ci(repo): add commitlint checks

[davidemarcoli]

Summary by CodeRabbit

• Chores
  • Added commit message linting to enforce standardized commit conventions across the repository.
  • Enhanced pull request validation workflows to trigger on additional event types and include project environment setup.
  • Updated development dependencies to support commit message validation infrastructure.

[coderabbitai]

Warning

Review limit reached

@davidemarcoli, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 47 minutes and 53 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 86dd504a-8d19-4141-a264-c68b0ad42d2d

📥 Commits

Reviewing files that changed from the base of the PR and between 56f5b2c and 2184c56.

📒 Files selected for processing (2)

• .github/workflows/pr-quality.yaml
• commitlint.config.mjs

📝 Walkthrough

Walkthrough

This PR introduces commit message linting via commitlint, dynamically configured with repository-aware scopes. Dependencies are added to the workspace catalog, a configuration file derives valid scopes from the app and package directories, and validation is integrated into both local git hooks and the pull request quality workflow.

Changes

Commit Message Linting

Layer / File(s)	Summary
Commitlint dependency declarations package.json, pnpm-workspace.yaml	@commitlint/cli and @commitlint/config-conventional are added to devDependencies and pinned to ^21.0.2 in the workspace catalog.
Commitlint configuration with dynamic scopes commitlint.config.mjs	getScopes() reads apps and packages directories, derives scopes by stripping known prefixes (plugin-, util-, feature-), and builds a sorted scope list including "repo". The exported config extends @commitlint/config-conventional and enforces the dynamic scope enum.
Git hook and workflow integration .husky/commit-msg, .github/workflows/pr-quality.yaml	commit-msg hook runs pnpm commitlint --edit $1 on each commit. The pr-quality workflow expands triggers to include synchronize and edited events, adds a setup step before validation, and runs commitlint with NODE_ENV: production.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• rivenmedia/riven-ts#186: Introduced the original pr-quality.yaml workflow that this PR extends with additional event triggers and setup steps.

Poem

🐰 A commit message so fine,
With scopes validated by mine,
Each app and package in place,
Git hooks keep a tidy space,
Conventions now shall align!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'ci(repo): add commitlint checks' accurately describes the main change: adding commitlint configuration and integration across the repository's CI/CD workflow, commit hooks, and dependencies.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/commitlint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/pr-quality.yaml (1)

21-22: ⚡ Quick win

Harden checkout: disable credential persistence and pin the action.

Per the repo's static-analysis policy, actions/checkout persists credentials by default (flagged artipacked) and @v6 is not pinned to a commit SHA (unpinned-uses). Since this is a pull_request_target workflow, leaking the persisted token is higher risk.

🛡️ Suggested change

       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@<commit-sha> # v6.x.x
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-quality.yaml around lines 21 - 22, The checkout step
("Checkout repository") currently uses "actions/checkout@v6" and leaves
credentials persisted; update that step to pin the action to a full commit SHA
(replace "`@v6`" with the specific commit SHA for actions/checkout) and add a
"with: persist-credentials: false" entry to disable token persistence for the
workflow (keep the step name "Checkout repository" and the uses string when
locating the change).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-quality.yaml:
- Around line 27-30: The "Validate PR title" step currently interpolates
github.event.pull_request.title directly into the shell which allows script
injection under pull_request_target; change the step to pass the PR title into a
dedicated environment variable (e.g., PR_TITLE) using env: PR_TITLE: ${{
github.event.pull_request.title }} and then reference that variable in the run
command with proper quoting (e.g., echo "$PR_TITLE" | pnpm commitlint) so the
title is not re-interpreted by the shell; update the step named "Validate PR
title" accordingly.

In `@commitlint.config.mjs`:
- Around line 8-22: getScopes() currently reads "apps" and "packages" with
readdirSync but only adds top-level package names (so packages/core/* derived
scopes like eslint-config, graphql-helpers, etc. are missed) and doesn't filter
entries to directories; update getScopes() to use readdirSync(..., {
withFileTypes: true }) and only include Dirent.isDirectory() entries, and when
encountering a package named "core" (or any package that contains subpackages)
enumerate its subdirectories and add those subfolder names (stripping configured
prefixes from each) into the scopes array; also deduplicate the scopes (e.g.,
via Set) and sort before returning. Ensure you adjust references to the prefixes
variable and the scopes array and keep behavior for apps the same.

---

Nitpick comments:
In @.github/workflows/pr-quality.yaml:
- Around line 21-22: The checkout step ("Checkout repository") currently uses
"actions/checkout@v6" and leaves credentials persisted; update that step to pin
the action to a full commit SHA (replace "`@v6`" with the specific commit SHA for
actions/checkout) and add a "with: persist-credentials: false" entry to disable
token persistence for the workflow (keep the step name "Checkout repository" and
the uses string when locating the change).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 17912256-efcb-4486-b753-bcb648a029a0

📥 Commits

Reviewing files that changed from the base of the PR and between 5fe8262 and 56f5b2c.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• .github/workflows/pr-quality.yaml
• .husky/commit-msg
• commitlint.config.mjs
• package.json
• pnpm-workspace.yaml

[github-actions]

Coverage Report for Riven

Status	Category	Percentage	Covered / Total
🔴	Lines	62.93% ⬆️ +0.29%	2684 / 4265
🔴	Statements	62.99% ⬆️ +0.28%	2713 / 4307
🔴	Functions	63.02% ⬆️ +0.66%	566 / 898
🔴	Branches	51.93% ⬆️ +0.41%	1155 / 2224

File Coverage

File	Stmts	Branches	Functions	Lines	Uncovered Lines
Affected Files
apps/riven/lib/message-queue/flows/process-media-item/process-media-item.processor.ts	45.9% ⬆️ +4.92%	23.8% 🟰 ±0%	100% 🟰 ±0%	45.9% ⬆️ +4.92%	57-58, 71-98, 119, 149-228
apps/riven/lib/message-queue/flows/request-content-service/request-content-service.processor.ts	22.44% 🟰 ±0%	10.71% ⬆️ +3.57%	33.33% 🟰 ±0%	22.44% 🟰 ±0%	28-32, 74-177
apps/riven/lib/message-queue/flows/request-stream-link/request-stream-link.processor.ts	94.87% ⬇️ -2.56%	83.33% ⬇️ -8.33%	100% 🟰 ±0%	94.87% ⬇️ -2.56%	56, 151-152
apps/riven/lib/message-queue/sandboxed-jobs/utilities/create-sandboxed-worker.ts	76.92% ⬆️ +7.69%	50% 🟰 ±0%	66.66% ⬆️ +33.33%	76.92% ⬆️ +7.69%	74-78
apps/riven/lib/message-queue/utilities/create-flow-worker.ts	84% ⬇️ -4.00%	62.5% 🟰 ±0%	75% ⬇️ -12.50%	84% ⬇️ -4.00%	63, 97, 123, 132

Generated in workflow #371 for commit 2184c56 by the Vitest Coverage Report Action