feat(n8n-nodes): add n8n-nodes-rocketride community node package #1255
kgarg2468 wants to merge 4 commits into
📝 Walkthrough
Adds a standalone
Changes
N8N RocketRide Community Node Package
Sequence Diagram
sequenceDiagram
participant RocketRideExec as RocketRide.execute
participant Helpers as helpers
participant HTTP as httpRequestWithAuthentication
participant Gateway as RocketRide Gateway
participant Normalize as normalizeRunResult
participant Output as Node Output
RocketRideExec->>Helpers: buildRunBody(mode, params) / buildChatBody(params)
Helpers-->>RocketRideExec: { contentType, body }
RocketRideExec->>HTTP: POST ${baseUrl}/webhook with Authorization Bearer
HTTP->>Gateway: send payload
Gateway-->>HTTP: response (maybe { data: ... })
HTTP-->>RocketRideExec: raw response
RocketRideExec->>Helpers: parseRocketRideResponse(raw)
Helpers-->>Normalize: parsed payload
Normalize-->>RocketRideExec: lifted lanes or objects map
RocketRideExec-->>Output: pairedItem with normalized result
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
878f7d0 to fde08c9
Actionable comments posted: 10
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/n8n-nodes-ci.yml:
- Around line 29-33: Update both workflow checkout and setup-node steps to
harden action resolution: replace mutable `uses: actions/checkout@v4` and `uses:
actions/setup-node@v4` with pinned SHA references, add `persist-credentials:
false` to the checkout step, and for the release workflow keep
`actions/setup-node` configuration minimal (only necessary fields) since it runs
with OIDC/publish permissions; locate and update the `checkout` and `setup-node`
steps in the CI and release workflows to apply these changes consistently.
- Around line 55-56: The CI step currently running the plain npm pack --dry-run
must be changed to run npm pack --dry-run --json and parse its JSON output to
enforce the packlist contract; update the workflow step that calls npm pack to
capture stdout, parse the files array, and fail the job if any packaged path is
not under dist/ or is not exactly README or LICENSE (i.e., enforce an allowlist
of dist/**, README, and LICENSE). Ensure the check emits a clear failure message
mentioning the unexpected entries so the action fails fast when extra files
would be shipped.
In @.github/workflows/n8n-nodes-release.yml:
- Around line 62-66: Update the publish step titled "Publish to npm (OIDC
trusted publishing + provenance)" to stop installing a floating npm@latest and
instead pin a vetted npm version (e.g. npm@11.17.0) by replacing the "npm
install -g npm@latest" invocation with a pinned install, and remove the
now-redundant "--provenance" flag from the "npm publish --provenance --access
public" command so it becomes a plain "npm publish --access public".
In `@packages/n8n-nodes/LICENSE`:
- Line 3: Update the LICENSE file to match the package ownership metadata by
replacing the conflicting copyright holder string "Copyright (c) 2026 Aparavi
Software AG" with the correct rights holder (e.g., "Copyright (c) 2026
RocketRide, Inc.") or the legally approved entity; ensure the LICENSE content
and the package metadata that lists "RocketRide, Inc." are aligned before
release.
In `@packages/n8n-nodes/nodes/RocketRide/helpers.ts`:
- Around line 23-30: The helper coerceJsonObject incorrectly treats arrays as
valid IDataObject; update the runtime checks in coerceJsonObject so it only
accepts plain objects (i.e., typeof value === 'object' && value !== null &&
!Array.isArray(value)) and, after JSON.parse, only return parsed when parsed is
an object and not an array (parsed && typeof parsed === 'object' &&
!Array.isArray(parsed)); otherwise return an empty IDataObject ({}). Ensure both
the initial object branch and the parsed branch use the Array.isArray guard so
arrays are never returned as IDataObject.
In
`@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json`:
- Around line 8-10: Update the user-facing documentation URL in
RocketRideInboundTrigger.node.json: the primaryDocumentation entry currently
points to the moving "develop" branch; change it to a stable location (for
example a release tag, a "main"/"master" README, or a versioned docs page) so
the node's in-product docs match the published package; modify the
"primaryDocumentation" -> "url" value accordingly in
RocketRideInboundTrigger.node.json.
In
`@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts`:
- Around line 124-126: The code attaches raw request headers to workflow data
via json._rocketride.headers (set where getHeaderData() is called), which can
leak secrets; update getHeaderData() (or filter its result just before assigning
to json._rocketride) to remove sensitive headers such as Authorization, Cookie,
Set-Cookie, and any shared-secret headers, or instead return only a safe
allowlist of header names (e.g., content-type, user-agent, accept, x-request-id)
before assigning to json._rocketride.headers so the inbound auth secret is never
written to execution data.
In `@packages/n8n-nodes/README.md`:
- Line 58: The README's relative links to example assets
(examples/run-pipeline.workflow.json and examples/rocketride-webhook.pipe) can
break when published to npm; update the links in packages/n8n-nodes/README.md to
use absolute GitHub URLs pointing to the files in the repository (raw or blob
view as appropriate) so the examples load reliably from the package page,
keeping the same link text but replacing the relative paths with full repo URLs.
In `@packages/n8n-nodes/test/helpers.test.mjs`:
- Around line 33-46: Add a regression test to ensure coerceJsonObject rejects
arrays: update the describe block for coerceJsonObject in helpers.test.mjs to
include a new it case that passes an array (e.g., [1,2] or []) to
coerceJsonObject and asserts the result is {} so arrays do not get treated as
plain objects; reference the existing tests around coerceJsonObject to place the
new case alongside the "returns {} for junk, empty, or nullish" tests.
In `@packages/n8n-nodes/tsconfig.json`:
- Around line 4-7: The tsconfig currently emits CommonJS/ES2019 and contains a
malformed lib entry ("es2022.error"); update the package tsconfig.json to match
the repo baseline by setting "target" to "ES2022" and "module" to "ESNext" (keep
"moduleResolution": "node"), and fix the "lib" array to include the appropriate
ES2022 lib (e.g., replace "es2022.error" with "es2022" and remove any invalid
entries) so the package output and runtime surface align with the monorepo's
ES2022/ESNext expectation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 40a7178b-ecb8-40f2-a9b2-7ce7b972ebcf
⛔ Files ignored due to path filters (5)
- packages/n8n-nodes/nodes/RocketRide/rocketride.dark.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRide/rocketride.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/rocketride.dark.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/rocketride.svg is excluded by !**/*.svg
- packages/n8n-nodes/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (28)
- .github/workflows/n8n-nodes-ci.yml
- .github/workflows/n8n-nodes-release.yml
- .prettierignore
- eslint.config.mjs
- packages/n8n-nodes/.gitignore
- packages/n8n-nodes/.prettierrc.js
- packages/n8n-nodes/CHANGELOG.md
- packages/n8n-nodes/LICENSE
- packages/n8n-nodes/README.md
- packages/n8n-nodes/eslint.config.mjs
- packages/n8n-nodes/examples/rocketride-webhook.pipe
- packages/n8n-nodes/examples/run-pipeline.workflow.json
- packages/n8n-nodes/nodes/RocketRide/RocketRide.node.json
- packages/n8n-nodes/nodes/RocketRide/RocketRide.node.ts
- packages/n8n-nodes/nodes/RocketRide/helpers.ts
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts
- packages/n8n-nodes/package.json
- packages/n8n-nodes/test/RocketRide.chat.test.mjs
- packages/n8n-nodes/test/RocketRide.node.test.mjs
- packages/n8n-nodes/test/RocketRide.upload.test.mjs
- packages/n8n-nodes/test/RocketRideApi.credentials.test.mjs
- packages/n8n-nodes/test/RocketRideInboundTrigger.test.mjs
- packages/n8n-nodes/test/helpers.test.mjs
- packages/n8n-nodes/test/integration.test.mjs
- packages/n8n-nodes/test/normalize.test.mjs
- packages/n8n-nodes/test/reachability.test.mjs
- packages/n8n-nodes/tsconfig.json
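The packlist check this review asks of the CI workflow (parse `npm pack --dry-run --json` and fail on anything outside dist/, README and LICENSE), as an added example that is not part of the PR or the project's code. The names `unexpectedPackEntries` and `SAMPLE_PACK_JSON` are hypothetical, the sample report is constructed, and allowing `package.json` and spelling README as `README.md` are assumptions.

```javascript
'use strict';

// Exact top-level files the tarball may carry. package.json is always packed
// by npm; treating README as README.md is an assumption about this package.
const ALLOWED_FILES = new Set(['package.json', 'README.md', 'LICENSE']);
// The trailing slash matters: 'dist/' must not match 'distribution/...'.
const ALLOWED_DIR = 'dist/';

// Returns the sorted list of packed paths that fall outside the allowlist.
// Throws when the report carries no file list, so a malformed or empty
// report fails the check instead of passing it.
function unexpectedPackEntries(packJson) {
  const report = JSON.parse(packJson);
  if (!Array.isArray(report) || report.length === 0) {
    throw new Error('npm pack report is empty or not an array');
  }
  const unexpected = [];
  for (const pkg of report) {
    if (!Array.isArray(pkg.files) || pkg.files.length === 0) {
      throw new Error(`no files listed for ${pkg.name ?? 'package'}`);
    }
    for (const file of pkg.files) {
      const path = String(file.path).replace(/\\/g, '/');
      const inDist =
        path.startsWith(ALLOWED_DIR) && !path.split('/').includes('..');
      if (!ALLOWED_FILES.has(path) && !inDist) unexpected.push(path);
    }
  }
  return unexpected.sort();
}

// Constructed sample in the shape `npm pack --dry-run --json` prints:
// an array with one object per package, each with a `files` array.
const SAMPLE_PACK_JSON = JSON.stringify([
  {
    name: 'n8n-nodes-rocketride',
    files: [
      { path: 'package.json' },
      { path: 'README.md' },
      { path: 'LICENSE' },
      { path: 'dist/nodes/RocketRide/RocketRide.node.js' },
      { path: 'dist/credentials/RocketRideApi.credentials.js' },
      { path: 'test/helpers.test.mjs' }, // should never ship
      { path: '.env' },                  // should never ship
      { path: 'distribution/index.js' }, // looks like dist/, is not
    ],
  },
]);

// CI usage: npm pack --dry-run --json | node check-packlist.js --stdin
// (check-packlist.js is a hypothetical file name for this script.)
if (process.argv.includes('--stdin')) {
  let input = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { input += chunk; });
  process.stdin.on('end', () => {
    const bad = unexpectedPackEntries(input);
    if (bad.length > 0) {
      console.error(`Unexpected files in tarball: ${bad.join(', ')}`);
      process.exitCode = 1;
    }
  });
}
```

A parse failure or an empty report throws, which also fails the job.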
| @@ -0,0 +1,21 @@ | |||
| MIT License | |||
|
|
|||
| Copyright (c) 2026 Aparavi Software AG | |||
Resolve copyright owner mismatch before release.
The license holder at Line 3 conflicts with the package ownership metadata (RocketRide, Inc.), which creates legal ambiguity for consumers. Align the copyright notice with the actual rights holder.
| "module": "commonjs", | ||
| "moduleResolution": "node", | ||
| "target": "es2019", | ||
| "lib": ["es2019", "es2020", "es2022.error"], |
Align the package compiler output with the repo’s ES2022/ESNext baseline.
This package is currently compiled as CommonJS targeting ES2019. That diverges from the repository rule for TS/JS files, so the node package will emit a different module/runtime surface than the rest of the monorepo expects.
Suggested config diff
- "module": "commonjs",
- "moduleResolution": "node",
- "target": "es2019",
- "lib": ["es2019", "es2020", "es2022.error"],
+ "module": "esnext",
+ "moduleResolution": "node",
+ "target": "es2022",
+ "lib": ["es2022", "es2022.error"],As per coding guidelines, **/*.{ts,tsx,js,jsx,mjs,cjs}: TypeScript/JavaScript: strict mode, ES2022 target, ESNext modules.
| "module": "commonjs", | |
| "moduleResolution": "node", | |
| "target": "es2019", | |
| "lib": ["es2019", "es2020", "es2022.error"], | |
| "module": "esnext", | |
| "moduleResolution": "node", | |
| "target": "es2022", | |
| "lib": ["es2022", "es2022.error"], |
Source: Coding guidelines
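Review bot: the suggested change of "module" from "commonjs" to "esnext" in tsconfig.json alters the format of every file emitted under dist/, which is what n8n loads through the "n8n.nodes" and "n8n.credentials" paths in package.json. The commit message describes a self-contained @n8n/node-cli toolchain that is deliberately kept apart from the monorepo's root config, so the repo-wide ES2022/ESNext guideline may not be meant to apply here. Before applying the suggestion, build with it and confirm the emitted .node.js files still load in n8n; otherwise record this package as an exception to the guideline.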
Adds packages/n8n-nodes — a verified-ready n8n community node package
(npm: n8n-nodes-rocketride) for n8n <-> RocketRide:
* RocketRide action node — Run Pipeline / Upload Files / Chat; usableAsTool
* RocketRide Trigger node — branded webhook receiver (RocketRide -> n8n)
* RocketRide API credential (Bearer pk_ key)
Zero runtime dependencies, MIT, n8n verified-lint clean, 40 unit tests green,
clean ~16 kB tarball (dist + README + LICENSE only).
Monorepo integration:
* Self-contained npm toolchain (@n8n/node-cli); kept out of pnpm-workspace
and excluded from root eslint/prettier so its config stays byte-identical
to the verified default.
* Root .gitignore's global 'credentials/' rule is negated for this package —
the credential file is a schema-only TYPE DEFINITION, not a secret.
* CI + release use 'npm install' (not 'npm ci'): a transitive 'ignore'
dual-version makes npm's own lockfile fail 'npm ci'; with zero runtime
deps, build-tool reproducibility is moot, so no lockfile is committed.
* Versions independently via tag n8n-nodes-vX.Y.Z; release publishes with
npm OIDC trusted publishing + --provenance (mirrors _release.yaml).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fde08c9 to ca9f4a0
Actionable comments posted: 5
♻️ Duplicate comments (2)
packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts (1)
124-126: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Do not copy the inbound auth secret into workflow data.
_rocketride.headers currently forwards every incoming header. When the webhook is protected, that includes the Authorization header carrying the shared secret, so the secret gets written into execution data and exposed to downstream nodes. Strip sensitive headers or store only an allowlist before attaching request metadata.
🔒 Proposed fix to filter sensitive headers
const body = this.getBodyData(); const json: IDataObject = body && typeof body === 'object' && !Array.isArray(body) ? { ...body } : { data: body }; + const headers = { ...(this.getHeaderData() as Record<string, unknown>) }; + delete headers.authorization; + delete headers.cookie; + delete headers['set-cookie']; json._rocketride = { - headers: this.getHeaderData(), + headers, query: this.getQueryData(), } as unknown as IDataObject;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts` around lines 124 - 126, The code currently copies all incoming headers into json._rocketride via getHeaderData(), which can leak the webhook Authorization/shared secret; change getHeaderData() (or the place where json._rocketride.headers is set) to filter out sensitive headers (at minimum remove "authorization" and other common secrets like "cookie" or "set-cookie") or instead build and attach an allowlist of safe headers before assigning to _rocketride.headers; keep getQueryData() unchanged but ensure only non-sensitive header keys are included in the final json._rocketride.headers object.
packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json (1)
8-10: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Point primaryDocumentation at stable docs, not develop.
This link is user-facing, but it targets a moving branch. Since the package is versioned and published independently, the in-product docs can drift away from the released node and send users to unreleased instructions. Prefer a stable location such as a tagged README or another version-stable doc surface.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json` around lines 8 - 10, The primaryDocumentation URL currently points to the moving "develop" branch; update the "primaryDocumentation" entry in RocketRideInboundTrigger.node.json to reference a version-stable doc (e.g., a tagged README or a release-specific URL) instead of "develop" so in-product docs match the released node—locate the primaryDocumentation array in the JSON and replace the develop branch URL with the appropriate tag/release or stable docs endpoint.
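Review bot: in the proposed header filter for RocketRideInboundTrigger.node.ts above, the three delete statements (authorization, cookie, set-cookie) form a denylist, so a shared secret sent under any other header name still reaches json._rocketride.headers. The finding itself names an allowlist as the alternative; building headers from a fixed set of safe names closes that gap and gives the test a single exact object to assert against.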
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/n8n-nodes-ci.yml:
- Around line 29-33: The workflow uses mutable action tags and omits credential
hardening: replace the floating references actions/checkout@v4 and
actions/setup-node@v4 with their pinned SHA commits (use the latest commit SHAs
for those actions) and add the checkout option persist-credentials: false to the
actions/checkout step; update both occurrences (the checkout and setup-node
steps referenced by actions/checkout and actions/setup-node) consistently so
both workflows are pinned and the checkout step disables credential persistence.
In `@packages/n8n-nodes/credentials/RocketRideApi.credentials.ts`:
- Around line 14-15: Update the documentationUrl constant in
RocketRideApi.credentials.ts: replace the personal fork URL
('https://github.com/kgarg2468/n8n-nodes-rocketride?tab=readme-ov-file#credentials')
with the canonical repository URL used in package.json (the
rocketride-org/rocketride-server GitHub repo) so documentation links remain
accurate after merge; locate the documentationUrl symbol in the
RocketRideApi.credentials.ts file and modify its string to point to the
canonical repo's credentials/readme anchor.
In `@packages/n8n-nodes/package.json`:
- Around line 46-68: CI shows a nonzero DEPS because something mutates
packages/n8n-nodes/package.json before the "Enforce verified-node invariants"
step; open .github/workflows/n8n-nodes-ci.yml and add a debug step immediately
before that invariants step that prints the runtime value of
require('./package.json').dependencies (to confirm what was injected) and also
log the computed DEPS expression
(Object.keys(require('./package.json').dependencies || {}).length) so you can
correlate which task (build/lint/test) added the dependency; place the debug
command right before the step that enforces verified-node invariants and ensure
it runs in the same working directory as the package.json referenced by the DEPS
computation.
In `@packages/n8n-nodes/test/RocketRide.node.test.mjs`:
- Around line 5-23: The three test files duplicate the makeContext test helper;
extract a single unified makeContext implementation into a shared test utilities
module that accepts all optional parameters used across tests (params,
credentials, httpMock, continueOnFail, items, binaries) and preserves behaviors
like calls array, getInputData, getCredentials, getNodeParameter, getNode,
continueOnFail, and helpers.httpRequestWithAuthentication.call; then update
RocketRide.node.test.mjs, RocketRide.chat.test.mjs, and
RocketRide.upload.test.mjs to import and use this shared makeContext helper so
all tests use the same mock implementation.
In `@packages/n8n-nodes/test/RocketRideInboundTrigger.test.mjs`:
- Around line 42-50: Add a new test in RocketRideInboundTrigger.test.mjs that
calls RocketRideInboundTrigger.prototype.webhook via makeCtx with params.secret
and headers containing "authorization: 'Bearer s3cr3t'" plus another header
(e.g., "x-custom"), then assert the returned
out.workflowData[0][0].json._rocketride.headers.authorization is undefined and
that the other header remains (e.g., _rocketride.headers['x-custom'] ===
'value') to ensure sensitive Authorization header is filtered from
_rocketride.headers.
---
Duplicate comments:
In
`@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json`:
- Around line 8-10: The primaryDocumentation URL currently points to the moving
"develop" branch; update the "primaryDocumentation" entry in
RocketRideInboundTrigger.node.json to reference a version-stable doc (e.g., a
tagged README or a release-specific URL) instead of "develop" so in-product docs
match the released node—locate the primaryDocumentation array in the JSON and
replace the develop branch URL with the appropriate tag/release or stable docs
endpoint.
In
`@packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts`:
- Around line 124-126: The code currently copies all incoming headers into
json._rocketride via getHeaderData(), which can leak the webhook
Authorization/shared secret; change getHeaderData() (or the place where
json._rocketride.headers is set) to filter out sensitive headers (at minimum
remove "authorization" and other common secrets like "cookie" or "set-cookie")
or instead build and attach an allowlist of safe headers before assigning to
_rocketride.headers; keep getQueryData() unchanged but ensure only non-sensitive
header keys are included in the final json._rocketride.headers object.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e3939f56-2202-43ef-a53d-2d50e168546a
⛔ Files ignored due to path filters (6)
- packages/n8n-nodes/credentials/rocketride.dark.svg is excluded by !**/*.svg
- packages/n8n-nodes/credentials/rocketride.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRide/rocketride.dark.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRide/rocketride.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/rocketride.dark.svg is excluded by !**/*.svg
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/rocketride.svg is excluded by !**/*.svg
📒 Files selected for processing (30)
- .github/workflows/n8n-nodes-ci.yml
- .github/workflows/n8n-nodes-release.yml
- .gitignore
- .prettierignore
- eslint.config.mjs
- packages/n8n-nodes/.gitignore
- packages/n8n-nodes/.prettierrc.js
- packages/n8n-nodes/CHANGELOG.md
- packages/n8n-nodes/LICENSE
- packages/n8n-nodes/README.md
- packages/n8n-nodes/credentials/RocketRideApi.credentials.ts
- packages/n8n-nodes/eslint.config.mjs
- packages/n8n-nodes/examples/rocketride-webhook.pipe
- packages/n8n-nodes/examples/run-pipeline.workflow.json
- packages/n8n-nodes/nodes/RocketRide/RocketRide.node.json
- packages/n8n-nodes/nodes/RocketRide/RocketRide.node.ts
- packages/n8n-nodes/nodes/RocketRide/helpers.ts
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts
- packages/n8n-nodes/package.json
- packages/n8n-nodes/test/RocketRide.chat.test.mjs
- packages/n8n-nodes/test/RocketRide.node.test.mjs
- packages/n8n-nodes/test/RocketRide.upload.test.mjs
- packages/n8n-nodes/test/RocketRideApi.credentials.test.mjs
- packages/n8n-nodes/test/RocketRideInboundTrigger.test.mjs
- packages/n8n-nodes/test/helpers.test.mjs
- packages/n8n-nodes/test/integration.test.mjs
- packages/n8n-nodes/test/normalize.test.mjs
- packages/n8n-nodes/test/reachability.test.mjs
- packages/n8n-nodes/tsconfig.json
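An allowlist version of the header filtering discussed in this review, shown beside the denylist from the proposed fix, as an added example that is not the PR's code. `safeHeaders`, `denylistHeaders`, `buildWorkflowItem` and the `x-rocketride-secret` header are hypothetical; the allowlist entries follow the names the review suggests, and the sample request is constructed.

```javascript
'use strict';

// Header names considered safe to expose to downstream nodes (the set the
// review offers as an example; adjust to what workflows actually need).
const SAFE_HEADERS = new Set([
  'content-type',
  'user-agent',
  'accept',
  'x-request-id',
]);

// Allowlist: copy only known-safe names, compared case-insensitively, so an
// unknown or newly introduced secret header is dropped by default.
function safeHeaders(rawHeaders, allow = SAFE_HEADERS) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders ?? {})) {
    const key = name.toLowerCase();
    if (allow.has(key)) out[key] = value;
  }
  return out;
}

// Denylist, mirroring the three deletes in the proposed fix, for comparison.
function denylistHeaders(rawHeaders) {
  const headers = { ...rawHeaders };
  delete headers.authorization;
  delete headers.cookie;
  delete headers['set-cookie'];
  return headers;
}

// Builds the workflow item the way the trigger does in the quoted snippet,
// but attaches only allowlisted headers under _rocketride.
function buildWorkflowItem(body, rawHeaders, query) {
  const json =
    body && typeof body === 'object' && !Array.isArray(body)
      ? { ...body }
      : { data: body };
  json._rocketride = { headers: safeHeaders(rawHeaders), query };
  return { json };
}

// Constructed request headers. Node's HTTP parser lowercases incoming names,
// but a hand-built mock context in a test may not, hence 'Authorization'.
const SAMPLE_HEADERS = {
  'content-type': 'application/json',
  Authorization: 'Bearer constructed-token',
  'x-rocketride-secret': 'constructed-shared-secret',
  'x-request-id': 'req-0001',
  cookie: 'sid=constructed',
};

// What each strategy lets through for the sample above.
function compareStrategies(headers = SAMPLE_HEADERS) {
  return {
    denylist: Object.keys(denylistHeaders(headers)).sort(),
    allowlist: Object.keys(safeHeaders(headers)).sort(),
  };
}
```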
| documentationUrl = | ||
| 'https://github.com/kgarg2468/n8n-nodes-rocketride?tab=readme-ov-file#credentials'; |
Documentation URL points to personal fork instead of canonical repository.
The documentationUrl references github.com/kgarg2468/n8n-nodes-rocketride, which appears to be a personal fork or development repository, while package.json homepage points to the canonical rocketride-org/rocketride-server repository. After this PR merges, the personal repository URL may become stale or inaccessible.
🔗 Proposed fix to align with canonical repository
documentationUrl =
- 'https://github.com/kgarg2468/n8n-nodes-rocketride?tab=readme-ov-file#credentials';
+ 'https://github.com/rocketride-org/rocketride-server/tree/develop/packages/n8n-nodes#credentials';📝 Committable suggestion
| documentationUrl = | |
| 'https://github.com/kgarg2468/n8n-nodes-rocketride?tab=readme-ov-file#credentials'; | |
| documentationUrl = | |
| 'https://github.com/rocketride-org/rocketride-server/tree/develop/packages/n8n-nodes#credentials'; |
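Review bot: the replacement URL in this suggestion contains tree/develop, the same moving-branch target this review flags for primaryDocumentation in RocketRideInboundTrigger.node.json. Point documentationUrl at a tag or another version-stable location in rocketride-org/rocketride-server, so both in-product links stay aligned with the published package.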
| "n8n": { | ||
| "n8nNodesApiVersion": 1, | ||
| "strict": true, | ||
| "credentials": [ | ||
| "dist/credentials/RocketRideApi.credentials.js" | ||
| ], | ||
| "nodes": [ | ||
| "dist/nodes/RocketRide/RocketRide.node.js", | ||
| "dist/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.js" | ||
| ] | ||
| }, | ||
| "devDependencies": { | ||
| "@n8n/node-cli": "0.34.0", | ||
| "eslint": "9.29.0", | ||
| "prettier": "3.6.2", | ||
| "release-it": "^19.0.4", | ||
| "typescript": "5.9.2", | ||
| "vitest": "^4.1.8" | ||
| }, | ||
| "peerDependencies": { | ||
| "n8n-workflow": "*" | ||
| } | ||
| } |
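Review bot: in devDependencies, "release-it": "^19.0.4" and "vitest": "^4.1.8" use caret ranges while @n8n/node-cli, eslint, prettier and typescript are exact pins. The commit message states that no lockfile is committed and that CI and release run npm install, so these two resolve to whatever satisfies the range at run time, including in the job that publishes to npm. Pin both to exact versions like the rest, and consider narrowing "n8n-workflow": "*" in peerDependencies to the range the node is tested against.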
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify that no dependencies field is added during build/prerelease
cd packages/n8n-nodes || exit 1
echo "=== Original package.json dependencies check ==="
if jq -e '.dependencies' package.json > /dev/null 2>&1; then
echo "❌ Found dependencies field in source package.json:"
jq '.dependencies' package.json
else
echo "✅ No dependencies field in source package.json"
fi
echo ""
echo "=== Simulating prerelease step ==="
npm install --no-save 2>&1 | head -20
npx n8n-node prerelease 2>&1 | head -20 || echo "(prerelease command not available in sandbox)"
echo ""
echo "=== Checking package.json after prerelease ==="
if jq -e '.dependencies' package.json > /dev/null 2>&1; then
echo "⚠️ dependencies field appeared after prerelease:"
jq '.dependencies' package.json
else
echo "✅ Still no dependencies field after prerelease"
fi
echo ""
echo "=== Checking CI workflow for dependency verification logic ==="
rg -A5 -B5 'ZERO runtime dependencies|Found.*dependencies' .github/workflows/n8n-nodes-ci.yml || echo "(pattern not found)"
Repository: rocketride-org/rocketride-server
Length of output: 162
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Inspect packages/n8n-nodes/package.json for dependencies field ==="
ls -la packages/n8n-nodes/package.json
rg -n '"dependencies"\s*:' packages/n8n-nodes/package.json || true
cat -n packages/n8n-nodes/package.json | sed -n '35,90p'
echo
echo "=== Locate CI workflow that mentions ZERO runtime dependencies ==="
ls -la .github/workflows || true
fd -a -e yml -e yaml "n8n" .github/workflows || true
rg -n "ZERO runtime dependencies|Found.*dependencies|runtime dependencies" .github/workflows .github/actions .github/scripts 2>/dev/null || true
echo
echo "=== Search for any prerelease/build step that might rewrite package.json ==="
rg -n "prerelease|release-it|n8n-node prerelease|node prerelease" packages/n8n-nodes/package.json .github/workflows 2>/dev/null || true
cat -n packages/n8n-nodes/package.json | sed -n '1,120p'
Repository: rocketride-org/rocketride-server
Length of output: 10386
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== CI step around ZERO runtime dependencies ==="
nl -ba .github/workflows/n8n-nodes-ci.yml | sed -n '1,120p'
echo
echo "=== Any helper scripts that implement the dependency check ==="
rg -n "ZERO runtime dependencies|runtime dependencies|DEPS" .github -S || true
echo
echo "=== CI release workflow message (if any) ==="
nl -ba .github/workflows/n8n-nodes-release.yml | sed -n '1,200p'
Repository: rocketride-org/rocketride-server
Length of output: 186
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== CI step around ZERO runtime dependencies ==="
cat -n .github/workflows/n8n-nodes-ci.yml | sed -n '1,120p'
echo
echo "=== Any helper scripts that implement the dependency check ==="
rg -n "ZERO runtime dependencies|runtime dependencies|DEPS" .github -S || true
echo
echo "=== CI release workflow message (if any) ==="
cat -n .github/workflows/n8n-nodes-release.yml | sed -n '1,200p'
Repository: rocketride-org/rocketride-server
Length of output: 5402
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Search for package.json dependency mutations ==="
rg -n "package\.json|dependencies" packages/n8n-nodes .github/workflows -S \
--glob='*.js' --glob='*.ts' --glob='*.yaml' --glob='*.yml' --glob='*.sh' || true
echo
echo "=== Check scripts in packages/n8n-nodes package.json ==="
cat packages/n8n-nodes/package.json
Repository: rocketride-org/rocketride-server
Length of output: 3266
Fix CI diagnosis for “ZERO runtime dependencies”: the check is correct; failure implies dependencies got added before the invariant step.
- packages/n8n-nodes/package.json has no top-level dependencies (only devDependencies + peerDependencies).
- .github/workflows/n8n-nodes-ci.yml computes DEPS from Object.keys(require('./package.json').dependencies || {}).length and prints it via bash-expanded $DEPS, so $DEPS isn’t a placeholder/interpolation bug.
- If CI reports found $DEPS != 0, something is mutating packages/n8n-nodes/package.json during npm run build/lint/test before “Enforce verified-node invariants”.
- Add a debug dump right before that step (e.g., node -p "require('./package.json').dependencies || null") to see what gets injected.
| function makeContext({ params, credentials, httpMock, continueOnFail = false, items = [{ json: {} }] }) { | ||
| const calls = []; | ||
| return { | ||
| calls, | ||
| getInputData: () => items, | ||
| getCredentials: async () => credentials, | ||
| getNodeParameter: (name, _i, fallback) => (name in params ? params[name] : fallback), | ||
| getNode: () => ({ name: 'RocketRide' }), | ||
| continueOnFail: () => continueOnFail, | ||
| helpers: { | ||
| httpRequestWithAuthentication: { | ||
| call: async (_ctx, _credName, opts) => { | ||
| calls.push(opts); | ||
| return httpMock(opts); | ||
| }, | ||
| }, | ||
| }, | ||
| }; | ||
| } |
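Review bot: the mocked `httpRequestWithAuthentication.call` drops `_credName` and pushes only `opts` into `calls`, so no test built on this helper can assert which credential type the node authenticates with. Record the credential name alongside each call (for example in a second array next to `calls`) so a wrong or missing credential name fails a test instead of passing silently. The same applies to `getNodeParameter`, which ignores the item index `_i`, so a multi-item run can never see per-item parameter values.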
🧹 Nitpick | 🔵 Trivial | ⚡ Quick win
Consolidate duplicated makeContext test helper across packages/n8n-nodes/test/RocketRide.node.test.mjs, packages/n8n-nodes/test/RocketRide.chat.test.mjs, and packages/n8n-nodes/test/RocketRide.upload.test.mjs.
The makeContext mock helper appears in all three test files with nearly identical implementations (differing only in optional parameters like continueOnFail, items, and binaries). Extract a single unified version into a shared test utilities file (e.g., packages/n8n-nodes/test/helpers/makeContext.mjs) that accepts all optional parameters, then import it in each test file. This eliminates duplication, reduces maintenance burden, and ensures consistent mocking behavior across the test suite.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/n8n-nodes/test/RocketRide.node.test.mjs` around lines 5 - 23, The
three test files duplicate the makeContext test helper; extract a single unified
makeContext implementation into a shared test utilities module that accepts all
optional parameters used across tests (params, credentials, httpMock,
continueOnFail, items, binaries) and preserves behaviors like calls array,
getInputData, getCredentials, getNodeParameter, getNode, continueOnFail, and
helpers.httpRequestWithAuthentication.call; then update
RocketRide.node.test.mjs, RocketRide.chat.test.mjs, and
RocketRide.upload.test.mjs to import and use this shared makeContext helper so
all tests use the same mock implementation.
- trigger: redact Authorization/Cookie headers from _rocketride.headers (don't leak the shared secret into execution data)
- helpers: coerceJsonObject rejects arrays (plain object only) + regression test
- tsconfig: target es2019 -> es2022 (kept module: commonjs; n8n loads community nodes via require, so ESM would break loading)
- docs: codex doc URLs -> stable npm package page; README example links absolute
- package.json author -> Aparavi Software AG (align with LICENSE / legal entity)
- workflows: pin actions to commit SHAs + persist-credentials: false; enforce the packlist (dist+README+LICENSE only); pin npm 11.5.1 in release

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Addressed CodeRabbit's review in Applied as suggested
One intentional divergence
Verified locally: build ✓, verified-lint ✓, 41/41 tests ✓, tarball clean (dist + README + LICENSE).
- credential documentationUrl -> stable npm package page (was a personal-fork URL, missed because the credential file was gitignored when the package was re-homed)
- add trigger test asserting Authorization/Cookie headers are redacted from _rocketride

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Re-review follow-ups addressed in the latest commit:
Verified locally: build ✓, verified-lint ✓, 42/42 tests ✓.
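The header redaction described in the two commits above, as an added example that is not code from this PR. The names `redactHeaders`, `buildTriggerMetadata` and the `[redacted]` marker are assumptions, and the sample request is constructed.

```javascript
// Added example: redactHeaders, buildTriggerMetadata and REDACTED are
// hypothetical names, not taken from the n8n-nodes-rocketride source.
const REDACTED = '[redacted]';

// Header names are case-insensitive on the wire, so compare in lower case.
const DEFAULT_SENSITIVE = ['authorization', 'cookie'];

function redactHeaders(headers, sensitive = DEFAULT_SENSITIVE) {
  const blocked = new Set(sensitive.map((name) => name.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (blocked.has(name.toLowerCase())) {
      // Keep the key so later nodes can see the header was present, but never
      // copy the value. Repeated headers may arrive as an array of strings.
      out[name] = Array.isArray(value) ? value.map(() => REDACTED) : REDACTED;
    } else {
      out[name] = value;
    }
  }
  return out; // new object; the caller's request headers are left untouched
}

// Shape the metadata that would be attached to the emitted workflow item.
function buildTriggerMetadata(request) {
  return {
    _rocketride: {
      method: request.method,
      headers: redactHeaders(request.headers),
    },
  };
}

// Constructed sample request, not captured traffic.
const sampleRequest = {
  method: 'POST',
  headers: {
    'content-type': 'application/json',
    Authorization: 'Bearer constructed-shared-secret',
    COOKIE: ['session=constructed-a', 'csrf=constructed-b'],
    'x-request-id': 'constructed-123',
  },
};

const item = buildTriggerMetadata(sampleRequest);
console.log(JSON.stringify(item, null, 2));
```

Serializing the whole item and searching it for the secret, as a regression test can do, catches leaks through any field rather than only through the headers map.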
♻️ Duplicate comments (1)
.github/workflows/n8n-nodes-release.yml (1)
63-67: 🧹 Nitpick | 🔵 Trivial | 💤 Low value
The `--provenance` flag may be redundant with OIDC trusted publishing.
A previous review noted that npm OIDC trusted publishing (npm >= 11.5.1) generates provenance attestations automatically, making the explicit `--provenance` flag redundant. However, the monorepo's own `_release.yaml` workflow uses `--provenance` with OIDC, creating conflicting evidence about whether the flag is necessary or just harmless redundancy.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/n8n-nodes-release.yml around lines 63 - 67, The publish step named "Publish to npm (OIDC trusted publishing + provenance)" is passing an explicit --provenance flag which is redundant when using OIDC trusted publishing (npm >= 11.5.1); remove the --provenance token from the npm publish invocation (replace "npm publish --provenance --access public" with "npm publish --access public") and ensure consistency with the repo's _release.yaml (either remove the flag there too or add a clarifying comment if you intentionally keep it for explicitness).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7383d250-7af2-4ff5-b111-345e9d41ef79
📒 Files selected for processing (10)
- .github/workflows/n8n-nodes-ci.yml
- .github/workflows/n8n-nodes-release.yml
- packages/n8n-nodes/README.md
- packages/n8n-nodes/nodes/RocketRide/RocketRide.node.json
- packages/n8n-nodes/nodes/RocketRide/helpers.ts
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.json
- packages/n8n-nodes/nodes/RocketRideInboundTrigger/RocketRideInboundTrigger.node.ts
- packages/n8n-nodes/package.json
- packages/n8n-nodes/test/helpers.test.mjs
- packages/n8n-nodes/tsconfig.json
Rod-Christensen
left a comment
Before this is merged, I want to review this with you. Once this is released, it essentially sets the structure of this in stone.
kwit75
left a comment
CI/CD review (the .github/workflows part is my turf — overall this is exactly right: OIDC trusted publishing with no token, SHA-pinned actions, the tag↔package.json version guard, environment: release reusing the same approval gate as server releases, and the n8n toolchain kept isolated from the pnpm workspace. Nice work.)
Two things before this can ship end-to-end:
- Commit `packages/n8n-nodes/package-lock.json` and switch both workflows to `npm ci` — without a lockfile, CI and the publish job resolve dependencies fresh on every run, so the published artifact isn't reproducible and a hijacked transitive dep walks straight into a verified community node. `npm ci` + lockfile pins the whole tree.
- First-publish bootstrap (not in this PR, just sequencing): npm's trusted publishing can only be configured on a package that already exists, so v0.1.0 needs one manual `npm publish` from a maintainer account first; then we set the Trusted Publisher exactly as your header comment documents (repo `rocketride-org/rocketride-server`, workflow `n8n-nodes-release.yml`, environment `release`), and every release after that is the tag flow, tokenless. I'll coordinate the manual publish + npm package settings — ping me when this merges.
🤖 Generated with Claude Code
Pin the dependency tree for reproducible, supply-chain-safe CI/publish:
- commit package-lock.json (un-ignore it); switch both workflows to npm ci
- both workflows install npm@11.5.1 before npm ci (matches the publish step)

Lockfile is generated with 'npm install && npm dedupe': npm install alone writes an incomplete lockfile for the transitive 'ignore' dual-version (eslint pulls ignore@7, another devtool ignore@5) that npm ci then rejects -- a known npm bug on npm 10 and 11. The usual 'overrides' fix is forbidden by n8n verified-lint (no-overrides-field), so 'npm dedupe' is the override-free workaround. Dev-only deps; the published node still has zero runtime dependencies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Point 1 done in
Point 2 (first-publish bootstrap): understood — I'll ping you to do the manual
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/n8n-nodes-ci.yml (1)
10-18: ⚠️ Potential issue | 🟠 Major
Expand `paths` filter so CI runs when repo-level wiring/config changes
GitHub Actions `pull_request.paths`/`push.paths` evaluates the changed files and runs the workflow only if at least one changed file matches the configured patterns; with the current filter, PRs that change only `.github/workflows/n8n-nodes-release.yml`, `.gitignore`, `.prettierignore`, or `eslint.config.mjs` will skip this workflow, leaving the `packages/n8n-nodes` toolchain unvalidated. Add those files to this workflow’s `paths` (or drop the restrictive `paths` filter).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/n8n-nodes-ci.yml around lines 10 - 18, Update the GitHub Actions trigger configuration so CI runs when repo-level wiring/config changes by expanding or removing the restrictive paths filter: modify the pull_request.paths and push.paths entries in the workflow to include the additional repo-level files (e.g., '.github/workflows/n8n-nodes-release.yml', '.gitignore', '.prettierignore', 'eslint.config.mjs') or simply remove the paths filter entirely; ensure you edit the pull_request.paths and push.paths blocks in the .github/workflows/n8n-nodes-ci.yml workflow to reflect this change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4e7d979d-5279-4d96-a7fa-33e83f69f79d
⛔ Files ignored due to path filters (1)
- packages/n8n-nodes/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
- .github/workflows/n8n-nodes-ci.yml
- .github/workflows/n8n-nodes-release.yml
- packages/n8n-nodes/.gitignore
💤 Files with no reviewable changes (1)
- packages/n8n-nodes/.gitignore
What
Adds `packages/n8n-nodes` — an n8n community node package (npm: `n8n-nodes-rocketride`) for the n8n → RocketRide direction, the counterpart to `tool_n8n` (#1231):
usableAsTool so n8n's AI Agent can call RocketRide.
pk_key).
Verification
dist + README + LICENSE) via `npm pack --dry-run`.
Monorepo wiring (why a few things look unusual)
A verified n8n node keeps the `@n8n/node-cli` toolchain with its own byte-identical `eslint.config.mjs` and zero runtime deps. To fit cleanly:
- pnpm-workspace.yaml; self-contained npm toolchain.
- `.gitignore`'s global `credentials/` rule is negated for this package — the credential file is a schema-only type definition, not a secret.
- `npm install` (not `npm ci`): a transitive `ignore` dual-version makes npm's own lockfile fail `npm ci`; with zero runtime deps, build-tool reproducibility is moot, so no lockfile is committed.
- n8n-nodes-vX.Y.Z; release publishes with npm OIDC trusted publishing + `--provenance` (mirrors `_release.yaml`).
Notes
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Documentation
CI / Release
Packaging / Config
Tests