This workflow runs ESLint to scan JavaScript and TypeScript code on push and pull request events, and uploads the results in SARIF format.
Pull request overview
Adds a GitHub Actions workflow to run ESLint-based code scanning and upload results to GitHub Code Scanning (SARIF), aligning with the repo’s CI/security tooling.
Changes:
- Introduces an ESLint workflow triggered on push/PR (and scheduled) to run ESLint and generate SARIF output.
- Uploads the generated SARIF report via github/codeql-action/upload-sarif@v3.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (3)
.github/workflows/eslint.yml:36
- This workflow uses npm for dependency installation, but the project consistently uses Bun as its package manager across all other workflows. The test.yml and npm-publish.yml workflows all use oven-sh/setup-bun@v2 with bun-version: '1.3.7' followed by bun install --frozen-lockfile. This inconsistency could lead to different dependency resolution or installation issues.
The workflow should be updated to:
- Set up Bun using oven-sh/setup-bun@v2 with bun-version: '1.3.7'
- Install dependencies with bun install --frozen-lockfile
- Install the SARIF formatter with bun add -d @microsoft/eslint-formatter-sarif@3.1.0
      - name: Install dependencies
        run: |
          npm ci
          npm install @microsoft/eslint-formatter-sarif@3.1.0
.github/workflows/eslint.yml:43
- The --ext flag is deprecated in ESLint v9 and is only supported by the legacy eslintrc configuration system. This project uses the new flat config system (eslint.config.js), which determines file patterns from the config file itself. The eslint.config.js file already specifies files: ['**/*.{ts,tsx,js,jsx}'], so the --ext flag is redundant and will cause a warning or error with ESLint v9.39.2 (as specified in package.json).
Remove the --ext .js,.jsx,.ts,.tsx argument from the ESLint command. The flat config already handles file matching.
          npx eslint . \
            --ext .js,.jsx,.ts,.tsx \
.github/workflows/eslint.yml:17
- The pull_request trigger only targets the "main" branch, but the codeql.yml workflow (which performs similar security scanning) targets both "main" and "development" branches. The push trigger correctly includes both branches on line 14. This inconsistency means that pull requests targeting the "development" branch won't run ESLint scanning, creating a gap in code quality checks.
Update line 17 to match the codeql.yml pattern: branches: [ "main", "development" ]
    branches: [ "main" ]
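A complete workflow that applies the three review points above (Bun instead of npm, no --ext flag, pull requests against both main and development) is shown here as an added example; it is not the eslint.yml from this pull request. The job name, runner, cron schedule and the eslint-results.sarif output path are assumptions. It also adds two things a practitioner would want that the review does not mention: a permissions block granting security-events: write, which github/codeql-action/upload-sarif needs, and continue-on-error on the ESLint step so that lint findings do not prevent the SARIF upload.

```yaml
name: ESLint

on:
  push:
    branches: [ "main", "development" ]
  pull_request:
    # review fix: include "development", matching codeql.yml
    branches: [ "main", "development" ]
  schedule:
    - cron: '0 6 * * 1'   # assumed weekly schedule, not from the PR

permissions:
  contents: read
  security-events: write   # required for upload-sarif to write code scanning results

jobs:
  eslint:
    runs-on: ubuntu-latest   # assumed runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # review fix: use Bun like test.yml and npm-publish.yml
      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: '1.3.7'

      - name: Install dependencies
        run: |
          bun install --frozen-lockfile
          bun add -d @microsoft/eslint-formatter-sarif@3.1.0

      # review fix: no --ext; eslint.config.js already selects **/*.{ts,tsx,js,jsx}
      - name: Run ESLint
        run: |
          bunx eslint . \
            --format @microsoft/eslint-formatter-sarif \
            --output-file eslint-results.sarif
        # lint findings should not stop the upload below; they are reported
        # through code scanning instead of through the job status
        continue-on-error: true

      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: eslint-results.sarif
          wait-for-processing: true
```

Note that continue-on-error means this job stays green even when ESLint reports problems; the findings surface as code scanning alerts and pull request annotations instead. If the repository wants lint failures to block merges as well, drop continue-on-error and run the upload step with if: always() so the SARIF is still uploaded. Pinning the formatter to 3.1.0 and installing with --frozen-lockfile keeps the scan's own dependency set reproducible, which matters for a step that runs with security-events: write.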
Changed npm install command to install bun globally.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.