Refactor: Improve Build Workflow

[victorkl400]

PR description

This PR updates the Lint & Build GitHub Actions workflow to run via pull_request_target, add an “external PR” guidance comment job, and adjust concurrency grouping.

Also bumps checkout/setup-node from v3 to v4, switches build/lint commands to yarn build + yarn lint, and adds a compressed-size check on packages/vechain-kit/dist.

Summary by CodeRabbit

• Chores
  • Removed the standalone automated build-size workflow.
  • Consolidated CI so external PRs receive a guidance comment instead of full checks.
  • Split CI into an external-PR commentary job and an internal build/lint/size-validation job.
  • Package size comparisons and full build/test runs now run only for internal branches or when a special label is present.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed the standalone build-size workflow and consolidated its behavior into an updated lint-build-test workflow that runs under pull_request_target, adds a guarded external-PR comment job, updates action versions, and adds an internal package-size comparison step.

Changes

Cohort / File(s)	Summary
Removed workflow ​.github/workflows/build-size.yaml	Deleted. Previously contained comment-external-pr and build-size-check jobs for fork guidance and internal package-size comparison.
Updated primary CI workflow ​.github/workflows/lint-build-test.yaml	Reworked trigger to pull_request_target (types: labeled, opened, synchronize, reopened) scoped to main; added repo contents: read permission and concurrency. Split into comment-external-pr (posts guidance for forked PRs) and build-and-test-job (updated checkout/setup-node, install/build/lint steps) and added a "Compare package sizes" step using preactjs/compressed-size-action.

Sequence Diagram(s)

sequenceDiagram
    participant PR as Pull Request (fork or internal)
    participant GH as GitHub Actions (pull_request_target)
    participant Comment as comment-external-pr job
    participant CI as build-and-test-job
    participant Size as Compressed Size Action

    PR->>GH: PR opened / labeled / synchronized / reopened
    alt PR head is from a fork
        GH->>Comment: run comment-external-pr
        Comment-->>PR: post guidance comment (size checks gated)
    else Internal PR or has safe-to-build label
        GH->>CI: run build-and-test-job
        CI->>CI: checkout, setup-node, install, build, lint
        CI->>Size: compare package sizes (packages/vechain-kit/dist/**)
        Size-->>CI: report size diff
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Pin and update versions to commit SHAs #582 — Overlapping changes that pin action versions and touch .github/workflows/build-size.yaml, which this PR removes.

Suggested reviewers

• Vombato

Poem

🐇 I hopped through workflows, tidied every trail,

Forks get a note, insiders run the veil,
I count the bundle bytes where the dist files hide,
A carrot for CI—clean, guarded, and spry! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Refactor: Improve Build Workflow' is generic and vague, using non-descriptive terms that don't convey the specific nature of the changes.	Consider a more specific title that captures the main change, such as 'Refactor: Reorganize GitHub Actions workflows with external PR checks and size comparisons' or 'Refactor: Move size check to lint-build workflow and add external PR guidance'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Size Change: -17.9 kB (-0.31%)

Total Size: 5.77 MB

Filename	Size	Change
packages/vechain-kit/dist/assets-aAdDxPJu.mjs	50.1 kB	+50.1 kB (new file)	🆕
packages/vechain-kit/dist/assets-aAdDxPJu.mjs.map	70.2 kB	+70.2 kB (new file)	🆕
packages/vechain-kit/dist/assets-BL24r-Yp.mjs	0 B	-51.3 kB (removed)	🏆
packages/vechain-kit/dist/assets-BL24r-Yp.mjs.map	0 B	-74.1 kB (removed)	🏆
packages/vechain-kit/dist/assets-DNJsQD7_.cjs	0 B	-58.5 kB (removed)	🏆
packages/vechain-kit/dist/assets-DNJsQD7_.cjs.map	0 B	-75.5 kB (removed)	🏆
packages/vechain-kit/dist/assets-DXVXPy3w.cjs	54.8 kB	+54.8 kB (new file)	🆕
packages/vechain-kit/dist/assets-DXVXPy3w.cjs.map	71.6 kB	+71.6 kB (new file)	🆕
packages/vechain-kit/dist/index-BN8V0jxo.d.mts	5.63 kB	+5.63 kB (new file)	🆕
packages/vechain-kit/dist/index-BN8V0jxo.d.mts.map	2.99 kB	+2.99 kB (new file)	🆕
packages/vechain-kit/dist/index-BttaB_nw.d.mts	151 kB	+151 kB (new file)	🆕
packages/vechain-kit/dist/index-BttaB_nw.d.mts.map	43.8 kB	+43.8 kB (new file)	🆕
packages/vechain-kit/dist/index-BVAPXVIE.d.cts	151 kB	+151 kB (new file)	🆕
packages/vechain-kit/dist/index-BVAPXVIE.d.cts.map	43.8 kB	+43.8 kB (new file)	🆕
packages/vechain-kit/dist/index-CWViOs1U.d.mts	0 B	-5.63 kB (removed)	🏆
packages/vechain-kit/dist/index-CWViOs1U.d.mts.map	0 B	-2.99 kB (removed)	🏆
packages/vechain-kit/dist/index-DJeQ-GDE.d.cts	0 B	-151 kB (removed)	🏆
packages/vechain-kit/dist/index-DJeQ-GDE.d.cts.map	0 B	-43.8 kB (removed)	🏆
packages/vechain-kit/dist/index-DSMUkHcK.d.cts	5.63 kB	+5.63 kB (new file)	🆕
packages/vechain-kit/dist/index-DSMUkHcK.d.cts.map	2.99 kB	+2.99 kB (new file)	🆕
packages/vechain-kit/dist/index-I8fe7GR2.d.cts	0 B	-5.63 kB (removed)	🏆
packages/vechain-kit/dist/index-I8fe7GR2.d.cts.map	0 B	-2.99 kB (removed)	🏆
packages/vechain-kit/dist/index-L4AW6cPh.d.mts	0 B	-151 kB (removed)	🏆
packages/vechain-kit/dist/index-L4AW6cPh.d.mts.map	0 B	-43.8 kB (removed)	🏆
packages/vechain-kit/dist/index.cjs.map	1.87 MB	-2.68 kB (-0.14%)
packages/vechain-kit/dist/index.mjs.map	1.82 MB	-2.01 kB (-0.11%)
packages/vechain-kit/dist/utils-BQ9mZctf.cjs	0 B	-25.9 kB (removed)	🏆
packages/vechain-kit/dist/utils-BQ9mZctf.cjs.map	0 B	-64.8 kB (removed)	🏆
packages/vechain-kit/dist/utils-BxZj2QIg.mjs	0 B	-20.9 kB (removed)	🏆
packages/vechain-kit/dist/utils-BxZj2QIg.mjs.map	0 B	-64.1 kB (removed)	🏆
packages/vechain-kit/dist/utils-CNYVq6tT.mjs	21.2 kB	+21.2 kB (new file)	🆕
packages/vechain-kit/dist/utils-CNYVq6tT.mjs.map	63.4 kB	+63.4 kB (new file)	🆕
packages/vechain-kit/dist/utils-DcAJej3n.cjs	26.4 kB	+26.4 kB (new file)	🆕
packages/vechain-kit/dist/utils-DcAJej3n.cjs.map	63.7 kB	+63.7 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
packages/vechain-kit/dist/assets	4.1 kB	0 B
packages/vechain-kit/dist/assets/index.cjs	716 B	0 B
packages/vechain-kit/dist/assets/index.d.cts	973 B	0 B
packages/vechain-kit/dist/assets/index.d.mts	973 B	0 B
packages/vechain-kit/dist/assets/index.mjs	718 B	0 B
packages/vechain-kit/dist/index.cjs	613 kB	+451 B (+0.07%)
packages/vechain-kit/dist/index.d.cts	20.5 kB	0 B
packages/vechain-kit/dist/index.d.mts	20.5 kB	0 B
packages/vechain-kit/dist/index.mjs	578 kB	+210 B (+0.04%)
packages/vechain-kit/dist/utils	4.1 kB	0 B
packages/vechain-kit/dist/utils/index.cjs	1.94 kB	0 B
packages/vechain-kit/dist/utils/index.d.cts	2.97 kB	0 B
packages/vechain-kit/dist/utils/index.d.mts	2.97 kB	0 B
packages/vechain-kit/dist/utils/index.mjs	1.96 kB	0 B

_{compressed-size-action}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

.github/workflows/lint-build-test.yaml (2)

36-38: Minor formatting and style issues in the comment body.

• Line 36: "Eg." should be styled as "e.g.," (lowercase with comma) per standard English conventions.
• Line 38: Excessive indentation before "Next steps:" creates awkward spacing.

🔎 Proposed fix

             Since this PR comes from a forked repository, the lint and build will only run for internal PRs for security reasons.
-            Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**
+            Please ensure that your PR is coming from a meaningful branch name, e.g., feature/my-feature **not main**

-                      **Next steps:**
+            **Next steps:**
                       1. A maintainer will review your code

---

65-72: Consider enabling compression for more accurate size analysis.

The compression: none setting means the size comparison doesn't account for how files will actually be served (typically gzipped or brotli-compressed). Consider using compression: gzip or compression: brotli for a more realistic size impact assessment.

🔎 Proposed change

       - name: Compare package sizes
         uses: preactjs/compressed-size-action@946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a # v2
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           pattern: "packages/vechain-kit/dist/**/*"
           exclude: "{**/node_modules/**}"
-          compression: none
+          compression: gzip
           minimum-change-threshold: 1000

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb2990f and e4b7670.

📒 Files selected for processing (2)

• .github/workflows/build-size.yaml
• .github/workflows/lint-build-test.yaml

💤 Files with no reviewable changes (1)

• .github/workflows/build-size.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-size-check
• GitHub Check: e2e-test

🔇 Additional comments (1)

.github/workflows/lint-build-test.yaml (1)

52-58: Action version updates look good.

The updates to actions/checkout@v4 and actions/setup-node@v4 are appropriate. The Node.js setup correctly uses the .nvmrc file for version management and enables yarn caching for faster builds.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/lint-build-test.yaml (1)

49-55: Checkout still doesn’t test PR changes under pull_request_target.

With pull_request_target, actions/checkout@v4 without an explicit ref/repository checks out the base branch, so this job currently builds and lints main, not the PR’s code—even for internal PRs and for external PRs with safe-to-build. That makes the CI signal misleading and effectively useless for catching regressions.

To both respect the gating you’ve added and actually exercise the PR code, explicitly check out the PR head commit from the PR’s repository (and avoid persisting credentials):

Proposed checkout fix

       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false

This keeps the pull_request_target security posture (thanks to your gating + minimal permissions) while ensuring builds/lints are run against the actual PR code.

In GitHub Actions, for workflows triggered by `pull_request_target`, what commit does `actions/checkout@v4` check out when `ref` is omitted, and what is the recommended pattern to safely build/test the PR’s head commit (including for forks) while minimizing token permissions?

🧹 Nitpick comments (1)

.github/workflows/lint-build-test.yaml (1)

33-41: Clarify external‑PR guidance text to match actual behavior.

The message says “lint and build will only run for internal PRs,” but the job condition also allows external PRs once a maintainer adds the safe-to-build label. To avoid confusing contributors, consider rephrasing to something like “lint and build won’t run automatically for forked PRs; a maintainer can trigger them by adding the safe-to-build label,” while keeping the numbered steps.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4b7670 and e538915.

📒 Files selected for processing (1)

• .github/workflows/lint-build-test.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-size-check

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/lint-build-test.yaml:
- Around line 32-43: The comment body under the "body:" YAML key contains excess
leading spaces on the "Next steps" block (lines containing "**Next steps:**",
the numbered list items and closing lines) which causes GitHub to render it as a
code block; remove the extra indentation so those lines align with the
surrounding paragraph (no more than 0–1 leading spaces) and ensure the numbered
list lines start at the same column as "## 👋 Thanks for your contribution!" to
restore proper Markdown list rendering.

🧹 Nitpick comments (2)

.github/workflows/lint-build-test.yaml (2)

49-51: Consider adding explicit parentheses for clarity.

The condition works correctly due to operator precedence (&& binds tighter than ||), but the inconsistent parenthesization reduces readability. Wrapping the entire second condition makes the intent explicit.

Proposed fix

     if: |
       (github.event.label.name == 'safe-to-build') ||
-      (github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main'
+      ((github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main')

---

53-56: Consider pinning all actions to SHA for consistency and supply-chain security.

The workflow pins peter-evans/create-or-update-comment and preactjs/compressed-size-action to SHA hashes but uses tag references for actions/checkout@v4 and actions/setup-node@v4. SHA pinning provides stronger supply-chain security guarantees by preventing tag hijacking.

Proposed fix with SHA-pinned versions

       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}

       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version-file: .nvmrc
           cache: yarn

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e538915 and e932b86.

📒 Files selected for processing (1)

• .github/workflows/lint-build-test.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-size-check

🔇 Additional comments (2)

.github/workflows/lint-build-test.yaml (2)

4-8: Security setup for pull_request_target is reasonable.

The workflow correctly uses pull_request_target with a label-gating mechanism for external PRs. The contents: read permission at the workflow level is appropriate. The zizmor annotation documents the known risk and mitigation strategy.

Be aware that this pattern still requires maintainers to carefully review PR code before adding the safe-to-build label, as the workflow will execute arbitrary code from the PR with access to secrets.GITHUB_TOKEN.

Also applies to: 14-15

---

64-77: Build and lint steps look good.

The workflow correctly sequences dependency installation, build, size comparison, and linting. The compressed-size-action is properly configured with a reasonable threshold.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/lint-build-test.yaml:
- Around line 32-43: The comment body in the workflow step (the YAML "body"
string) contains extra leading spaces on the lines starting with "**Next
steps:**" through "3. **After each new commit**..." which makes Markdown treat
them as a code block; edit the "body" value to remove the additional indentation
on those lines so all lines align with the paragraph text (no leading spaces
before the bullets and phrases), preserving the same text but normalizing
indentation to avoid unintended code-block rendering.
- Around line 14-15: The workflow currently only sets top-level permissions to
"contents: read", preventing the compressed-size-action from posting PR
comments; update the permissions for the build-and-test-job (job name:
build-and-test-job) to include "pull-requests: write" (or add the same
permission at the workflow level) so the compressed-size-action can post size
comparison comments—modify the permissions block that references permissions:
contents: read to also include pull-requests: write for that job.

🧹 Nitpick comments (1)

.github/workflows/lint-build-test.yaml (1)

49-51: Add explicit parentheses to clarify operator precedence.

The condition relies on && having higher precedence than ||. While this likely produces the intended behavior, explicit parentheses would make the intent clearer and prevent future maintenance errors.

Proposed fix

     if: |
       (github.event.label.name == 'safe-to-build') ||
-      (github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main'
+      ((github.event.pull_request.head.repo.full_name == github.repository) && (github.event.pull_request.head.ref != 'main'))

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e932b86 and 3a2c767.

📒 Files selected for processing (1)

• .github/workflows/lint-build-test.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-size-check

🔇 Additional comments (4)

.github/workflows/lint-build-test.yaml (4)

3-8: The pull_request_target security model is correctly implemented.

The workflow properly gates the build job behind either the safe-to-build label (for external PRs) or same-repository origin checks. This follows the recommended pattern for safely handling fork PRs with pull_request_target.

---

64-78: Build, lint, and size comparison steps look good.

The yarn && yarn install:all pattern is appropriate for monorepos where root dependencies need to be installed before running workspace-specific install scripts. The step ordering (install → build → size compare → lint) is logical.

---

58-62: The setup-node action SHA is correctly pinned to v4.4.0.

The SHA 49933ea5288caeca8642d1e84afbd3f7d6820020 is a valid release commit corresponding to v4.4.0 of actions/setup-node. The pinned SHA practice is sound.

---

53-56: No action needed. The code correctly uses actions/checkout@v6.0.1 with a valid SHA. Version 6 is the current major release, and the specified commit 8e8c483db84b4bee98b60c0593521ed34d9990e8 is confirmed as a legitimate release commit dated December 2, 2025. The version and SHA are both accurate and secure.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing pull-requests: write permission for the build job.

The compressed-size-action (line 70) needs pull-requests: write permission to post size comparison comments on the PR. Currently, only contents: read is set at the workflow level, and the build-and-test-job doesn't override this.

Proposed fix

Add permissions to the build-and-test-job:

   build-and-test-job:
     runs-on: ubuntu-latest
     name: Lint & Build & Compare package sizes
+    permissions:
+      contents: read
+      pull-requests: write
     if: |

🤖 Prompt for AI Agents

In @.github/workflows/lint-build-test.yaml around lines 14 - 15, The workflow
currently only sets top-level permissions to "contents: read", preventing the
compressed-size-action from posting PR comments; update the permissions for the
build-and-test-job (job name: build-and-test-job) to include "pull-requests:
write" (or add the same permission at the workflow level) so the
compressed-size-action can post size comparison comments—modify the permissions
block that references permissions: contents: read to also include pull-requests:
write for that job.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistent indentation in comment body will render poorly.

Lines 38-42 have extra leading spaces that will cause them to render as a code block in Markdown, breaking the visual consistency of the comment.

Proposed fix

           body: |
             ## 👋 Thanks for your contribution!

             Since this PR comes from a forked repository, the lint and build will only run for internal PRs for security reasons.
             Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**

-                      **Next steps:**
-                      1. A maintainer will review your code
-                      2. If approved, they'll add the `safe-to-build` label to trigger build and test
-                      3. **After each new commit**, the maintainer will need to remove and re-add the label for security
+            **Next steps:**
+            1. A maintainer will review your code
+            2. If approved, they'll add the `safe-to-build` label to trigger build and test
+            3. **After each new commit**, the maintainer will need to remove and re-add the label for security

             Thank you for your patience! 🙏

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	body: |
	## 👋 Thanks for your contribution!
	Since this PR comes from a forked repository, the lint and build will only run for internal PRs for security reasons.
	Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**
	**Next steps:**
	1. A maintainer will review your code
	2. If approved, they'll add the `safe-to-build` label to trigger build and test
	3. **After each new commit**, the maintainer will need to remove and re-add the label for security
	Thank you for your patience! 🙏
	body: |
	## 👋 Thanks for your contribution!
	Since this PR comes from a forked repository, the lint and build will only run for internal PRs for security reasons.
	Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**
	**Next steps:**
	1. A maintainer will review your code
	2. If approved, they'll add the `safe-to-build` label to trigger build and test
	3. **After each new commit**, the maintainer will need to remove and re-add the label for security
	Thank you for your patience! 🙏

🤖 Prompt for AI Agents

In @.github/workflows/lint-build-test.yaml around lines 32 - 43, The comment
body in the workflow step (the YAML "body" string) contains extra leading spaces
on the lines starting with "**Next steps:**" through "3. **After each new
commit**..." which makes Markdown treat them as a code block; edit the "body"
value to remove the additional indentation on those lines so all lines align
with the paragraph text (no leading spaces before the bullets and phrases),
preserving the same text but normalizing indentation to avoid unintended
code-block rendering.