mongolyy / reviewdog-action-biome

MIT License
19 stars 2 forks

Avoid suggestions in yarn.lock #56

Open wolffbruno opened 1 week ago

wolffbruno commented 1 week ago

How can I ignore files like yarn.lock? It seems that the existing configuration in biome.json is not considered in the action.

biome.json is located at the root of the repository.

mongolyy commented 1 week ago

@wolffbruno Thanks for the question.

> It seems that the existing configuration in biome.json is not considered in the action.

I'm going to check the behavior later, but I think the biome.json was loaded in my other projects!

I'd like to know a little more about it, can you please provide me with a repository or code to reproduce it?

jsmenzies commented 3 days ago

I am also experiencing this and it's getting pretty painful having 100s of comments on each PR when a dep is added as it seems to scan the whole yarn.lock and generate messages for each item for a reason I have not been able to discover.

I can not provide you a repo unfortunately but I can provide you with the GH action & biome.json

jobs:
  build-lint-test:
    name: Build, Lint, Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build & Test
        uses: ./.github/actions/build-test

  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Biome
        uses: mongolyy/reviewdog-action-biome@v1
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review

mongolyy commented 3 days ago

@jsmenzies Thanks for the info. I'll investigate this weekend.

jsmenzies commented 3 days ago

Hi @mongolyy,

I believe I've found the issue.

If you use yarn to install dependencies, your lock file will include the yarn.pkgs URL.

In the lib/biome.sh you run:

install_biome() {
  if [ ! -f "$(npm root)"/.bin/biome ]; then
    echo '::group::🐶 Installing Biome...'
    npm install
    echo '::endgroup::'
  fi

  if [ ! -f "$(npm root)"/.bin/biome ]; then
    echo "❌ Unable to locate or install Biome. Did you provide a workdir which contains a valid package.json?"
    exit 1
  fi

  echo "Biome $("$(npm root)"/.bin/biome --version)"
}

Running npm install here will then overwrite all of the yarn.pkgs URLs with npm.org.

If you have modified your yarn.lock file in the PR it will then be passed to reviewdog as something to report the results on and as there is a git diff done it will basically report all occasions of yarn.pkgs -> npm.org as if they were biome lint suggestions. This can cause hundreds of comments on a simple PR and is incredibly misleading as biome itself does not even scan yarn.lock files!

I strongly suggest you don't run npm install in lib/biome.sh's install_biome().

All you need to do is run biome over the codebase without it touching any package-lock/yarn.lock please. Perhaps just:

npx @biomejs/biome check

would work?
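
The behaviour described in the comment above (an install step rewriting a tracked lockfile, which then shows up as a diff) can be caught in CI before a reporter sees it. This is an added example, not code from reviewdog-action-biome; the function names are hypothetical, and `--frozen-lockfile` for yarn assumes Yarn v1.

```shell
#!/bin/sh
# Added example, not the action's own code. Function names are hypothetical.
LOCKFILES="yarn.lock package-lock.json pnpm-lock.yaml"

# Hash one file; fall back to cksum where sha256sum is unavailable.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else cksum "$1"; fi
}

# Print one digest line per lockfile present in directory $1.
lockfile_snapshot() {
  ( cd "$1" || exit 1
    for f in $LOCKFILES; do
      if [ -f "$f" ]; then digest "$f"; fi
    done )
}

# Print the install command that refuses to modify the lockfile found in $1.
frozen_install_cmd() {
  if [ -f "$1/yarn.lock" ]; then echo "yarn install --frozen-lockfile"   # Yarn v1
  elif [ -f "$1/pnpm-lock.yaml" ]; then echo "pnpm install --frozen-lockfile"
  elif [ -f "$1/package-lock.json" ]; then echo "npm ci"
  else echo "none"; fi
}

# Run a command inside directory $1.
# Returns 0 if lockfiles are untouched, 1 if one changed, 2 if the command failed.
run_guarded() {
  dir=$1; shift
  before=$(lockfile_snapshot "$dir")
  ( cd "$dir" && "$@" ) || return 2
  after=$(lockfile_snapshot "$dir")
  if [ "$before" != "$after" ]; then
    echo "lockfile modified by: $*" >&2
    return 1
  fi
  return 0
}
```

In a workflow, wrapping the lint step as `run_guarded "$GITHUB_WORKSPACE" <command>` turns a silent lockfile rewrite into a failed step instead of a flood of review comments.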

mongolyy commented 1 day ago

@jsmenzies @wolffbruno

If you add the steps to yarn install to your github actions, would you still get suggestions for yarn.lock? Like the following:

jobs:
  build-lint-test:
    name: Build, Lint, Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build & Test
        uses: ./.github/actions/build-test

  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
### add
      - uses: actions/setup-node@v3
        with:
          node-version: "20" ### depends on your node version
      - run: yarn install
###
      - name: Biome
        uses: mongolyy/reviewdog-action-biome@v1
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review

I have written instructions on how to do this in README.md, but I feel it may be difficult to understand. https://github.com/mongolyy/reviewdog-action-biome?tab=readme-ov-file#usage

If the above response solves the problem, we will improve README.md.

mongolyy commented 1 day ago

I find it annoying and complicated to include a step to yarn install in the github actions.

I'll try the following actions to see if they will not cause problems with biome setup https://github.com/marketplace/actions/setup-biome

mongolyy commented 1 day ago

@jsmenzies @wolffbruno

I have two modification policies in mind. Please confirm that it works.

  1. I have created a version with improved biome setup as v1.6.0-beta.
     a. Please try to run it with uses: mongolyy/reviewdog-action-biome@v1.6.0-beta.
  2. If 1 doesn't work, please try what I commented at https://github.com/mongolyy/reviewdog-action-biome/issues/56#issuecomment-2198472923 .
     a. Please try to run it with uses: mongolyy/reviewdog-action-biome@v1.5.0.

I think 1 is fine. I look forward to hearing back from you!

jsmenzies commented 17 hours ago

Hey @mongolyy

Thanks for your work updating the action. I can confirm using v1.6.0-beta resolved the issue for us and to test I rolled back to v1.5.1 which caused the issue to appear again.

I also realised this issue would only occur in yarn.lock files which are version 1 (I think at least). I had no idea ours was so out of date so actually updating to yarn 4 generated a new lock file without hardcoded package URLs which would also resolve the issue but would be a less optimal solution. However, I would suggest to @wolffbruno that you upgrade your yarn version as we are doing now as well 😆

Thanks for the help and fast responses! Appreciate it 😄