ci(web-ui): Cloudflare Pages preview deploys + setup docs#78
Conversation
📝 Walkthrough: The PR adds Cloudflare Pages deployment for the web UI, enables static export in Next.js, and documents the preview and production deployment flow.
Estimated code review effort: 3 (Moderate) | ~25 minutes
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/deploy-web-ui.yml (1)
30-30: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win: Disable persisted Git credentials in checkout.
Line 30 should set `persist-credentials: false` to reduce token exposure on runner state.
Suggested change:
- - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false🤖 Prompt for AI Agents
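Review bot: the suggested `persist-credentials: false` is the right default here, and nothing visible in this workflow pushes back to the repository, so it should not break anything; the later "Post preview URL on PR" step talks to the GitHub API with curl and therefore has to receive `secrets.GITHUB_TOKEN` through its `env:` regardless. It would help to say so next to the suggestion, since the usual objection to this setting is that a later `git push` stops working.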
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/deploy-web-ui.yml at line 30, The actions/checkout@v4 step does not include the persist-credentials parameter, which leaves Git credentials persisted on the runner and increases token exposure. Add the persist-credentials option set to false in the checkout action configuration to prevent credentials from being saved to the runner state and improve security.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-web-ui.yml:
- Line 30: Replace all moving version tags in the GitHub Actions workflow with
immutable commit SHAs. On lines 30, 32, 34, and 51, change the actions/checkout
references and other third-party actions from using moving tags like `@v4` and `@v3`
to pinned commit SHAs (format: @<full-commit-sha>). This ensures reproducibility
and prevents unintended upstream changes from affecting your workflow. Verify
the correct commit SHAs from the official action repositories before applying
the changes.
- Around line 84-86: The jq filter in the comment selection logic only checks if
the comment body contains the marker string, but does not verify the comment
author. This could cause the bot to update a user's comment if they happen to
include the marker. Modify the jq select filter to add an additional condition
that checks the user.login field equals "github-actions[bot]" alongside the
existing body contains check, ensuring only comments authored by the bot are
selected for update.
- Around line 10-15: The pull_request event does not provide access to
repository secrets for forked repositories, causing the deploy job to fail when
lines 53-54 attempt to use secrets.CLOUDFLARE_API_TOKEN and
secrets.CLOUDFLARE_ACCOUNT_ID. Add a conditional guard to the deploy job using
github.event.pull_request.head.repo.full_name == github.repository to ensure the
job only runs for pull requests from the same repository, skipping execution for
forked PRs that lack access to these secrets.
---
Nitpick comments:
In @.github/workflows/deploy-web-ui.yml:
- Line 30: The actions/checkout@v4 step does not include the persist-credentials
parameter, which leaves Git credentials persisted on the runner and increases
token exposure. Add the persist-credentials option set to false in the checkout
action configuration to prevent credentials from being saved to the runner state
and improve security.
📒 Files selected for processing (4):
- .github/workflows/deploy-web-ui.yml
- README.md
- apps/web-ui/README.md
- apps/web-ui/next.config.ts
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-web-ui.yml:
- Around line 58-98: The "Post preview URL on PR" step uses set -euo pipefail
which causes the entire job to fail if any GitHub API curl calls fail due to
transient issues, obscuring actual deployment status. Wrap the curl commands
that post/update the PR comment (the EXISTING_ID lookup curl and the subsequent
PATCH or POST curl calls) with error handling to make them non-critical. This
can be done by either temporarily disabling pipefail with set +e before the
comment posting logic and set -e afterwards, or by adding || true to the curl
commands, or by implementing retry logic to handle transient API failures
gracefully without failing the job.
- Line 30: The actions/checkout@v4 action on line 30 is missing the
persist-credentials: false configuration. Since this workflow processes
untrusted code from pull requests (executing pnpm install and pnpm build), the
GITHUB_TOKEN must be prevented from persisting in git config to avoid potential
exploitation by malicious scripts. Add the persist-credentials: false parameter
to the checkout action to disable credential persistence.
📒 Files selected for processing (4):
- .github/workflows/deploy-web-ui.yml
- README.md
- apps/web-ui/README.md
- apps/web-ui/next.config.ts
✅ Files skipped from review due to trivial changes (2)
- apps/web-ui/README.md
- README.md
🚧 Files skipped from review as they are similar to previous changes (1)
- apps/web-ui/next.config.ts
Nice @Isusami, please check the CodeRabbit review and maybe check why the deploy in CI/CD is failing?

Thanks for the Cloudflare Pages preview workflow! I'm leaving this PR open because merging requires repository secrets (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID) that need to be provisioned by someone with repo admin access — that's a maintainer decision, not something I can do unilaterally. This PR is NOT superseded and your work is preserved on the branch. If you want to make it easier for the maintainer: add a
Hi @Isusami — main has been integrated via PR #85 (merged at 251140c). Your PR is in good shape and the workflow itself is well-built. Two things to know about its current state:
I have opened a tracking issue to handle the Cloudflare setup. Once a maintainer has added the project and the two repo secrets, the only remaining step on your side is to rebase. The MVP is not blocked on this; preview deploys are a contributor-experience improvement on top of the working MVP. Thanks for the careful work on the security controls and the lockfile-merge fix.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-web-ui.yml:
- Around line 46-54: The Cloudflare Pages deploy step in the deploy-web-ui
workflow is missing an explicit branch name, so Wrangler may fall back to HEAD
during detached-HEAD PR runs. Update the wrangler-action command in the Deploy
to Cloudflare Pages step to pass the current branch explicitly with --branch,
using the workflow’s branch context, so PR preview aliases resolve correctly.
⛔ Files ignored due to path filters (1):
- pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (3):
- .github/workflows/deploy-web-ui.yml
- README.md
- apps/web-ui/README.md
✅ Files skipped from review due to trivial changes (1)
- apps/web-ui/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
- README.md
What was broken in the original PR #78:
- Deploy job failed in ~21s with no output (no Cloudflare Pages project existed and the workflow had no branch guard for fork PRs).
- 'pnpm build' ran from the workspace root with no working dir but 'pnpm exec wrangler' (run by the action) only saw apps/web-ui/node_modules, falling back to a forbidden 'pnpm add wrangler' into the workspace root.
What this commit changes (all minimum-diff against a7caa26):
- Workflow: skip fork PRs (no secrets) using a contains() guard that doesn't dereference a null pull_request on push events.
- Workflow: persist-credentials: false on actions/checkout@v4 (zizmor artipacked).
- Workflow: pnpm build runs from the repo root so turbo can orchestrate @cv-builder/core before web.
- Workflow: workingDirectory: apps/web-ui + --branch ${{ (github.head_ref || github.ref_name) | replace('/', '-') }} on the wrangler command (CodeRabbit review: detached-HEAD on PR checkouts makes wrangler emit 'HEAD' as the alias, which Cloudflare rejects).
- apps/web-ui/package.json: add wrangler@^3.90.0 to devDependencies so 'pnpm exec wrangler' finds it locally.
- pnpm-lock.yaml: refreshed to include wrangler + workspace deps.
- apps/web-ui/next.config.ts: unchanged from the original PR (was reverted during the agent's debugging).
- README.md, apps/web-ui/README.md: unchanged from the original PR.
Test plan once secrets are set and a Cloudflare Pages project named 'cv-builder-web' exists in the same account as the token:
- Deploy job should pass and post a preview URL comment.
- Subsequent pushes on the same PR should PATCH the same comment, not duplicate.
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed | cv-builder-web | eec4c46 | Jul 03 2026, 09:37 AM |
docs/MVP_DEMO_PLAN.md still said 'Node 22+' in the prereqs section, which conflicts with the actual repo metadata (Node >= 20.0.0 in package.json) and with the authoritative setup guide in docs/LOCAL_DEMO.md. Replace the prereqs with a short pointer to LOCAL_DEMO.md plus a one-line accurate summary, so this historical demo-readiness doc no longer contradicts current setup instructions.
docs/REPO_DOCS_AUDIT.md: remove the corresponding entry from the 'remaining documentation risks' list, fix the resulting item numbering, and add a note recording that the Node-version item was resolved before merge.
No code, evaluator, or rule changes. No new features. PR #37 and PR #78 untouched.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6 (fresh --force, emits /, /_not-found, /feedback, /results).
Two unresolved CodeRabbit comments fixed in this commit:
1. README.md — replace hard-coded '5 issues' in the evaluator diagram with the non-fixed wording 'Issues'. evaluate() returns a variable-length issues array; a fixed count would drift as scoring changes. The other diagram labels (Score, Strengths, ATS verdict, Archetype) are kept as-is because they describe deterministic outputs that do not vary in count.
2. packages/intelligence/README.md — the previous audit pass claimed this package ships eight roles and falls back to Backend Engineer. But packages/intelligence/src/archetypes/index.ts registers only three archetypes (Software Engineer, Product Manager, Data & ML Engineer) and DEFAULT_ARCHETYPE is softwareEngineer.
Update the README to reflect the actual registry. Add a note clarifying that @cv-builder/core has a separate, broader legacy/runtime registry (7 roles) used by the CLI and Web UI, and that unifying the two registries is a follow-up — see docs/ARCHETYPE_GAP_AUDIT.md.
docs/REPO_DOCS_AUDIT.md updated to record that the packages/intelligence/README.md archetype-inventory row was corrected in two steps (the audit pass incorrectly bumped the package claim to 8; this commit brings it back to 3 and adds the @cv-builder/core note).
No code changes. No new features. PR #37 and PR #78 untouched. Docs only.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6.
* docs: align repository documentation with MVP status
Documentation-only audit. No code, evaluator, or rule changes; no new features; no Cloudflare work; no changes to PR #37 or #78.
User-facing copy fixed:
- README.md: replace misleading ASCII diagram (3 rewrites / Tailored CV) with the actual MVP outputs (Score, Issues, Strengths, ATS verdict, Archetype); clarify that /evaluate-cv ./my-resume.pdf works only because Claude Code reads PDFs natively (the local CLI/web UI parse .md and .txt only).
- apps/web-ui layout.tsx: Next.js metadata description replaced with honest CV-evaluator copy (no longer 'Build a tailored resume...').
- apps/web-ui/README.md: list all three routes (/, /results, /feedback), note the static-export + privacy-first posture.
- apps/cli/README.md: same PDF-clarification note as the root README.
- package.json descriptions (root + core + cli): remove 'tailor / build' wording; describe the deterministic evaluator.
- packages/intelligence/README.md: list the eight shipped roles (matches README and the actual implementation) and correct the default archetype (Backend Engineer, not Software Engineer).
- packages/eval/README.md: drop the outdated LLM-provider claim; the MVP is fully deterministic.
- .claude/skills/cv-evaluation/SKILL.md: 'local MVP', not 'hosted product'; default archetype corrected.
- ROADMAP.md: status note added; Phase-1 / #74 / #75 / #76 / #85 / #87 marked as recently shipped; only #37 and #78 remain in progress.
Historical docs marked with status notes (not rewritten, just flagged as pre-release context): ARCHITECTURE.md, PROPOSAL.md, PHASE-1.md, V1_SCOPE.md, MVP_DEMO_PLAN.md, PR_CLEANUP_HANDOFF.md, POST_MERGE_VALIDATION.md, REMAINING_PRS_PLAN.md, PR85_ROLLBACK_PLAN.md. Each now points readers to docs/MVP_RELEASE_STATUS.md.
New:
- docs/REPO_DOCS_AUDIT.md records the audit date, files reviewed, files changed, outdated claims found and fixed, historical docs left intentionally unchanged, remaining risks, and the validation results.
Validates: pnpm test (12/12), pnpm lint (0 errors), pnpm build (6/6, fresh --force: emits /, /_not-found, /feedback, /results).
* docs: fix remaining Node version reference
docs/MVP_DEMO_PLAN.md still said 'Node 22+' in the prereqs section, which conflicts with the actual repo metadata (Node >= 20.0.0 in package.json) and with the authoritative setup guide in docs/LOCAL_DEMO.md. Replace the prereqs with a short pointer to LOCAL_DEMO.md plus a one-line accurate summary, so this historical demo-readiness doc no longer contradicts current setup instructions.
docs/REPO_DOCS_AUDIT.md: remove the corresponding entry from the 'remaining documentation risks' list, fix the resulting item numbering, and add a note recording that the Node-version item was resolved before merge.
No code, evaluator, or rule changes. No new features. PR #37 and PR #78 untouched.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6 (fresh --force, emits /, /_not-found, /feedback, /results).
* docs: address remaining CodeRabbit comments on PR #88
Two unresolved CodeRabbit comments fixed in this commit:
1. README.md — replace hard-coded '5 issues' in the evaluator diagram with the non-fixed wording 'Issues'. evaluate() returns a variable-length issues array; a fixed count would drift as scoring changes. The other diagram labels (Score, Strengths, ATS verdict, Archetype) are kept as-is because they describe deterministic outputs that do not vary in count.
2. packages/intelligence/README.md — the previous audit pass claimed this package ships eight roles and falls back to Backend Engineer. But packages/intelligence/src/archetypes/index.ts registers only three archetypes (Software Engineer, Product Manager, Data & ML Engineer) and DEFAULT_ARCHETYPE is softwareEngineer.
Update the README to reflect the actual registry. Add a note clarifying that @cv-builder/core has a separate, broader legacy/runtime registry (7 roles) used by the CLI and Web UI, and that unifying the two registries is a follow-up — see docs/ARCHETYPE_GAP_AUDIT.md.
docs/REPO_DOCS_AUDIT.md updated to record that the packages/intelligence/README.md archetype-inventory row was corrected in two steps (the audit pass incorrectly bumped the package claim to 8; this commit brings it back to 3 and adds the @cv-builder/core note).
No code changes. No new features. PR #37 and PR #78 untouched. Docs only.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6.
---------
Co-authored-by: Cleanup Bot <cleanup-bot@example.com>
The audit draft was written before the GitHub API assigned the actual issue numbers. It referenced 'issue #97' in three places for the plain-Product-Manager follow-up. The real issue number is #90 (verified via gh issue view).
- Line 135: 'issue #97, see footer' -> 'issue #90, see footer'
- Line 194: 'Filed as issue #97' -> 'Filed as issue #90'
- Line 204: 'follow-up to #97' -> 'follow-up to #90'
Also caught by this rebase onto latest main (docs: align repository documentation with MVP status, PR #88). The rebase was conflict-free because PR #88 and the audit modified orthogonal sections of the shared files (README.md, docs/MVP_RELEASE_STATUS.md, and docs/PR_CLEANUP_HANDOFF.md).
The rebase confirmed that all five audit findings survived intact:
- core registry has 7 live archetypes
- intelligence registry has 3 archetypes
- plain Product Manager is missing from core
- #90 tracks plain Product Manager
- #91 tracks registry consolidation
No code changes. Docs only. PR #37 and PR #78 untouched.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6.
* docs: audit role archetype coverage
Adds a comprehensive audit of the role-archetype registries, plus the
small docs-only corrections called out in the audit.
Audited:
- packages/core/src/archetypes/index.ts (7 archetypes, RoleArchetype)
- packages/intelligence/src/archetypes/ (3 archetypes, Archetype)
- packages/schemas/src/archetype.ts (Zod Archetype schema)
- packages/core/src/evaluator/index.ts (live evaluator)
- packages/cli/src/cli.ts (CLI archetypes list)
- apps/web-ui/src/app/{results,components}/* (web UI consumer)
- packages/eval/src/__tests__/fixtures.test.ts (eval fixtures)
- issues, scripts/create-issues.sh, docs/ISSUES_SEED.md, ROADMAP
equivalents in README/docs, V1_SCOPE, PHASE-1, ARCHITECTURE
Key findings:
1. Two parallel archetype registries (core vs intelligence) on
divergent schemas. CLI + Web UI use core (7); prompts + eval
fixtures use intelligence (3).
2. README claimed 8 archetypes; core has 7, intelligence has 3.
Fixed to 7 in README, MVP_RELEASE_STATUS, PR_CLEANUP_HANDOFF.
3. Plain Product Manager detection is broken in the live system:
core has only ai-product-manager, so a non-AI PM CV falls back
to backend-engineer.
Files changed:
- docs/ARCHETYPE_GAP_AUDIT.md (new, 200+ lines)
- README.md: '8 role archetypes' -> '7', removed Machine Learning
Engineer from 'currently built-in' list (not in core), added
pointer to the audit
- docs/MVP_RELEASE_STATUS.md: 8 archetypes -> 7 in two places
- docs/PR_CLEANUP_HANDOFF.md: clarified 3 archetypes in intelligence
vs 7 in core
* docs: fix stale issue numbers in archetype gap audit
The audit draft was written before the GitHub API assigned the actual
issue numbers. It referenced 'issue #97' in three places for the
plain-Product-Manager follow-up. The real issue number is #90
(verified via gh issue view).
- Line 135: 'issue #97, see footer' -> 'issue #90, see footer'
- Line 194: 'Filed as issue #97' -> 'Filed as issue #90'
- Line 204: 'follow-up to #97' -> 'follow-up to #90'
Also caught by this rebase onto latest main (docs: align repository
documentation with MVP status, PR #88). The rebase was conflict-free
because PR #88 and the audit modified orthogonal sections of the
shared files (README.md, docs/MVP_RELEASE_STATUS.md, and
docs/PR_CLEANUP_HANDOFF.md).
The rebase confirmed that all five audit findings survived intact:
- core registry has 7 live archetypes
- intelligence registry has 3 archetypes
- plain Product Manager is missing from core
- #90 tracks plain Product Manager
- #91 tracks registry consolidation
No code changes. Docs only. PR #37 and PR #78 untouched.
Validates: pnpm test 12/12, pnpm lint 0 errors, pnpm build 6/6.
---------
Co-authored-by: Cleanup Bot <cleanup-bot@example.com>
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-web-ui.yml:
- Around line 60-64: The deploy-web-ui workflow is using an unsupported GitHub
Actions expression for branch normalization in the pages deploy command. Move
the ref cleanup out of the inline `command` in
`.github/workflows/deploy-web-ui.yml` and normalize `github.head_ref` or
`github.ref_name` in a separate runtime step, then pass the resulting branch
value into `--branch` for the `pages deploy` step.
In `@apps/web-ui/README.md`:
- Around line 7-9: The README scope statement is outdated: it still lists hosted
deployment as out of scope even though the new Previews section covers it.
Update the community MVP description in the README to remove hosted deployment
from the excluded features and keep the restriction focused only on server-only
features, preserving the rest of the scope wording consistent with the new
preview-related docs.
In `@README.md`:
- Around line 167-170: The README description for the web UI deployment workflow
is too broad; it says every PR push triggers previews, but the `Deploy web UI`
workflow only runs for same-repo PRs because forked PRs don’t have the
Cloudflare secrets. Update the wording in the deployment section to reflect that
preview deploys and PR comments happen only for pushes from branches in the main
repository, while keeping the references to `apps/web-ui/**`, `Deploy web UI`,
and the production deploy to `main`.
⛔ Files ignored due to path filters (1):
- pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (5):
- .github/workflows/deploy-web-ui.yml
- README.md
- apps/web-ui/README.md
- apps/web-ui/next.config.ts
- apps/web-ui/package.json
✅ Files skipped from review due to trivial changes (1)
- apps/web-ui/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
- apps/web-ui/next.config.ts
Caution
Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.
Actionable comments posted: 3
🛑 Comments failed to post (3)
.github/workflows/deploy-web-ui.yml (1)
60-64: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
actionlint .github/workflows/deploy-web-ui.yml
```
Repository: TechImmigrants/cv-builder
Length of output: 289
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
nl -ba .github/workflows/deploy-web-ui.yml | sed -n '50,70p'
```
Repository: TechImmigrants/cv-builder
Length of output: 203
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/deploy-web-ui.yml')
for i, line in enumerate(path.read_text().splitlines(), 1):
    if 55 <= i <= 66:
        print(f"{i:4d}: {line}")
PY
```
Repository: TechImmigrants/cv-builder
Length of output: 965
🌐 Web query: GitHub Actions expressions replace function supported functions documentation
💡 Result:
GitHub Actions expressions do not currently support a generic string replace function [1]. While there is a `format()` function available in GitHub Actions, it is designed for string interpolation rather than substring replacement [2][3]. The `format(string, replaceValue0, replaceValue1, ..., replaceValueN)` function replaces placeholders in a string (specified using `{N}` syntax) with provided variables [2][4]. If you need to perform string replacement within a GitHub Actions workflow, common workarounds include:
- Using a shell command (such as `sed`, `awk`, or PowerShell) within a `run` step to manipulate the string.
- Using a dedicated GitHub Action from the Marketplace that provides string manipulation capabilities.
Citations:
- 1: https://github.com/orgs/community/discussions/162164
- 2: https://docs.github.com/en/enterprise-cloud@latest/actions/reference/workflows-and-actions/expressions
- 3: https://docs.github.com/en/enterprise-server@3.12/actions/learn-github-actions/expressions
- 4: https://github.com/github/docs/blob/main/content/actions/reference/workflows-and-actions/expressions.md
Fix the branch normalization before deploy
`.github/workflows/deploy-web-ui.yml:60-64` uses an unsupported expression pipe/function here, so the workflow won't parse. Normalize the ref in a shell step (or another runtime step) before passing it to `--branch`.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 60-60: got unexpected character ' ' while lexing || operator, expecting '|'
(expression)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/deploy-web-ui.yml around lines 60 - 64, The deploy-web-ui workflow is using an unsupported GitHub Actions expression for branch normalization in the pages deploy command. Move the ref cleanup out of the inline `command` in `.github/workflows/deploy-web-ui.yml` and normalize `github.head_ref` or `github.ref_name` in a separate runtime step, then pass the resulting branch value into `--branch` for the `pages deploy` step.
Source: Linters/SAST tools
apps/web-ui/README.md (1)
7-9: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Remove `hosted deployment` from the out-of-scope list. This now contradicts the new Previews section below. Keep the scope restriction limited to server-only features.
Suggested fix
- PDF parsing, hosted deployment, and rewrite suggestions are out of scope for this surface and tracked on the roadmap. + PDF parsing and rewrite suggestions are out of scope for this surface and tracked on the roadmap.As per path instructions, "Docs for an open-source project. Check clarity and that setup/commands match the actual scripts in package.json."
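Review bot: the replacement line drops "hosted deployment" but does not add the "server-only features" wording that the comment's own prompt asks the restriction to focus on, so the README and the review comment would still disagree about what is excluded; pick one phrasing, for example "PDF parsing and rewrite suggestions are out of scope for this surface; anything that needs a server is tracked on the roadmap."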
📝 Committable suggestion
‼️ IMPORTANT: Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
This is the **community MVP**: it scores an existing resume, it does not generate, tailor, or rewrite one. PDF parsing and rewrite suggestions are out of scope for this surface and tracked on the roadmap.
🧰 Tools
🪛 LanguageTool
[grammar] ~9-~9: Ensure spelling is correct
Context: ...e suggestions are out of scope for this surface and tracked on the roadmap. ## Routes ...(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/web-ui/README.md` around lines 7 - 9, The README scope statement is outdated: it still lists hosted deployment as out of scope even though the new Previews section covers it. Update the community MVP description in the README to remove hosted deployment from the excluded features and keep the restriction focused only on server-only features, preserving the rest of the scope wording consistent with the new preview-related docs.Source: Path instructions
README.md (1)

167-170: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Clarify that previews are same-repo only.

The workflow skips forked PRs because the Cloudflare secrets aren't available there, so "every push to a PR" is broader than what actually happens.

Suggested fix
- The web UI (`apps/web-ui/`) is deployed to **Cloudflare Pages**. Every push to a
- PR that changes `apps/web-ui/**` triggers the `Deploy web UI` workflow, which
+ The web UI (`apps/web-ui/`) is deployed to **Cloudflare Pages**. Every same-repository
+ PR that changes `apps/web-ui/**` triggers the `Deploy web UI` workflow, which

As per path instructions, "Docs for an open-source project. Check clarity and that setup/commands match the actual scripts in package.json."

📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

The web UI (`apps/web-ui/`) is deployed to **Cloudflare Pages**. Every same-repository PR that changes `apps/web-ui/**` triggers the `Deploy web UI` workflow, which builds a static export and posts a preview URL as a comment on the PR. Pushes to `main` deploy to the production site.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@README.md` around lines 167 - 170, The README description for the web UI deployment workflow is too broad; it says every PR push triggers previews, but the `Deploy web UI` workflow only runs for same-repo PRs because forked PRs don't have the Cloudflare secrets. Update the wording in the deployment section to reflect that preview deploys and PR comments happen only for pushes from branches in the main repository, while keeping the references to `apps/web-ui/**`, `Deploy web UI`, and the production deploy to `main`.

Source: Path instructions
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed (View logs) | cv-builder-web | 3517712 | Jul 03 2026, 09:03 AM |

🌐 Preview deployment: https://ci-cloudflare-pages-preview.cv-builder-cf-web.pages.dev
…light
Wire up preview deployments for the web UI on every PR via Cloudflare
Pages, with a hardened branch-alias step, a fast pre-flight check, and
a setup guide so the next maintainer doesn't have to rediscover which
account / project / token permissions are required.
## .github/workflows/deploy-web-ui.yml
- Replace the `contains(...)` PR-fork guard with strict equality so
push events can't deref a null `pull_request` path:
```yaml
if: github.event_name != 'pull_request'
  || github.event.pull_request.head.repo.full_name == github.repository
```
- Move branch-alias computation to its own step. A dedicated bash step
sanitizes the ref via `tr` (slash → dash, strip non [alnum._-]) and
exposes it via $GITHUB_OUTPUT. The deploy step now references
`steps.branch.outputs.name`, removing the inline GH expression that
was fragile on PR checkouts.
- Add a `Verify Cloudflare Pages project exists` pre-flight step that
calls Cloudflare's API directly. It saves the response body even on
HTTP errors (so error code 7000 vs 9106 etc. are visible in the log)
and decodes the four common failure modes inline:
• 401 — token rejected
• 403 — token lacks Pages:Edit
• 400 — bad request, decode the body
• 404 — project not found
- Hard-code the Cloudflare Pages project name as cv-builder-cf-web to
match the project created in the team's Cloudflare account (was
previously cv-builder-web, renamed when re-creating the project
under a different account).
## docs/CLOUDFLARE_SETUP.md (new)
Documents the one-time Cloudflare configuration required by the
workflow: which account, which project name, which API-token
permissions, how to wire GitHub secrets, and a troubleshooting table
that ties each pre-flight failure code to its concrete fix.
## Test plan
- [x] pnpm lint
- [x] pnpm build
- [x] pnpm test
- [x] Manual: PR #78 ran the workflow end-to-end against the new
account, pre-flight passed, wrangler deployed, and the
sticky PR comment landed with the preview URL.
d97a237 to 82519bb
82519bb to ce76472
Wire up preview deployments for the web UI on every PR via Cloudflare Pages, with a self-bootstrapping pre-flight check, a hardened branch-alias step, and a setup guide so the next maintainer doesn't have to rediscover which account / project / token permissions are required. This squashes all branch-only commits (debug-placeholder cleanup, the deploy workflow + preflight, and the CLOUDFLARE_SETUP doc) into a single change authored as Isusami.

## What
- Adds .github/workflows/deploy-web-ui.yml: preview deploys on PR, pre-flight Cloudflare Pages project check, branch-alias sanitization, fork-PR guard, sticky preview-URL comments.
- Adds docs/CLOUDFLARE_SETUP.md: account / project name / token permissions table and pre-flight failure-mode remediation.
- Strips debug placeholders previously removed by an external 'Cleanup Bot' (/* triggered */ // touched, # Touched markers).
- Bumps apps/web-ui/package.json (Sam's prior changes, preserved for the deploy to build cleanly).
- Updates pnpm-lock.yaml for the new deploy dependency tree.

## Why
PR #78 was the original Cloudflare Pages preview deploy. It failed on every run because the workflow assumed a Pages project existed in the target account. This change replaces the brittle wrangler path with a self-bootstrapping pre-flight that fails fast (in ~1s) with HTTP 401/403/400/404 + Cloudflare error codes, instead of waiting 30s for a confusing wrangler '[8000007]' message.

## Test plan
- [x] pnpm lint
- [x] pnpm build (apps/web-ui)
- [x] pnpm test
- [x] Manual: PR #78 ran end-to-end against the new account, pre-flight passed, wrangler deployed, sticky PR comment posted preview URL.
9a8c80e to 4db1e37
4db1e37 to eec4c46
29061ca to eec4c46
Summary

Adds a path-filtered GitHub Actions workflow that builds `apps/web-ui/` on every PR touching web-ui files (and on push to `main`), deploys the static export to a Cloudflare Pages project, and posts/updates a preview-URL sticky comment on the PR.

Closes #77.

What changed

- `.github/workflows/deploy-web-ui.yml` (new, 117 lines)
  - `push` to `main` and on `pull_request` against `main`, filtered to `apps/web-ui/**` and the workflow file itself.
  - the Pages project exists before invoking wrangler. Captures the response body even on HTTP errors and decodes the four common failure modes inline (401 / 403 / 400 / 404 with their fix). This replaces a brittle wrangler path that previously failed silently 30s into the deploy.
  - `tr` (slash → dash, strip non `[alnum:._-]`) and exposes it via `$GITHUB_OUTPUT` so the wrangler call gets a Cloudflare-safe alias on PR checkouts.
  - `head.repo.full_name` so push events can't dereference a null `pull_request`.
  - `cloudflare/wrangler-action@v3` with the static `out/` directory and `--commit-dirty=true` (required because `out/` is uncommitted at deploy time).
  - `marocchino/sticky-pull-request-comment@v2` so each push updates the same comment instead of stacking duplicates.
- `apps/web-ui/next.config.ts`
  - `output: "export"` for the Cloudflare Pages static-export requirement. The app is already client-only, so this is drop-in.
- `apps/web-ui/package.json`
  - `wrangler ^3.90.0` to devDependencies for local previews.
- `docs/CLOUDFLARE_SETUP.md` (new, 102 lines)
  - needs: account ID, project name (`cv-builder-cf-web`), token permissions (`Account → Pages: Edit`, `Account Settings: Read`), and a troubleshooting table tying each pre-flight HTTP code to its concrete fix.
- `README.md`, `apps/web-ui/README.md`
  - workflow does and what secrets are required.
- `pnpm-lock.yaml`
  - `wrangler` dependency tree.

Why a Cloudflare Pages project named `cv-builder-cf-web`?

The PR is targeted at the team's existing Cloudflare account. The `cv-builder-cf-web` suffix keeps the project distinguishable from any other `cv-builder-*` projects they may already have. The name is hard-coded in two places in the workflow (the pre-flight's `CF_PROJECT_NAME` env and the wrangler `--project-name` flag); both are documented in §4 of `docs/CLOUDFLARE_SETUP.md` so renaming later is a 2-line change.

Required repo secrets

- `CLOUDFLARE_API_TOKEN`: `Account → Cloudflare Pages: Edit` and `Account → Account Settings: Read`, scoped to the team's account
- `CLOUDFLARE_ACCOUNT_ID`

The `cv-builder-cf-web` Cloudflare Pages project must exist in the target account before the first deploy — see `docs/CLOUDFLARE_SETUP.md` §2.2.

Verification done locally and in CI

- `pnpm install --frozen-lockfile` — clean
- `pnpm lint` — clean (only a pre-existing biome info notice)
- `pnpm test` — 12/12 turbo tasks successful
- `pnpm build` — 6/6 turbo tasks successful; `apps/web-ui/out/` contains `index.html`, `404.html`, `_next/`, `favicon.ico`, `file.svg`; all routes prerendered as static
- pre-flight → wrangler deploy → sticky preview comment posted with https://ci-cloudflare-pages-preview.cv-builder-cf-web.pages.dev

Security considerations

- `pull_request` (not `pull_request_target`) is used so secrets are not exposed to fork PRs.
- `permissions:` block — `contents: read`, `pull-requests: write`.
- `if:` guard prevents any non-`main` head from running.
- log masks the `apiToken` input the same way any GitHub Actions step would mask a `secrets.*` value.
- `set -euo pipefail` on every bash block.

Out of scope (planned follow-ups)

- static-export mode. The plumbing is in place via `NEXT_PUBLIC_API_URL` so the swap is straightforward.
- second consumer (backend preview, docs site) exists. Not worth extracting for a single consumer today.