chore: quick wins — CI, npm config, badges, security fixes#8
…docs update
- Add GitHub Actions CI workflow (test + build on every PR)
- Add npm publish metadata (engines, keywords, repository, author)
- Add CI, npm, and GitHub stars badges to README
- Fix CodeQL alert: iterative HTML tag stripping in copyscape.ts
- Fix CodeQL alert: escape backslashes in regenerate-panel.tsx
- Update GitHub repo description and topics
- Add missing Contexts page to features.md dashboard table
- Fix misleading getTextBlock() docs in custom-skills.md
- Update CONTRIBUTING.md contribution ideas (remove shipped items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 696793d25e
| "files": [ | ||
| "src/", | ||
| "build.sh", | ||
| "README.md", | ||
| "LICENSE", |
Include dashboard files in published package
The new files whitelist excludes dashboard/, so npm installs no longer contain the web UI assets even though article-checker --ui is documented and the CLI explicitly expects ../dashboard at runtime (src/index.tsx exits when it is missing). This is a functional regression for all npm users: --ui now fails immediately after install. Please add the dashboard directory (and required files) to the published package, or remove the restrictive whitelist.
Pull request overview
This PR focuses on “quick wins” around project metadata and reliability: adding CI, improving npm publishing metadata, updating documentation/README presentation, and addressing two CodeQL-reported security issues.
Changes:
- Add a GitHub Actions CI workflow to run CLI tests, dashboard tests/build, and build CLI binaries.
- Expand npm package metadata (description, engines, keywords, repository/bugs/homepage, publish files list).
- Apply CodeQL fixes (Copyscape snippet HTML tag stripping; escaping in dashboard regenerate command), plus docs/README updates.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/copyscape.ts | Adjusts HTML snippet tag stripping logic per CodeQL guidance. |
| package.json | Adds npm publishing metadata, engines, and files allowlist. |
| docs/features.md | Documents the dashboard “Contexts” page. |
| docs/custom-skills.md | Updates guidance for MiniMax “thinking” blocks handling. |
| dashboard/src/components/regenerate-panel.tsx | Escapes backslashes in the displayed --fix command argument. |
| README.md | Adds badges and updates skills/MCP/tooling descriptions. |
| CONTRIBUTING.md | Refreshes contribution ideas list. |
| .github/workflows/ci.yml | Adds CI workflow to test and build on PRs/pushes. |
| "files": [ | ||
| "src/", | ||
| "build.sh", | ||
| "README.md", | ||
| "LICENSE", | ||
| "AGENTS.md" | ||
| ], |
files controls what gets published to npm. Excluding dashboard/ means article-checker --ui (which looks for ../dashboard at runtime) will fail for consumers installing from npm. Either include the dashboard (and ensure its dependencies are installable, e.g., via workspaces/postinstall) or update the CLI/README to clearly mark --ui as "source-repo only" and avoid advertising it for npm installs.
| const safeSource = source.replace(/\\/g, "\\\\").replace(/"/g, '\\"'); | ||
| const command = `article-checker --fix "${safeSource}"`; |
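Review bot: the escaping in this hunk is ordered correctly (backslashes before quotes), but because the result is placed inside double quotes, `$...`, backticks and an embedded newline in `source` are still interpreted when the displayed command is pasted into a POSIX shell. Since this string exists only to be copied and run, single quoting removes the whole class: `const safeSource = "'" + source.replace(/'/g, "'\\''") + "'";` and then `article-checker --fix ${safeSource}` without the surrounding double quotes. If Windows users are expected, the README should note that this form is for POSIX shells.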
This constructs a shell command by wrapping source in double quotes, but only escapes backslashes and ". In many shells, $(), backticks, $VAR, and embedded newlines are still interpreted inside double quotes, so copying/pasting the command can behave unexpectedly (or dangerously if source is attacker-controlled via the stored source label). Consider generating a properly shell-escaped argument (e.g., single-quote style escaping for POSIX shells) and/or showing separate commands for bash vs PowerShell.
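An added example (not code from this PR or the article-checker project) that places the hunk's double-quote escaping beside the POSIX single-quote escaping the comment above suggests, with a small decoder that shows the single-quoted form round-trips; `shellQuotePosix`, `posixUnquote` and the sample labels are assumptions for the illustration.

```typescript
// Added example (not the project's code): the hunk's double-quote escaping
// next to POSIX single-quote escaping, with a small decoder to show the
// round trip. Function names are assumptions for this illustration.

// What the hunk above does: wrap in double quotes, escaping only \ and ".
function escapeDoubleQuoted(source: string): string {
  return source.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Inside double quotes a POSIX shell still expands $... and `...`, bash may
// apply history expansion on !, and a newline ends the command line.
// Flag labels that contain any of them.
function doubleQuotedStillInterpreted(source: string): boolean {
  return /[$`!\n]/.test(source);
}

// Hardened form: inside single quotes nothing is interpreted, so only the
// quote itself needs handling, via the close-escape-reopen idiom '\''.
function shellQuotePosix(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

function buildFixCommand(source: string): string {
  return `article-checker --fix ${shellQuotePosix(source)}`;
}

// Minimal POSIX word decoder for the two constructs shellQuotePosix emits:
// single-quoted segments (taken literally) and a backslash-escaped quote.
function posixUnquote(word: string): string {
  let out = "";
  let i = 0;
  while (i < word.length) {
    const c = word.charAt(i);
    if (c === "'") {
      const end = word.indexOf("'", i + 1);
      if (end < 0) throw new Error("unterminated single quote");
      out += word.slice(i + 1, end);   // newline inside quotes stays literal
      i = end + 1;
    } else if (c === "\\" && i + 1 < word.length) {
      out += word.charAt(i + 1);       // \' outside quotes is a literal quote
      i += 2;
    } else {
      out += c;                        // bare character (not produced above)
      i += 1;
    }
  }
  return out;
}
```

Running the decoder over a constructed label containing `$HOME`, backticks, an apostrophe and a newline returns the label unchanged, while the same label trips `doubleQuotedStillInterpreted`.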
🤖 Generated with Claude Code