Open wolffbruno opened 1 week ago
@wolffbruno Thanks for the question.
It seems that the existing configuration in biome.json is not considered in the action.
I'm going to check the behavior later, but I think the biome.json was loaded in my other projects!
I'd like to know a little more about it, can you please provide me with a repository or code to reproduce it?
I am also experiencing this and it's getting pretty painful having 100s of comments on each PR when a dep is added as it seems to scan the whole yarn.lock and generate messages for each item for a reason I have not been able to discover.
I can not provide you a repo unfortunately but I can provide you with the GH action & biome.json

```yaml
jobs:
  build-lint-test:
    name: Build, Lint, Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build & Test
        uses: ./.github/actions/build-test
  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Biome
        uses: mongolyy/reviewdog-action-biome@v1
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review
```
@jsmenzies Thanks for the info. I'll investigate this weekend.
Hi @mongolyy,
I believe I've found the issue.
If you use yarn to install dependencies your lock.file will include the yarn.pkgs URL.
In the lib/biome.sh you run:
```sh
install_biome() {
  if [ ! -f "$(npm root)"/.bin/biome ]; then
    echo '::group::🐶 Installing Biome...'
    npm install
    echo '::endgroup::'
  fi
  if [ ! -f "$(npm root)"/.bin/biome ]; then
    echo "❌ Unable to locate or install Biome. Did you provide a workdir which contains a valid package.json?"
    exit 1
  fi
  echo "Biome $("$(npm root)"/.bin/biome --version)"
}
```
Running npm install here will then overwrite all of the yarn.pkgs URLs with npm.org.
If you have modified your yarn.lock file in the PR it will then be passed to reviewdog as something to report the results on and as there is a git diff done it will basically report all occasions of yarn.pkgs -> npm.org as if they were biome lint suggestions. This can cause hundreds of comments on a simple PR and is incredibly misleading as biome itself does not even scan yarn.lock files!
I strongly suggest you don't run npm install in lib/biome.sh's install_biome().
All you need to do is run biome over the codebase without it touching any package-lock/yarn.lock please. Perhaps just:
npx @biomejs/biome check
would work?
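The failure mode described in the comment above (an install step silently rewriting a lockfile that is later diffed) can be caught with a guard around the step. This is an added example, not part of the thread or of the action's lib/biome.sh; the function names are hypothetical and the yarn.lock entry is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from lib/biome.sh. All function names are hypothetical.

# Print a SHA-256 line for every lockfile that exists in directory $1.
lockfile_digest() {
  for f in yarn.lock package-lock.json pnpm-lock.yaml; do
    [ -f "$1/$f" ] && sha256sum "$1/$f"
  done
  return 0
}

# usage: run_guarded <workdir> <command> [args...]
# Returns 0 if lockfiles are untouched, 1 if any changed, 2 if the command failed.
run_guarded() {
  workdir=$1; shift
  before=$(lockfile_digest "$workdir")
  (cd "$workdir" && "$@") || return 2
  after=$(lockfile_digest "$workdir")
  if [ "$before" != "$after" ]; then
    echo "lockfile modified by: $*" >&2
    return 1
  fi
  return 0
}

# Constructed stand-in for an install step that rewrites the registry host
# recorded in yarn.lock, as the comment above describes.
rewrite_registry() {
  sed 's#registry.yarnpkg.com#registry.npmjs.org#' yarn.lock > yarn.lock.tmp &&
    mv yarn.lock.tmp yarn.lock
}

# Build a constructed one-entry yarn.lock in a temp dir and run the guard on it.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' 'left-pad@^1.3.0:' '  version "1.3.0"' \
    '  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz"' \
    > "$dir/yarn.lock"
  rc=0
  run_guarded "$dir" rewrite_registry || rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

In a workflow, wrapping the install command with `run_guarded` makes the job fail at the step that touched the lockfile instead of surfacing the change later as review comments.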
@jsmenzies @wolffbruno
If you add the steps to yarn install to your github actions, would you still get suggestions for yarn.lock? Like the following:
```yaml
jobs:
  build-lint-test:
    name: Build, Lint, Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build & Test
        uses: ./.github/actions/build-test
  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      ### add
      - uses: actions/setup-node@v3
        with:
          node-version: "20" ### depends on your node version
      - run: yarn install
      ###
      - name: Biome
        uses: mongolyy/reviewdog-action-biome@v1
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review
```
I have written instructions on how to do this in README.md, but I feel it may be difficult to understand. https://github.com/mongolyy/reviewdog-action-biome?tab=readme-ov-file#usage
If the above response solves the problem, we will improve README.md.
I find it annoying and complicated to include a step to yarn install in the github actions.
I'll try the following actions to see if they will not cause problems with biome setup https://github.com/marketplace/actions/setup-biome
@jsmenzies @wolffbruno
I have two modification policies in mind. Please confirm that it works.
1. uses: mongolyy/reviewdog-action-biome@v1.6.0-beta
2. uses: mongolyy/reviewdog-action-biome@v1.5.0

I think 1 is fine. I look forward to hearing back from you!
Hey @mongolyy
Thanks for your work updating the action. I can confirm using v1.6.0-beta resolved the issue for us and to test I rolled back to v1.5.1 which caused the issue to appear again.
I also realised this issue would only occur in yarn.lock files which are version 1 (I think at least). I had no idea ours was so out of date so actually updating to yarn 4 generated a new lock.file without hardcoded package URLs which would also resolve the issue but would be a less optimal solution. However, I would suggest to @wolffbruno that you upgrade your yarn version as we are doing now as well 😆
Thanks for the help and fast responses! Appreciate it 😄
How can I ignore files like yarn.lock? It seems that the existing configuration in biome.json is not considered in the action. biome.json is located at root of repository.