTab=dependents
- 4: https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md
- 5: https://www.npmjs.com/package/@actions/core/v/1.6.0
- 6: https://security.snyk.io/package/npm/%40actions%2Fcore
- 7: prepare @actions/exec 2.0.1 relesae + chore(core): bump @actions/exec from ^1.1.1 to ^2.0.0 actions/toolkit#2199
Bump @actions/core to address version stagnation from 2021.
@actions/core 1.6.0 is from 2021 and is significantly outdated. The package has evolved substantially: version 2.0.3 (stable for 3 months) adds Node 24 support and security improvements while maintaining CommonJS compatibility. Version 3.0.0 (released Jan 29, 2026) introduces a breaking ESM-only change, so ^2.0.3 is the recommended conservative bump.
♻️ Suggested bump
"dependencies": {
- "@actions/core": "1.6.0"
+ "@actions/core": "^2.0.3"
}



Summary by CodeRabbit
Release Notes
Infrastructure Updates
Bug Fixes