CI: Update GitHub actions

[anaxite]

Description

Update GitHub actions to increase security, bump versions, and replace unmaintained workflows.

Type of contribution

• Quick change (typo, broken link, small wording change)
• Standard change (new content, examples, or improvements)
• Substantial change (new feature docs, major restructuring, tutorials)

Changes made

• Update maintained GitHub actions to their latest versions
• Replace unmaintained GitHub actions with alternatives
• Replace SVG optimizer workflow with a new, more maintained set of steps
• Remove unnecessary options from some actions
• Set default shells
• Add a dependabot rule to keep actions up-to-date monthly

Testing performed

• Previewed changes locally (npm run start)
• Tested all code examples
• Verified all links work
• Ran build successfully (npm run build)
• Ran style checks with Vale (if applicable)
• Added/updated Doc Detective tests (if applicable)

Checklist

• I have signed the Contributor License Agreement
• My changes follow the contribution guidelines
• I have used the appropriate content template (if applicable)
• All new content files use .mdx extension
• Front matter is included on all new pages
• Links use absolute paths (e.g., /docs/page not ../page)
• Code examples are complete and tested
• I have spell-checked my changes
• I have reviewed my own changes for errors

Additional notes

The new SVG optimizer workflow should only trigger on changed SVG files. It may need extra testing to make sure it works properly.

---

For reviewers:

• See Review Process for guidelines
• Focus on technical accuracy and user value
• Don't block on minor style issues—automation handles those

Summary by CodeRabbit

• New Features

  • Added automatic SVG optimization on pull requests.
  • Enabled Mermaid diagrams and refreshed site theme/config (navbar, footer, code themes).

• Chores

  • Updated GitHub Actions workflows to pin actions and set a default shell for runs.
  • Configured Dependabot to check GitHub Actions monthly.
  • Removed legacy SVG optimization workflow.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Updates GitHub workflows by pinning external actions to specific commit SHAs, adds Dependabot updates for GitHub Actions (monthly), removes an old SVG optimize workflow, and adds a new workflow that auto-optimizes changed SVGs on pull requests.

Changes

Cohort / File(s)	Summary
Dependabot Configuration .github/dependabot.yml	Added a Dependabot entry to update GitHub Actions dependencies in / on a monthly schedule alongside the existing devcontainers update.
Workflow action pinning .github/workflows/deploy-preview.yml, .github/workflows/deploy.yml, .github/workflows/doc-detective.yml, .github/workflows/ekline.yml, .github/workflows/update-common.yml, .github/workflows/vale.yml	Replaced loose action tags with specific commit SHAs (with inline version comments) for multiple actions (e.g., actions/checkout, actions/setup-node, others). Added workflow defaults.run.shell: bash to some workflows. In deploy.yml replaced paths-filter with changed-files and adjusted file globs/conditions.
New SVG optimization workflow .github/workflows/optimize-svg.yml	Added a workflow that triggers on PRs to main, detects changed SVGs, conditionally sets up Node, runs svgo (multipass) on changed files, and commits optimizations via an auto-commit action.
Removed workflow .github/workflows/optimize.yml	Deleted the prior Optimize workflow that used ericcornelissen/svgo-action@v3.
Config change docusaurus.config.ts	Enabled Mermaid in markdown and expanded/restructured themeConfig and related site config (reflowed presets, navbar/footer, prism, and custom inkeep settings) without changing public API signatures.

Sequence Diagram(s)

sequenceDiagram
    participant PR as Pull Request
    participant WF as optimize-svg Workflow
    participant GH as GitHub
    participant Node as Node.js
    participant Git as Auto Commit Action

    PR->>WF: on: pull_request (target: main)
    WF->>GH: actions/checkout (pin) -> checkout repo
    WF->>WF: changed-files -> list changed SVGs
    alt SVGs changed
        WF->>Node: setup-node (pin)
        Node-->>WF: node ready
        WF->>Node: run svgo --multipass on each changed SVG
        Node-->>WF: optimized files
        WF->>Git: git-auto-commit-action -> commit & push
        Git->>GH: push auto-commit
        GH-->>WF: workflow completes
    else No SVG changes
        WF-->>WF: skip Node and optimization steps
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Heterogeneous edits: many workflows updated with similar pinning changes (low per-file complexity) plus one new workflow and one workflow removal.
• Review focus:
  • Confirm each pinned SHA corresponds to the intended action/version and that inline comments (e.g., #v6.0.0) match expectations.
  • Verify deploy.yml replacement of paths-filter with changed-files correctly captures docs/** and src/pages/** and that the any_changed condition preserves prior behavior.
  • Ensure the new optimize-svg.yml has correct permissions for committing (GITHUB_TOKEN/write) and that the changed-files output is handled safely (escaping file paths, handling many files).

Poem

"I hopped through commits with tiny paws,
Pinning actions, obeying laws.
SVGs trimmed with a cheerful snip,
CI gardens tidy—fluffy tip-tap trip! 🐰"

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'CI: Update GitHub actions' is vague and overly broad, using generic terms that do not clearly convey the specific changes made.	Consider a more specific title that reflects key changes, such as 'CI: Pin GitHub Actions to commit hashes for security' or 'CI: Update and secure GitHub Actions workflows'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers most required sections with clear change summaries and appropriate checklist marks, though testing performed section shows no completed checks despite security-critical changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/optimize-svg.yml (1)

37-41: Potential issue with shell word splitting in file loop.

The loop for file in ${ALL_CHANGED_FILES} could fail if SVG filenames contain spaces or special characters. Even though safe_output: false is documented, consider quoting the variable for robustness:

  for file in ${ALL_CHANGED_FILES}; do
    npx svgo --multipass "$file" --output "$file"
  done

Alternatively, if the files list is known to be space-delimited, iterate more defensively:

echo "$ALL_CHANGED_FILES" | while read -r file; do
  npx svgo --multipass "$file" --output "$file"
done

.github/workflows/doc-detective.yml (1)

17-18: Clarify the "May 7 2025" annotation on doc-detective action.

The comment #latest, May 7 2025 appears to be a documentation artifact. Since the current date is past May 7, 2025, this label may be outdated or misleading. Consider using a more descriptive version tag or removing the date.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 474bf58 and 6974b84.

📒 Files selected for processing (9)

• .github/dependabot.yml (1 hunks)
• .github/workflows/deploy-preview.yml (3 hunks)
• .github/workflows/deploy.yml (4 hunks)
• .github/workflows/doc-detective.yml (1 hunks)
• .github/workflows/ekline.yml (1 hunks)
• .github/workflows/optimize-svg.yml (1 hunks)
• .github/workflows/optimize.yml (0 hunks)
• .github/workflows/update-common.yml (2 hunks)
• .github/workflows/vale.yml (1 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/optimize.yml

🔇 Additional comments (12)

.github/dependabot.yml (1)

13-16: Dependabot configuration looks good.

Monthly updates for GitHub Actions is a sensible cadence that balances security with stability. Dependabot will help maintain pinned commits automatically.

.github/workflows/update-common.yml (2)

13-15: Explicit bash shell default is good practice.

Setting defaults.run.shell: bash ensures consistent shell behavior across all run steps.

---

23-23: I need to gather information via web search since the API calls returned null. Let me verify the actions/checkout version and any breaking changes.

Let me search for more specific breaking changes information and verify the second action.

Let me do one final search to specifically check the softprops/action-gh-release commit.

Pinned commit SHA for actions/[email protected] is valid; softprops/action-gh-release commit cannot be verified.

The actions/checkout commit 1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 corresponds to the v6.0.0 release, so that pin is correct. However, the softprops/action-gh-release commit 5be0e66d93ac7ed76da52eca8bb058f665c3a5fe could not be verified through GitHub API, web search, or official release notes. This suggests it may not exist or be invalid.

Regarding the v4→v6 upgrade for actions/checkout: This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios. The primary changes are infrastructure-level (credential persistence file, Node.js 24 support) with no major breaking changes documented. Multiple production projects have already completed this v5→v6 upgrade without reported issues.

Verify the second action's commit SHA is correct in .github/workflows/update-common.yml (line 134). If it's a copy-paste error, update it or use the tag reference (e.g., softprops/action-gh-release@v2) instead.

.github/workflows/deploy.yml (4)

10-12: Explicit bash shell default maintains consistency.

Setting a global shell default aligns with other workflows in the PR.

---

70-78: Logic change from paths-filter to changed-files needs verification.

The sync_inkeep job switched from a paths-filter-based approach to tj-actions/changed-files. Verify that the new logic correctly detects changes to docs/** and src/pages/**:

1. Does changed-files with these patterns match the previous paths-filter behavior?
2. Is any_changed == 'true' the correct condition (vs. the previous trigger)?
3. Will this properly skip Inkeep sync when only unrelated files change?

Test the changed-files detection locally or in a test PR to confirm correct behavior.

---

18-18: I need to investigate the actual API responses to determine if these are genuinely invalid commits or if there's an issue with how the verification is being performed.

The verification script indicates all commit SHAs returned "Invalid," but this result appears unreliable. Web searches confirm that actions/checkout SHA 1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 is used widely in recent dependency updates for v6.0.0, and actions/setup-node SHA 2028fbc5c25fe9cf00d9f06a71cc4710d4507903 is also confirmed for v6.0.0 releases.

The script's blanket "Invalid" response suggests the jq validation logic failed to parse API responses correctly—likely due to authentication issues or error responses lacking a .sha field, rather than the commits actually being invalid. Without a valid GITHUB_TOKEN or with API rate limiting, all responses would return errors, causing the test to incorrectly flag valid commits as invalid.

Definitive verification of all six commit SHAs cannot be completed with the available tools, but evidence from public dependency updates and deployment workflows indicates the pinned commits are legitimate and in active use across multiple projects.

---

20-20: The upgrade from setup-node v4 to v6 is safe for this workflow.

Verification confirms that while v6 has a breaking change regarding automatic caching behavior (caching is now restricted to npm when packageManager is configured), the workflow explicitly sets cache: npm which continues to work without changes. The explicit cache configuration protects this workflow from any breaking changes.

.github/workflows/deploy-preview.yml (3)

9-11: Explicit bash shell default is consistent with other workflows.

Setting defaults.run.shell: bash aligns with the broader workflow standardization.

---

34-34: Commented steps are properly pinned for future re-activation.

The deployment steps are commented out but have been updated with commit SHAs. This is good practice for maintainability—if these steps are uncommented later, they'll have secure pinned references.

Also applies to: 55-55, 58-58

---

17-17: I'll examine the workflow files and package configuration to verify whether the v6 upgrade compatibility concern is valid.

I need to examine the actual workflow files and package configuration to verify the compatibility concern.Based on the web search results, I have now gathered comprehensive information about the v4→v6 compatibility changes for actions/setup-node. The review comment is asking to verify npm cache compatibility with v6, and based on the search results, I can provide clarification about what actually changed.

Key findings from web search:

In v6, caching is automatically enabled for npm projects when either the devEngines.packageManager field or the top-level packageManager field in package.json is set to npm. For other package managers, such as Yarn and pnpm, caching is disabled by default and must be configured manually using the cache input.

This is a significant difference: while v5 enabled automatic caching for Yarn/pnpm when detected, v6 restricts automatic caching to npm only.

The review comment is asking for verification that the npm cache behavior is compatible with v6. Since the search results confirm that caching for npm dependencies is automatically enabled when your package.json contains either devEngines.packageManager field or top-level packageManager field set to npm, and this behavior is controlled by the package-manager-cache input, which defaults to true, the change should be compatible if the codebase:

1. Uses npm as its package manager, OR
2. Has explicit cache configuration in the workflow

Without access to the actual .github/workflows/deploy-preview.yml content and package.json to verify which package manager is used, I can only flag this as requiring manual verification to confirm the codebase is compatible with the v6 breaking change regarding Yarn/pnpm caching.

.github/workflows/doc-detective.yml (1)

17-18: Commit SHA is valid and maintained.

The pinned commit 7cd1f3609abc91634935dbc990bfa7b6e6326f71 is confirmed valid—it's the latest release of the doc-detective/github-action repository, published May 7, 2025, and tagged "latest" on the main branch. The repository remains actively maintained.

.github/workflows/vale.yml (1)

14-14: Vale action pinning verified and approved.

Verified that the pinned commit d89dee975228ae261d22c15adcd03578634d429c correctly corresponds to v2.1.1 (released 2024-10-15). The security pinning strategy is consistent and valid across both actions.

[anaxite]

@hawkeyexl I finished my test of the SVG optimizer workflow. Seems to work well :)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

docusaurus.config.ts (3)

25-31: Verify the intentional difference in broken link handling.

Line 25 uses onBrokenLinks: "throw" (strict), while Line 29 uses onBrokenMarkdownLinks: "warn" (lenient). This difference might allow broken markdown links to slip through during builds while catching regular broken links.

If this is intentional, consider adding a comment explaining the reasoning.

---

87-88: Consider removing commented-out code.

Lines 87-88 and 131-134 contain commented-out menu items. If these features are not planned for the near future, consider removing this code to improve maintainability. If they're intentionally kept for future use, add a comment explaining why.

Also applies to: 131-134

---

148-163: Validate InKeep environment variables before use.

The InKeep configuration directly uses environment variables (Lines 150-152) without validation. If these variables are undefined, they'll be passed to the configuration, potentially causing runtime issues with the InKeep integration.

Consider validating that required environment variables are set, or provide clearer error messages when they're missing.

 		inkeepConfig: {
 			baseSettings: {
-				apiKey: process.env.INKEEP_API_KEY, // required
-				integrationId: process.env.INKEEP_INTEGRATION_ID, // required
-				organizationId: process.env.INKEEP_ORGANIZATION_ID, // required
+				apiKey: process.env.INKEEP_API_KEY || "", // required
+				integrationId: process.env.INKEEP_INTEGRATION_ID || "", // required
+				organizationId: process.env.INKEEP_ORGANIZATION_ID || "", // required
 				primaryBrandColor: "#00c122", // required -- your brand color, the widget color scheme is derived from this
 				organizationDisplayName: "Doc Detective", // required -- your organization name

Alternatively, validate at the top of the file:

// Validate required environment variables for InKeep
if (process.env.INKEEP_API_KEY && (!process.env.INKEEP_INTEGRATION_ID || !process.env.INKEEP_ORGANIZATION_ID)) {
  throw new Error("INKEEP_INTEGRATION_ID and INKEEP_ORGANIZATION_ID must be set when INKEEP_API_KEY is provided");
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6974b84 and 51f2a33.

📒 Files selected for processing (1)

• docusaurus.config.ts (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: runTests
• GitHub Check: Test deployment

🔇 Additional comments (5)

docusaurus.config.ts (5)

7-23: LGTM!

The site metadata and GitHub Pages deployment configuration looks correct and complete.

---

35-38: LGTM!

The i18n configuration is correctly set up for English-only support.

---

40-63: LGTM!

The presets configuration is well-structured with proper type safety using satisfies Preset.Options.

---

181-198: LGTM!

The conditional plugin loading pattern is well-implemented. This allows optional integrations (InKeep and PostHog) to be included only when their respective API keys are provided, which is a good practice.

---

199-199: LGTM!

The themes configuration properly includes the Mermaid theme (consistent with mermaid: true on Line 27) and the JSON schema plugin.

[hawkeyexl]

LGTM! Thanks for the workflow security updates @anaxite.